SOC 2.0 Security Operations Center

A SOC (Security Operations Center) achieves its best results, and truly minimizes cyber risk, only when everyone is on board and security is made everyone's responsibility.

As early as a few years ago, enterprises began to create SOCs to centralize threat and vulnerability monitoring and response. The goal of the first-generation SOC is to centrally manage, analyze, and respond to alerts and events from multiple disparate edge and endpoint tools. Operators typically sit at the console of a specific tool, such as a DLP, or a SIEM tool that collects all logs into one place. Additional visualization and mapping screens are also prominently displayed for visiting executives to inspect.

The SOC was born to bring response staff together, strengthen collaboration between different security domains, and make it easier to "catch the bad guys." However, having employees manually sift through mounds of data to find connections among isolated events and indicators is proving inefficient, unsustainable and overwhelming, especially as data volumes continue to explode and the supply of qualified analysts grows too slowly to close the talent gap.

In addition, attacks are becoming increasingly complex and harder to detect. Because we lack more advanced mechanisms to connect different sensors and behavioral data, detecting these increasingly complex threats is harder still.

To keep up with hackers, we need to arm operators with the ability to make decisions as quickly as possible and take the most effective action.

Consolidation or integration doesn't just mean putting data into one centralized place, or even getting it all into one tool. If you want to extract truly meaningful intelligence from the massive data flowing through the SOC, you must put them all into a unified model and change the SOC's perspective from isolated events to interactive entities. The key to integrating all this data in a meaningful way is adding context.

Technical incident data lacks business and risk context and therefore cannot effectively drive a prioritized response. Ultimately, the goal is not to block every attack or respond to every event from every sensor. Just as business continuity planning does not seek to (and cannot) prevent every possible business interruption, but instead manages risk by ensuring that business-critical processes retain appropriate operability, the goal of a SOC is to mitigate those risk factors that pose the greatest business risk.

Embedding company and information asset context into integrated data models provides analytical tools and human operators with the necessary business context to prioritize their response actions based on importance from an operational and financial perspective.

The human factor is the biggest challenge in SOC operations. Although we all dream of solving the technical talent shortage by completely automating the entire detection and response process, that is unlikely to come true in the foreseeable future. Therefore, the current focus should be on using machine learning, artificial intelligence, and automated analysis tools to minimize the expertise and manual effort SOC operators need to do their work. This includes using behavioral and value-at-risk analysis tools to minimize false positives, giving operators "next step" instructions based on business risk, and providing mechanisms to validate and understand identified risks with a minimum of clicks.

A logical extension of allowing SOC operators to work more efficiently is to add automated response options for verified risks. Once analysts have reviewed and verified the nature of the discovered threat or vulnerability, they should be able to take automated action at the click of a button.
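The three ideas above (enriching raw sensor alerts with asset and business context, ranking them by business risk with a suggested next step, and letting an automated response run only after an analyst has verified the alert) can be shown in one small triage loop. This is an added example, not code from the original post; the asset inventory, detection-type weights, "next step" text and sample alerts are all constructed assumptions, and the isolation action only records what a real EDR containment call would do.

```python
"""Risk-based alert prioritization with analyst-gated automated response.

Added example, not from the original post. Asset names, alert fields,
scoring weights and guidance strings are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed asset inventory: the business context the post says raw
# sensor events lack. Criticality runs from 1 (low) to 5 (crown jewel).
ASSETS: Dict[str, dict] = {
    "pay-db-01": {"criticality": 5, "owner": "finance",    "data": "PCI"},
    "hr-app-02": {"criticality": 4, "owner": "hr",         "data": "PII"},
    "kiosk-17":  {"criticality": 1, "owner": "facilities", "data": "none"},
}
UNKNOWN_ASSET = {"criticality": 3, "owner": "unknown", "data": "unknown"}

# Constructed weights: how strongly each detection type suggests a real
# intrusion. Behavioural signals outrank noisy ones such as port scans.
DETECTION_WEIGHT = {
    "credential_dumping": 5,
    "lateral_movement": 4,
    "malware_signature": 3,
    "port_scan": 1,
}

# Constructed "next step" guidance keyed on detection type.
NEXT_STEP = {
    "credential_dumping": "Confirm the credential access in the EDR timeline; rotate affected credentials.",
    "lateral_movement": "Review authentication logs for the source account; isolate if confirmed.",
    "malware_signature": "Check whether the file executed; pull the sample for analysis.",
    "port_scan": "Verify the source is not an authorised scanner before escalating.",
}


@dataclass
class Alert:
    alert_id: str
    host: str
    detection: str
    sensor: str
    verified_by: Optional[str] = None  # analyst who confirmed the alert, if any


def enrich(alert: Alert) -> dict:
    """Attach asset context and a business-risk score to a raw sensor alert."""
    asset = ASSETS.get(alert.host, UNKNOWN_ASSET)  # unknown hosts get a conservative default
    weight = DETECTION_WEIGHT.get(alert.detection, 2)
    return {
        "alert": alert,
        "owner": asset["owner"],
        "data": asset["data"],
        # risk = detection confidence (weight) x business impact (criticality)
        "risk_score": weight * asset["criticality"],
        "next_step": NEXT_STEP.get(alert.detection, "Triage manually."),
    }


def prioritize(alerts: List[Alert]) -> List[dict]:
    """Return enriched alerts ordered by business risk, highest first (stable for ties)."""
    return sorted((enrich(a) for a in alerts), key=lambda e: e["risk_score"], reverse=True)


def isolate_host(alert: Alert) -> dict:
    """Automated response that runs only after an analyst has verified the alert.

    Returns {"executed": bool, "message": str}; a real SOC would call the
    EDR's containment API where the message is built.
    """
    if not alert.verified_by:
        return {"executed": False,
                "message": f"{alert.alert_id}: refusing to isolate {alert.host} without analyst verification"}
    return {"executed": True,
            "message": f"isolated {alert.host} (alert {alert.alert_id}, verified by {alert.verified_by})"}


# Constructed sample alerts from three different sensors.
SAMPLE_ALERTS = [
    Alert("A-1001", "kiosk-17",  "credential_dumping", "edr"),
    Alert("A-1002", "pay-db-01", "lateral_movement",   "netflow"),
    Alert("A-1003", "hr-app-02", "port_scan",          "ids"),
    Alert("A-1004", "pay-db-01", "port_scan",          "ids"),
]

if __name__ == "__main__":
    for e in prioritize(SAMPLE_ALERTS):
        a = e["alert"]
        print(f"{e['risk_score']:>3}  {a.alert_id}  {a.host:<10} {a.detection:<19} "
              f"owner={e['owner']:<10} -> {e['next_step']}")
    print(isolate_host(SAMPLE_ALERTS[1])["message"])       # blocked: not yet verified
    SAMPLE_ALERTS[1].verified_by = "analyst.kim"
    print(isolate_host(SAMPLE_ALERTS[1])["message"])       # now executes
```

Note the ordering the scores produce: lateral movement against the payment database (risk 20) outranks credential dumping on a facilities kiosk (risk 5), which a severity-only queue would have placed first. That reordering is exactly what adding asset context to the data model buys, and the `verified_by` gate keeps the one-click response from firing on an unreviewed alert.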

No matter how many SOC operators a company has, they cannot be on all sides at the same time, nor can they fully understand the specific situation of everyone in the company. To achieve the best results from a SOC and truly minimize cyber risks, everyone needs to be on board to make security the responsibility of everyone.

Whether it's individual email users flagging potential phishing emails, or application owners identifying unusual behavior in their own applications, everyone in the company should be considered a conduit to the SOC. This does not mean that everyone is part of the SOC, but everyone should be aware of cyber risks and have the ability to inform the SOC.

Just as every employee can provide intelligence on suspicious incidents within the company, collaboration with other companies and governments will increase the likelihood that one's own company will prevent an attack. The increased sharing and implementation of threat intelligence from vendors, third-party organizations, and government information centers is becoming increasingly critical to success.

An early SOC is a critical first step in taming the cybersecurity beast. Like any other critical business operation, best practices are born out of lessons learned, and technological innovation will more efficiently minimize the business impact of cybersecurity risks.

It’s time to implement SOC 2.0!

Source: blog.csdn.net/Arvin_FH/article/details/132732170