Security Experts:

As You Modernize Your SOC, Remember the Human Element

As Security Operations Centers (SOCs) mature, they need to tackle some tough challenges with respect to data, systems and people

As Security Operations Centers (SOCs) mature and transition to become detection and response organizations, they need to tackle some tough challenges with respect to data, systems and people. To begin with, many SOCs are dealing with data that is noisy and unstructured, decentralized without prioritization, and managed with spreadsheets. So, the first step is to capture the right data to create a single source of truth, continuously updated with new data and observations, and curated to ensure relevance.

Utilizing that data also presents challenges because systems are disconnected and disparate, workflows are not orchestrated nor automated, and each system uses its own specific language which makes it difficult, if not impossible, to get them to interoperate. Passive collaboration, sharing curated threat intelligence with teams and tools as part of existing workflows, improves data utilization and is a major step towards enterprise-wide risk management. 

But there remains yet another significant challenge SOCs face as they modernize – the lack of skilled resources to get things done and ineffective use of the staff they do have who are bogged down by repetitive, manual tasks and operate in silos. 

How to unleash the power of the human element.  

Detection and response is predicated on having the right intelligence. This encompasses all the internal threat and event data created by each layer in your security architecture, augmented and enriched with external threat data from the multiple sources you subscribe to. But one of the most important sources to also bring into the process is human intelligence – intuition, memory, learning and experience. What better way is there for organizations to validate data and findings and then determine the right action to take within their own environment than through their own people? Empowering the human element is vital to effective and efficient detection and response.  

This is where active collaboration comes in – engaging with another person to accomplish a shared goal through tasking and coordination. It’s what typically comes to mind when we think of collaboration, but traditional, siloed environments have made this extremely difficult and time-consuming for security professionals to do. With different people or teams working on independent tasks, key commonalities are missed so investigations take longer, hit a dead end or key information just falls through the cracks. 

Having a single collaborative environment that fuses together threat data, evidence and users breaks down these barriers. Team members can automatically see how the work of others impacts and further benefits their own work and, importantly, they can share and benefit from all sources of intelligence, including the human intelligence they each bring to the table. Embedding collaboration into operations, validating data and sharing their collective insights and understanding, breeds confidence in the intelligence that is being used and drives detection and response effectiveness.

This confidence in the data and the decisions made based on that data should lead to automation. Working together, teams know what needs to get done and start to understand how to do it better and take the right actions faster. Over time and with multiple successes, confidence builds. Teams realize they don’t have to continue to do processes manually that they have recognized to be repetitive and low risk. They have the confidence they need to move forward with automation – either automating an entire process or just select aspects – for efficient detection and response.  

Back in 2013, Neil McDonald of Gartner projected this SOC metamorphosis in his paper, Prevention is Futile in 2020: Protect information Via Pervasive Monitoring and Collective Intelligence. Today, we’re seeing real and measurable progress towards this transformation. As new concepts have emerged, security organizations and teams have demonstrated an eagerness to embrace them quickly. In the SANS 2020 Threat Hunting Survey, 85% of organizations reported they had adopted some level of threat hunting. And, increasingly, the vulnerability management function is moving from Governance, Risk and Compliance (GRC) to security operations where teams have the skills and tools for proactive risk mitigation. 

But there is still much work to be done. A case in point, months after the SolarWinds Orion security breach, 63% of organizations surveyed by DomainTools remain highly concerned, 60% of those directly impacted are still trying to determine if they were breached, and 16% of organizations are still wondering if they were even impacted. Fortunately, with the wave of new product categories and services aimed at delivering the capabilities SOCs need to address the data, systems and people challenges, organizations have what it takes to make SOC modernization happen.

Learn More at SecurityWeek's Threat Intelligence Virtual Summit

view counter
Marc Solomon is Chief Marketing Officer at ThreatQuotient. He has a strong track record driving growth and building teams for fast growing security companies, resulting in several successful liquidity events. Prior to ThreatQuotient he served as VP of Security Marketing for Cisco following its $2.7 billion acquisition of Sourcefire. While at Sourcefire, Marc served as CMO and SVP of Products. He has also held leadership positions at Fiberlink MaaS360 (acquired by IBM), McAfee (acquired by Intel), Everdream (acquired by Dell), Deloitte Consulting and HP. Marc also serves as an Advisor to a number of technology companies, including Valtix.