Security Operations Centers (SOCs) are struggling to meet the demands of the evolving threat landscape. Today, most analysts only have access to a portion of their companies’ data due to the high cost of analysis and storage. Workflows are still rules-based or manual, leading to a reactive approach to threat intelligence instead of a proactive, efficient SOC. Compounded, these factors are keeping many SOCs out of the modern age of security.
Still, it’s important to remember that threat intelligence and hunting have come a long way in response to the adversaries at the door. With that in mind, what does a truly modern SOC look like? What are the pillars propping it up?
Key pillars of the modern SOC
Modern SOCs need to consider a huge volume of data and a broadening attack surface, and balance these factors with the need to shift toward a proactive threat hunting culture while keeping the bottom line in check.
- Move towards analyzing real-time data – it is more necessary than ever. Without live, hot data available to search, you need to search months of data in a data lake; this process can take hours or days, and requires exact search criteria and syntax that are unlikely to be right without a data scientist on hand at all times. This data lake approach is much too slow when a breach can unfold in mere seconds, and analysts are relying on an alert system that may not track all machine data.
- Gain full visibility of the attack surface. Business expansion has created an almost incomprehensible number of endpoints that serve as attack vectors for breaches. This means that while security information and event management (SIEM) is the widely-used solution for historical security data, attackers are now using all available data from endpoints, not just security data. SIEMs can no longer handle the volume of structured and unstructured data available to the security operations center, and the landscape is changing. In other words, all data is security data. SIEMs are an important piece of the puzzle, but you need more.
- Utilize valuable endpoint data. Today, endpoint detection and response (EDR) solutions record all activity taking place on the endpoint and stream it in real time to a local repository, empowering your SOC to enrich the data with rules to achieve stronger threat intelligence and detection. If, for example, an employee visits a known bad site, the “response” part of EDR can immediately act on a rule, such as “shut the network connection down”, whenever that site is visited.
- Conduct thorough employee training. Analysts can be highly trained and skilled at threat hunting and intelligence, but every business’ data security starts with employees. Without regular training to review security best practices and policies, a modern SOC is at risk.
Underscoring all of this, however, is always cost. In the past, the total cost of ownership (TCO) for collection, analysis, and storage of all data was prohibitive; the cost for centralized log management solutions to log all data could be astronomical given the high volumes of machine data digital businesses generate. To keep costs in check, businesses tend to keep a few weeks’ worth of historical data in their logs, and back the rest up to tape or another backup storage type. The problem with this approach is that you cannot threat hunt on tape – or on any other cold storage format. However, security analytics tools today deliver full capabilities at a much lower cost, thanks to innovations in data ingestion, so cost constraints no longer need to dictate security posture.
The future of the SOC
Unfettered visibility is important in any SOC. But it’s also critical to keep an eye on the future, and analysts must hone skills to combat the next phase of how adversaries are targeting companies: through artificial intelligence and machine learning. Attackers are beginning to dynamically shift on the fly; they no longer require an employee to click a phishing email to gain access to data. Next-generation attacks can execute from previews, shut off antivirus systems, escalate privileges, and even disable logs to hinder threat intelligence.
To achieve a modern SOC and to maintain a look towards the future, analysts should continue to enrich security posture with full data visibility and robust threat hunting and intelligence. Understand that malicious adversaries are hiding in plain sight – such as in Windows PowerShell, a tool designed for sysadmins – so threat hunting must evolve to look for tactics, techniques, and procedures (TTPs), instead of focusing purely on static indicators of compromise.
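As an added example (not code from the article or from Devo), the following shows the IOC-versus-TTP distinction in practice: a static hash list is matched against a handful of constructed PowerShell process-creation events alongside a small set of behavioural rules; the event schema, the hashes and the two-trait alert threshold are assumptions made for the illustration.

```python
import re

# Constructed process-creation events in a simplified schema (not a real EDR or Sysmon format).
PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
EVENTS = [
    {"host": "ws01", "image": PS, "parent": "winword.exe", "sha256": "constructed-hash-1",
     "cmdline": "powershell.exe -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -EncodedCommand QQBBAEEA"},
    {"host": "ws02", "image": PS, "parent": "explorer.exe", "sha256": "constructed-hash-2",
     "cmdline": "powershell.exe -File C:\\scripts\\inventory.ps1"},
    {"host": "ws03", "image": PS, "parent": "outlook.exe", "sha256": "constructed-hash-3",
     "cmdline": "powershell -nop -w hidden -enc QQBBAEEA"},  # same tradecraft as ws01, new hash, short flags
    {"host": "ws04", "image": PS, "parent": "cmd.exe", "sha256": "constructed-hash-4",
     "cmdline": "powershell.exe -ExecutionPolicy Bypass -File C:\\deploy\\install.ps1"},
]

# A static IOC list from an earlier incident (constructed); none of today's hashes are on it.
KNOWN_BAD_HASHES = {"constructed-hash-9"}

# TTP rules describe behaviour, so they keep matching when the payload, hash or flag spelling changes.
# PowerShell accepts abbreviated parameters (-enc, -w, -ep), so each pattern covers the short forms too.
TTP_RULES = [
    ("encoded_command", re.compile(r"-e(nc|ncodedcommand)?\b", re.I)),
    ("execution_policy_bypass", re.compile(r"-e[px]\w*\s+bypass", re.I)),
    ("hidden_window", re.compile(r"-w\w*\s+hidden", re.I)),
]
OFFICE_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe"}


def ioc_hits(events, bad_hashes):
    """Static-indicator matching: only fires on a hash that is already on the list."""
    return [e["host"] for e in events if e["sha256"] in bad_hashes]


def ttp_hits(events, min_rules=2):
    """Behavioural matching: alert when an event shows at least min_rules suspicious traits.
    Requiring more than one trait keeps a lone admin '-ExecutionPolicy Bypass' below the alert line."""
    alerts = []
    for e in events:
        matched = [name for name, rx in TTP_RULES if rx.search(e["cmdline"])]
        if e["parent"].lower() in OFFICE_PARENTS:
            matched.append("office_parent")  # script host spawned by an Office document
        if len(matched) >= min_rules:
            alerts.append((e["host"], matched))
    return alerts


if __name__ == "__main__":
    print("IOC hits:", ioc_hits(EVENTS, KNOWN_BAD_HASHES))  # []
    for host, traits in ttp_hits(EVENTS):
        print(f"TTP alert on {host}: {', '.join(traits)}")
```

The IOC pass returns nothing because the hashes are new, while the TTP pass alerts on ws01 and ws03 and leaves the single-trait admin deployment on ws04 alone.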
Julian Waits, GM Cyber Security Business Unit, Devo Technology