Want to Modernize Your SOC? Start with Data

How to Tackle the Data Challenge to Improve and Accelerate Detection and Response

I’ve discussed before how Security Operations Centers (SOCs) are now becoming detection and response organizations. But like most transitions, that shift doesn’t happen overnight. Three different areas need to be addressed – data, systems and people.

Many organizations today deal with data that is noisy and unstructured, decentralized without prioritization, and managed with spreadsheets. Their systems are disconnected and disparate, workflows are neither orchestrated nor automated, and each system uses its own specific language, which makes it difficult, if not impossible, to get them to interoperate. Finally, there is a significant lack of skilled resources to get things done, and the security professionals they do have can’t keep pace because they are bogged down by repetitive, manual tasks and operate in silos. Each of these areas needs to be addressed to improve detection, gain a better understanding of threats, enable teams to collaborate and, ultimately, take the right actions faster.

Here, I’m going to address how to tackle the data challenge to improve and accelerate detection and response.

To gain a comprehensive understanding of the threats you are facing and what you must defend, you need to start by aggregating internal data from across the entire ecosystem – the telemetry, content and data created by each layer in your security architecture, on-premises and in the cloud. In addition to the SIEM, this includes data from modern security tools and technologies, like Endpoint Detection and Response (EDR), Network Detection and Response (NDR) and Cloud Detection and Response (CDR). Not only is this data high fidelity, it’s also free!

With the right internal threat and event data aggregated in a platform that serves as a central repository, the next step is to augment and enrich it with external threat data from the multiple sources you subscribe to – commercial, open source, government, industry, existing security vendors – as well as frameworks like MITRE ATT&CK. Analysts are bombarded by millions of threat datapoints every day, which makes it impossible to fully appreciate or realize the full value of third-party data. Compounding the problem, new research presented at the 29th USENIX Security Symposium found that there is little overlap between these sources. Bringing this data into a central repository that normalizes it automatically into a uniform format for analysis and prioritization helps stop the assault.

Additional complexity springs from the need to keep pace with an ever-changing threat landscape. As we saw with COVID-19 and the SolarWinds Orion security breach, crises and outbreaks generate a strong uptick in new, disparate sources of threat information. Many of these sources have no ready-made connectors that allow them to plug into existing security infrastructure. So, another requirement is custom connectors to any type of threat intelligence feed, which can be written and deployed within hours. This allows the SOC to ingest threat data from new sources quickly into the same repository.

You now have a central repository combining the right internal data with external data – in effect, a single source of truth. However, due to the volume of data, you also have a great deal of noise. To reduce the noise, data can be prioritized according to what is relevant for your organization, instead of relying on the global risk scores some vendors provide. Changing risk scores based on parameters you set around indicator source, type, attributes and context, as well as adversary attributes, allows you to filter out what’s noise for you. Instead of wasting time and resources chasing ghosts, you can focus on what really matters to your organization. This central repository also serves as organizational memory for learning and improvement. As new data and learnings are added to the platform, intelligence is automatically reevaluated and reprioritized.
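The normalization step from the previous paragraphs and the organization-specific scoring described here, as an added illustration (not ThreatQuotient's or any vendor's code): two constructed feeds in different formats are merged into one uniform repository, scored with weights the organization sets rather than a vendor's global score, and automatically reprioritized when a new internal observation arrives. The feed records, the actor name `ACTOR-PLACEHOLDER`, the schema and the `POLICY` weights are all assumptions for this example.

```python
import csv, io
from dataclasses import dataclass, field

@dataclass
class Indicator:
    """Uniform record every feed is normalized into (constructed schema)."""
    value: str
    kind: str                                   # "ip", "domain", "hash"
    sources: set = field(default_factory=set)
    attributes: set = field(default_factory=set)
    adversaries: set = field(default_factory=set)
    seen_internally: bool = False               # matched in our own EDR/NDR/SIEM telemetry

# Constructed sample feeds in two different formats (not real vendor data).
COMMERCIAL = [{"ioc": "203.0.113.7", "type": "ip", "tags": "ransomware", "actor": "ACTOR-PLACEHOLDER"},
              {"ioc": "198.51.100.9", "type": "ip", "tags": "scanner", "actor": ""}]
OSINT_CSV = "value,kind,tag\nexample-phish.test,domain,phishing\n198.51.100.9,ip,scanner\n"

# Weights the organization sets around source, type, attributes and adversaries;
# the global score a vendor ships with the feed is deliberately not used.
POLICY = {
    "source": {"commercial": 3, "osint": 1},
    "kind": {"ip": 1, "domain": 2, "hash": 3},
    "attribute": {"ransomware": 4, "phishing": 3, "scanner": 0},
    "adversary": {"ACTOR-PLACEHOLDER": 5},      # actors known to target our sector
    "internal_bonus": 10, "min_score": 6,       # below min_score is noise for us
}

def ingest(repo, source, value, kind, attrs, adversary=None):
    """Merge one normalized observation into the central repository, de-duplicated by value."""
    ind = repo.setdefault(value, Indicator(value, kind))
    ind.sources.add(source)
    ind.attributes.update(a for a in attrs if a)
    if adversary:
        ind.adversaries.add(adversary)
    return ind

def load_feeds(repo):
    for r in COMMERCIAL:                                   # feed 1: JSON-style records
        ingest(repo, "commercial", r["ioc"], r["type"], r["tags"].split(","), r["actor"])
    for r in csv.DictReader(io.StringIO(OSINT_CSV)):       # feed 2: CSV with different keys
        ingest(repo, "osint", r["value"], r["kind"], r["tag"].split(","))

def score(ind, policy=POLICY):
    s = sum(policy["source"].get(x, 0) for x in ind.sources) + policy["kind"].get(ind.kind, 0)
    s += sum(policy["attribute"].get(x, 0) for x in ind.attributes)
    s += sum(policy["adversary"].get(x, 0) for x in ind.adversaries)
    return s + (policy["internal_bonus"] if ind.seen_internally else 0)

def prioritize(repo, policy=POLICY):
    """Re-score everything; return (value, score) pairs, highest first, noise dropped."""
    scored = [(i.value, score(i, policy)) for i in repo.values()]
    return sorted([x for x in scored if x[1] >= policy["min_score"]], key=lambda x: -x[1])
```

Loading the feeds ranks the ransomware IP first and drops the scanner IP as noise; setting `seen_internally = True` on that IP after an EDR match and calling `prioritize` again moves it to the top without any manual re-scoring.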

SOC modernization doesn’t happen overnight. But starting with the data challenge to create a single source of truth, continuously updated with new data and observations, and curated to ensure relevance, helps you fast-track the process. With the ability to focus monitoring and detection on high-risk threats, you’ll gain real and meaningful benefits quickly, and have a solid foundation for more efficient and effective response.

Written By

Marc Solomon is Chief Marketing Officer at ThreatQuotient. He has a strong track record driving growth and building teams for fast growing security companies, resulting in several successful liquidity events. Prior to ThreatQuotient he served as VP of Security Marketing for Cisco following its $2.7 billion acquisition of Sourcefire. While at Sourcefire, Marc served as CMO and SVP of Products. He has also held leadership positions at Fiberlink MaaS360 (acquired by IBM), McAfee (acquired by Intel), Everdream (acquired by Dell), Deloitte Consulting and HP. Marc also serves as an Advisor to a number of technology companies.
