December 10, 2020 By James Murphy 4 min read

Security operations center (SOC) teams struggle with an array of challenges. Too many tools make the work unnecessarily complex, and recruiting and retaining personnel is hard amid a skills shortage. Experts need to focus on using their skills to the fullest. An open approach can improve threat management in a way that makes all of these things easier.

All these challenges complicate some aspect of threat management. Complex tools make it harder for SOCs to gain insight into their landscapes and detect threats. Solving cases thoroughly and responding to incidents quickly is difficult when staff are overwhelmed.

Making tools simpler and connecting teams, both to each other and to the threat intelligence landscape, can help ease these challenges. Giving everyone in the SOC access to the same data, threat intelligence feeds and workflows creates strength in numbers. It also breaks down silos: teams can be more efficient and work with other departments more easily.

Here’s how an open approach to security draws connections that can benefit team leaders, analysts and incident responders.

Register for the webinar

During our webinar, “Manage Threats Across Tools, Teams, and Clouds with IBM Cloud Pak for Security,” learn more about how to modernize your SOC. We’ll also cover the recently announced capabilities and show a live demo.

For Security Leaders: Connecting Tools and Teams

In light of the skills shortage, leaders are focused on retaining their staff and using their skills to their full potential. Providing everyone on the team insight over data and access to threat intelligence helps break down any silos that might exist. It also improves the way the SOC can detect and respond to threats.

Connecting tools to each other, not just teams, also helps meet work goals. Simplifying processes spares teams from constantly switching between tools and integrating point products, both of which take up time. With a more condensed view of the threat management life cycle, leadership gets the high-level overview it needs.

An open security landscape also reduces vendor lock-in. Connecting the people and tools of a SOC to third-party threat intelligence feeds and partners gives them more choices.

Providing clarity, triaging workloads and focusing on what you are actually trying to protect can reduce workloads and ease personnel burnout. This also helps security leaders retain, and get the most out of, the skilled individuals on their team.

Security Analysts: Augmenting End-to-End Hunting

Analysts need practical, trustworthy, insightful intelligence in context to gain insight and assess risk. Providing access to third-party threat intelligence makes ad hoc threat hunting, incident response and threat investigation more effective. With the context provided by that data, analysts have more confidence and clues when they triage alerts.

In addition to opening the SOC to external intelligence feeds, analysts can be more efficient when internal processes are more connected in a threat management workflow. Connecting security intelligence to a SOAR solution, for example, makes incident response workflows more direct.

Automation can also connect different parts of the process. Analysts today are flooded with alerts flowing into the SOC. Automation can improve alert triage by enriching alerts with context and routing the priority ones to analysts, while reducing the manual steps in between.
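As an added example (not code from the original post or from any IBM product), the sketch below shows the triage step the two paragraphs above describe: alerts are enriched with matches from a threat intelligence indicator set and with local context, then ranked so the analyst sees the highest-priority ones first. The alerts, the indicator set, the internal address ranges and the scoring weights are all constructed for illustration; a real SOC would pull indicators from its TIP or feed and tune the weights to its environment.

```python
"""Added example: enrich SOC alerts with threat-intelligence context and
rank them for analyst triage. All data and weights here are constructed.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Constructed indicator set standing in for a third-party TI feed.
# Confidence is expressed 0-100, as many feeds do.
TI_INDICATORS = {
    "ip": {"198.51.100.23": {"confidence": 90, "tags": ["c2"]},
           "203.0.113.7": {"confidence": 40, "tags": ["scanner"]}},
    "sha256": {"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855":
               {"confidence": 80, "tags": ["dropper"]}},
    "domain": {"update-check.example": {"confidence": 70, "tags": ["phishing"]}},
}

# Assumed internal address space; internal-to-internal hits suggest lateral
# movement rather than inbound scanning noise.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]

# Assumed base scores per detection severity.
SEVERITY_BASE = {"low": 10, "medium": 30, "high": 60, "critical": 80}


@dataclass
class Alert:
    alert_id: str
    severity: str
    src_ip: str
    dst_ip: str
    file_sha256: str = ""
    domain: str = ""
    score: int = 0
    context: list = field(default_factory=list)


def is_internal(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def enrich(alert: Alert) -> Alert:
    """Attach TI matches and local context to the alert and compute a 0-100 score."""
    alert.context = []  # recompute from scratch so enrichment is idempotent
    score = SEVERITY_BASE.get(alert.severity, 0)
    for kind, value in (("ip", alert.src_ip), ("ip", alert.dst_ip),
                        ("sha256", alert.file_sha256), ("domain", alert.domain)):
        hit = TI_INDICATORS.get(kind, {}).get(value)
        if hit:
            alert.context.append(
                f"{kind}:{value} matched TI ({','.join(hit['tags'])}, conf {hit['confidence']})")
            score += hit["confidence"] // 2  # weight TI by feed confidence
    if is_internal(alert.src_ip) and is_internal(alert.dst_ip):
        alert.context.append("internal-to-internal traffic: possible lateral movement")
        score += 15
    alert.score = min(score, 100)
    return alert


def triage(alerts):
    """Return the alerts enriched and sorted highest priority first (stable)."""
    return sorted((enrich(a) for a in alerts), key=lambda a: a.score, reverse=True)


# Constructed sample alerts.
SAMPLE_ALERTS = [
    Alert("A-1", "medium", "10.0.5.4", "198.51.100.23"),
    Alert("A-2", "high", "192.168.1.10", "192.168.1.20",
          file_sha256="e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"),
    Alert("A-3", "critical", "203.0.113.7", "10.0.0.9"),
    Alert("A-4", "low", "10.0.5.4", "10.0.5.5"),
]

if __name__ == "__main__":
    for a in triage(SAMPLE_ALERTS):
        print(a.alert_id, a.score, a.context)
```

The point of the example is the ordering: a "medium" alert that talks to a high-confidence C2 indicator outranks a "low" one with only local context, and a "high" alert that carries both a known dropper hash and internal-to-internal traffic lands at the top. Whatever the real scoring model, the context strings travel with the alert so the analyst sees why it was prioritized rather than just a number.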

Incident Responders: Work Together

Similar to analysts, incident responders need to work with large volumes of data — most of which is noise — and a growing set of different tools to build context. A common set of tools can help analysts and incident responders work with each other, making the SOC more efficient.

Dynamic playbooks, each consisting of one or more discrete workflows, are one such example. These step-by-step guided response playbooks let responders follow a sound course of action while still pivoting as events unfold. Having the right procedures in place gives the incident response team the guidance it needs to get started on an incident spotted by the analyst team.

Incident responders often have to work through the largely manual process of tracking actions and evidence. A SOAR tool can timestamp and log every action taken during a response for reporting and auditing purposes. The resulting key metrics inform strategic decisions and feed reports that can be shared with both managers and the wider business.
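To make the paragraph above concrete, here is an added example (not code from the original post or from any SOAR product) of the kind of action log a SOAR tool keeps: every action is recorded with a UTC timestamp, the actor and a description, and the metrics leaders ask for (time to acknowledge, time to contain) are derived from the same record. As a practitioner's extension that the post does not mention, each entry also hashes the previous one, so an edited or deleted entry breaks the chain and the log cannot be quietly rewritten after the fact. The incident, actors, actions and timestamps are constructed sample data.

```python
"""Added example: a minimal tamper-evident incident action log with
response metrics. All incident data here is constructed."""
import hashlib
import json
from datetime import datetime, timezone, timedelta

GENESIS = "0" * 64  # hash "before" the first entry


class IncidentLog:
    def __init__(self, incident_id: str):
        self.incident_id = incident_id
        self.entries = []

    def record(self, actor: str, action: str, detail: str, when: datetime) -> dict:
        """Append an entry whose hash also covers the previous entry's hash."""
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        body = {
            "incident": self.incident_id,
            "seq": len(self.entries),
            "ts": when.astimezone(timezone.utc).isoformat(),
            "actor": actor,
            "action": action,
            "detail": detail,
            "prev": prev,
        }
        digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
        entry = {**body, "hash": digest}
        self.entries.append(entry)
        return entry

    def verify(self) -> bool:
        """Recompute the chain; any edited, reordered or deleted entry breaks it."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            body = {k: v for k, v in e.items() if k != "hash"}
            if e["seq"] != i or e["prev"] != prev:
                return False
            if hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest() != e["hash"]:
                return False
            prev = e["hash"]
        return True

    def metrics(self) -> dict:
        """Minutes from the first alert to acknowledgement and to containment."""
        def first(action):
            for e in self.entries:
                if e["action"] == action:
                    return datetime.fromisoformat(e["ts"])
            return None

        opened = first("alert_received")
        out = {}
        for name, action in (("minutes_to_acknowledge", "acknowledged"),
                             ("minutes_to_contain", "host_isolated")):
            t = first(action)
            out[name] = (t - opened).total_seconds() / 60 if opened and t else None
        return out


def build_sample_log() -> IncidentLog:
    """Constructed incident timeline: alert, ownership, containment, evidence."""
    t0 = datetime(2020, 12, 1, 9, 0, tzinfo=timezone.utc)
    log = IncidentLog("INC-0042")
    log.record("siem", "alert_received", "beacon to known C2 address", t0)
    log.record("analyst.a", "acknowledged", "took ownership", t0 + timedelta(minutes=7))
    log.record("analyst.a", "host_isolated", "EDR quarantine of WS-17", t0 + timedelta(minutes=25))
    log.record("responder.b", "evidence_collected", "memory image hashed", t0 + timedelta(minutes=50))
    return log


def tamper_detected(log: IncidentLog) -> bool:
    """Rewrite one entry after the fact and confirm verify() catches it."""
    log.entries[1]["detail"] = "acknowledged immediately"
    return not log.verify()


if __name__ == "__main__":
    log = build_sample_log()
    print("chain valid:", log.verify())
    print("metrics:", log.metrics())
    print("tamper detected:", tamper_detected(log))
```

A real SOAR platform would persist this in a database rather than a list and would tie the actor field to an authenticated identity, but the shape is the same: one append-only record per action, with the audit trail and the management metrics coming from a single source rather than from an analyst's notes reconstructed afterwards.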

Addressing Threat Intelligence Challenges

One way to achieve open security and connection is with a security platform. With a security platform, you’ll have a set of modules that share common services and user experiences to provide more complete insights and streamlined workflows. The common services share data and information. They encourage reuse across the security team, regardless of role, seniority or niche. This helps to scale the team and let them work efficiently rather than uncovering the same things in parallel workflows.

In the security industry, 'platform' is sometimes used incorrectly to refer to portfolios (suites of products with some integration) or to ecosystems. A platform that offers a set of modular security capabilities is different: it lets teams move beyond solving one use case at a time.

The sharing of insights across apps and services brings together existing tooling and investments. And it does so without creating vendor lock-in. With a security platform, it’s possible to infuse threat intelligence across use cases like incident response and threat hunting. At the same time, you can enhance end-to-end threat management workflows alongside united searches.

As organizations manage hybrid multicloud environments, a platform enables a holistic view across the entire enterprise, in the cloud and on premises. This does not just provide confidence through clarity; it also improves the return on existing investments. Tools that have already been deployed and configured can be connected and infused with threat intelligence, which makes team members more productive and the investment more meaningful.

United Threat Management

As organizations evolve toward this hybrid multicloud posture, giving everyone in the SOC the same access to more data through connected tools paves the way for more efficient threat management. Rather than adding complexity, the goal of an open approach is to leverage what you already have: the skills of your staff, the threat intelligence of your industry peers and the existing tooling of your SOC. Bringing these elements together on a vendor-agnostic platform can help unite your team against cybersecurity threats.
