To Make the Most of your SOC and to Truly Minimize Cyber Risk, it Requires All Hands on Deck—Making Security Everybody’s Business.
Just a few years ago, enterprises started creating security operations centers (SOCs) to centralize the monitoring of, and response to, threats and vulnerabilities. The goal of these first-generation SOCs was to centralize the management, analysis and response to alerts and incidents coming in from many different perimeter and endpoint tools. The operators typically sat in front of tool-specific consoles, like DLP, and/or in front of a SIEM tool that aggregated all the logs into one place. Additional visuals and map-type screens were also prominently displayed, especially for visiting executives.
SOCs were created to consolidate response staff and enhance the collaboration between different security domains to more easily “catch the bad guys.” However, having staff manually analyze mountains of data and connect the dots between isolated incidents and indicators proved inefficient, unsustainable and overwhelming, especially given that the volume of data continues to surge and the pool of qualified analysts cannot grow fast enough to close the gap. Additionally, attacks are getting increasingly complex and hard to detect, especially without a more sophisticated mechanism for connecting the dots between disparate sensor and activity data. To keep up with harmful actors, we need to arm operators with the ability to draw conclusions and take the most impactful actions as quickly as possible.
Integration means more than just putting the data into one central location or even into one tool. To extract real meaning from the mountains of data pumping through the SOC, it needs to be brought together into an integrated model that transforms the SOC’s perspective from isolated incidents to interacting entities. Crucial to integrating all this data in a meaningful way is the addition of context.
Technical incident data lacks the business and risk context to effectively enable prioritized response. Ultimately, the goal is not about stopping every attack or responding to every incident from every sensor. Just as business continuity planning does not (cannot) seek to prevent all possible business interruptions and manages risk by ensuring those processes that are critical to the business maintain suitable operability, the SOC’s goal is to mitigate those risks that pose the greatest business risk. Layering organizational and information asset context into an integrated data model provides the necessary business context for analytics and human operators to prioritize their response based on what is most important from an operational and financial perspective.
The human factor is the greatest challenge in a SOC operation. While we all dream of solving the skills shortage by completely automating the entire detection and response process, it is simply unlikely to happen in the foreseeable future. Until then, the focus should be on using machine learning, artificial intelligence and automated analytics to minimize the knowledge and manual effort required by SOC operators to do their job. That includes behavioral and value-at-risk analytics that minimize false positives and provide the operator with their “next action” based on risk to the business, along with a mechanism for validating and making sense of the identified risks with the fewest clicks possible.
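As an added illustration of the integrated, context-aware model the preceding paragraphs describe (this is example code, not from the article or any product): alerts from several constructed sensors are joined to the entity they concern, layered with a constructed asset inventory that supplies business context, and ranked by expected loss rather than raw severity. Sensor names, assets, dollar values and the corroboration formula are all assumptions made for the example.

```python
from collections import defaultdict

# Constructed asset inventory: the business context that raw alerts lack.
# value_at_risk is an assumed loss figure if the asset is compromised.
ASSETS = {
    "db-payroll-01": {"owner": "finance",   "criticality": "high", "value_at_risk": 5_000_000},
    "ws-intern-17":  {"owner": "marketing", "criticality": "low",  "value_at_risk": 20_000},
    "web-store-02":  {"owner": "ecommerce", "criticality": "high", "value_at_risk": 2_000_000},
}

# Constructed alerts as separate tools would emit them: each is an isolated
# event until it is joined to an entity in the integrated model.
ALERTS = [
    {"sensor": "dlp",  "entity": "db-payroll-01", "severity": 0.6, "signal": "bulk export of PII"},
    {"sensor": "edr",  "entity": "db-payroll-01", "severity": 0.5, "signal": "new scheduled task"},
    {"sensor": "siem", "entity": "ws-intern-17",  "severity": 0.9, "signal": "malware signature"},
    {"sensor": "waf",  "entity": "web-store-02",  "severity": 0.3, "signal": "scanner user-agent"},
]

def corroboration(alerts):
    """Assumed likelihood model: the strongest single alert sets the base, and
    each additional independent sensor closes 30% of the remaining gap to 1.0."""
    sensors = {a["sensor"] for a in alerts}
    base = max(a["severity"] for a in alerts)
    return base + (1 - base) * (1 - 0.7 ** (len(sensors) - 1))

def prioritize(alerts, assets):
    """Group alerts by entity, add asset context, and rank entities by
    expected loss (likelihood x value at risk) with a suggested next action."""
    by_entity = defaultdict(list)
    for a in alerts:
        by_entity[a["entity"]].append(a)
    ranked = []
    for entity, group in by_entity.items():
        ctx = assets.get(entity, {"owner": "unknown", "criticality": "unknown", "value_at_risk": 0})
        likelihood = corroboration(group)
        ranked.append({
            "entity": entity,
            "owner": ctx["owner"],
            "likelihood": round(likelihood, 2),
            "expected_loss": round(likelihood * ctx["value_at_risk"]),
            "signals": [f'{a["sensor"]}: {a["signal"]}' for a in group],
            "next_action": "escalate to owner" if ctx["criticality"] == "high" else "queue for review",
        })
    return sorted(ranked, key=lambda r: r["expected_loss"], reverse=True)

if __name__ == "__main__":
    for r in prioritize(ALERTS, ASSETS):
        print(r)
```

Note that the single highest-severity alert (the malware signature on the intern workstation) ends up last once business context is applied, while two moderate alerts that corroborate each other on the payroll database rise to the top.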
The logical extension for enabling SOC operators to do their jobs more efficiently is to automate response options for validated risks. Once the analyst has reviewed and verified the nature of the identified threat or vulnerability, they should be able to take automated action at the click of a button.
No matter how many SOC operators a company may have, they cannot be everywhere at once, nor will they have the full context that individuals in the business have. To make the most of your SOC and to truly minimize cyber risk, it requires all hands on deck—making security everybody’s business. Whether it’s every email user flagging potential phishing emails or application owners validating unusual behavior on their application, every person in the company should be viewed as a channel of information for the SOC. That does not mean everybody is part of the SOC, but everybody should be aware of cyber risks and have the ability to inform the SOC.
Just as every employee can provide intelligence about questionable events within the business, collaborating with other companies in your industry and with the government increases the likelihood that you will be able to stop an attack before it happens. Sharing threat intelligence, and acting on intelligence from commercial providers, ISACs and government NCICs, is becoming increasingly critical to the good guys winning.
Early SOCs were a critical first step toward taming the cyber security beast. Just like any other critical business operation, best practices molded by lessons learned and technical innovation will lead to greater effectiveness and efficiency in minimizing the impact of cyber risks on the business.