Improve Data Utilization to Modernize the SOC

The Ability to Think Global, Act Local is One of the Hallmarks of a Modern Security Operations Center

If you want to modernize your SOC to focus on detection and response, you need to start by capturing the right data. A central repository, continuously updated with new data and observations and curated to ensure relevance, provides the foundation you need. The next challenge is improving data utilization by collaborating with the teams and organizations that make up your entire enterprise to mitigate risk across your environment. Basically, you’re applying the concept of “think global, act local” to security operations to achieve enterprise-wide risk management.

When I talk about collaboration here, I’m referring to passive collaboration: sharing information across teams and systems from a single source of truth. Often, when a team member researches an event or alert and doesn’t find information relevant to them, they set it aside and move on to the next task. Or they take action based on the information and consider it no longer important. But the information could still matter to someone else working in a different context. Even if you recognize this behavior as unproductive and try to change it proactively, security teams are organized into silos and each uses its own tools, so utilizing data across teams to take advantage of potential synergies is complex. And when organizations are geographically dispersed, collaboration tends to be even more cumbersome, inconvenient and less likely to happen. Passive collaboration reduces that complexity by building sharing into the security operations workflow itself rather than leaving it to individual initiative.

Think about the following scenarios:

● Government entities with distinct threat intelligence teams and missions that are federated and need to collaborate and share relevant intelligence. 

● Commercial organizations with locations worldwide or segmented business units that have different risk profiles based on geographic-, partner- and sector-specific nuances. 

● Managed Security Services Providers (MSSPs) that provide multi-sector or geographic coverage to their customers.  

A subset of data needs to be sent to each team or location for consistent detection around the globe and to ensure global security risk is covered. However, privacy and data segregation requirements unique to teams, locations and customers further complicate the ability to utilize data across these entities. The trick is to enable and manage collaboration as part of existing workflows without further burdening your already stretched security team.


Typically, organizations have one central team responsible for collecting, analyzing and prioritizing internal and external threat and event data to provide relevant threat intelligence. To enable passive collaboration of threat intelligence, this team needs the ability to further curate the threat intelligence based on parameters set by the entities they are working with, so that each time data is transferred it is already curated for local consumption.

Bi-directional communication is also important so that the central team can collect feedback on the disseminated intelligence. This feedback enables them to better understand the security posture of the global organization with respect to specific threats they are tracking, highlighting trending intelligence and pinpointing areas of weakness in the coverage. As each subsidiary manages security incidents, uncovers new threats or finds additional context around known threats, this feedback can also be stored in the central repository, which serves as organizational memory.  When new data and learnings are added to the platform, intelligence can be automatically reevaluated and reprioritized.
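The curation and feedback loop described above, as an added example that is not part of this column or of any product it mentions: a small Python model of a central repository that filters indicators for each entity by TLP clearance, sector and region, records feedback from local teams as organizational memory, and re-scores indicators so that a confirmed sighting in one region can lift an item above another region's local threshold without anyone having to forward it by hand. The TLP ranking, the policy fields on each indicator and entity, and the scoring weights are assumptions; the sample indicators use documentation address ranges and a made-up hash.

```python
"""Illustrative central threat-intel repository with per-entity curation and
a feedback loop. Added example; policy fields and scoring rules are assumptions,
not a description of any particular platform."""
from dataclasses import dataclass, field

# Traffic Light Protocol ordering (assumed mapping): an entity may only receive
# intel at or below the level it is cleared for.
TLP_RANK = {"WHITE": 0, "GREEN": 1, "AMBER": 2, "RED": 3}


@dataclass
class Indicator:
    value: str
    itype: str                                   # "ip", "domain" or "sha256"
    tlp: str
    sectors: set = field(default_factory=set)    # empty = relevant to all sectors
    regions: set = field(default_factory=set)    # empty = relevant everywhere
    score: int = 50                              # 0..100 priority set centrally
    sightings: int = 0


@dataclass
class Entity:
    name: str
    max_tlp: str          # highest TLP this entity is cleared for
    sectors: set
    region: str
    min_score: int        # local threshold below which intel is noise for them


@dataclass
class Feedback:
    entity: str
    value: str
    observed: bool
    note: str = ""


class Repository:
    """Single source of truth: indicators plus the feedback returned on them."""

    def __init__(self):
        self.indicators = {}
        self.memory = []  # organizational memory: every piece of feedback received

    def add(self, ind):
        self.indicators[ind.value] = ind

    def eligible(self, ind, entity):
        """Segregation rules: may this entity see this indicator at all?"""
        if TLP_RANK[ind.tlp] > TLP_RANK[entity.max_tlp]:
            return False                      # too sensitive for this entity
        if ind.sectors and not (ind.sectors & entity.sectors):
            return False                      # not relevant to their sector
        if ind.regions and entity.region not in ind.regions:
            return False                      # not relevant to their region
        return True

    def curate_for(self, entity):
        """The subset an entity is allowed to receive and that is worth its
        time, highest priority first. Called each time data is pushed out."""
        out = [i for i in self.indicators.values()
               if self.eligible(i, entity) and i.score >= entity.min_score]
        return sorted(out, key=lambda i: (-i.score, i.value))

    def record_feedback(self, entity, value, observed, note=""):
        """Bi-directional channel: a local team reports what it saw. Rejected
        if the entity could never have legitimately received the item."""
        ind = self.indicators[value]
        if not self.eligible(ind, entity):
            raise PermissionError(f"{entity.name} is not cleared for {value}")
        self.memory.append(Feedback(entity.name, value, observed, note))
        # Automatic re-evaluation (assumed weights): a confirmed sighting
        # raises priority for everyone, a reported miss lets it decay.
        if observed:
            ind.sightings += 1
            ind.score = min(100, ind.score + 10)
        else:
            ind.score = max(0, ind.score - 5)
        return ind.score


def build_demo():
    """Constructed sample data: documentation IP ranges, a reserved example
    domain and a fake hash, not real indicators."""
    repo = Repository()
    repo.add(Indicator("198.51.100.7", "ip", "AMBER", {"finance"}, set(), 70))
    repo.add(Indicator("phish.example", "domain", "GREEN", set(), {"EMEA"}, 40))
    repo.add(Indicator("ab" * 32, "sha256", "RED", {"gov"}, set(), 90))
    repo.add(Indicator("203.0.113.9", "ip", "WHITE", set(), set(), 20))
    bank = Entity("bank-emea", "AMBER", {"finance"}, "EMEA", 30)
    gov = Entity("gov-apac", "RED", {"gov"}, "APAC", 0)
    return repo, bank, gov


def demo():
    """Show think-global-act-local: a sighting in APAC changes what EMEA gets."""
    repo, bank, gov = build_demo()
    before = [i.value for i in repo.curate_for(bank)]
    # gov-apac confirms 203.0.113.9 in its own incident: score 20 -> 30, which
    # now clears bank-emea's local threshold on the next curated push.
    repo.record_feedback(gov, "203.0.113.9", True, "seen in C2 beaconing")
    after = [i.value for i in repo.curate_for(bank)]
    return before, after


if __name__ == "__main__":
    b, a = demo()
    print("bank-emea before feedback:", b)
    print("bank-emea after feedback: ", a)
```

The segregation check lives in one place (`eligible`) and is applied both when pushing intel out and when accepting feedback, so a local team cannot raise the priority of an item it was never cleared to see; that is the kind of guard a privacy or data-segregation requirement needs before a shared repository is exposed to federated teams or MSSP customers.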

Finally, data within the central repository and in local repositories can be shared across existing security infrastructure manually, automatically or some combination to harden security controls. Enterprise-wide, the right data can be sent to the right tools for a better defensive posture. 

The ability to think global, act local is one of the hallmarks of a modern SOC. Collaboration with teams across the organization to utilize data more efficiently and effectively dramatically improves detection and response, and it is critical to achieving enterprise-wide risk management.

Learn More at SecurityWeek’s Threat Intelligence Summit May 25-26, 2021

Written By

Marc Solomon is Chief Marketing Officer at ThreatQuotient. He has a strong track record driving growth and building teams for fast growing security companies, resulting in several successful liquidity events. Prior to ThreatQuotient he served as VP of Security Marketing for Cisco following its $2.7 billion acquisition of Sourcefire. While at Sourcefire, Marc served as CMO and SVP of Products. He has also held leadership positions at Fiberlink MaaS360 (acquired by IBM), McAfee (acquired by Intel), Everdream (acquired by Dell), Deloitte Consulting and HP. Marc also serves as an Advisor to a number of technology companies.
