ThetaPoint Blog

Security Reference Architecture - Process - Analysis Workflow

Your SOC’s analysis workflows mitigate most of the risks from intelligent actors. They also comprise your front-line staff’s most frequently executed work. As we stated in our framework overview, most analyses will not result in actionable findings. However, this underscores the need for high-quality alerts and quickly moving on from non-actionable events. We have split the main analytical workload into two core processes – one that makes sense out of alerts (Triage), and one that creates the logic for generating alerts (Use Case Development). We lift these two processes out of the typical investigation loop to…

Security Reference Architecture - People

Many organizations struggle to identify, hire, and retain qualified security personnel. Because of this challenge, we often see organizations reducing their standards, leading to individuals who are ill-suited for their responsibilities or trapped with no opportunity for career progression. Because so many organizations are seeking the same types of skillsets, adding too many requirements to the position can limit your search. In addition, promoting from within and from the wrong skillsets can pigeonhole you and your staff for years to come. In some scenarios, your talent pool can become insufficient and unbalanced: heavy in some skill areas, light in others, and…

Security Reference Architecture - Technology

ThetaPoint’s Security Reference Architecture has abstracted the Security Operations Center’s (SOC) technology stack into four simple buckets: These categories focus on the critical services that the SOC performs. Many proprietary tools provide more than one of these services, but since vendor independence is one of our overarching goals, this division allows us to focus on the key features needed to support our production use cases. This simplified stack helps frame discussions about organizational responsibilities in the context of supporting the SOC as well as how the SOC can leverage parts of the enterprise technology stack to…

Security Reference Architecture - Framework Overview

Framework Overview

The challenge of running an effective Security Operations Center far outweighs the effort to build one. This difficulty stems from the fact that the organization will be operating for far longer than the time needed for its implementation, and that the decision points are both more numerous and unanticipated. There are plenty of sources for guidance to help mitigate the effort, but this advice often comes in the form of consensus-driven control frameworks and abstract guidelines. While important, for this post we will assume that you already have a solid foundational understanding of these controls. We have repeatedly…

Introduction: ThetaPoint Security Reference Architecture

The Primary Function of Security Operations Has Been Subverted

The Security Operations Center (SOC) provides two major enterprise services:

- Situation Awareness (SA) for enterprise systems in the Cyber Domain
- Incident Response (IR) for events that require intervention

For the last 20 years, innovation in the Security Information and Event Management (SIEM) product space has largely dictated the evolution of how these two services are supported. Over this time, the products have also shaped perspective on how to effectively perform these enterprise services. This influence on perspective has only increased as products have added more sophisticated features to meet more complex requirements. …