As security operations centers (SOCs) continue to evolve, enterprises are challenged with enhancing their ability to detect cyberthreats and keep themselves from harm, according to a recent report about building successful SOCs from the Information Security Forum (ISF).
The reality is, SOC teams are struggling from limited resources compounded by a skills shortage. In fact, some organizations don’t even know whether they have a SOC, according to Michael Coates, CEO and co-founder of Altitude Networks.
“For a lot of organizations, the SOC consists of a person, but having a dedicated security person you call a SOC is not a SOC,” he says. “A SOC is people, but it’s also process and technology.”
Because organizations are having a hard time recruiting and retaining talent, they often rely more on technology than people. And because these businesses vary in size and hail from different industry sectors, it also is difficult to definitively say how a SOC should be constructed and run.
But fear not. as businesses look to the future and invest in next-generation tools, here are some considerations for more effective planning.
If They Build It, Visibility Will Come
The question of, “What’s the right way to do it?” is a natural inquiry when building pretty much anything. When it comes specifically to a SOC, focusing on the elements that can drive a program’s maturity should be the foundation from which a security team starts, says Amos Stern, CEO and co-founder at Siemplify.
“Security operations is basically an operation, and the maturity of your SOC is basically a derivative of the investment in your people,” Stern says. “How well is the process of running the SOC understood? Rather than relying on individual heroics of different analysts or engineers, an organization needs to have a very well-defined process of how to respond to different types of threats and how to do vulnerability management and work with threat intelligence.”
Organizations are all too familiar with the risk of financial loss, customer attrition, and reputational damage that comes from a data breach, which is why they can no longer afford to rely solely on reactive measures, says Steve Durbin, managing director of the Information Security Forum.
The security operations priority must be to identify threats, resolve security issues, and prevent adversaries from disabling or degrading business operations. “Without a SOC, organizations lack real-time visibility of threats, impeding their ability to protect business critical assets and effectively manage information risks,” Durbin says.
A number of practical considerations, including understanding the capabilities that can be provided by a SOC and whether a business case to initiate a SOC implementation exists, should frame an organization’s approach to investing in its operations center. The challenge, however, is that each new system then requires expertise to configure and use it.
“A significant issue for today’s as well as next-gen SOC teams is dealing with alert fatigue stemming from wading through large volumes of incidents with inconclusive threat scores and false positives,” says Atif Mushtaq, CEO at SlashNext.
Accuracy of Detection
As solutions continue to evolve, SOC teams will demand better, more accurate performance from their systems so they can focus on preventing and dealing with real threats, Mushtaq says. “One area that is seeing marked improvement is with anti-phishing controls,” he says. “Improved email security plus accurate, real-time phishing threat intelligence are being employed.”
Key technologies currently in use in the modern SOC include intrusion detection/prevention systems, security information and event management systems, data loss prevention software, and threat intelligence and vulnerability management platforms. Looking forward, the next-gen SOC will be heavily integrated with artificial intelligence and machine-learning systems, says Larry Johnson, CEO of CyberSponse.
Still, technology should not replace people. Instead, it should be used to enable experienced security staff so they can be faster, more efficient, and less error-prone.
“This will be transformative technology, but it won’t be effective without experienced staff to operate it,” Johnson says. “The SOC of the future will do three things far better than today: efficiency, standardization, and visibility, particularly for non-technical leadership so that they better understand the nature of the threats facing their organization and how their security staff is responding.”
On, In, or Out?
Part of building a SOC also requires organizations to decide whether it will be an internal, external, or hybrid. Each has its pros and cons. The upsides to an internal SOC include the assurance that comes with it being staffed by employees who are familiar with the organization’s infrastructure and understand its security posture. That said, making an internal SOC successful comes at a cost.
A more cost-friendly route could be contracting an external party to deliver SOC services, according to Durbin.
“An external SOC has the advantage of minimal initial outlay costs and reduced running costs due to the economies of scale associated with outsourcing,” he says. “However, it is also important for organizations to recognize that they retain responsibility for the SOC and therefore need to keep SOC governance in-house.”
Members of ISF have expressed to Durbin that a hybrid SOC offers “the best of both worlds” by addressing some of the limitations that can encumber the performance of an internal or external SOC, he says.
“A hybrid approach combines the benefits of an in-house SOC, including greater control and specific business domain knowledge, with the technical expertise and operational experience of an external provider,” Durbin says.
Square Peg, Round Hole
While organizations should be aware of industry best practices (NIST, MITRE), Johnson warns that companies should avoid the “best practices trap.”
“Organizations often screw up by only pegging their programs to those broader standards and practices,” he says. “Every company is unique in size, industry, and scope, and you have to cater your SOC to your own specific needs and risks. There is no one-size-fits-all plan for this.”
Image Source: Ico Maker via Adobe Stock
Kacy Zurkus is a cybersecurity and InfoSec freelance writer as well as a content producer for Reed Exhibition’s security portfolio. Zurkus is a regular contributor to Security Boulevard and IBM’s Security Intelligence. She has also contributed to several publications, … View Full Bio