In the Detection and Response Era, a Unified SOC is the Path to Success
This may be cheesy, and half of you reading this may not have been alive at the time to remember, but President Ronald Reagan’s appeal more than 30 years ago to “tear down this wall” is advice security professionals should heed as well. A reunified Germany is now an economic powerhouse, affording its citizens a better quality of life. We can make the Security Operations Center (SOC) a powerhouse too by tearing down walls between the various security groups in an organization. This will allow us to allocate our resources – talent and technology – in new ways, to strengthen security posture. And we need to do this now.
With the recognition that it’s not a matter of if, but when and how we’ll be attacked, the mission of the SOC has shifted to detection and response. SOC teams need the ability to detect, investigate, analyze, proactively hunt and respond to threats. These tasks require highly skilled personnel that are difficult to find, particularly given the global cybersecurity skills shortage of three million and growing. The shortage has a direct impact on SOC efficiency and effectiveness.
Enterprise Strategy Group (ESG) recently surveyed cybersecurity professionals and Information Systems Security Association members on their experiences on the job. The report, “The Life and Times of Cybersecurity Professionals 2018,” concludes that the ramifications of the skills shortage include an increased workload on existing staff, an inability to fully learn or utilize some security technologies to their full potential, and the need to recruit and train junior employees rather than hiring experienced cybersecurity professionals.
Outsourcing is one of the strategies that organizations are using to address the shortage. Gartner predicts that services will represent at least 50% of security software delivery by 2020. Outsourcing is a great way to augment your existing staff and expertise, but you can’t outsource everything. You still need to find a better way to use the resources you have.
I’ve written previously about how SOCs are using automation to offload time-intensive and manual tasks that bog down Tier 1 analysts and result in burnout and human error. This frees them up to transition to Tier 2 and Tier 3 activities. In effect, automation increases your pool of talent to focus on investigation and response and help address the shift in mission.
The next step is to rethink how you allocate this larger team across Tier 2 and Tier 3 tasks, including incident response and hunting, detection engineering, threat intelligence and monitoring and detection. Instead of a traditional escalation model where Tier 2 and Tier 3 analysts work independently and have limited visibility into tasks others are performing, consider flattening the organizational structure and adopting a collaborative model.
With a platform that offers a single collaborative environment, fusing together threat data, evidence and users, analysts can collaborate and share information. Incident response and threat hunting improves because rather than working in parallel, analysts can automatically see how the work of others impacts and further benefits their own work. They can use that knowledge to pivot and accelerate investigations that are separate but related. The platform stores a history of investigations, observations and learnings about adversaries and their tactics, techniques and procedures (TTPs). Analysts can search for and compare indicators across the infrastructure and find matches between high-risk indicators and internal log data that suggest possible connections. Working together, they can explore every corner of the organization to pinpoint adversary TTPs and find and totally remediate malicious activity.
To improve detection engineering, the SOC can share the internally created intelligence with the rest of the security operations team. For example, the endpoint and perimeter teams can check hashes and reputation lists to block for anything that is known to be similar or associated with the attack campaign.
To support the threat intelligence function, the platform also serves as a central repository of the many external threat feeds you subscribe to. Global threat data is normalized, augmented and enriched with context from internal threat and event data to provide a single source of truth. To reduce the noise, data can be prioritized for relevance using customized risk scores based on parameters you set instead of relying on the global risk scores some vendors provide. As new data and learnings are added to the platform, intelligence is automatically reevaluated and reprioritized allowing teams to focus monitoring and detection on high-risk threats.
Finally, a collaboration model releases some of the pressure security professionals told ESG they struggle with as a result of the skills shortage. With more time and resources focused on the mission thanks to automation, and greater visibility across a shared environment, they can start to take full advantage of the security tools and technologies the organization has invested in to strengthen security posture. And junior analysts can learn from others, ramp up more quickly and contribute sooner to furthering the SOC mission.
The time has come for us to tear down the walls, flatten the SOC structure and move to a collaborative model. It’s the next step towards delivering on the detection and response mission.