Security Experts:

Is Your SecOps Solution Keeping Up?

The goal of any SecOps system is to collect, correlate, and assess data gathered from every corner of the network to detect and investigate anomalous behavior and then respond promptly to thwart an attack before its damage is done. And when networks were primarily contained within a clearly defined and static perimeter, this was not just an aspirational goal. It was well within the ability of virtually any SecOps team.

My, how things have changed.

The critical challenges of managing today’s networks

Issues like evolving operational requirements (like digital transformation), the rapid expansion of network edges, the recent inversion of the network due to the transition to a remote workforce, and growing compliance requirements are accelerating the volume and velocity of data and overall complexity for SecOps. Complicating things further has been the transition to an application-based business model, where any user on any device from any location can access virtually any information anywhere. And to do so, workflows, transactions, and applications may cross multiple ecosystems, from an end-user device through multiple cloud environments to the data center and back again—and not always by the same route, as connections often change mid-transaction to address issues like latency. Trying to keep track of the who, what, when, where, and how of today’s network has broken the backs of many SecOps teams.

And that is just half of the battle. The threat landscape has also become more complex and sophisticated. Stealth and evasion technologies, multi-vector attacks, and malware “living off the land” make it harder to detect threats. Ransomware-as-a-Service and similar technologies have amplified the volume of serious threats. And threat actors have turned their attention on compromising under-protected and unprotected home networks so they can ride the VPN connections of remote workers back into the corporate network. Increasingly, SecOps teams are unable to keep up. While supply chain attacks and the interruption of critical infrastructure networks have recently captured our attention, we also witnessed a seven-fold increase (PDF) in the number of ransomware attacks in the second half of 2020.

Adding to the complexity challenge has been the accumulation of security tools deployed to protect the variety of new systems and network edges in place, usually due to digital transformation efforts. Respondents to a Ponemon survey last year estimated their organizations had, on average, more than 45 different security tools in place. And worse, each incident they responded to required coordination across around 19 tools—tools that were never actually designed to work together. 

Rethinking the SOC

To be clear, the trajectory of these trends is only going to accelerate. There is no indication that networks will suddenly cease to expand, that more devices won’t be added to the network, or that cybercriminals will stop looking for new ways to compromise your network. That means that unless a new approach is taken, SecOps teams struggling to keep up will soon be left hopelessly behind in the battle against their cyber adversaries.

[Virtual Event: Security Operations Summit | Dec. 8, 2021

The question is, what does a SecOps strategy designed to keep up with their evolving digital business requirements look like? What are its critical components?

A unified platform: The first issue is to reduce complexity as much as possible. That starts by building your SOC system on top of a single, unified platform—one that can be deployed in any environment, that can scale and adapt as network requirements evolve, and that can operate at the 5G (and beyond) speeds that new networks and their devices require. Of course, there are numerous security platforms out there. However, many aren’t much more than a collection of disparate solutions wrapped in a common box of sheet metal. To start, a proper platform solution must be based on a common OS, so everything functions consistently. Its enterprise-class tools must meet the highest standards (third-party validations and certifications are essential here) and be explicitly designed to interoperate. And it must be an open system, using APIs and common standards so that third-party tools can be easily integrated. And it must support a security-driven network strategy, enabling networking and security systems to function as a single, unified solution.

Strict network and application access control: Next, a SOC must continuously account for every connected device and every application in use. This means developing a zero-trust access (ZTA) strategy that not only authenticates users, devices, and applications based on a variety of criteria but also restricts their access to only those resources they need to do their jobs. And ZTA needs to be augmented with zero-trust network access (ZTNA) so that users are explicitly authenticated every time they access an application. This is the most effective strategy for maintaining visibility across every device connected to the network, restricting their actions, and controlling access to critical resources even by remote workers. Tools like SASE and SD-WAN extend this control further by combining security with connectivity. But the caveat is that users, applications, and devices don’t usually live in a cloud silo. This means that SASE solutions must be seamlessly integrated with the rest of the network so data protections, policies, and access controls can be seamlessly maintained end to end.

AIOps: Another critical component of any effective SOC solution is the ability to detect, investigate, and respond to threats as fast as possible. Traditionally, much of this sort of analysis has been done by hand. But as endpoint devices and network edges multiply, the attack surface continues to expand, and attacks become faster and harder to detect. This process needs to be replaced with AI and automation. AIOps applies artificial intelligence to IT functions to identify significant events and patterns related to system performance, availability, and security issues. 

An AIOps system can do the work of dozens of analysts, sifting through mountains of complex data to identify an abnormal event. But that isn’t enough. A truly effective system can also conduct a thorough investigation of such events, rather than handing that step over to human analysts—which is the case for most detection and response systems out there. And the time wasted on human intervention can mean the difference between a threat intervention and attack recovery. And advanced automation, leveraging the inherent interoperability of a common platform, enables security systems to launch a coordinated threat response, leveraging every necessary tool deployed anywhere across the network to repel attackers and isolate and remove malware.  

Scalability: The last step is to build a system designed to grow as your SOC operations mature. Outgrowing a SOC system can be a painful—and costly—proposition. It is much better to plan for growth from the beginning. Start with a common management and orchestration system so configurations can be easily distributed and policies can be consistently enforced across the network. As SOC operations grow, SIEM tools should be selected to collect data from multiple sources and interoperate with AI systems for enhanced analysis and response. XDR (network detection and response) systems should likewise be chosen based on their ability to use AI to not only detect and respond to threats but also automatically perform that critical middle step of investigation. And all of this should be able to be seamlessly integrated into a SOAR system so one standard view across the network can be maintained, with every device and application accounted for.

Building a SOC designed for tomorrow

SOC strategies are essential for organizations of every size. But they must adapt as networks evolve and scale as the network and its attack surface continue to grow. The critical elements of a common platform, network and application access control, integrated AI and automation, and a scalable system designed to grow and adapt with your business are the foundations of any effective SOC strategy. With such a system in place, organizations can confidently build the network they need to compete effectively in today’s digital marketplace.

view counter
John Maddison is EVP of Products and CMO at Fortinet. He has more than 20 years of experience in the telecommunications, IT Infrastructure, and security industries. Previously he held positions as general manager data center division and senior vice president core technology at Trend Micro. Before that John was senior director of product management at Lucent Technologies. He has lived and worked in Europe, Asia, and the United States. John graduated with a bachelor of telecommunications engineering degree from Plymouth University, United Kingdom.