Break Down Walls in the SOC for Better Data Security

December 8, 2020
5 min read

Data provides businesses the edge they need to unlock their full potential. In turn, employees seek access to data to drive better customer outcomes, become more efficient and increase profits. As these demands for access increase, so too does the need for matching data security controls.

Migrating to the cloud has become a strategic imperative for modern businesses: it sharpens that edge, keeps costs down and lets them scale. As a result, IT infrastructure is changing at a rapid pace. Data that was once shielded behind a network perimeter now sits largely outside it, making the protection of data in the cloud a vital concern.

The uncomfortable truth is that these changes are drastic enough that older, perimeter-based methods for securing data no longer work. Without adapting, organizations will not be able to discover and respond to threats before they disrupt the business.

So, what can be done? Recently, I guided a discussion between three experts from IBM Security on how to modernize your security operations center (SOC). Their advice highlighted three areas where SOCs can optimize by meshing different elements of data security: through people, processes and technology.

Watch the webinar on demand

Unite Data Security and SOC Teams

For businesses, their customers and partners to work together safely, a foundation must be laid around the right levels of data access. Breaking down barriers between the SOC team and data security experts is key.

With data moving all across the different teams, there should be “a common control plan between data security and the SOC so that they fundamentally can really work as one team and share insights,” says Chris Meenan, director of threat management offering management and strategy at IBM Security.

The SOC needs real-time insight into data: who is supposed to have access to it, who is actually accessing it, and where behavior deviates from the norm. Without silos in the way, the data security team can act quickly when the SOC detects a threat.

Breaking down silos between the data and security teams can start with a shared understanding of the outcomes both are working toward.

“It’s easy to get lost in the day-to-day of making sure that the systems are up and running,” says Reed Shea, program director, data security offering management at IBM Security.

Instead, focus on the concerns a database administrator and a SOC analyst share: the confidentiality, integrity and availability of your systems; regulatory constraints and proactive compliance; and making sure the right people have access to the right data. Database admins may not know how to prioritize these items when working with their colleagues in the SOC. Shea's advice is to turn raw data into intelligence: enrich it with enough context that the SOC team can decide on the next step without going back to the database team for every alert.

Bring Together Key Business Stakeholders

It's also critical to work with the right stakeholders across the business to determine which data actually needs to be collected and analyzed.

When it comes to log sources, "you don't want to grab everything," says Matt Shriner, global security intelligence and operations consulting partner for IBM Security Services. "You want to grab the right things, and you do that by working with the key stakeholders." In other words, onboard the log sources that support the detection use cases aligned with business priorities, rather than ingesting everything and hoping value emerges later.

The SOC manager and chief information security officer can work with the chief risk officer, chief information officer and chief financial officer to gain a top-down view of the cyber risks that matter most to the business. Involving all critical stakeholders produces a prioritized list of use cases, which then serves as input to the security architecture that must support them.

By “monitoring for exactly what matters most to your business from day one,” Shriner says, the time to return on investment is much faster.

Know Compliance Standards and Industry Frameworks

Knowing where your data resides is critical, more so than ever given government regulations on data residency and breach notification, which in turn shape incident response. Giving the SOC the facts about breach-response obligations and applicable laws up front helps ensure they follow the right process, and meet the right deadlines, in the event of a data breach. Threat actors move fast, so responders working critical incidents need to move even faster.

A framework outlining a top-down approach to use cases can also help SOCs establish processes. Creating a SOC best-practices blueprint or target operating model is a starting point for knowing your risk. The National Institute of Standards and Technology (NIST) publishes one of the most commonly adopted industry frameworks, the NIST Cybersecurity Framework.

Leverage the Right Tools, Not More Tools, for Data Security

In addition to the challenges above, knowing which tools to use is also key. As IT's domain becomes more dispersed and varied, more systems are being introduced to SOCs. With more tools come more data silos, each with its own workflow. Maintaining all these controls is a substantial and costly task for teams already overwhelmed by raw telemetry from a huge number of endpoints and log sources.

Instead of making SOC analysts' lives more complex, tools can connect systems and consolidate data. For instance, a federated data security architecture can give the SOC an end-to-end view of what's happening in the environment. When the SOC team can work from a common control pane and run federated searches, they can see the data they need without spending time logging into multiple tools. Building orchestration and automation on top of that federated data access means analysts can follow a streamlined workflow, obtain practical insights and act quickly across a multicloud architecture.

Focus on People

Folding data defense into every area of a SOC ties back to return on investment for the business. But it's also about people. Breaking down silos between teams, and giving the SOC support in navigating regulations and tool sprawl, can change the way people work and respond to incidents.

Going back to the beginning of the people, process and technology loop, tools must serve people, not the other way around. Automation is one way to make this happen: it can take on repetitive work, organize and prioritize alerts, and surface user behavior analytics, giving SOC teams the insight they need into their data without being overwhelmed.

Not only that, but it affects people’s lives.

“It’s really important, of course, to ensure that your business can continue to be effective and to compete in the marketplace,” Shea says. But as an example: “Appropriate security and data security has ramifications to [things like] patient health.”

Data Security Across Teams, Tools and Workflows

To keep up with the threat landscape, SOCs need to keep improving and evolving their practices, including their approach to data defense. Involving the right people, refining processes and using the right tools lets you define use cases as you go and monitor the data that matters for your business.

Find “the right content, the right alerts, rules and dashboards that give you value from day one,” Shriner advised.

For a modern SOC — in terms of the enterprise, the people working there and the customers or patients whose personally identifiable information is in question — data access and speed to recovery are of the essence.

For more on how your SOC can modernize its approach to data and other crucial security operations, watch the full conversation with experts from IBM Security.

Carry Resor Hawes
Product Marketing Manager, IBM Security

Carry leads product marketing for IBM Cloud Pak for Security, IBM Security's open, hybrid multicloud platform. She has expertise in marketing strategy, posit...