As a die-hard hockey fan and coach, I often like to think of things in terms in sports. When you think about it, cybersecurity teams and professional sports teams aren’t all that different. If you are a fan of a professional sports franchise, you are well-aware of your expectations for your favorite team every year. Without question, you make an emotional investment at the start of the season, cheering your team on to combat the opposition on a nightly or weekly basis.

But what about the team’s perspective? Undoubtedly, the team has expectations as well — namely, to run a healthy business and protect the fan base’s sacred investment. But most fans do not appreciate the complexities of running a successful franchise. Every year, the odds are stacked against teams trying to succeed. They face so many challenges and questions, such as:

  • Do we have the necessary budget to invest in and support our resources?
  • Do we have sufficient skill in our player pool to deliver a winning product?
  • What does our competition look like this year? Are their budgets and talent resources going to be an even greater mountain for us?
  • Are we able to field a competitive team today while simultaneously building for an even stronger team in the future?

The last point is perhaps the least understood concern of a sports franchise among fans. It takes a long-term vision and a strategy to be able to answer “yes” to that question.

Championship or Bust: Building a Winning Security Operations Center

Cybersecurity teams face a similar challenge. Of course, it’s not about franchising security teams, but rather building an effective and enduring security operations center (SOC). There are many parallels in the challenges that each face.

In striving to protect the sensitive data of employees, clients and citizens, security teams are perennially faced with budget limitations. This affects the resources available to combat cyberattacks, leading to long odds to fight back without enough staff. That brings us to one of the biggest issues for security teams: the skills shortage. (ISC)2 recently updated its skills shortage projection to 1.8 million vacant positions by 2022.

Just like a sports team will inevitably meet unexpected challenges such as new and stronger playoff contenders or a rash of injuries, so it goes for our cybersecurity team, which encounters continuously evolving attack methods and ever-widening gaps in staffing. The opposition never lets up, so how can our cyber athletes change the game for a better outcome in the future?

Watch the on-demand Webinar: 5 Building Blocks for a SOC That Rocks

Looking Toward the Future With Automation and Orchestration

A modern SOC first needs visibility across your environments, from traditional infrastructure to cloud. A security analytics platform that can ingest millions of data points from hundreds of sources is also a critical backbone to build upon. With the ability to apply network insights, user behavior and artificial intelligence (AI) capabilities, we can better prioritize incidents that require the attention of our limited team of security analysts.

In fact, there is a tremendous amount of automation available to enhance the effectiveness of the SOC. With the complexity and skill of attacks today, a modern SOC must be proactive in attack investigation. IBM i2 provides this capability and is already entrenched in the law enforcement and intelligence communities. Automation is a recurring criterion in a modern SOC and works well when implementing orchestration. A leading incident response platform is essential to drive coordinated response plans, from addressing potential compliance requirements to managing endpoint patches, which is an essential automation capability that helps bridge security and IT operations.

Certainly, there are more functions and services necessary to run a mature and adaptable SOC, but this serves as a quick illustration of the very effective automation and orchestration capabilities already empowering mature SOCs today.

Watch the full session from Think 2018: Building the AI-Enabled Security Operations Center

More from Intelligence & Analytics

Email campaigns leverage updated DBatLoader to deliver RATs, stealers

11 min read - IBM X-Force has identified new capabilities in DBatLoader malware samples delivered in recent email campaigns, signaling a heightened risk of infection from commodity malware families associated with DBatLoader activity. X-Force has observed nearly two dozen email campaigns since late June leveraging the updated DBatLoader loader to deliver payloads such as Remcos, Warzone, Formbook, and AgentTesla. DBatLoader malware has been used since 2020 by cybercriminals to install commodity malware remote access Trojans (RATs) and infostealers, primarily via malicious spam (malspam). DBatLoader…

New Hive0117 phishing campaign imitates conscription summons to deliver DarkWatchman malware

8 min read - IBM X-Force uncovered a new phishing campaign likely conducted by Hive0117 delivering the fileless malware DarkWatchman, directed at individuals associated with major energy, finance, transport, and software security industries based in Russia, Kazakhstan, Latvia, and Estonia. DarkWatchman malware is capable of keylogging, collecting system information, and deploying secondary payloads. Imitating official correspondence from the Russian government in phishing emails aligns with previous Hive0117 campaigns delivering DarkWatchman malware, and shows a possible significant effort to induce a sense of urgency as…

X-Force releases detection & response framework for managed file transfer software

5 min read - How AI can help defenders scale detection guidance for enterprise software tools If we look back at mass exploitation events that shook the security industry like Log4j, Atlassian, and Microsoft Exchange when these solutions were actively being exploited by attackers, the exploits may have been associated with a different CVE, but the detection and response guidance being released by the various security vendors had many similarities (e.g., Log4shell vs. Log4j2 vs. MOVEit vs. Spring4Shell vs. Microsoft Exchange vs. ProxyShell vs.…

Unmasking hypnotized AI: The hidden risks of large language models

11 min read - The emergence of Large Language Models (LLMs) is redefining how cybersecurity teams and cybercriminals operate. As security teams leverage the capabilities of generative AI to bring more simplicity and speed into their operations, it's important we recognize that cybercriminals are seeking the same benefits. LLMs are a new type of attack surface poised to make certain types of attacks easier, more cost-effective, and even more persistent. In a bid to explore security risks posed by these innovations, we attempted to…