SecurityWeek

Incident Response

The Intelligent SOC Can be a Reality Today

External factors, including security tools shifting to the cloud, the rise of Endpoint Detection and Response (EDR) solutions, and the cybersecurity talent shortage, are presenting challenges for security operations centers (SOCs). There is a lot of talk right now about the need for SOCs to become more efficient and effective to address not only these factors but to also become more ‘intelligent.’ However, this notion of an intelligent SOC is not new. In fact, back in 2015 Gartner issued a report (PDF) titled, “The Five Characteristics of an Intelligence-Driven Security Operations Center.” 

I thought it would be interesting to review the list of five characteristics to see how Gartner defined an intelligence-driven SOC four years ago and compare that list to where we are today. 

1) Uses multisource threat intelligence strategically and tactically. Establishing an intelligent SOC begins with changing how we collect and manage the millions of threat-focused data points that analysts are bombarded with every day. With a platform that brings all this global data together – some from commercial sources, some open source, some from industry sharing groups and some from their existing security vendors – in one manageable location and translates it into a uniform format, you can begin to use threat intelligence strategically and tactically.

2) Uses advanced analytics to operationalize security intelligence. What is interesting here is the shift from the term ‘threat intelligence’ to ‘security intelligence’ which also encompasses internal intelligence. By leveraging the platform to combine events and associated indicators from inside your environment (for example from sources including your security information and event management (SIEM) system, log management repository, case management systems and security infrastructure) with external data on indicators, adversaries and their methods, you gain context for analysis and to understand relevance to your environment. This allows you to operationalize security intelligence, determining which intelligence to focus on first and which can be kept as peripheral. 

3) Automates whenever feasible. For years we’ve debated what, when and how to automate aspects of security. In the intelligent SOC, humans must be involved but certain time-intensive, manual tasks can be automated. One way to use automation is to aggregate, score and prioritize threat intelligence based on relevance to your environment, using parameters you set instead of relying on the global risk scores some vendors provide. This reduces noise so security operators can focus on what really matters to the organization rather than wasting time and resources chasing ghosts. With the right data you can also have confidence in decision making. Once you have confidence in the decisions, then you can automate aspects of security operations, for example automatically exporting curated threat intelligence from the platform directly to the sensor grid (firewalls, anti-virus, IPS/IDS, web and email security, endpoint detection and response, NetFlow, etc.) to be anticipatory and prevent future attacks. 

4) Adopts an adaptive security architecture. Gartner’s CARTA (continuous adaptive risk and trust assessment) process involves continuously assessing ecosystem risk, which extends beyond the walls of the enterprise, and adapting as necessary. This is where ongoing prioritization and assessment is critical. As the threat landscape dynamically changes along with your internal environment, more data and context are added to the platform as well as learnings about adversaries and their tactics, techniques and procedures (TTPs). Automatically recalculating and reevaluating priorities and threat assessments ensures security operators can adapt and continue to stay focused on what is relevant to mitigate the organization’s risk. 

5) Proactively hunts and investigates. Security teams engage in proactive threat hunting when they learn of a threat from an external source, believe they might have missed something in the past, or receive a call from management about the latest attack in the news. With a platform that can act as a virtual cybersecurity situation room, teams and team members can share the same pool of threat data and evidence to conduct investigations collaboratively. As the platform is updated continuously with new data and learnings, intelligence is reevaluated and reprioritized to support proactive threat hunting. 
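Characteristics 2 through 4 describe one workflow: merge external indicators with internal sightings, score them with parameters the operator sets rather than the feed's global score, export the confident ones to sensors, and recalculate as new internal data arrives. The following is an added example of that workflow, written for this page and not code from ThreatQuotient, Gartner or SecurityWeek. Every indicator, sighting, weight, sector, actor name and threshold in it is a constructed sample value; the data model and the scoring formula are assumptions chosen to illustrate the idea, not any vendor's scoring method.

```python
"""Relevance-based scoring of threat indicators (added example, constructed data).

External feed indicators are combined with internal SIEM sightings and asset
criticality, scored with operator-defined weights (the feed's own global score
is carried only for comparison), ranked, and re-ranked when a new sighting
arrives. Nothing here is a real feed, asset or adversary.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass
class Indicator:
    value: str
    kind: str                 # "ip", "domain" or "sha256"
    source: str               # feed name (constructed)
    vendor_score: int         # feed's global 0-100 score, not used for ranking
    sectors: set              # sectors the feed says the campaign targets
    last_seen: datetime       # when the feed last observed the indicator
    actor: Optional[str] = None  # attributed adversary, if any


@dataclass
class InternalSighting:
    value: str                # indicator value matched in our own logs
    asset: str                # host it was seen on (constructed name)
    asset_criticality: int    # 1 (low) .. 5 (crown jewel), as a CMDB would rate it
    when: datetime


# Operator-set parameters: these, not vendor_score, decide priority.
WEIGHTS = {
    "sighting": 40,           # indicator observed inside our environment
    "criticality": 6,         # per criticality point of the asset it touched
    "sector_match": 20,       # campaign targets our sector
    "tracked_actor": 15,      # actor is on our priority adversary list
    "source_confidence": {"isac-feed": 15, "commercial-a": 10, "osint-paste": 3},
    "max_age_days": 30,       # external context decays to zero at this age
}
OUR_SECTOR = "finance"
TRACKED_ACTORS = {"APT-EXAMPLE"}   # hypothetical actor label
EXPORT_THRESHOLD = 50              # minimum score to push to the sensor grid


def score(ind: Indicator, sightings: list, now: datetime, weights=WEIGHTS) -> float:
    """Relevance score = internal evidence (undecayed) + external context (decayed)."""
    internal = 0.0
    mine = [s for s in sightings if s.value == ind.value]
    if mine:
        internal += weights["sighting"]
        internal += weights["criticality"] * max(s.asset_criticality for s in mine)

    external = weights["source_confidence"].get(ind.source, 0)
    if OUR_SECTOR in ind.sectors:
        external += weights["sector_match"]
    if ind.actor in TRACKED_ACTORS:
        external += weights["tracked_actor"]
    age_days = (now - ind.last_seen).days
    decay = max(0.0, 1 - age_days / weights["max_age_days"])
    return round(internal + external * decay, 1)


def prioritize(indicators: list, sightings: list, now: datetime) -> list:
    """Return (value, score) pairs, highest relevance first."""
    scored = [(i.value, score(i, sightings, now)) for i in indicators]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


def curated_export(indicators: list, sightings: list, now: datetime,
                   threshold: int = EXPORT_THRESHOLD) -> list:
    """Indicators scored highly enough to push to firewalls, IDS, EDR and so on."""
    return [v for v, s in prioritize(indicators, sightings, now) if s >= threshold]


# Constructed sample data: RFC 5737 documentation address, reserved .example
# domain and a filler hash. NOW is fixed so the example is deterministic.
NOW = datetime(2019, 6, 1, tzinfo=timezone.utc)
INDICATORS = [
    # High vendor score, but wrong sector and never seen internally.
    Indicator("203.0.113.7", "ip", "commercial-a", 95, {"retail"}, NOW - timedelta(days=2)),
    # Modest vendor score, but our sector, a tracked actor and an internal hit.
    Indicator("malicious.example", "domain", "isac-feed", 40, {"finance"},
              NOW - timedelta(days=5), actor="APT-EXAMPLE"),
    # Stale low-confidence paste-site hash: external context has fully decayed.
    Indicator("deadbeef" * 8, "sha256", "osint-paste", 80, set(), NOW - timedelta(days=45)),
]
SIGHTINGS = [
    InternalSighting("malicious.example", "pay-gateway-01", 5, NOW - timedelta(days=1)),
]

if __name__ == "__main__":
    print("initial ranking:", prioritize(INDICATORS, SIGHTINGS, NOW))
    print("export now:     ", curated_export(INDICATORS, SIGHTINGS, NOW))
    # Characteristic 4: a new internal sighting arrives, priorities are recomputed.
    updated = SIGHTINGS + [InternalSighting("203.0.113.7", "hr-laptop-17", 2, NOW)]
    print("after sighting: ", prioritize(INDICATORS, updated, NOW))
    print("export now:     ", curated_export(INDICATORS, updated, NOW))
```

The point the numbers make is the inversion of the feed's own ordering: the indicator the vendor rated 95 ranks far below the one rated 40 until it is actually observed on one of our assets, at which point it crosses the export threshold without anyone re-tuning the weights. In a real deployment the sightings list would be fed from the SIEM or EDR and the criticality from the asset inventory, and the export list would be the only thing that reaches the sensor grid.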

The good news is that Gartner had a vision of the SOC of the future which still holds true. Even better news, we now have the tools and technologies we need to make the intelligent SOC a reality – and we can all agree it is time.

Written By

Marc Solomon is Chief Marketing Officer at ThreatQuotient. He has a strong track record driving growth and building teams for fast growing security companies, resulting in several successful liquidity events. Prior to ThreatQuotient he served as VP of Security Marketing for Cisco following its $2.7 billion acquisition of Sourcefire. While at Sourcefire, Marc served as CMO and SVP of Products. He has also held leadership positions at Fiberlink MaaS360 (acquired by IBM), McAfee (acquired by Intel), Everdream (acquired by Dell), Deloitte Consulting and HP. Marc also serves as an Advisor to a number of technology companies.
