IT Focus Area: security
November 2, 2018
Building the Next-Generation SOC
The most critical component in responding to threats is the security operations center (SOC). But SOC teams are understaffed, under skilled, and overworked. Many are forced to ignore alerts that should be investigated further because they can’t keep up with the overall volume. This makes it very difficult—even for companies that do have skilled in-house security talent—to streamline operations and decrease the time it takes to detect and remediate security incidents.
Keeping up with cybersecurity threats is daunting for even the most security-conscious companies. While security budgets and spending are on the rise, simply throwing time and money at your security infrastructure isn’t enough. You have to pick your battles and allocate budget to the technologies and strategy that will mature your security operations now, and in the future.
According to Gartner, the security operations center must become continuously adaptive via analytics
–Gartner, Use a CARTA Strategic Approach to Embrace Digital Business Opportunities in an Era of Advanced Threats
The Evolution of SIEM
Security Information and Event Management (SIEM) has been at the heart of security operations for years. SIEM technology supports threat detection and security incident response through the real-time collection and historical analysis of security events from a wide variety of event, flow, and contextual data sources. While organizations have had a love-hate relationship with SIEM as they struggle to find patterns in data, the technology has evolved from a simple tool designed to facilitate compliance into a security intelligence threat detection system empowering analysts to quickly and effectively respond to security incidents.
Traditional vs. Modern SIEM
Traditional solutions generate alerts to notify analysts about potential issues by pulling together event and flow data from numerous sources, then performing correlation and risk prioritization. They’re great at aggregating data from disparate systems, enabling security teams to write correlation rules on known indicators of compromise (IoCs), and report on results. However, they fall short in detecting unknown attacks, analyzing large volumes of dynamic threat data and providing insight into network and user behavior.
Modern SIEMs take threat detection to the next level, incorporating traditional SIEM capabilities with threat intelligence, advanced historical and real-time analytics, endpoint monitoring, user and entity behavior analytics (UEBA), and AI for cognitive computing-based (i.e. smarter) orchestration and response. They can act as the intelligence and analytics engine behind an organization’s security practice, and have a significant impact on security operations outcomes; the more data we feed it, the more intelligent it becomes. Not only does modern SIEM enable analysts to see North/South traffic at crucial network points, it also facilitates the detection of East/West lateral movement from inside the organization, alerting analysts to active intrusions and providing them with real-time intelligence and forensics to determine next steps for remediation.
From SIEM to SOC
Adding advanced analytics and cognitive capabilities to SIEM deployments augments security teams’ investigative capabilities, increasing the speed and accuracy of security investigations and enabling the creation of a SOC workflow in your SIEM.
It is important to remember that security operations are people-centric. SIEM is a tool, and modern capabilities are aimed not at replacing security analysts, but at helping them quickly analyze, prioritize and respond to threats in minutes, rather than hours or days. Machine teaming assists in the overall analysis and prioritization of the billions of data points received by organizations on a continuous basis. Threats are effectively researched and assisted in neutralization through teaming. This saves time and frustration involved with researching evolving threats and increases the productivity analysts, allowing them to be more strategic and drive further value from security infrastructure.
Without solid processes and skilled staff in place, using the technology effectively can be a struggle, and the amount of data generated may be too much for your organization to handle in-house. It is import to understand what your needs are, what you can do in-house, and what you should outsource. Many organizations are taking a hybrid approach to security operations, keeping their SIEM on-premises and leveraging a managed services provider (MSP) to monitor and manage it.
In order to keep up with today’s threats and attack vectors, organizations need tools that help them overcome cyber fatigue, and understand how they are being targeted. Intelligent SIEM solutions can help us shift the focus of security operations from reactive defense techniques to predictive cybersecurity analysis. By effectively evaluating large volumes of data from a variety of tools, under-resourced security teams can identify anomalous behavior and act on it, reducing the Mean Time to Identify (MTTI) and Mean Time to Resolve (MTTR) attacks, and staying ahead of the most critical threats.
Find out how to mature your organization's security posture. Get your guide to transforming enterprise cybersecurity.