The Hierarchy of SOC Needs


Figure: Muller's Hierarchy of SOC Needs

“We should really do some threat hunting more regularly.” How often have you heard SecOps teams say something like this - not just once, but quarter after quarter? It’s a common lament from teams that are frequently overwhelmed with alerts and triage tasks. They’d love to get to a more proactive posture - right after they triage “just one more alert” that’s about to go out of SLA. 

Look, I get it. When there’s a blinking red notification in your face, tight SLAs that are on the brink of violation, and a seemingly endless queue of alerts to triage, it’s really difficult to think about anything else. You’re stuck at the foundation of the Hierarchy of SOC Needs. 

It’s no coincidence that this is where most SOC tooling vendors focus as well. The pain of alerts drowns out just about every other need and desire to focus on more proactive tasks. But what happens once you begin to wrangle the alert queue more effectively? What does the rest of the hierarchy look like?

Alert Management

Nobody wants to be responsible for missing “the big one”: the alert that indicates some massive security incident or ransomware event is about to kick off. As a result, SOCs frequently fall into the trap of responding to alerts above any other activity, without considering a crucial factor: their alert budget. 

An alert budget is simply the amount of time available to perform triage tasks, divided by the amount of time it takes to triage a single alert. If you have one person doing triage for 8 hours per day, and each alert takes 15 minutes to investigate and triage, your daily alert budget is 32 alerts. 

There are only three ways you can stay within an alert budget:

  • Increase the number of resources that are triaging alerts
  • Decrease the amount of time it takes to do triage
  • Decrease the number of alerts that need triaging

Strategies for staying within your alert budget are left as an exercise to the reader (and maybe a future blog post). But for the sake of the team’s long-term health and success, it’s vital.

Detection Coverage

When your alert queue is within budget, your team will finally have the time to optimize detection coverage. This isn’t just about throwing more alerts into your queue - remember, we still need to stay within budget. Instead, it’s about being able to ask questions like:

  • Does our detection coverage accurately reflect our crown jewels, or are we disproportionately monitoring peripheral systems that have minimal business impact?
  • What’s our ratio of critical to low-severity alerts? Are we spending too much of our alert budget on detections that don’t make a big difference?
  • What’s our biggest source of false positives? Can we do anything to improve the quality of those detections?
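To make the alert budget above and these coverage questions concrete, here is an added example (not from the original post) that models a constructed rule set: it checks daily triage demand against analyst capacity, shows how much of the budget each severity consumes, and names the detection that burns the most time on false positives. Rule names, volumes and rates are invented sample values.

```python
from dataclasses import dataclass

@dataclass
class Detection:
    name: str
    severity: str                # critical / high / medium / low
    alerts_per_day: float        # constructed sample volume
    triage_minutes: float        # average time to investigate and close one alert
    false_positive_rate: float   # fraction of alerts closed as benign

# Constructed sample rule set, not from any real environment.
SAMPLE_DETECTIONS = [
    Detection("vendor: suspicious PowerShell", "low", 40, 10, 0.95),
    Detection("impossible travel", "medium", 12, 15, 0.60),
    Detection("login from known OTP phishing kit", "high", 4, 30, 0.25),
    Detection("shadow copy deletion", "critical", 1, 45, 0.10),
]

def alert_budget(analysts, hours_per_analyst, minutes_per_alert):
    """Alerts the team can triage per day: available triage minutes / minutes per alert."""
    return analysts * hours_per_analyst * 60 / minutes_per_alert

def budget_report(detections, analysts, hours_per_analyst):
    """Compare daily triage demand against capacity and show where the budget goes."""
    capacity = analysts * hours_per_analyst * 60
    demand = {d.name: d.alerts_per_day * d.triage_minutes for d in detections}
    total = sum(demand.values())
    by_severity = {}
    for d in detections:
        by_severity[d.severity] = by_severity.get(d.severity, 0.0) + demand[d.name]
    # Minutes spent triaging alerts that turn out to be benign, per detection.
    fp_minutes = {d.name: demand[d.name] * d.false_positive_rate for d in detections}
    return {
        "capacity_minutes": capacity,
        "demand_minutes": total,
        "within_budget": total <= capacity,
        "severity_share": {s: round(m / total, 2) for s, m in by_severity.items()},
        "biggest_fp_source": max(fp_minutes, key=fp_minutes.get),
        "fp_minutes": fp_minutes,
    }

if __name__ == "__main__":
    print("budget at 15 min/alert, one analyst:", alert_budget(1, 8, 15))
    print(budget_report(SAMPLE_DETECTIONS, analysts=1, hours_per_analyst=8))
```

With one analyst the sample set runs 745 minutes of triage against 480 available, and over half of that goes to a single low-severity vendor rule that is almost always benign: the three levers (more people, faster triage, fewer alerts) can each be tested by changing the inputs.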

Management always wants to know: do we have monitoring in place for critical systems? Do we have attack coverage? When the team’s time isn’t solely dedicated to alerts, the answer can more frequently become “yes!”

Threat Awareness

Even with a dedicated threat intelligence team, taking an intelligence-informed approach to finding and stopping adversaries is a significant effort. Being able to prioritize detection coverage and alerts using threat intelligence requires a thoughtful approach that is at odds with rapidly increasing detection coverage, or ensuring that a zero day doesn’t slip through the cracks in our alerting. 

If you have a dedicated threat intelligence team, great! Now is a perfect time to start building a deeper partnership with them to turn their understanding of threats in the ecosystem into actionable detections that become higher-signal alerts. Of course, even if you don’t have a dedicated team, you can still allocate some time to understanding the threat landscape yourself, now that your entire day doesn’t solely consist of triaging alerts.

Ultimately, your alert budget is kind of like a diet: you will get very different outcomes eating 2,000 calories per day of junk food vs. 2,000 calories of nutritious food. I will gladly swap out a generic vendor-provided alert for a threat-informed detection any day of the week.

Threat Discovery

As you begin to take a threat-informed approach to building detections, you’ll start to notice something: not all intel makes a valuable detection. Some of it is useful but too low-signal to afford adding it to our alert budget. This is where we can start taking advantage of threat hunts and retrohunts.

Retrohunts are easy to implement and automate. If you get a threat intelligence report that indicates “X domain or IP was actively controlled by a threat actor over Y period of time,” it’s trivial to quickly search your historical data for relevant hits during that period. 
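As an added example (not part of the original post), the retrohunt described above over a handful of constructed proxy/DNS events: each indicator carries the window during which the report says the infrastructure was actor-controlled, and only sightings inside that window count as hits. It goes slightly beyond the text by also accepting a CIDR range and matching subdomains of a reported domain. All indicators, hostnames and log lines are invented sample data.

```python
import json
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed indicators in the shape of a report saying "X was actor-controlled over Y period".
INDICATORS = [
    {"type": "domain", "value": "update-cdn.example",
     "valid_from": "2024-03-01T00:00:00Z", "valid_to": "2024-03-15T00:00:00Z"},
    {"type": "ip", "value": "203.0.113.0/24",
     "valid_from": "2024-03-08T00:00:00Z", "valid_to": "2024-03-12T00:00:00Z"},
]

# Constructed proxy/DNS events (JSON lines), not from any real system.
SAMPLE_LOGS = [
    '{"ts": "2024-02-20T09:00:00Z", "src": "wkstn-04", "dst_host": "update-cdn.example"}',
    '{"ts": "2024-03-05T14:30:00Z", "src": "wkstn-17", "dst_host": "cdn.update-cdn.example."}',
    '{"ts": "2024-03-10T02:15:00Z", "src": "srv-db-02", "dst_ip": "203.0.113.7"}',
    '{"ts": "2024-04-01T11:00:00Z", "src": "wkstn-09", "dst_ip": "203.0.113.7"}',
    '{"ts": "2024-03-10T08:45:00Z", "src": "wkstn-21", "dst_ip": "198.51.100.5"}',
]

def parse_ts(s):
    """Parse an ISO-8601 UTC timestamp with a trailing 'Z' into an aware datetime."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))

def matches(indicator, event):
    """Domain indicators hit the host itself or any subdomain; IP indicators hit an address or CIDR."""
    if indicator["type"] == "domain":
        host = event.get("dst_host", "").lower().rstrip(".")
        value = indicator["value"].lower()
        return host == value or host.endswith("." + value)
    if indicator["type"] == "ip":
        try:
            return ip_address(event.get("dst_ip", "")) in ip_network(indicator["value"], strict=False)
        except ValueError:  # event has no dst_ip, or it is not a valid address
            return False
    return False

def retrohunt(log_lines, indicators):
    """Return sightings of each indicator that fall inside its actor-controlled window."""
    hits = []
    for line in log_lines:
        event = json.loads(line)
        ts = parse_ts(event["ts"])
        for ind in indicators:
            # A sighting outside the window is not evidence: the same domain or IP
            # may have been legitimately used before or after the actor held it.
            in_window = parse_ts(ind["valid_from"]) <= ts < parse_ts(ind["valid_to"])
            if in_window and matches(ind, event):
                hits.append({"ts": event["ts"], "src": event["src"], "indicator": ind["value"]})
    return hits

if __name__ == "__main__":
    for hit in retrohunt(SAMPLE_LOGS, INDICATORS):
        print(hit)
```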

Threat hunting, on the other hand, is much more of a time-intensive art form. Developing a threat hunting hypothesis, investigating the behaviors and data sources that help prove or disprove the hypothesis, and documenting the outcomes mean that teams who are exceeding their alert budgets simply don’t have the bandwidth to implement threat hunting at scale. 

Posture Improvement

This is the nirvana state for a SecOps team. Imagine a world where all your alerts, incidents, detections, and threat intelligence actually made a data-driven case for improving the security of the business. For example, what if rather than constantly battling incidents resulting from stolen OTP tokens, incident data drove the business to switch to hardware-based MFA or Passkeys? 

When we’re stuck in the weeds of alerts and day-to-day incident response, it’s really hard to think about connecting the data points we see every day to insights that can change the way we do business. But this, ultimately, is the true power of the SOC team: to inform the business about where it can make smarter risk decisions based on the real-world impact of its current risk posture. 

In Conclusion

Having the ability to move up the Hierarchy of SOC Needs doesn’t mean that the SOC mission has changed: it’s still very much about finding and stopping bad actors as fast as possible. However, it does mean that teams who are able to move beyond alert management are going to be able to take a much more proactive approach to defense. And isn’t empowering our defenders ultimately the goal?
