Why every modern SOC needs a dedicated Vulnerability Operations Center (VOC)
The fundamentals of a VOC
Most cybersecurity strategies today have a short-term, reactive focus, putting emphasis on detecting and chasing down the latest vulnerabilities. However, we often forget there is backlog of historic vulnerabilities enabling most of the cyberattacks pummeling organizations. Over 76% of vulnerabilities being exploited by ransomware gangs were discovered more than three years ago! Something isn’t working.
The answer lies in a more centralized, automated, and risk-based approach to managing vulnerabilities. (Analysts call it a paradigm shift, I call it common sense.) The shortest, most effective route to achieving this “shift” is through a dedicated Vulnerability Operations Center (VOC). Think of a VOC as an integrated operational center within – or alongside – your SOC that exclusively focuses on the prevention, detection, analysis, prioritization, and remediation of security flaws impacting your IT environment. While a SOC manages alerts and incidents, a VOC manages vulnerability data and creates rules to fix them before they turn into full-blown incidents. Imagine squashing ransomware well before you get to the ransom part.
VP of Strategy, Hackuity.
How do you link your existing SOC to your future VOC?
Linking your SOC to your VOC is crucial to ensuring a seamless flow of actionable intelligence about vulnerabilities directly into the threat response mechanism. Primarily, an organization should appoint a specific team or unit dedicated to establishing and setting up the VOC, which the CISO or other security project leaders will oversee. Establishing a VOC is an operational activity and should be treated as a SecOps project. It extends across various segments of an organization, so CISOs must clearly define responsibility and accountability.
The project's first step should be to use your vulnerability assessment tools to establish a baseline of the current security posture by assessing the existing vulnerabilities across the organization’s assets. From there, aggregate, deduplicate, and normalize all vulnerability data to create a clear and actionable dataset. The SOC can then integrate this dataset into its security information and event management (SIEM) systems for enhanced visibility and context of security events.
Next, transition from technical vulnerability assessment to risk-based prioritization by evaluating how each vulnerability impacts the business. Identify tasks within the SOC that can be automated, such as routine vulnerability scans, alert prioritization, as well as patch management and deployment. Implement automation tools that can harness the VOC’s aggregated data to streamline SOC operations, ensuring that analysts spend their time on tasks that require human judgment, doing what machines cannot.
From there, it’s all about continuous improvement and adaptation. As the VOC identifies new vulnerabilities and trends, the SOC should adapt its monitoring and response strategies accordingly. Establish feedback loops between the SOC and VOC to ensure that the SOC’s threat intelligence is up to date, and that the VOC team is aware of how the current threat landscape affects your specific organization.
Define your policies
A seamless integration between the VOC and SOC requires a comprehensive policy and governance framework. Security teams will need to define schedules, rules, SLAs on when certain vulnerabilities will be fixed.
Are you a pro? Subscribe to our newsletter
Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!
It's also critical to formalize policies that classify particular types of vulnerabilities as actionable incidents to streamline the response process. Take, for instance, a high-profile vulnerability like Log4j, which garners significant attention due to its widespread exploitability. In such cases, it's imperative to have a policy in place that mandates an immediate notification to SOC teams whenever a Log4j vulnerability is detected by the VOC. This ensures it's escalated as an incident without delay, signifying the urgency and importance of a rapid and coordinated response to protect the organization’s assets.
Setting up a VOC might seem like a complex project, but it’s an indispensable step toward solving the vulnerability chaos cyber teams are facing. It’s also a heck of a lot simpler than the reactive patchwork of systems and processes we’re currently relying on. VOCs can help organizations integrate effective risk-based vulnerability management workflows across the IT production teams, AppSec teams, and the entire SOC itself. Implementing one starts by refusing the security juggling act we’re all being asked to perform.
We list the best network monitoring tool.
This article was produced as part of TechRadarPro's Expert Insights channel where we feature the best and brightest minds in the technology industry today. The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc. If you are interested in contributing find out more here: https://www.techradar.com/news/submit-your-story-to-techradar-pro
Sylvain Cortes, VP of Strategy, Hackuity.