The First Building Block for the SOC of the Future is Data
Data is the lifeblood of security because it provides context from a wide range of internal and external sources
Previously, I discussed the concept of the SOC of the future, with a mission to be a detection and response organization. Entirely new solution categories have emerged to support this mission, including Security Orchestration, Automation and Response (SOAR) and, more recently, Extended Detection and Response (XDR). Thousands of reports, articles and research papers have been written on each.
As a security professional it’s important to remain informed about security innovations and update your tools and technologies. But you risk limiting the value you can derive from your next security investment without first thinking about your top use cases and the capabilities needed to address them. Threat detection and monitoring, investigation, incident response and hunting are all use cases aimed at detection and response. And the starting point for each of these use cases is to focus on data.
Data is the lifeblood of security because it provides context from a wide range of internal and external sources, including systems, threats, vulnerabilities, identities and more. When security is data-driven, teams have the context to focus on relevant, high-priority issues, make the best decisions and take the right action. Data-driven security also provides a continuous feedback loop that enables teams to capture and use data to improve future analysis.
A data-driven approach to security challenges earlier process-driven approaches that take the tack of accelerating response by defining a process and automating the steps needed to complete that process. Instead, data-driven is based on the premise that you need to start by analyzing data to determine that the right criteria are met and once something meets the criteria, then the appropriate process is triggered. Automating and orchestrating noisy data just amplifies the noise. And in a dynamic and variable environment, the operational reality is that you need to continuously ensure you have the right data to focus on what really matters to your organization, use that data to ensure the right actions are taken faster, and capture feedback to learn from actions taken for improvement.
So, how do you help your SOC to focus on data?
Start by aggregating events and associated indicators from inside your environment, for example from your SIEM system, log management repository, endpoint detection and response (EDR), case management system and other security infrastructure. Then correlate this data to connect the dots and understand how events may relate to one another, and augment and enrich it automatically with threat data from the multiple sources you subscribe to – commercial, open source, government, industry, existing security vendors, as well as frameworks like MITRE ATT&CK. Normalizing all this data from different sources, formats and languages makes it usable. You can then correlate events and associated indicators from inside the environment with external data on indicators, adversaries and their methods, contextualizing information from internal systems to understand relevance to the organization and the who, what, where, when, why and how of an attack.
With an understanding of relevance to your organization, you can determine the right data to focus on first and which can be kept as peripheral, so you can work efficiently and effectively. The ability to assign risk scores allows you to prioritize data based on your environment and your company-specific risk profile. With parameters you set around source, type, attributes and context, as well as adversary attributes, you can filter out what’s noise for your organization and prioritize what really matters. For instance, data from trusted sources about attacks and vulnerabilities specific to your industry and geography, to your business model and supporting infrastructure, or that may affect third parties your organization works with, coupled with sightings of those indicators or vulnerabilities within your environment, requires immediate attention. Once analysis happens and decisions are made, prioritized data is translated into the format and language the different tools in your security infrastructure can understand, to drive detection, prevention and response.
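As an added illustration of the aggregate, normalize, correlate, score and translate steps described above (example code written for this article, not from the column or any product it mentions), the following Python sketch assumes constructed SIEM and EDR feeds, a constructed threat feed, a hypothetical organization profile and arbitrary scoring weights:

```python
# Constructed sample data (not real indicators): two internal sources with
# different schemas and one external threat feed using RFC 5737 test addresses.
SIEM_ALERTS = [
    {"src_ip": "10.0.0.5", "dest_ip": "203.0.113.10", "rule": "outbound-beacon"},
    {"src_ip": "10.0.0.9", "dest_ip": "203.0.113.99", "rule": "dns-anomaly"},
]
EDR_DETECTIONS = [
    {"host": "ws-17", "remote_addr": "198.51.100.7", "detection": "credential-dump"},
]
THREAT_FEED = [
    {"value": "203.0.113.10", "source": "isac", "trust": 0.9, "adversary": "GroupA", "sectors": ["finance"]},
    {"value": "198.51.100.7", "source": "osint", "trust": 0.4, "adversary": None, "sectors": []},
    {"value": "192.0.2.44", "source": "isac", "trust": 0.9, "adversary": "GroupA", "sectors": ["finance"]},
]
ORG_PROFILE = {"sector": "finance", "trusted_sources": {"isac", "vendor"}}  # hypothetical org

def normalize(siem_alerts, edr_detections):
    """Map both internal schemas onto one shape so they can be correlated."""
    events = [{"indicator": a["dest_ip"], "origin": "siem", "context": a["rule"]} for a in siem_alerts]
    events += [{"indicator": d["remote_addr"], "origin": "edr", "context": d["detection"]} for d in edr_detections]
    return events

def score(entry, sightings, profile):
    """Risk score from source trust, sector relevance, attribution and internal sightings.
    The weights are arbitrary assumptions chosen for illustration."""
    s = entry["trust"] * 40
    s += 10 if entry["source"] in profile["trusted_sources"] else 0
    s += 20 if profile["sector"] in entry["sectors"] else 0
    s += 10 if entry["adversary"] else 0
    s += 30 if sightings else 0  # the indicator was actually seen inside the environment
    return round(s, 1)

def prioritize(feed, events, profile, threshold=50):
    """Correlate feed indicators with internal events, score them, and drop the noise."""
    seen = {}
    for e in events:
        seen.setdefault(e["indicator"], []).append(e)
    ranked = []
    for entry in feed:
        hits = seen.get(entry["value"], [])
        ranked.append({"indicator": entry["value"], "score": score(entry, hits, profile),
                       "sightings": len(hits), "adversary": entry["adversary"]})
    ranked.sort(key=lambda r: r["score"], reverse=True)
    return [r for r in ranked if r["score"] >= threshold]

def to_blocklist(ranked):
    """Translate prioritized indicators into a simple line format a downstream control could ingest."""
    return [f"block ip {r['indicator']}  # score={r['score']} sightings={r['sightings']}" for r in ranked]
```

Running `to_blocklist(prioritize(THREAT_FEED, normalize(SIEM_ALERTS, EDR_DETECTIONS), ORG_PROFILE))` keeps the sector-relevant, attributed indicator seen on the network at the top and drops the low-trust OSINT hit below the threshold.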
A data-driven approach comes full circle, delivering feedback that continues to enrich the data. Results of actions taken provide additional context. And priorities, threats, campaigns and vulnerabilities are updated as they evolve, so that data remains dependable. You can learn and adjust to all these dynamics, collecting more data and context throughout the process and analyzing and applying it to update prioritization and scoring for continuous improvement.
The ability to focus on data is just one core capability the SOC of the future needs to be efficient and effective. But there’s more to it. Human involvement is crucial to learning and effectiveness. And we haven’t touched on the architecture required to get data in and send data out efficiently. These are topics for next time.