Several factors are converging to exert pressure on how security operations centers (SOCs) traditionally function. Evolving information technology (IT) infrastructure, such as cloud migration, serverless services and endpoints being off-network, are straining existing SOC methodologies and tooling. The attack surface is expanding as a result of the distributed workforce and adoption of cloud-based infrastructure and services. Furthermore, increasing numbers of organizations need to also secure non-traditional IT environments such as operational technology (OT), the Internet of things (IoT) and the Internet of medical things (IoMT).
Most SOCs are already overwhelmed with data, multiple disconnected workflows and use cases and struggle to keep up with the shifting threat environment. This challenge is already compounded by the skills shortage. However, the problem is now becoming even more acute.
Where Do You Start to Facilitate Change?
At the heart of all these factors are people, arguably the most important element of a SOC. If modernizing a SOC starts with identifying and responding, as quickly as possible, to critical issues faced by your organization, then improvements to tools, processes and reduced risk for your business will follow.
Take analyst burnout, for example. Security system complexity increased the average total cost of a data breach by $292,000, according to the 2020 Cost of a Data Breach Report. Reducing complexity can make analysts’ lives easier by streamlining threat detection to allow them to focus on the most relevant threats and quickly collaborate through unified workflows, therefore reducing the risk of an expensive breach.
No matter where you are in your digital transformation journey, modernizing your SOC should start with breaking down silos and simplifying systems for your security team. Three areas to focus on are data and visibility, measurement and up-leveling skills.
Improve Analysts’ Visibility Over Data to Advance Zero Trust
Security has always had a big data visibility problem. However, this is set to get more complex as data volumes continue to increase and security controls and telemetry data become increasingly embedded in cloud platforms, software as a service (SaaS) services, IoT management systems and others. Much in the same way we’ve seen the evolution of endpoint detection and response, the same is happening around network, cloud, platform as a service and IoT/operational technology (OT).
This makes it challenging to implement a security strategy rooted in Zero Trust principles. First, a large volume of alerts coming from disparate data sources makes it difficult to effectively centralize visibility of data and manage threats. It is also complicated and time consuming to collect, interpret and analyze the raw telemetry from all of these sources. Then, when you add expansion of the remote workforce, like we are experiencing now, the attack surface increases exponentially, making it nearly impossible for security teams to gain the right level of control and visibility over their data.
Zero Trust — good Zero Trust — relies on context to understand and respond quickly to security risks in your environment, which is essential to modernizing your SOC. Without visibility, it’s not possible to get the shared context across security silos to ensure that each user, device or application is granted the right amount of access to data when and where it is needed.
Now, imagine if analysts and SOC operators could quickly look at new types of security data or integrate new controls and use cases without adding overhead to the security team. A more connected approach to threat management unites disparate data sources; uses artificial intelligence (AI) to automatically fuse alerts from multiple systems into an actionable, enriched incident with an automated disposition recommendation; and supports the ability to take action. An integrated threat management program that provides penetration testing, vulnerability management or OT and IoT services can further help the SOC gain visibility into security gaps and all the connected devices on a network. And the more connected threat management and security programs there are, the easier it is to implement a zero trust strategy.
Unite Teams Around Measurement Frameworks and Playbooks
Just as data often flows into a SOC from disparate sources without shared context, security teams themselves can struggle with feeling disconnected from their security colleagues and with integrating the multiple tools they need to accomplish their job. This often leads to additional manual, repetitive labor so that relevant team members are kept updated with pertinent incident information. An analyst who is overwhelmed by data and who doesn’t have an easy way to collaborate across silos within and outside of their own team risks burnout.
Connecting different players in the SOC with a shared measurement framework is one way to bring teams together. Metrics can shed light on the optimal performance for a SOC. As my colleague, Jason Hartley, wrote in a recent blog, “Security analysts need to have the right coverage and the right amount of time to conduct a proper investigation.” Measuring dwell time, work in progress (WIP) time, the life cycle of an incident and more can reveal where there’s room to improve processes and reach that optimal performance.
SOAR (Security Orchestration Automation & Response) integrations can provide playbooks for repeatable response and measurement. Among other benefits, dynamic and adaptive playbooks empower security teams to measure effectiveness of security controls and where analysts are spending their time. An integrated threat management program can help SOCs maximize SOAR technology through methods like running tabletop exercises to test those playbooks — an activity that can save an organization an average of $2 million on data breach costs.
Support Staff on Up-Leveling Skills
As threats and risks change quickly, teams need to be able to adapt and scale, from both the technology and the people sides. Empowering the security team to up-level their skills can help, especially in an industry known for its skills shortage.
As CPO Magazine reports, a recent Enterprise Strategy Group study found that a “majority of the respondents (64%) said their organizations do not invest in cybersecurity professionals.”
One way to invest in teams and shift analysts to doing higher-value work is through automation. In an example from an experience with a client, automating analysis made the output so much more consumable and easily understandable that the security team was able to shift some work to the help desk. That, in turn, empowered the security team to focus on other tasks.
“SOC analysts will use 75% of their reclaimed working hours to contribute to other value-adding tasks within the SOC,” according to The Total Economic Impact™ Of IBM QRadar Advisor With Watson from Forrester Consulting, commissioned by IBM.
Automation can help ensure analysts don’t miss threats or carry out repetitive tasks, opening up new possibilities for honing and applying advanced skills.
Creating the Connections That Support Teams — and Reduce Risk
The initial results of connecting data and people in a SOC impact the day-to-day operations and well-being of those individuals. Downstream, these efforts can lead to a return on investment as visibility into the kind of risk a company is experiencing becomes clearer.
Modern software and processes are far more accurately able to measure and improve operations in a SOC. To implement a modern security approach, based on principles of zero trust, organizations can benefit from both technology and expertise that can bring together their disparate security tools, teams and data.
Learn how IBM Cloud Pak for Security and our programmatic threat management program can integrate security tools to gain insights into threats and risks across hybrid, multicloud environments. Go deeper into the subject by registering for the upcoming IBM Security webinar on modernizing the SOC.Register for the webinar