We’re excited to announce our latest research on vulnerability risk management (VRM) and security operations center (SOC) teams. VRM and SOC teams are pivotal parts of the security organization, with different responsibilities but shared challenges. When Allie and I kicked off our research on interlocks between these teams earlier this year, we weren’t sure what we would find. We shepherded captivating interviews, held long debates, and penned pages of notes. The result of that research is a fresh perspective on how VRM teams can enhance collaboration with the SOC and where they must slice through red tape so that they can achieve their common objective of stopping and mitigating breaches.
As opposed to listing the differences in roles and responsibilities between the VRM and SOC teams, our research defined these underlying doctrines for the team members:
- VRM analysts are proactive, focusing on finding, prioritizing, and closing vulnerabilities.
- SOC analysts are reactive, focusing on detecting and responding to active attacks.
- Threat hunters are proactive, focusing on finding attacks that have yet to be detected.
We expect these doctrines to evolve as threats change and supporting technologies (such as endpoint detection and response; security information and event management; vulnerability threat intelligence; and attack surface management) become more integrated. As SOC teams optimize their tools and processes, they’ll be able to take advantage of the context provided by VRM. As VRM teams speed up reaction times to new threat intelligence, improve responses to active exploits, and slowly adopt remediation automation capabilities, they’ll begin to blur the line of proactive versus reactive as they prioritize and remediate vulnerabilities.
We recommend that organizations focus on enhancing SOC and VRM collaboration in three core areas:
- Incident response. SOC teams can calibrate responses with knowledge of systems that are most vulnerable and of which assets are the most important.
- Remediation prioritization. VRM teams can fine-tune risk calculations with context from the SOC as to which systems and vulnerabilities are being exploited.
- Critical vulnerability response. Both teams can apply analyst experience to better discover, explore, classify, determine, and execute their approach to high-profile vulnerability-related incidents, such as Log4j.
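The first two areas above describe one feedback loop from two sides: VRM folds SOC exploitation evidence into its risk calculation, and the SOC folds VRM's asset criticality and exposure data into its response priority. The following Python is an added illustration of that loop, not code from the research or from any vendor product. All hosts, CVE identifiers, CVSS values and SOC detections in it are constructed sample data; the weights in `risk_score` and the P1/P2/P3 thresholds in `incident_priority` are assumptions chosen to make the interplay visible, not recommended values.

```python
"""Two-way VRM/SOC context sharing, shown as a small remediation and triage model.

Added example with constructed data; every identifier below is a placeholder.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Asset:
    host: str
    criticality: int  # 1 (low) .. 5 (crown jewel), owned by VRM / asset inventory


@dataclass
class Finding:
    host: str
    cve: str               # constructed placeholder, e.g. "CVE-2099-0001"
    cvss: float            # base severity 0..10
    exploit_available: bool  # from vulnerability threat intelligence


@dataclass
class SocSignal:
    host: str
    cve: Optional[str]  # None when exploitation was seen but not attributed to a CVE
    stage: str          # "attempt" (blocked/probed) or "success" (confirmed exploitation)


def risk_score(f: Finding, asset: Asset, signals: List[SocSignal]) -> float:
    """VRM side: base severity weighted by asset value, then boosted by SOC evidence."""
    score = f.cvss * asset.criticality          # 0..50 before boosts
    if f.exploit_available:
        score *= 1.5                            # public exploit: assumed weight
    for s in signals:
        # A signal applies if it names this CVE, or is unattributed but on this host.
        if s.host == f.host and (s.cve is None or s.cve == f.cve):
            score *= 3.0 if s.stage == "success" else 2.0  # assumed weights
            break
    return round(score, 1)


def prioritize(findings: List[Finding], assets: List[Asset],
               signals: List[SocSignal]) -> List[Tuple[float, Finding]]:
    """Return findings ordered for remediation, highest risk first."""
    by_host = {a.host: a for a in assets}
    ranked = [(risk_score(f, by_host[f.host], signals), f) for f in findings]
    ranked.sort(key=lambda t: t[0], reverse=True)
    return ranked


def incident_priority(signal: SocSignal, assets: List[Asset],
                      findings: List[Finding]) -> str:
    """SOC side: calibrate response with VRM's asset criticality and known exposure."""
    asset = next(a for a in assets if a.host == signal.host)
    exposed = [f for f in findings
               if f.host == signal.host and (signal.cve is None or f.cve == signal.cve)]
    if asset.criticality >= 4 and exposed:
        return "P1"   # critical asset with a matching open vulnerability
    if exposed:
        return "P2"   # low-value asset, but the attacked weakness is confirmed present
    return "P3"       # no matching finding: possible false positive or unknown exposure


# Constructed sample data for this example only.
ASSETS = [Asset("web-01", 5), Asset("lab-07", 1), Asset("db-02", 4)]
FINDINGS = [
    Finding("web-01", "CVE-2099-0001", 9.8, True),
    Finding("lab-07", "CVE-2099-0001", 9.8, True),
    Finding("db-02", "CVE-2099-0002", 7.5, False),
]
SIGNALS = [
    SocSignal("lab-07", "CVE-2099-0001", "attempt"),
    SocSignal("db-02", None, "success"),
]

if __name__ == "__main__":
    for score, f in prioritize(FINDINGS, ASSETS, SIGNALS):
        print(f"{score:6.1f}  {f.host:8s} {f.cve}")
    for s in SIGNALS:
        print(s.host, s.stage, "->", incident_priority(s, ASSETS, FINDINGS))
```

With this data the db-02 finding (CVSS 7.5, no public exploit) ranks above the CVSS 9.8 finding on web-01 because the SOC has confirmed successful exploitation there, which is exactly the context a VRM team cannot see from scanner output alone. In the other direction, the same unattributed db-02 signal becomes a P1 for the SOC once VRM's inventory shows it is a criticality-4 asset with an open finding, while the identical CVE attempt against the lab host stays at P2.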