A proven way to improve an organization’s security posture, operational efficiency and incident responsiveness is to consolidate security data, staff and operations in a single group and (virtual) location via a security operations center (SOC). SOCs, which combine talented IT security staff with specialists from various disciplines, require the best people, processes and technology to protect an organization. But in reality, SOCs are often saddled with legacy software and processes that are inadequate for today’s constantly evolving threats.
SOCs handle security monitoring, threat and vulnerability management, incident response, post-hoc security forensics, attack reverse engineering and analysis, and security compliance management. It’s a broad charter that needs software automation to handle information streams from many different systems, constantly changing threat signatures and complex workflows.
The Legacy SOC
SOCs often use legacy security information and event management (SIEM) platforms, which result in significant operational overhead, steep learning curves and cumbersome user interfaces. This “legacy” approach to a SOC runs counter to the agile, multi-platform, continuous delivery DevOps environments that most leading IT organizations have adopted.
A legacy SOC can only handle limited data sources, and has rudimentary and rigid data search, reporting and analytics capabilities. Anomaly detection and risk scoring are limited. As a closed, proprietary platform, a SIEM point product is difficult—if not impossible—to extend with new features via SDKs and APIs.
Legacy SOCs use traditional prevention technologies that are reactive and not analytics-driven. When the security protection fails by missing a previously unseen threat, the affected organization is often left waiting and exposed, while the vendor develops a security update.
Legacy SIEMs are designed around monitoring, rather than investigative and response capabilities. They tend to be log collection and event-driven, rather than proactive. They can’t tap into distributed threat intelligence or global repositories for real-time threat information. And they leverage a variety of point products, rather than being designed around end-to-end security management.
The Lean SOC
We think it’s time for security teams to rethink SOC design. A lean SOC provides agility, flexibility and scalability, while improving the efficiency and effectiveness of security staff and tools.
A lean SOC has four defining characteristics:
- Real-time threat intelligence – A lean SOC can automatically collect, aggregate and de-duplicate threat feeds from a broad set of sources and support multiple threat databases, including STIX/TAXII, OpenIOC, Facebook and custom-defined sources. Real-time threat intelligence ensures that organizations aren’t left exposed to attacks that others have already seen, characterized and developed mitigation steps for.
- Advanced analytics and data visualization – A lean SOC summarizes activity with intuitive dashboards that prioritize, contextualize and analyze threats and suggest appropriate remediation steps. Threat detection can be automated with data analysis that incorporates machine learning and user behavior analysis toolkits. Together, machine-learning algorithms and visualizations minimize false positives, which lets security analysts focus their attention on real threats rather than chase false alarms.
- Advanced data search and filtering – A lean SOC can proactively flag actual security incidents to help security analysts investigate and understand their scope and methods. By incorporating advanced search and data filtering, analysts can reduce the time spent sifting through endless volumes of log data spread across dozens of systems. Search and filtering help analysts correlate seemingly unrelated activities that are part of a single advanced attack.
- Advanced automation – Security teams can programmatically collect intelligence, aggregate data from a broad set of security products and data sources, and take response actions across the security ecosystem. By automating whenever possible, organizations can create the security equivalent of continuous delivery by constantly monitoring, reporting and acting upon security incidents from across the entire infrastructure. To increase detection and staff efficiency, automation capabilities should include both prescriptive rules and machine learning that can handle routine aspects of detection and investigation.
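The first and third characteristics above (feed aggregation with de-duplication, and correlating activity from different systems against that intelligence) in one small working example, added here and not part of the original post. The two feed schemas, the event records, the host names and the ten-minute correlation window are constructed assumptions; the indicator values are documentation-range addresses and reserved names, not real indicators.

```python
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed feeds in two different schemas (documentation-range values only).
FEED_A = [{"type": "ipv4", "value": "203.0.113.10", "source": "feed-a"},
          {"type": "domain", "value": "Bad.Example", "source": "feed-a"}]
FEED_B = [{"kind": "ip", "indicator": "203.0.113.10", "src": "feed-b"},
          {"kind": "fqdn", "indicator": "bad.example.", "src": "feed-b"}]
TYPE_MAP = {"ipv4": "ip", "ip": "ip", "domain": "domain", "fqdn": "domain"}
# Constructed events from three systems (proxy, EDR, VPN) for two hosts.
EVENTS = [
    {"ts": "2024-05-01T10:00:00", "system": "proxy", "host": "ws-42", "dst": "bad.example"},
    {"ts": "2024-05-01T10:04:00", "system": "edr", "host": "ws-42", "dst": ""},
    {"ts": "2024-05-01T12:00:00", "system": "proxy", "host": "ws-07", "dst": "bad.example"},
    {"ts": "2024-05-01T12:30:00", "system": "vpn", "host": "ws-07", "dst": ""},
]

def canon(value):
    """Canonical indicator form: trimmed, lower-case, trailing dot removed."""
    return value.strip().lower().rstrip(".")

def normalize(feed, type_key, value_key, src_key):
    """Map one feed's own schema onto (type, value, source) tuples."""
    for item in feed:
        yield TYPE_MAP[item[type_key]], canon(item[value_key]), item[src_key]

def aggregate(*streams):
    """De-duplicate across feeds; keep the set of sources reporting each one."""
    merged = defaultdict(set)
    for stream in streams:
        for itype, value, src in stream:
            merged[(itype, value)].add(src)
    return dict(merged)

def correlate(events, indicators, window=timedelta(minutes=10)):
    """Flag a host when an indicator hit in one system is followed, within the
    window, by activity that a different system reported for the same host."""
    by_host = defaultdict(list)
    for ev in events:
        by_host[ev["host"]].append(ev)
    incidents = {}
    for host, evs in sorted(by_host.items()):
        evs.sort(key=lambda e: e["ts"])
        for hit in [e for e in evs if any((t, canon(e["dst"])) in indicators
                                          for t in ("ip", "domain"))]:
            t0 = datetime.fromisoformat(hit["ts"])
            related = [e for e in evs if e["system"] != hit["system"] and
                       timedelta(0) <= datetime.fromisoformat(e["ts"]) - t0 <= window]
            if related:
                incidents[host] = [hit] + related
    return incidents
```

With the constructed data, ws-42 is flagged (proxy hit followed by EDR activity four minutes later) while ws-07 is not, because its VPN event falls outside the window.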
Force Multiplier: The Agility of a Cloud Service
Shifting to the cloud can further streamline a lean SOC. Using a SaaS platform for a SOC significantly reduces OpEx and eliminates CapEx. And it ensures that more of an organization’s security spending goes to actual security people and processes, not infrastructure and maintenance.
SaaS dramatically speeds SOC deployment. And with the right provider, SaaS delivers reliable, secure, customer-proven implementations that leverage hardened, scalable cloud infrastructure and the collective expertise of a SaaS provider. A cloud-based lean SOC allows security teams to focus on security-related tasks, not infrastructure administration.
A SOC That Fits
In today’s complex threat landscape, it’s nearly impossible to maintain tight security and rapidly respond to cyber-incidents without a SOC that’s designed for a dynamic, multifaceted and data-rich IT landscape. A lean SOC that enables data collection, analysis and automation provides organizations with real-time threat detection, security reporting and incident response. And that allows security pros to focus on prevention and rapid remediation, not system administration and chasing false positives.