
Remote Security Operations Centers: 7 Key Learnings

Author: Jon Hencinski, director of SecOps, Expel

Like many other businesses, we moved to 100 percent remote work as a company earlier this year. That included our 24x7 SOC. Expel’s CEO and co-founder, Merk, shared his thoughts on some of the things he witnessed during our shift to an all remote workforce, but I wanted to share some of the changes we made to keep our SOC highly effective in this new setup.

Security operations is a team sport at Expel. One of our SOC guiding principles is this: teamwork makes the dream work. It’s simple: great outcomes happen when people work together.

But as of last week, our SOC analysts are no longer sitting together. It’s a change I knew would require us to adapt a bit. In order to maintain the texture of the team in a completely remote setting, we’d need to commit to a new set of daily habits – seven, in fact – to keep our (remote) SOC highly effective.

To be candid: It’s a big change for us and we’re still adjusting. You may be going through something similar right now too. Or you and your SOC team may consider yourselves veterans of an all-remote setting. That’s great too.

Now we’re all in the same boat.

We’ll share what’s worked for us (so far) and we’d love to hear what’s worked for you too.

1. Prioritize video conferencing

Workplace camaraderie and trust are key ingredients of an effective SOC. Trust brings safety and camaraderie adds a sense of “togetherness.” We trust each other to operate in the best interest of achieving our goal (protecting our customers and helping them improve) and to work with a “we’re in this together” mentality. We need to maintain and nurture these key ingredients in an all-remote setting. But how?

Cue the SOC party line. The SOC party line is the name of our Zoom meeting that’s open 24x7 for the team. Instead of walking onto the SOC floor, our analysts start their day by joining this Zoom meeting. While we’re no longer able to sit next to each other, we can still be with each other. It matters. We’re emulating the texture of the SOC floor by staying connected via Zoom and maintaining our sense of “togetherness.” And yes, there’s an endless pursuit to find a funny Zoom virtual background.

(Side note: Security is serious business. We have the privilege of helping organizations manage risk. We take our work very seriously but don’t take ourselves too seriously. It’s okay to find the bad guys and have fun while doing it.)

2. When in pursuit: To the breakout room!

While our 24x7 Zoom meeting, aka the SOC party line, emulates the SOC floor and brings us together, pursuing threats and coordinating response in this main Zoom meeting wouldn’t yield the precise, coordinated response we’re seeking. Too many cooks in the kitchen.

Instead, as work enters the system and the team spots activity that warrants investigation or follow-up, the lead investigator spins up a Zoom breakout room and invites the necessary resources required to run the item to ground.

As an individual contributor you’re provided with a virtual conference room with a clear goal and objective. As a manager, you have a clear understanding of current utilization based on the number of folks in the main Zoom room versus breakout rooms. You’re enabling a highly coordinated response and have a clear line of sight on capacity. A win-win.

3. Emphasize empathy

Empathy is a core competency for leaders. I personally believe that no other skill makes a bigger difference than empathy when it comes to leadership. Simon Sinek agrees with me on this one. And now more than ever, during these stressful times, we need to emphasize empathy. We’re all going through something significant right now. It’s okay to acknowledge that and talk about it with one another.

As a SOC management team, we’re spending more time with our people, not less. And most of our 1:1s right now are centered around how our folks are doing and what else we could be doing to set them up for success in this all-remote setting. We listen really hard and most importantly we let them know we’ve got their back.

Pro tip: Empathy builds trust. And as you already know, trust is a key ingredient to an effective SOC.

4. Be transparent about quality

We’re doing everything we can to make our shift to a remote SOC seamless for the team. But we’re also being super transparent about the quality of our work output. Has our quality gone down as a result of this change?

I wrote about our SOC quality program in a previous post, but as a quick recap: we use a quality control (QC) standard, Acceptable Quality Limit (AQL) sampling, to tell us how many alerts and incidents we should review each day. We then randomly select that number of alerts, investigations and incidents and review each one against a check sheet. We send the results to the team using a Slack workflow.

Here’s an example:

Reviewing the results with the team lets us know how we’re doing. It lets us know where we’re having problems so we can adjust and improve. And no, we never expect perfection.
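To make the sampling-and-check-sheet loop concrete, here is an added example in Python. It is not Expel’s tooling or Expel’s numbers: the sample-size table only borrows the shape of the ISO 2859-1 single-sampling scheme that AQL comes from, the check-sheet questions are hypothetical stand-ins, the acceptance number is a parameter the caller supplies from whatever table they use, and the day’s alert records are constructed inline.

```python
import random
from typing import Callable, Dict, List

# Illustrative sample-size table: (max lot size, items to review). The break
# points follow the shape of the ISO 2859-1 general inspection level II table,
# but the figures are assumptions for this example, not a SOC's real QC plan.
SAMPLE_SIZE_TABLE = [
    (8, 2), (15, 3), (25, 5), (50, 8), (90, 13), (150, 20),
    (280, 32), (500, 50), (1200, 80), (3200, 125),
]
MAX_SAMPLE = 200  # assumed ceiling for lots larger than the table covers

# Check sheet: each question is a predicate over one closed alert record.
# These three questions are hypothetical; substitute your own check sheet.
CHECK_SHEET: Dict[str, Callable[[dict], bool]] = {
    "correct_verdict": lambda a: a["analyst_verdict"] == a["reviewer_verdict"],
    "evidence_attached": lambda a: len(a["evidence"]) > 0,
    "closed_within_sla": lambda a: a["minutes_to_close"] <= a["sla_minutes"],
}


def sample_size(lot_size: int) -> int:
    """How many items to pull from a lot of `lot_size` closed alerts."""
    if lot_size <= 0:
        return 0
    for upper, n in SAMPLE_SIZE_TABLE:
        if lot_size <= upper:
            return min(n, lot_size)
    return min(MAX_SAMPLE, lot_size)


def review_lot(alerts: List[dict], acceptance_number: int, seed: int) -> dict:
    """Randomly sample a day's closed alerts, score each against the check
    sheet, and accept the lot only if failures <= acceptance_number."""
    rng = random.Random(seed)  # seeded so a review can be reproduced later
    n = sample_size(len(alerts))
    sample = rng.sample(alerts, n)
    per_question = {q: 0 for q in CHECK_SHEET}
    failed_ids = []
    for alert in sample:
        misses = [q for q, check in CHECK_SHEET.items() if not check(alert)]
        for q in misses:
            per_question[q] += 1
        if misses:
            failed_ids.append(alert["id"])
    return {
        "lot_size": len(alerts),
        "sample_size": n,
        "failed": len(failed_ids),
        "failed_ids": sorted(failed_ids),
        "per_question": per_question,
        "accepted": len(failed_ids) <= acceptance_number,
    }


def format_slack_summary(result: dict) -> str:
    """Plain-text summary in the shape of a daily QC post to the team."""
    status = "PASS" if result["accepted"] else "NEEDS ATTENTION"
    lines = [
        f"Daily alert QC: {status}",
        f"Reviewed {result['sample_size']} of {result['lot_size']} closed alerts, "
        f"{result['failed']} failed the check sheet.",
    ]
    for q, misses in result["per_question"].items():
        lines.append(f"  - {q}: {misses} miss(es)")
    return "\n".join(lines)


def build_day(defect_ids=(7, 19, 33)) -> List[dict]:
    """Constructed sample data: 60 closed alerts, a few seeded with defects."""
    alerts = []
    for i in range(60):
        alerts.append({
            "id": i,
            "analyst_verdict": "benign",
            "reviewer_verdict": "benign",
            "evidence": ["host_timeline"],
            "minutes_to_close": 12,
            "sla_minutes": 30,
        })
    for i in defect_ids:
        alerts[i]["reviewer_verdict"] = "malicious"  # analyst called it wrong
    if defect_ids:
        alerts[defect_ids[-1]]["evidence"] = []  # ...and left no evidence
    return alerts


if __name__ == "__main__":
    day = review_lot(build_day(), acceptance_number=1, seed=2020)
    print(format_slack_summary(day))
```

Because the sample is random, which of the three seeded defects land in the 13 reviewed alerts depends on the seed; that is the point of the exercise. Over many days the per-question tallies, not any single day’s pass/fail, are what tell you where the team is having trouble.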

5. Over-communicate

This one is a bit obvious but it’s worth stating. Since we’re no longer working alongside each other, effective communication is crucial. And working in an all-remote setup may mean more distractions for some folks, not less.

We’re emphasizing empathy and listening really hard to learn what those distractions are for the team, and we’ve landed on the need to over-communicate. Repeat important messages in team meetings and 1:1s. In our SOC, “I don’t know” or “I’m having difficulty understanding that” is always an acceptable answer to a question. (If you’re not testing for candor in your interview process, you totally should be, by the way.) Bottom line: remote work may mean more distractions. Over-communicate like your team depends on it.

6. Seek out fun

In these stressful times, not only is it okay to have fun … you should seek it out for your team. We’re still finding our way here a bit, but we’ve experimented with happy hours, coffee breaks and book clubs, all over Zoom (don’t worry, we’re always watching). The digital happy hour has been the biggest hit so far, but we’re still coming up with new ideas. If you don’t have Zoom, then Skype, Google Hangouts, FaceTime and Facebook Messenger are all good alternatives. Seeking out fun for your team is a great way to take care of them. You’ll reduce stress and build camaraderie.

7. Test, learn, iterate

Completely remote work may be our new normal for a while. Do I think the adjustments we’ve made are all of the right moves? Nope. But we’ll continue to test new things, learn from our mistakes and iterate our way to an even more successful remote setup. We’re never afraid to ask: Is there a better way to do this? We’re always trying to learn and improve.

Parting words

We’re still getting adjusted to our all-remote setup but we’ve landed on some things that work and wanted to share them with you. We’ll continue to learn and improve, as we always do, but I’d love to hear from you if there are daily habits you and your team practice that make your remote SOC highly effective.

Finally, we’re all going through something significant right now. It’s okay to acknowledge that and talk about it. Emphasize empathy with your team and the people around you. Listen really hard. Prioritize effective communication. Over-communicate. And try to have a little fun while doing it.

Author Jon Hencinski is director of SecOps at Expel.

Sponsored by Expel

Expel is a managed detection and response (MDR) service provider. Expel offers 24×7 detection, response and resilience services to customers.
