

Incident Response

The First Building Block for the SOC of the Future is Data

Data is the lifeblood of security because it provides context from a wide range of internal and external sources

Previously, I discussed the concept of the SOC of the future, with a mission to be a detection and response organization. Entirely new solution categories have emerged to support this mission, including Security Orchestration, Automation and Response (SOAR) and, more recently, Extended Detection and Response (XDR). Thousands of reports, articles and research papers have been written on each. 

As a security professional, it is important to stay informed about security innovations and to update your tools and technologies. But you risk limiting the value of your next security investment if you do not first think about your top use cases and the capabilities needed to address them. Threat detection and monitoring, investigation, incident response and hunting are all use cases aimed at detection and response, and the starting point for each of them is data.

Data is the lifeblood of security because it provides context from a wide range of internal and external sources, including systems, threats, vulnerabilities, identities and more. When security is data-driven, teams have the context to focus on relevant, high-priority issues, make the best decisions and take the right action. Data-driven security also provides a continuous feedback loop that enables teams to capture and use data to improve future analysis. 

A data-driven approach to security challenges earlier process-driven approaches, which try to accelerate response by defining a process and automating the steps needed to complete it. Data-driven security starts instead by analyzing data to determine whether the right criteria are met; only once something meets those criteria is the appropriate process triggered. Automating and orchestrating noisy data just amplifies the noise. In a dynamic and variable environment, the operational reality is that you need to continuously ensure you have the right data to focus on what really matters to your organization, use that data to ensure the right actions are taken faster, and capture feedback from the actions taken so you can improve.

So, how do you help your SOC to focus on data?  

Start by aggregating events and associated indicators from inside your environment, for example from your SIEM, log management repository, endpoint detection and response (EDR) platform, case management system and other security infrastructure. Then correlate this data to connect the dots and understand how events may relate to one another, and automatically augment and enrich it with threat data from the sources you subscribe to: commercial, open source, government, industry and existing security vendors, as well as frameworks like MITRE ATT&CK. Because these sources use different formats and languages, normalizing the data into a common schema is what makes it usable. You can then correlate events and indicators from inside the environment with external data on indicators, adversaries and their methods, contextualizing information from internal systems to understand its relevance to the organization and the who, what, where, when, why and how of an attack.


With an understanding of relevance to your organization, you can determine which data to focus on first and which to keep as peripheral, so you can work efficiently and effectively. Assigning risk scores lets you prioritize data according to your environment and your company-specific risk profile. With parameters you set around source, type, attributes and context, as well as adversary attributes, you can filter out what is noise for your organization and prioritize what really matters. For instance, data from trusted sources about attacks and vulnerabilities specific to your industry and geography, to your business model and supporting infrastructure, or to third parties your organization works with, coupled with sightings of those indicators or vulnerabilities within your environment, requires immediate attention. Once analysis happens and decisions are made, the prioritized data is translated into the format and language that the different tools in your security infrastructure understand, to drive detection, prevention and response.

A data-driven approach comes full circle, delivering feedback that continues to enrich the data. Results of actions taken provide additional context. And priorities, threats, campaigns and vulnerabilities are updated as they evolve, so that data remains dependable. You can learn and adjust to all these dynamics, collecting more data and context throughout the process and analyzing and applying it to update prioritization and scoring for continuous improvement.
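As an added illustration of the aggregate, normalize, enrich, score and feed-back cycle described in the three preceding paragraphs (this is example code written for this page, not ThreatQuotient's product or any vendor's API), the Python below takes constructed events in two native formats (SIEM-style and EDR-style), maps them onto one schema, correlates each indicator with a constructed threat feed, scores it against a constructed organizational risk profile, and then adjusts source trust from an analyst's verdict. The source names, trust values, scoring weights and tier thresholds are all assumptions chosen for the example.

```python
"""Data-driven triage pipeline: normalize, correlate, enrich, score, feed back.

Added example; not ThreatQuotient's or SecurityWeek's code. Every event,
feed record, trust value and weight below is constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List

# Constructed organizational risk profile: what counts as "relevant" to us.
ORG_PROFILE = {"sectors": {"finance"}, "geos": {"US"}}

# Constructed internal events in two native formats (SIEM-style and EDR-style).
SIEM_EVENTS = [
    {"src_ip": "203.0.113.10", "dst_host": "web01", "rule": "Outbound to rare IP"},
    {"src_ip": "198.51.100.7", "dst_host": "db02", "rule": "Failed auth burst"},
]
EDR_EVENTS = [
    {"endpoint": "web01", "sha256": "aa" * 32, "verdict": "suspicious"},
]

# Constructed external threat feed records (ISAC / OSINT / vendor style).
THREAT_FEED = [
    {"indicator": "203.0.113.10", "type": "ipv4", "source": "isac-finance",
     "adversary": "GroupX", "sectors": ["finance"], "techniques": ["T1071"]},
    {"indicator": "aa" * 32, "type": "sha256", "source": "osint-blog",
     "adversary": None, "sectors": [], "techniques": ["T1105"]},
    {"indicator": "192.0.2.99", "type": "ipv4", "source": "vendor",
     "adversary": "GroupY", "sectors": ["retail"], "techniques": ["T1566"]},
]

# Per-source trust in 0..1. Constructed starting values; updated by feedback.
SOURCE_TRUST: Dict[str, float] = {"isac-finance": 0.9, "osint-blog": 0.4, "vendor": 0.7}


@dataclass
class Event:
    indicator: str
    ind_type: str
    asset: str
    origin: str  # which internal tool produced the event


def normalize(siem_events, edr_events) -> List[Event]:
    """Map each tool's native schema onto one common Event record."""
    events = [Event(e["src_ip"], "ipv4", e["dst_host"], "siem") for e in siem_events]
    events += [Event(e["sha256"], "sha256", e["endpoint"], "edr") for e in edr_events]
    return events


def score_indicator(indicator: str, events: List[Event], feed, profile, trust) -> dict:
    """Correlate internal sightings with external intel and produce a risk score.

    Weights are constructed: source trust sets the base, sector relevance and
    in-environment sightings add to it, and an indicator that is both seen
    internally and known externally gets an extra bump.
    """
    sightings = [e for e in events if e.indicator == indicator]
    intel = [r for r in feed if r["indicator"] == indicator]
    best_trust = max((trust.get(r["source"], 0.0) for r in intel), default=0.0)
    sector_hit = any(set(r["sectors"]) & profile["sectors"] for r in intel)

    score = 40 * best_trust
    score += 20 if sector_hit else 0
    score += 10 * min(len(sightings), 3)
    score += 10 if sightings and intel else 0
    tier = "immediate" if score >= 60 else "review" if score >= 30 else "peripheral"
    return {
        "indicator": indicator,
        "score": round(score, 1),
        "tier": tier,
        "sightings": [e.asset for e in sightings],
        "adversaries": sorted({r["adversary"] for r in intel if r["adversary"]}),
        "techniques": sorted({t for r in intel for t in r["techniques"]}),
    }


def prioritize(events, feed, profile, trust) -> List[dict]:
    """Score every indicator seen internally or in a feed; highest risk first."""
    indicators = {e.indicator for e in events} | {r["indicator"] for r in feed}
    ranked = [score_indicator(i, events, feed, profile, trust) for i in indicators]
    return sorted(ranked, key=lambda r: r["score"], reverse=True)


def apply_feedback(trust: Dict[str, float], source: str, true_positive: bool) -> Dict[str, float]:
    """Feedback loop: analyst outcomes adjust source trust for future scoring.

    Constructed policy: a false positive erodes trust faster than a true positive builds it.
    """
    delta = 0.05 if true_positive else -0.2
    trust[source] = max(0.0, min(1.0, trust.get(source, 0.0) + delta))
    return trust


if __name__ == "__main__":
    events = normalize(SIEM_EVENTS, EDR_EVENTS)
    for r in prioritize(events, THREAT_FEED, ORG_PROFILE, SOURCE_TRUST):
        print(f"{r['tier']:10} {r['score']:5} {r['indicator'][:16]} {r['adversaries']} {r['techniques']}")
    # Analyst closes the hash alert as a false positive; the OSINT source loses trust.
    apply_feedback(SOURCE_TRUST, "osint-blog", true_positive=False)
    print("hash after feedback:",
          score_indicator("aa" * 32, events, THREAT_FEED, ORG_PROFILE, SOURCE_TRUST)["tier"])
```

Run directly, the script prints the ranked indicators and then the hash indicator's tier after the analyst's false-positive verdict lowers the trust of the OSINT source, which drops it from review to peripheral. Two design points carry over to real pipelines: an indicator seen internally but absent from every feed is still scored rather than dropped, and the sighting bump ensures an external indicator that actually appears in the environment outranks one that does not, regardless of how reputable its source is.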

The ability to focus on data is just one core capability the SOC of the future needs to be efficient and effective. But there’s more to it. Human involvement is crucial to learning and effectiveness. And we haven’t touched on the architecture required to get data in and send data out efficiently. These are topics for next time. 

Written By

Marc Solomon is Chief Marketing Officer at ThreatQuotient. He has a strong track record driving growth and building teams for fast growing security companies, resulting in several successful liquidity events. Prior to ThreatQuotient he served as VP of Security Marketing for Cisco following its $2.7 billion acquisition of Sourcefire. While at Sourcefire, Marc served as CMO and SVP of Products. He has also held leadership positions at Fiberlink MaaS360 (acquired by IBM), McAfee (acquired by Intel), Everdream (acquired by Dell), Deloitte Consulting and HP. Marc also serves as an Advisor to a number of technology companies, including Valtix.
