August 7, 2023 By Sue Poremba 4 min read

Cloud computing and IT modernization have created a more complex threat landscape, and security analysts are struggling to keep up. Security operations centers (SOC) are in need of an upgrade. The proliferation of cloud and hybrid environments simply creates more to protect, said Andie Schroeder, program director of product management at IBM Security, at RSAC 2023.

As the threat landscape expands, it is taking longer to discover possible cyber incidents. In an IBM study, nearly half of the respondents said the average time to detect and respond to a security incident has increased over the past two years, and SOC teams stated they spend about a third of their typical workday investigating incidents that are false positives or low priority.

And today’s SecOps doesn’t always lend itself to help analysts. It focuses on technology and relies on tools rather than focusing on the human element of cybersecurity. At the same time, the skills shortage has burdened SecOps teams with more work and fewer employees. It doesn’t help, either, that security efforts are often isolated, and analysts work in a closed ecosystem.

It’s little wonder that analysts are overwhelmed. The solution is to look at moving out of a siloed security approach to a unified security environment.

Recognizing the challenges in the SOC

Before you can fix a problem, you have to identify your greatest challenges. According to Schroeder, these are the four biggest problems facing the SOC today:

1. Poor visibility. Two out of three organizations say their attack surface has expanded in the last year. A growing lack of visibility creates blind spots that attackers can then exploit.

2. Disconnected tools. Disconnected tools give all the advantages to attackers. “I feel like over the past five or so years in the security industry, we saw and talked about trends around vendor consolidation, organizations trying to consolidate tools,” Schroeder said. “And yet, this past year, 80% of organizations use at least 10 disparate solutions to manage security hygiene.”

3. Keeping up with the attackers. Too many organizations have outdated, noisy or ineffective manual detection methods that attackers can bypass. Now the number of security personnel needed to handle the volume of work simply isn’t available. More sophisticated tools require more skilled workers to operate them.

4. Information overload. Between expanding threat landscapes, growing attack surfaces and a huge volume of alerts, sometimes security feels like constant firefighting.

From the analyst’s point of view, a single threat could result in dozens of alerts requiring a cumbersome manual investigation. This time-consuming process benefits the threat actor, who now has more time to do damage undetected inside the network.

Automation will go a long way to improve the analyst’s ability to detect, investigate and respond to threats faster.

“You want to automate the repetitive, manual tasks that analysts have to do, which means they can contain incidents faster and spend their precious little time on higher value work, which is often also more fulfilling and leads to less burnout,” said Schroeder in an email interview.

Explore the QRadar suite

A three-pronged unified approach

Automation is a key element in developing a unified approach within the SOC. There are three parts to a unified approach:

  1. Unifying workflows. A unified workflow offers solutions that correlate alerts from different security tools and different vendors and can pull in any additional context the analyst needs.
  2. Infusing automation and ML to reduce those repetitive, manual tasks. Some of the ways AI/ML improves workflow in the SOC include automating information gathering, enriching assets with threat intelligence, creating timelines or visualizations, mapping MITRE TTPs or recommending responses. With AI/ML-powered automation, analysts can work through an incident exponentially faster. This improves efficiency and reduces burnout, said Schroeder.
  3. Leveraging open standards. Open-source standards let you utilize what the community has already built instead of having to start from scratch to put together your system. “That automated investigation could go out and pull in the latest open detection rules, like Sigma rules, and use those to drive the automated detection,” said Schroeder. “And your analyst doesn’t have to worry about outdated detections driving false positives, nor do they have to worry about even writing or tuning rules.”

Using a unified approach makes it much easier to pivot during an investigation. Automation has weeded out many of the most tedious processes, and now it is easier to build a single workflow within the SOC, such as writing one query in one common language to create searches across different data sources.

Finding the right tool for a unified approach

Siloed systems and poor collaboration with other teams slows down the overall threat response. Moving to a unified approach improves the security analyst experience, which helps reduce investigation and response time.

But a unified approach needs the right tool. Using security information and event management (SIEM) tools offers the SOC analyst a real-time look into potential threats and anomalies so they can be addressed before they do damage. Like many tools, however, the SIEM can’t meet all the challenges the SOC faces in this expanded threat landscape.

IBM’s QRadar Suite takes the unified analyst experience to the next level. It’s a suite of products — so it includes our QRadar SIEM, but also QRadar Log Insights, QRadar SOAR, QRadar EDR and QRadar XDR.

The big differentiator of the QRadar suite is its unified analyst experience, meeting the three key elements mentioned above. Not only does it create a single, unified workflow for the analyst, but the tool also uses AI and automation to prioritize incidents, pull in threat intel and other important context, create powerful visualizations and recommend responses.

“And it’s all open,” said Schroeder, “so it works not only with IBM tools but also third-party tools that security teams may already be using.”

Schroeder pointed out that organizations need a continuous learning methodology and framework aimed to orient, onboard, explain, educate and cultivate new resources into high-functioning power users. Without an automated, unified approach to threats, the SOC will not be able to keep up with threat actors.

More from Security Services

How a new wave of deepfake-driven cyber crime targets businesses

5 min read - As deepfake attacks on businesses dominate news headlines, detection experts are gathering valuable insights into how these attacks came into being and the vulnerabilities they exploit. Between 2023 and 2024, frequent phishing and social engineering campaigns led to account hijacking and theft of assets and data, identity theft, and reputational damage to businesses across industries. Call centers of major banks and financial institutions are now overwhelmed by an onslaught of deepfake calls using voice cloning technology in efforts to break…

What should Security Operations teams take away from the IBM X-Force 2024 Threat Intelligence Index?

3 min read - The IBM X-Force 2024 Threat Intelligence Index has been released. The headlines are in and among them are the fact that a global identity crisis is emerging. X-Force noted a 71% increase year-to-year in attacks using valid credentials.In this blog post, I’ll explore three cybersecurity recommendations from the Threat Intelligence Index, and define a checklist your Security Operations Center (SOC) should consider as you help your organization manage identity risk.The report identified six action items:Remove identity silosReduce the risk of…

X-Force Threat Intelligence Index 2024 reveals stolen credentials as top risk, with AI attacks on the horizon

4 min read - Every year, IBM X-Force analysts assess the data collected across all our security disciplines to create the IBM X-Force Threat Intelligence Index, our annual report that plots changes in the cyber threat landscape to reveal trends and help clients proactively put security measures in place. Among the many noteworthy findings in the 2024 edition of the X-Force report, three major trends stand out that we’re advising security professionals and CISOs to observe: A sharp increase in abuse of valid accounts…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today