Facing the constantly changing tactics of attackers and the ever-growing volume of log data, the SOC needs to evolve to better anticipate threats.
The main structuring points of the Augmented SOC: rethinking the building blocks of operational security
In 2000, early SIEM systems, the main component of traditional Security Operations Centers, were a real relief for security officers. With the increasing number of tools and the endlessly expanding logs they produce, SIEM solutions allowed them to collect all this data and conduct security intelligence and analytics on it. Today the reality is different, and SOC managers have seen the limitations of those solutions.
The Return on Investment
Maybe more than anywhere else, in cybersecurity time is money, and the efficiency of an incident response team depends mainly on its ability to act fast against cyberthreats. In this context, the latency between your different engines can be a real disadvantage for security teams. That is why, instead of measuring the efficiency of your system by the number of events processed per second, the "mean time to identify" and the "mean time to remediate" are far better proof of effectiveness, according to Microsoft experts.
The False Positives
Writing rules for security analytics is not an easy job. Rules are designed to let analysts examine the incoming data, but the smallest error can lead to a large number of false positives that keep analysts from investigating real incidents. The result is that, instead of providing useful signals to prevent threats, many threat intelligence feeds overlap and create more inertia than they eliminate. SOC managers are aware that the problem comes from a lack of the right tools to help. Basically, humans are very good at identifying patterns but very bad at noticing details, especially when overwhelmed by similar data.
The analyst bore-out
On the human level, the result is a bore-out of many SOC analysts. Overwhelmed by a tremendous amount of data to examine, they are kept away from the higher-value parts of their job, such as threat hunting and investigation. As a result, many analysts feel undervalued and lack perspective on how their job will evolve, which can lead to a drop in productivity and vigilance. Unsurprisingly, experts recommend freeing analysts from the most repetitive tasks of the job by providing them with automation and orchestration tools, allowing them to spend more time on more fulfilling work. The analyst bore-out has a more insidious consequence for the organization: the risk of seeing talent leave. This risk should not be neglected when Forrester announces a real skills shortage, with up to 1.8 million cybersecurity jobs unfilled by 2022.
The Data Collection Challenges
If organizations are unable to get all critical log data into the system, the risk of false negatives increases significantly, along with costly blind spots. It is not unusual to see a SIEM system overwhelmed by the volume of data. As explained in the section above, those events might not even be investigated because the analysts are overwhelmed too. And so the cycle repeats!
What are the security building blocks of tomorrow?
Facing the endlessly changing tactics of the bad guys, tomorrow's SOC will need to anticipate the threat. Companies realize that at some point they will be compromised. Protection is essential, but it is not enough. The key to preventing a large breach is anticipation and detection. The SOC must be able to detect quickly and accurately, and to block and clean up the threat.
It will also need to better evaluate the low-risk events missed by current solutions.
Increase the incident contextualization
More and more cyberthreats come from unknown sources, so collecting contextual data is crucial for evaluating the priority of an incident. Analysts have to deal with so many different alerts that they need to prioritize their response. Threat intelligence tools allow analysts to increase their knowledge of threat indicators and better understand the steps of an attack. All good SOC analysts know it: in threat intelligence, context is key!
Value the people through automation
Collecting all the data you can has no value without the ability to analyze it. Analysts need the time and the capability to investigate and to focus on tasks with more added value. It might seem paradoxical, but valuing the people goes through automating the tasks with the least added value. The whole goal of automation is to gain velocity, whether in detecting incidents or in contextualizing threats. While fully automated systems can be inefficient or even dangerous, choosing the right scope to automate in your cyber defense strategy might be the answer!
If you need one more reason to start using automation, the bad guys already do: very recently, researchers revealed two tools that automate phishing attacks!
- Read our article on the IACD framework to guide security operational teams on the path towards security automation
Embrace the Machine Learning
Automatic alert detection and enriched monitoring are becoming unavoidable. The future therefore belongs to the “augmented” analyst. The need for reduced human intervention in detection is real, even more so when Forrester announces a huge security skills shortage by 2020. Therefore, the learning curve of AI engines should focus on the activities of qualification, contextualization, response and remediation.
Adopt a cloud-based security
As many corporate IT units and systems move to the cloud, analytics-driven security is growing there too! We are speaking here about solutions defined as platforms that empower organizations to stay ahead of ever-changing cyberthreats and quickly remediate breaches when they happen, while still being able to focus on critical business needs. You need faster tools that give your analysts every insight they need in the shortest possible time. Latency is a real problem in security. The law of data gravity, introduced a decade ago, states that the larger the mass of data, the greater its inertia. Therefore, the system must come to where the data is, rather than the data to the system, in order to minimize response time. SOC vendors should focus on creating platforms that embrace the data gravity law. As Gartner predicts: “By 2022, 50% of all SOCs will transform into modern SOCs with integrated incident response, threat intelligence and threat hunting capabilities, up from less than 10% in 2015.”
Are you ready to get a glimpse of tomorrow’s SOC? Try SEKOIA.IO today!