A security operations center (SOC) should be considered a critical component within any modern security infrastructure. Even so, today’s SOCs are placed under increasing pressure to protect against and effectively respond to a rapidly evolving threat landscape. While a current SOC may be tuned to address the threats of yesterday or even today, it may be ill-equipped to deal with what is next.

When assessing the fitness of your current SOC or planning for the future, the imperatives described below can help position your organization’s security operations for success in 2018 and beyond.

Cloud Centricity

A growing number of organizations, large and small, are now firmly committed to a cloud-first approach to their applications, infrastructure and operations. From a SOC perspective, this has two primary implications.

1. What to Collect

Cloud security requires protecting an expanded and distributed set of access points, data and users, all while continuously demonstrating that the right controls are in place, both on-premises and in the cloud. Defending this expanded perimeter demands that the proper configurations are in place and that these software-as-a-service (SaaS), infrastructure-as-a-service (IaaS) and other cloud environments are continuously scanned and monitored for vulnerabilities and potential breaches.

The implication for the chief information security officer (CISO) and the security team is that they must have the right people, processes and tools in place to protect, detect and respond inside of this expanded sphere of influence.

Watch the on-demand webinar: What makes IBM a Leader in the Gartner Magic Quadrant for SIEM

2. Where to Deploy

Security intelligence and analytics can be deployed on-premises, in the cloud or in a hybrid model. With a cloud deployment, organizations can benefit from an extensible way to rapidly provide security operations and response capabilities without tying up capital on physical assets or bearing the ongoing costs associated with infrastructure maintenance.

When deploying SOC capabilities in the cloud, you should expect to retain control of your environment while having an easier way to administer and maintain your SOC infrastructure. You should also expect that, with an agile cloud solution, you will have the ability to elastically extend into managed detection and response (MDR) and/or further managed security services (MSS).

As cloud deployments inevitably expand, organizations need to ensure that their security operations can provide coverage for and from the cloud.

Security Collaboration

To protect your organization against the threats of today and tomorrow, your SOC needs to collaborate, both externally and internally. Because threats to information security are frequently global in nature, your SOC cannot be limited to observing traffic from only within local domains — your approach needs to be global as well.

Effective external collaboration means leveraging open standards as well as community- and custom-curated intelligence. Open standards such as Structured Threat Information Expression (STIX), Trusted Automated Exchange of Indicator Information (TAXII) and Cyber Observable Expression (CybOX) can help create a common language for ingesting and sharing cyberthreat information. Through these standards, information can be quickly consumed and/or shared. When WannaCry hit, for example, analysts took advantage of the available STIX over TAXII protocols to import from public collections, such as the one maintained by the IBM X-Force Research team, which contained known IP addresses, checksums and security product coverage for this specific campaign.
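As an added illustration of the ingestion step described above (this is example code, not IBM's or any TAXII client's own), the script below takes a STIX 2.1 bundle of the kind a TAXII collection returns, pulls the atomic values out of each indicator's pattern, and checks them against log lines. The bundle, the addresses (RFC 5737 documentation ranges), the checksum and the log lines are all constructed for the example.

```python
import json
import re

# Constructed STIX 2.1 bundle standing in for a TAXII collection response.
SAMPLE_BUNDLE = json.dumps({
    "type": "bundle",
    "id": "bundle--0a1b2c3d-0000-4000-8000-000000000001",
    "objects": [
        {"type": "indicator", "id": "indicator--0a1b2c3d-0000-4000-8000-000000000002",
         "name": "Campaign C2 addresses", "pattern_type": "stix",
         "pattern": "[ipv4-addr:value = '198.51.100.7' OR ipv4-addr:value = '203.0.113.9']"},
        {"type": "indicator", "id": "indicator--0a1b2c3d-0000-4000-8000-000000000003",
         "name": "Dropper checksum", "pattern_type": "stix",
         "pattern": "[file:hashes.'SHA-256' = '" + "a1" * 32 + "']"},
        # Non-indicator objects ride along in the same bundle and are skipped.
        {"type": "malware", "id": "malware--0a1b2c3d-0000-4000-8000-000000000004",
         "name": "example-worm", "is_family": True},
    ],
})

# One equality comparison inside a STIX pattern: object-type:property = 'value'.
COMPARISON = re.compile(r"([\w-]+):([\w.'-]+?)\s*=\s*'([^']*)'")

def load_indicators(bundle_json):
    """Return {value_lower: (indicator id, name)} for every equality
    comparison found in the bundle's indicator patterns (OR clauses included)."""
    table = {}
    for obj in json.loads(bundle_json)["objects"]:
        if obj.get("type") != "indicator":
            continue
        for _otype, _prop, value in COMPARISON.findall(obj["pattern"]):
            table[value.lower()] = (obj["id"], obj["name"])
    return table

def match_logs(indicators, lines):
    """Scan log lines for indicator values; returns [(line_no, value, name)]."""
    hits = []
    for no, line in enumerate(lines, 1):
        lowered = line.lower()
        for value, (_id, name) in indicators.items():
            # Anchor on non-word, non-dot neighbours so 198.51.100.7 does not
            # fire on 198.51.100.71.
            if re.search(r"(?<![\w.])" + re.escape(value) + r"(?![\w.])", lowered):
                hits.append((no, value, name))
    return hits

# Constructed log lines: one proxy hit, one EDR hash hit, one near-miss address.
SAMPLE_LOGS = [
    "2017-05-12T10:03:11Z proxy src=10.0.0.5 dst=198.51.100.7 action=allow",
    "2017-05-12T10:04:02Z edr host=ws17 sha256=" + "A1" * 32 + " file=dropper.exe",
    "2017-05-12T10:05:40Z proxy src=10.0.0.8 dst=198.51.100.71 action=allow",
]

if __name__ == "__main__":
    for hit in match_logs(load_indicators(SAMPLE_BUNDLE), SAMPLE_LOGS):
        print(hit)
```

Running it reports the first two log lines as hits and leaves the third alone; in a real SOC the bundle would come from a TAXII poll and the matches would open a case rather than print.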

Effective internal collaboration means that the right policies, practices and playbooks are in place to respond to complex threats. These playbooks need to be dynamic and, wherever possible, automated. If an incident does occur, your teams should not have to waste any time performing repetitive initial triage steps. All relevant intelligence, user data and historical information should automatically form the basis of a case and get escalated to the right teams for further review.

A collaborative, unified approach to information security management can help provide organizations with the leverage they need to fight cybercrime.

Think Cognitive

In a given year, it is not uncommon for a SOC to experience millions of security events or spend thousands of hours dealing with false positives, all while attempting to stay on top of thousands of software vulnerabilities and over a million security bulletin updates. If 2017 is any indication, these numbers will only rise as we enter a new year. In line with these expectations and amid the effort to keep pace with the rapidly evolving threat landscape, cybersecurity spending is expected to rise further in 2018.

As organizations look to expand their security operations, they can expect to face an increasingly competitive market as well as a shortage of qualified security professionals. Even with skilled analysts and other security practitioners staffed around the clock, organizations and their teams are still challenged to make sense of the expanding corpus of security knowledge that is available across a broadly diversified set of sources, including threat databases, research reports, security textbooks, vulnerability disclosures, popular websites, blogs and other media. The volume of security data and information that organizations must process is simply more than individuals can work through on their own.

Cognitive solutions can play an important role in security operations and response. Through the application of machine-assisted learning and intelligence-driven decisions, analysts and other users can augment their efforts, discover paths and establish linkages between data points that may be easily missed by human review. By leveraging the cognitive capabilities of IBM QRadar Advisor with Watson to analyze threat data, SOC analysts can make faster and more accurate decisions.

If you are planning a new deployment or an expansion to your security operations in 2018, demand that cognitive technologies are a part of the solution.

Make Your Security Operations Resolutions Now

Whether you are deploying your own SOC or working with a managed security services provider (MSSP), resolve to advance your security operations and response with the right tools and practices to ensure that your organization is protected and ready for what’s next.

