Focusing the SOC on Detection and Response

Threat Intelligence is the Foundation and Lifeblood of the Security Operations Center

We all know the security industry mantra: it’s not a matter of if, but when and how we’ll be attacked. The global pandemic has done nothing to change this. In fact, it has reinforced it. Recent reports indicate a rise in cyberattacks on schools and at the end of October a joint advisory from the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Department of Health and Human Services (HHS) warned of an increased and imminent cybercrime threat to U.S. hospitals and healthcare providers. A similar alert was issued a few months earlier for companies in critical infrastructure sectors. 

As the mantra started to echo across industries and organizations a few years ago, security operations centers (SOCs) began to narrow the focus of their mission to become detection and response organizations. Neil McDonald of Gartner anticipated this evolution back in 2013. In his paper, Prevention is Futile in 2020: Protect information Via Pervasive Monitoring and Collective Intelligence, he projected that by 2020, 60% of enterprise information security budgets will be allocated for rapid detection and response approaches, up from less than 10% in 2013. You’ve got to hand it to Neil, he was more right than wrong. 

With the benefit of hindsight, I’d venture to say the spend may be closer to 80% with the emergence of entirely new product categories aimed at detection and response. A prime example is the movement towards and evolution of Security Orchestration, Automation and Response (SOAR) platforms and tools. In 2015, Gartner started talking about SOAR tools as the convergence of security incident response (SIR), security orchestration and automation (SOA), and threat and vulnerability management. In subsequent years, the definition shifted towards detection and response with vulnerability management remaining part of security operations, but not a core focus of the SOC. In 2017, Gartner began describing SOAR as the convergence of SOA, SIR and threat intelligence. And by 2019, Gartner defined the use cases for SOAR as SOC optimization; threat monitoring, investigation and response; and threat intelligence management – all capabilities focused on detection and response, whether reactive or proactive, with the overarching objective of SOC optimization.

Intelligence is the foundation for each of these use cases and thus the lifeblood of the SOC. But there’s a stumbling block – threat intelligence has become a poisoned term which has prevented many security teams from fully appreciating it or reaping the full value for detection and response. Many equate threat intelligence with external sources of threat data only. For the sake of SOC optimization, we need to think of threat intelligence as the combination of internal and external threat data. This combination allows teams to create a customized data set for their company. Curated threat intelligence becomes an essential capability of the SOC, enabling tools and teams to work more efficiently and effectively to optimize everything from incident response to threat hunting. 

In 2020, this intelligence capability is foundational to the next new product category aimed at SOC optimization – Extended Detection and Response (XDR) solutions. XDR requires aggregating internal data across the entire ecosystem so analysts can gain a comprehensive understanding of the threat they are facing and what they must defend. Pulling the right data from the right tools validates the detection and is critical to effective response. Analysts can augment and enrich this data automatically with threat data from the multiple sources they subscribe to – commercial, open source, government, industry, existing security vendors – as well as with frameworks like MITRE ATT&CK. Combining and correlating internal and external data provides a complete picture of the attack with context for comprehensive response.

In the face of the global pandemic, that security industry mantra resonates more than ever as threats continue to expand and accelerate. Fortunately, with the shift in security focus and investment since 2013, we have several strong responses. SOAR solutions are steadily gaining traction in real-world use, and XDR is being touted as the number one trend CISOs should understand to increase detection accuracy and improve security operations efficiency and productivity. With threat intelligence as the foundation, both approaches will propel SOCs even further on their mission to be detection and response organizations.

Is your SOC aligned with this mission and armed with the resources to execute successfully?