External factors, including security tools shifting to the cloud, the rise of Endpoint Detection and Response (EDR) solutions, and the cybersecurity talent shortage, are presenting challenges for security operations centers (SOCs). There is a lot of talk right now about the need for SOCs to become more efficient and effective to address not only these factors but to also become more ‘intelligent.’ However, this notion of an intelligent SOC is not new. In fact, back in 2015 Gartner issued a report (PDF) titled, “The Five Characteristics of an Intelligence-Driven Security Operations Center.”
I thought it would be interesting to review the list of five characteristics to see how Gartner defined an intelligence-driven SOC four years ago and compare that list to where we are today.
1) Uses multisource threat intelligence strategically and tactically. Establishing an intelligent SOC begins with changing how we collect and manage the millions of threat-focused datapoints that analysts are bombarded with every day. With a platform that brings all this global data together – some from commercial sources, some open source, some industry and some from their existing security vendors – in one manageable location and translates it into a uniform format, you can begin to use threat intelligence strategically and tactically.
2) Uses advanced analytics to operationalize security intelligence. What is interesting here is the shift from the term ‘threat intelligence’ to ‘security intelligence’ which also encompasses internal intelligence. By leveraging the platform to combine events and associated indicators from inside your environment (for example from sources including your security information and event management (SIEM) system, log management repository, case management systems and security infrastructure) with external data on indicators, adversaries and their methods, you gain context for analysis and to understand relevance to your environment. This allows you to operationalize security intelligence, determining which intelligence to focus on first and which can be kept as peripheral.
3) Automates whenever feasible. For years we’ve debated what, when and how to automate aspects of security. In the intelligent SOC, humans must be involved but certain time-intensive, manual tasks can be automated. One way to use automation is to aggregate, score and prioritize threat intelligence based on relevance to your environment, using parameters you set instead of relying on the global risk scores some vendors provide. This reduces noise so security operators can focus on what really matters to the organization rather than wasting time and resources chasing ghosts. With the right data you can also have confidence in decision making. Once you have confidence in the decisions, then you can automate aspects of security operations, for example automatically exporting curated threat intelligence from the platform directly to the sensor grid (firewalls, anti-virus, IPS/IDS, web and email security, endpoint detection and response, NetFlow, etc.) to be anticipatory and prevent future attacks.
4) Adopts an adaptive security architecture. Gartner’s CARTA (continuous adaptive risk and trust assessment) process involves continuously assessing ecosystem risk, which extends beyond the walls of the enterprise, and adapting as necessary. This is where ongoing prioritization and assessment is critical. As the threat landscape dynamically changes along with your internal environment, more data and context are added to the platform as well as learnings about adversaries and their tactics, techniques and procedures (TTPs). Automatically recalculating and reevaluating priorities and threat assessments ensures security operators can adapt and continue to stay focused on what is relevant to mitigate the organization’s risk.
5) Proactively hunts and investigates. Security teams engage in proactive threat hunting when they learn of a threat from an external source, believe they might have missed something in the past, or receive a call from management about the latest attack in the news. With a platform that can act as a virtual cybersecurity situation room, teams and team members can share the same pool of threat data and evidence to conduct investigations collaboratively. As the platform is updated continuously with new data and learnings, intelligence is reevaluated and reprioritized to support proactive threat hunting.
The good news is that Gartner had a vision of the SOC of the future which still holds true. Even better news, we now have the tools and technologies we need to make the intelligent SOC a reality – and we can all agree it is time.