Lessons Learned from the Microsoft SOC

By John Dellinger, Executive Security Advisor, Microsoft

With trillions of cyber threats in daily circulation, Security Operations Centers (SOCs) must be fast and accurate for detection and response. Everything in the SOC should be oriented toward limiting the time and access attackers have to the organization’s assets in an attack to mitigate business risk. This ultimately increases the attacker’s cost and decreases the benefit, damaging their return on investment (ROI) and motivation for attacking your organization.

Like all things in security, the Microsoft SOC has evolved considerably over the years and will continue to evolve. Our SOC has sustained a 100+ percent growth in security incidents handled over a three to four year timeframe with a nearly flat staffing level. At Microsoft, we organized our SOC into specialized teams, allowing them to better develop and apply deep expertise, which supports the overall goals of reducing time to acknowledge and remediate threats.

We use a “fusion center” model with a shared operating floor — our Cyber Defense Operations Center (CDOC) — to increase collaboration and facilitate rapid communication among these teams. CDOC brings together security response experts from across the company to help protect, detect, and respond to threats in real-time. Staffed with dedicated teams 24×7, the CDOC has direct access to thousands of security professionals, data scientists, and product engineers throughout Microsoft to ensure rapid response and resolution to security threats. Our Detection and Response Team (DART) further helps our customers respond to major incidents.

Aside from how we’ve organized the Microsoft SOC, we’ve also been able to successfully attract, retain and empower our SOC analysts to do their best work and avoid burnout. We’ve incorporated some lessons learned from “the trenches” that can help improve your overall SOC.

Focus on Your People & Invest in Them

A SOC analyst is a high-stress job. At Microsoft, our SOCs bear not just the responsibility of reducing risk to our employees and investors, but also the weight of the trust that millions of customers accessing our cloud services and products put in us. We believe that people are the most valuable asset in the SOC – their experience, skill, insight, creativity and resourcefulness are what make our SOC effective. Our SOC management team spends a lot of time thinking about how to ensure our people are set up with what they need to succeed, stay engaged and enjoy their jobs. We have a three-tiered SOC analyst model that not only organizes the work of the SOC, but also guides our analysts in building their knowledge and skills and shapes their careers with increasing levels of skills and different challenges.

Recruiting people and developing their skills is one of the most critical aspects of the SOC’s success. The biggest challenges in this space are the scarcity of people with the right skill sets, the speed at which skill sets must evolve, the potential for analyst burnout, and the need to blend diverse skills and perspectives to address both the human and technical aspects of attacks. This is why it’s critical to promote from within and stay focused on people development.

Build a Strong SOC Culture

A significant problem for many SOC analysts is alert fatigue and burnout, which is why focusing on a strong SOC culture is just as important as the individuals you hire, the tools you use and automation. Our biggest recommendation for the SOC organization is to define the culture you want first, as this will shape your team and attract the talent you want.

At Microsoft, our cultural elements are very much focused on people, teamwork and continuous learning and include these learnings:

• Use your human talent wisely – Since our people are the most valuable asset we have in the SOC, we can’t afford to waste their time on repetitive, thoughtless tasks that can be automated. To combat the human threats we face, we need knowledgeable and well-equipped humans that can apply expertise, judgment, and creative thinking. This human factor affects almost every aspect of SOC operations including the role of tools and automation to empower humans to do more, and in reducing toil on our analysts.
• Teamwork – At Microsoft, we’ve learned that we can’t tolerate the “lone hero” mindset in the SOC, meaning nobody is as smart as all of us together. Teamwork makes a high-pressure working environment like the SOC much more fun, enjoyable, and productive when everyone knows they’re on the same team and everyone has each other’s back. We design our processes and tools to divide tasks into specialties and encourage people to share insights, coordinate and check each other’s work, and constantly learn from each other.
• Adopt a “shift left” mindset – To stay ahead of cybercriminals and hackers who constantly evolve their techniques, we must continuously improve and shift our activities to the left in the attack timeline. We focus on speed and efficiency to try and get “faster than the speed of attack” by looking at ways we could have detected attacks earlier and responded more quickly. This principle effectively applies a continuous learning “growth mindset” to keep the team laser-focused on reducing risk for our organization and our customers.

Empower Your SOC Team with Automation

Rapidly sorting out the signal (real detections) from the noise (false positives) in the SOC requires investing in both humans and automation. We strongly believe in the power of automation and technology to reduce human toil, but ultimately, we’re dealing with human attack operators so as a result, human judgment is critical to the process.

In the Microsoft SOC, automation is not about using efficiency to remove humans from the process — it is all about empowering humans. We continuously think about how we can automate repetitive tasks from the analyst’s job, so they can focus on the complex problems that people are uniquely able to solve. When repetitive (and sometimes boring) work is automated, analysts can apply more of their creative minds and energy to solving the new problems that attackers present to them and proactively hunt for attackers that got past the first lines of defense.

To learn more about Microsoft’s SOC and how to build and operate great SOC teams, please read our full whitepaper, Lessons learned from the Microsoft SOC: Organization, People, and Technology.