Four habits of highly effective security teams

· 3 MIN READ · PETER SILBERMAN · MAY 6, 2019 · TAGS: Employee retention / Managed security / Management / Planning / SOC

No matter if your security team is big or small, I bet you feel understaffed to deliver on your mission. And if your “team” is just you then you should multiply those feelings by 10x.

You’re not alone. In the absence of having the people and budget to snag all of the products on your wish list — or the people to help shrink your to-do list — how can you behave like a team twice your size and focus on the stuff that’ll make the biggest impact?

Here at Expel, we’re fortunate to have a bunch of people who’ve been managing teams and building security operations centers (SOCs) for eons. Looking back at our collective experience, we identified four consistent habits that all the highly effective security teams we’ve been a part of have practiced.

Here’s what we observed and why it all matters, whether you’re a security team of one or 100.

1. They understand what their products do

When it comes to security tech, highly effective security teams focus on two things: 1) The alert signal each vendor’s technology produces and 2) What questions they ask of their technology during an investigation.

We work with more than two dozen different products here at Expel. We’ve taken the time to generalize the various capabilities that an EDR, Network or SIEM vendor can offer an analyst. We think about the capabilities offered by each class of technology as a capability model. It doesn’t matter how EDR vendor A or vendor B acquire files; our analysts know that vendor A and B offer an acquire file capability and they use Expel Workbench to fetch that file from either vendor.

In short, creating a capability model is a good way for us to develop a structured understanding of the questions we can “ask” our technology.

2. They take a common approach to investigating

When something goes sideways and it’s time to take action, highly effective security teams have a consistent approach to how they run an investigation. It’s important that investigations follow a defined, repeatable process where analysts take the same actions for the same type of alert every time that alert pops up. For example, when our SOC analysts see an alert for a suspicious login, they know their first step in the investigation is to grab historical data for that user to determine what constitutes “normal” activity.

Note that I said “process” — not “prescription.” Yes, you need a standard approach to taking action, but analysts still need to exercise good judgement and make quick decisions. There will always be alerts that turn your usual playbook on its head, which is why ongoing learning and training is so important.

3. They invest in training

In my experience, the best security teams make training a priority. So once you’ve got a grip on what your product(s) do and have your investigative process down, you need to get real hands-on practice — over and over again.

One of our favorite ways to keep our analysts sharp is to run threat emulation exercises. Threat emulation is the process of simulating a realistic threat you’re likely to encounter with a heavy emphasis on what happens after an attacker breaks in. It’s the best way to flex those response muscles and improve your team’s collective detection skills.

If you want to create your own threat emulation exercise, we’ve got step-by-step instructions right here. We’ve also got some pro tips on how to build a cloud-focused threat emulation exercise in AWS.

4. They demonstrate value to their “customers”

Finally, highly effective security teams demonstrate value to their customers. A great way of demonstrating value is to figure out how to show your work. Note that showing your work is not bringing an incident report to a board meeting. It’s important to figure out what your customers want to understand about security and then adjust what and how you’re presenting to make sure you’re aligning with their business objectives. And when I say “customers” I’m not just talking about the companies that pay you for services. These customers could be your CISO, CEO or a board member.

If you’re sitting there thinking that building all of these habits into your team’s culture feels overwhelming, I get it. In that case, start small — pick one of the four habits and focus on getting your team to execute on that.

For example, maybe you have a retention issue because the work isn’t interesting or analysts feel like they aren’t learning. So focus on finding more training opportunities for analysts to flex their detection muscles and have fun doing what they love.

Find little ways to keep your security nerds happy and you’ll have an engaged, talented and all-around awesome team.