December 10, 2020 By James Murphy 4 min read

Security operations center (SOC) teams struggle with an array of challenges. Too many tools can make the work too complex; and recruiting and retaining personnel can be hard amidst a skills shortage. Experts need to focus on using their skills to their fullest. But, an open approach can improve threat management in a way that makes all of these things easier. 

All these challenges complicate some aspect of threat management. Complex tools make it harder for SOCs to gain insight into their landscapes and detect threats. Solving cases thoroughly and responding to incidents quickly is difficult when staff are overwhelmed.

Making tools simpler and connecting teams — both to each other and to threat intelligence landscapes — can help ease these challenges. By allowing everyone in the SOC to access the same data, threat intelligence feeds and workflows create strength in numbers. It also breaks down silos. Teams can be more efficient and work with other departments more easily.

Here’s how an open approach to security draws connections that can benefit team leaders, analysts and incident responders.

Register for the webinar

During our webinar, “Manage Threats Across Tools, Teams, and Clouds with IBM Cloud Pak for Security,” learn more about how to modernize your SOC. We’ll also cover the recently announced capabilities and show a live demo.

For Security Leaders: Connecting Tools and Teams

In light of the skills shortage, leaders are focused on retaining their staff and using their skills to their full potential. Providing everyone on the team insight over data and access to threat intelligence helps break down any silos that might exist. It also improves the way the SOC can detect and respond to threats.

Connecting not just teams, but also tools to each other can help meet work goals. Reducing complex processes keeps teams from having to switch between tools and integrate point products, which take up time. With a more condensed view over the threat management life cycle, leadership can get the high-level overview they need.

An open security landscape also reduces vendor lock-in. Connecting the people and tools of a SOC to third-party threat intelligence feeds and partners gives them more choices.

Providing clarity, triaging workloads and focusing on what you’re trying to protect can help to reduce workloads and dissipate personnel burnout. This also helps the security leaders retain and get the most out of the skilled individuals on their elite team.

Security Analysts: Augmenting End-to-End Hunting

Analysts need practical, trustworthy, insightful intelligence in context to gain insight and assess risk. Providing access to third-party threat intelligence makes ad hoc threat hunting, incident response and threat investigation more effective. With the context provided by that data, analysts have more confidence and clues when they triage alerts.

In addition to opening the SOC to external intelligence feeds, analysts can be more efficient when internal processes are more connected in a threat management workflow. Connecting security intelligence to a SOAR solution, for example, makes incident response workflows more direct.

Automation can also connect different parts of the process. Now, analysts are flooded with alerts flowing into the SOC. Automation can improve the alert triage process, connecting analysts with priority alerts while reducing the need for some manual processes.

Incident Responders: Work Together

Similar to analysts, incident responders need to work with large volumes of data — most of which is noise — and a growing set of different tools to build context. A common set of tools can help analysts and incident responders work with each other, making the SOC more efficient.

Dynamic playbooks, which consist of single or multiple discrete workflows, are one such example. These step-by-step guided response playbooks can enable responders to follow a smart course of action, while allowing them to pivot as events unfold. Having the right procedures in place helps give the incident response team the guidance they need to get started when working to resolve an incident spotted by the analyst team.

Incident responders often need to work through the largely manual process of action and evidence tracking. A SOAR tool can timestamp and log every action throughout an incident response for reporting and auditing purposes. Key metrics help inform strategic decisions and generate reports that can be shared with both their managers and the wider business.

Addressing Threat Intelligence Challenges

One way to achieve open security and connection is with a security platform. With a security platform, you’ll have a set of modules that share common services and user experiences to provide more complete insights and streamlined workflows. The common services share data and information. They encourage reuse across the security team, regardless of role, seniority or niche. This helps to scale the team and let them work efficiently rather than uncovering the same things in parallel workflows.

In the security industry, ‘platform’ is a term sometimes incorrectly used to refer to portfolios — suites of products with some integration — or ecosystems. A platform that offers a set of modular security capabilities can help teams shift away from solving individual use cases.

The sharing of insights across apps and services brings together existing tooling and investments. And it does so without creating vendor lock-in. With a security platform, it’s possible to infuse threat intelligence across use cases like incident response and threat hunting. At the same time, you can enhance end-to-end threat management workflows alongside united searches.

As entities manage hybrid multicloud environments, a platform enables a holistic view across the entire enterprise — on cloud and on premise. This doesn’t just provide confidence through clarity; it also improves on existing investments. A platform can enable those tools that have already been deployed and configured to be connected and infused with threat intelligence. This connection encourages team members to be more productive and provides a more meaningful return on investment.

United Threat Management

As entities evolve to this hybrid multicloud posture, providing everyone in the SOC the same access to more data via connected tools paves the way for more efficient threat management. Rather than making things more complex, the goal of an open approach is to leverage what you have: the skills of your staff, the threat intelligence of your industry peers and the existing tooling of your SOC. Bringing all these elements together with a vendor-agnostic platform can help unite your team against cybersecurity threats.

Register for the webinar

More from Security Services

X-Force Threat Intelligence Index 2024 reveals stolen credentials as top risk, with AI attacks on the horizon

4 min read - Every year, IBM X-Force analysts assess the data collected across all our security disciplines to create the IBM X-Force Threat Intelligence Index, our annual report that plots changes in the cyber threat landscape to reveal trends and help clients proactively put security measures in place. Among the many noteworthy findings in the 2024 edition of the X-Force report, three major trends stand out that we’re advising security professionals and CISOs to observe: A sharp increase in abuse of valid accounts…

Ermac malware: The other side of the code

6 min read - When the Cerberus code was leaked in late 2020, IBM Trusteer researchers projected that a new Cerberus mutation was just a matter of time. Multiple actors used the leaked Cerberus code but without significant changes to the malware. However, the MalwareHunterTeam discovered a new variant of Cerberus — known as Ermac (also known as Hook) — in late September of 2022.To better understand the new version of Cerberus, we can attempt to shed light on the behind-the-scenes operations of the…

ITG05 operations leverage Israel-Hamas conflict lures to deliver Headlace malware

12 min read - As of December 2023, IBM X-Force has uncovered multiple lure documents that predominately feature the ongoing Israel-Hamas war to facilitate the delivery of the ITG05 exclusive Headlace backdoor. The newly discovered campaign is directed against targets based in at least 13 nations worldwide and leverages authentic documents created by academic, finance and diplomatic centers. ITG05’s infrastructure ensures only targets from a single specific country can receive the malware, indicating the highly targeted nature of the campaign. X-Force tracks ITG05 as…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today