Episode 37

Sony’s Charles Anderson on How to Manage Detections and Risk Across a Global Company

Managing the global SOC for a company as big as Sony has its challenges — specifically in that there's no one-size-fits-all solution to detection at scale. But as Charles Anderson, Director, Global SOC at Sony, explains in our newest podcast episode, they've figured out some best approaches and practices to mitigate risk across the organization.

Here are the top takeaways:

  • Use metadata to improve risk-based alerting. Sony's SOC takes a layered approach to alerting, and it also tracks the metadata of each piece of detection content (for example, which kill-chain phase a rule covers). That way the team can look at low-fidelity alerts that would never warrant a ticket on their own and make connections between them, such as seeing sequential kill-chain phases hit on the same asset.
  • In a global company, you may need a more complex approach to tuning. A company as large as Sony needs specialization, so their approach today uses a baseline condition layered with content that has different scopes. This allows for the flexibility they need at scale while also ensuring high-quality detections.
  • Think about your detection content as classification algorithms. Charles says that when you take this approach, you can borrow knowledge from the software engineering industry on how to grade the quality of algorithms. However, your approach should always align with what leadership will care about the most.
  • Track metrics like Time to Detect to help with strategy. Sony tracks Time to Detect for every piece of detection content individually. They do so in order to see the full story of their program and identify where they can make improvements in their approach. Tracking metrics allows for a "fail fast and fix it" approach.
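As an added illustration (not from the episode, and not Sony's tooling), here is a small Python sketch of the first, third and fourth takeaways together: per-rule metadata drives a risk score that rewards kill-chain progression on one host, and each rule is then graded like a classifier by its precision and its Time to Detect. Rule ids, weights, hosts, alerts and analyst dispositions are all constructed for the example.

```python
from collections import defaultdict
# Kill-chain phases in order; a later phase after an earlier one is the signal.
PHASE_RANK = {p: i for i, p in enumerate(
    ["recon", "delivery", "exploitation", "installation", "c2", "actions"])}
# Detection-content metadata (constructed; rule ids and weights hypothetical).
DETECTIONS = {"D-101": {"phase": "delivery", "weight": 10},
              "D-205": {"phase": "exploitation", "weight": 15},
              "D-310": {"phase": "c2", "weight": 20}}
# Constructed low-fidelity alerts; none alone would justify escalation.
ALERTS = [{"ts": 1, "host": "ws-17", "rule": "D-101"},
          {"ts": 2, "host": "ws-17", "rule": "D-205"},
          {"ts": 5, "host": "ws-17", "rule": "D-310"},
          {"ts": 3, "host": "ws-42", "rule": "D-101"},
          {"ts": 4, "host": "ws-42", "rule": "D-101"}]
SEQUENCE_BONUS = 25  # added each time a host advances to a later phase

def risk_scores(alerts, detections, threshold=50):
    """Per-host risk = sum of rule weights + kill-chain progression bonus."""
    by_host = defaultdict(list)
    for a in sorted(alerts, key=lambda a: a["ts"]):
        by_host[a["host"]].append(a)
    result = {}
    for host, seq in by_host.items():
        score, highest = 0, -1
        for a in seq:
            meta = detections[a["rule"]]
            score += meta["weight"]
            rank = PHASE_RANK[meta["phase"]]
            if highest >= 0 and rank > highest:  # progressed down the chain
                score += SEQUENCE_BONUS
            highest = max(highest, rank)
        result[host] = (score, score >= threshold)  # escalate above threshold
    return result

# Constructed analyst dispositions: (rule, event_ts, alert_ts, true_positive).
OUTCOMES = [("D-101", 0, 1, True), ("D-101", 2, 3, False),
            ("D-101", 3, 4, False), ("D-310", 1, 5, True)]

def grade_detections(outcomes):
    """Per-rule precision (rule as classifier) and mean Time to Detect."""
    tp, fp, ttd = defaultdict(int), defaultdict(int), defaultdict(list)
    for rule, event_ts, alert_ts, is_tp in outcomes:
        if is_tp:
            tp[rule] += 1
            ttd[rule].append(alert_ts - event_ts)  # detection latency
        else:
            fp[rule] += 1
    return {r: {"precision": tp[r] / (tp[r] + fp[r]),
                "mean_ttd": sum(ttd[r]) / len(ttd[r]) if ttd[r] else None}
            for r in set(tp) | set(fp)}
```

Here ws-17 crosses the threshold only because three individually weak alerts walk down the chain in order, while ws-42 repeating the same phase does not; the grading output is what a "fail fast and fix it" review would look at per rule.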
