The proverbial sun does not set inside the world of a security operations center (SOC). Unfortunately, attackers do not work according to a traditional workday. An attacker does not call it quits because the clock has hit 6 PM wherever you are. Network penetration tools and brute force tools can run around the clock without anyone stopping them or monitoring them. So how do you as a cybersecurity professional defend against a foe that has more free time than you and can work whenever they want?
The traditional “follow the sun” model is a type of global workflow in which incidents can be handled by and passed between incident response teams in different time zones, increasing the manpower that can be dedicated to a specific incident. It was developed so that cybersecurity teams could provide around-the-clock customer service, literally following the sun around the globe, ensuring that teams are at their peak performance times while dealing with an incident. If the sun is shining over a region, be it New York, Paris, Beijing, or Sydney, business is being conducted there. Wherever business is being conducted, you can expect that some attacker is trying to penetrate that company’s network to steal its data or perform some other type of malicious activity.
In the early days of follow the sun, it was thought that only cybersecurity teams at enterprise companies could follow this approach. Enterprise companies were thought to have larger resources and offices around the globe that were already in place to support a follow the sun model. However, with the advent of MSSPs, it has become much easier for any company to work within a follow the sun model. Additionally, the processes that IT teams have already built out provide a fantastic framework for follow the sun.
Getting Started
Before you can successfully embark on a follow the sun model, you need to ensure that your SOC team possesses the correct soft skill set to work according to this methodology. Additionally, your team will need to learn how to follow processes that work according to the follow the sun model. If you are considering moving to a follow the sun model, you should ask yourself the following questions:
- Are your security tools and network equipped to be accessed remotely?
- How complicated are the incidents that you will be handing over?
- Where will global security teams be located?
- How will incidents be handed over?
- What times will the handover be happening?
Once you have figured out the answers to these questions, it’s time to start training. In order to be truly effective when using a follow the sun model, your team has to know how to be on the same page at all times, even when they are not working. You need to work in a training environment that allows for a follow the sun model to exist. Your training platform should include complex networks like your team sees every single day. Additionally, if possible, you should be working with the same toolset or at least a very similar toolset so that all your teams know how to work with those security tools. Finally, your team should be working against real-world simulated attacks so that they are used to the length of time and the multiple handovers that will need to happen during a critical incident.
Within your training system, there should be a handover application that allows your team to practice their handover methodologies and processes. The handover application could be as simple as an IRC chat tool or may include more complex project management systems. We have found over the course of our training that it is generally a combination of your event management system and IRC chat that makes up the toolset. The tools alone will not ensure that your team is prepared to work in a follow the sun model. Complete buy-in from the entire team will ensure that they communicate clearly and log their evidence properly, so that it is clear where the next analyst needs to pick up the investigation and remediation process.
There are also teams that use a different sort of follow the sun model. There are times, even during a critical incident, when you are not looking for the person who is in the right time zone. Rather, you would be looking for the right person to handle each incident. For example, if you have someone who is particularly skilled at performing forensic analysis on network logs, you may want that specific analyst to handle the incident. In this case, you should ensure that during training sessions the specific analyst involved is logged into the training platform, so that once the incident is discovered it can be immediately passed over to them. This should mirror how your process would proceed in real life, assigning the best talent to the incidents that are most appropriate for them.
A follow the sun model can be extremely effective when dealing with any incident that is occurring on your network. The model gives you increased flexibility when it comes to handling incidents, increased performance ensuring that team members are working at the appropriate hours of the day for them, and assures 24-hour coverage for your network. Just be sure that when you move to a follow the sun model, you have the appropriate training mechanisms, like a cyber range, available so that you can ensure success for your cybersecurity team.