A security operations center (SOC) should be considered a critical component within any modern security infrastructure. Even so, today’s SOCs are placed under increasing pressure to protect against and effectively respond to a rapidly evolving threat landscape. While a current SOC may be tuned to address the threats of yesterday or even today, it may be ill-equipped to deal with what is next.
When assessing the fitness of your current SOC or planning for the future, the imperatives described below can help position your organization’s security operations for success in 2018 and beyond.
A growing number of organizations, large and small, are now firmly committed to a cloud-first approach to their applications, infrastructure and operations. From a SOC perspective, this has two primary implications.
1. What to Collect
Cloud security requires protecting an expanded and distributed set of access points, data and users, all while continuously demonstrating that the right controls are in place, both on-premises and in the cloud. Defending this expanded perimeter demands that the proper configurations are in place and that these software-as-a-service (SaaS), infrastructure-as-a-service (IaaS) and other cloud environments are continuously scanned and monitored for vulnerabilities and potential breaches.
The implication for the chief information security officer (CISO) and the security team is that they must have the right people, processes and tools in place to protect, detect and respond inside of this expanded sphere of influence.
2. Where to Deploy
Security intelligence and analytics can be deployed on-premises, in the cloud or in a hybrid model. With a cloud deployment, organizations can benefit from an extensible way to rapidly provide security operations and response capabilities without tying up capital on physical assets or bearing the ongoing costs associated with infrastructure maintenance.
When deploying SOC capabilities in the cloud, you should expect to retain control of your environment while having an easier way to administer and maintain your SOC infrastructure. You should also expect that, with an agile cloud solution, you will have the ability to elastically extend into managed detection and response (MDR) and/or further managed security services (MSS).
As cloud deployments inevitably expand, organizations need to ensure that their security operations can provide coverage for and from the cloud.
To protect your organization against the threats of today and tomorrow, your SOC needs to collaborate, both externally and internally. Because threats to information security are frequently global in nature, your SOC cannot be limited to observing traffic from only within local domains — your approach needs to be global as well.
Effective external collaboration means leveraging open standards as well as community- and custom-curated intelligence. Open standards such as Structured Threat Information Expression (STIX), Trusted Automated Exchange of Indicator Information (TAXII) and Cyber Observable Expression (CybOX) can help create a common language for ingesting and sharing cyberthreat information. Through these standards, information can be quickly consumed and/or shared. When WannaCry hit, for example, analysts took advantage of the available STIX over TAXII protocols to import from public collections, such as the one maintained by the IBM X-Force Research team, which contained known IP addresses, checksums and security product coverage for this specific campaign.
Effective internal collaboration means that the right policies, practices and playbooks are in place to respond to complex threats. These playbooks need to be dynamic and, wherever possible, automated. If an incident does occur, your teams should not have to waste any time performing repetitive initial triage steps. All relevant intelligence, user data and historical information should automatically form the basis of a case and get escalated to the right teams for further review.
A collaborative, unified approach to information security management can help provide organizations with the leverage they need to fight cybercrime.
In a given year, it is not uncommon for a SOC to experience millions of security events or spend thousands of hours dealing with false positives, all while attempting to stay on top of thousands of software vulnerabilities and over a million security bulletin updates. If 2017 is any indication, these numbers will only rise as we enter a new year. In line with these expectations and amid the effort to keep pace with the rapidly evolving threat landscape, cybersecurity spending is expected to rise further in 2018.
As organizations look to expand their security operations, they can expect to face an increasingly competitive market as well as a shortage of qualified security professionals. Even with skilled analysts and other security practitioners staffed around the clock, organizations and their teams are still challenged to make sense of the expanding corpus of security knowledge that is available across a broadly diversified set of sources, including threat databases, research reports, security textbooks, vulnerability disclosures, popular websites, blogs and other media. The amount of security data and information that organizations process is simply insurmountable by individuals alone.
Cognitive solutions can play an important role in security operations and response. Through the application of machine-assisted learning and intelligence-driven decisions, analysts and other users can augment their efforts, discover paths and establish linkages between data points that may be easily missed by human review. By leveraging the cognitive capabilities of IBM QRadar Advisor with Watson to analyze threat data, SOC analysts can make faster and more accurate decisions.
If you are planning a new deployment or an expansion to your security operations in 2018, demand that cognitive technologies are a part of the solution.
Make Your Security Operations Resolutions Now
Whether you are deploying your own SOC or working with a managed security services provider (MSSP), resolve to advance your security operations and response with the right tools and practices to ensure that your organization is protected and ready for what’s next.