The Emergence of Virtual Reality and Augmented Reality in the Security Operations Center

Organizations are increasingly clustering their skills and capabilities into security operations centers (SOCs). An SOC is a focused facility where security specialists monitor, assess and defend against computer security issues. Introducing virtual reality (VR) and augmented reality (AR) technology into this environment can enhance the team’s performance.

An organization wishing to invest in an SOC typically has two options to accomplish this goal:

  1. Set up an SOC staffed by its own security team, at a site exclusive to them and under their control.
  2. Leverage the skills, technologies and capabilities of an existing managed service.

But with a global skills gap translating to an estimated 1.8 million unfilled cybersecurity positions by 2022, it is critical to find better ways to detect and identify threats and vulnerabilities. Reducing complexity, too, will allow an organization’s security staff to be as effective as possible. SOCs help organizations, chief information security officers (CISOs) and their staffs to successfully analyze, defend and complete their cybersecurity missions. In their current model, however, these security facilities are costly, and difficult to set up and maintain.

Virtual Reality and Augmented Reality: The Future of SOCs?

SOCs’ need for a central geographic site presents a number of technical, logistical and operational challenges. The traditional SOC model also calls for substantial investments in hardware, physical footprint, visual isolation and technical configuration, among other things. For example, SOCs need numerous digital displays and sophisticated servers to facilitate the visualization of security monitoring and the gathering of data via security information and event management (SIEM) software.

VR and AR technologies can help solve some of the problems today’s SOCs face, enabling organizations to rapidly mobilize and scale their centers without excessive monetary and resource investment.

Employing Virtual Reality in a Security Operations Center

Using VR as a platform for security staff allows them to take their SOC anywhere, untethering them from the fixed physical infrastructure and geographic location of a traditional center. Taking action from the virtual world by sending serverside requests from the VR user interface to limit services, run scans and develop systemwide alerts creates an end-to-end story for users where monitoring and control exist in the same virtual space.

In a VR environment, the frontline SOC level-one security analyst role can be performed with the appropriately scoped visual cues, without requiring a seasoned security professional’s depth of knowledge. This allows organizations to adequately staff their SOCs in the face of significant employment competition and high global demand for cybersecurity roles. The addition of services, such as Watson for Cyber Security, further enhances this capability.

Benefits of a Virtual SOC

Undoubtedly, VR represents a paradigm shift in how monitoring solutions are designed, created and employed. VR has extraordinary benefits to an organization’s SOC: It can help reduce costs associated with maintaining the SOC, enable the monitoring of more varied sources and facilitate the analysis of more endpoints. Additionally, the virtual environment can raise internal awareness among the day-to-day requirements of SOC operators, helping them to identify areas of investment for the ongoing maintenance of the defender’s ecosystem.

With its visual impact, the VR experience offers a unique medium through which business-level stakeholders can be kept abreast of their organization’s security ecosystem and posture, improving both their understanding and their ability to ask questions.

Related to this Article

With the addition of augmented intelligence and interaction in the form of technologies like threat intelligence, the SOC operator can issue voice commands to interrogate specific network data without needing to exit their virtual environment. This immersive VR space enables security professionals to maximize their time spent observing network activity and mitigating potential threats, in turn providing greater context and consumable intelligence for the C-suite.

Visualizing Potential Threats and Vulnerabilities in Real Time

Visualization is central to understanding security ecosystem data and organizational key performance indicators, as well as to building internal awareness of an organization’s security status in a top-down, consumable way.

An organization cannot react to a cyberthreat that is not manifested in the data — nor one that is hidden in even more data or else is delayed. The Ponemon Institute‘s malware report suggested that the greatest barrier to remediating advanced threat attacks is a lack of visibility of threat activity across the enterprise.

Security analysts are drowning in data, and it is difficult for them to interpret this information when receiving so many security alerts — many of them red — on a daily basis. More dashboards and more displays are not the answer. But a VR solution can help effectively identify potential threats and vulnerabilities as they emerge for oversight by the blue (defensive) team.

Building a Virtual Reality SOC Prototype: A Visual Galaxy of Threats

Our cybersecurity team at IBM Ireland has recently developed a prototype VR solution integrating with the IBM QRadar SIEM product. We built this prototype with the Unity Technologies framework, a cross-platform game engine that can be used to create highly int­­­eractive three-dimensional spaces. In our implementation, the Unity framework was combined with the IBM QRadar SIEM application program interfaces (APIs) to transform the JavaScript Object Notation data feed from the application into the form of a 3-D galaxy inside a VR-capable device (Oculus Rift, for example).

This VR-integrated IBM QRadar app immerses the security professional (blue operator) in a virtual 3-D space featuring planets, stars, nebulae, comets and manmade structures. Each spatial visual element represents the various nodes of the operator’s IT ecosystem from the SIEM solution, including individual IPs, databases, public customer-facing endpoints, or any other facet of the network or service they may wish to monitor. Threats and warnings appear as solar flares, supernova and other visual cues, clearly alerting the observer to any potentially troublesome cybersecurity activity inside their infrastructure scope.

Through our experience in gamification for security education and cyber skill development, we observed the enormous value in using visual metaphors to explain complex issues. Based on this experience, we adopted a visual metaphor approach in our VR prototype.

What Can Augmented Reality Offer an SOC?

The VR experience has the potential to further evolve into the AR space, where digital contexts and layers can be presented on top of the real-world SOC itself.

With AR, any operator at any level can superimpose views on the fly to augment the data presented, improving forecasting, analysis and decision-making. AR is also a prevalent emerging technology with significant advantages over the VR prototype we built. In the case of the SOC, AR could enable a personalized and customizable second virtual screen (or view) for each operator.

While the main drawback of a VR-powered SOC is that it pulls the security professional out of the familiar physical world and into a virtual environment, an AR solution allows the SOC operator to be in two worlds at once.

A well-thought-out, configured and deployed VR SIEM integration toolkit will become an asset for organizations creating or maintaining future SOCs. Although the prototype described above is a virtual solution, enterprise security products will, in time, integrate effectively with a complementary AR utility to facilitate greater engagement, interaction and success inside SOCs.

Share this Article:
Maria Hyland

Security Program Director, IBM

As a Security Program Director, Maria is responsible for an ethical hacking team that performs penetration testing across a range of IBM cloud and on-premise offerings. Additionally, Maria and her team conduct cyber Red/Blue & CTF exercises for cyber skills development and cyber incident response management. In addition to working with clients and IBM internal teams, her team host cyber workshops with K-12 students, colleges, and universities.