Organizations are increasingly clustering their skills and capabilities into security operations centers (SOCs). An SOC is a focused facility where security specialists monitor, assess and defend against computer security issues. Introducing virtual reality (VR) and augmented reality (AR) technology into this environment can enhance the team’s performance.

An organization wishing to invest in an SOC typically has two options to accomplish this goal:

  1. Set up an SOC staffed by its own security team, at a site exclusive to them and under their control.
  2. Leverage the skills, technologies and capabilities of an existing managed service.

But with a global skills gap translating to an estimated 1.8 million unfilled cybersecurity positions by 2022, it is critical to find better ways to detect and identify threats and vulnerabilities. Reducing complexity, too, will allow an organization’s security staff to be as effective as possible. SOCs help organizations, chief information security officers (CISOs) and their staffs to successfully analyze, defend and complete their cybersecurity missions. In their current model, however, these security facilities are costly, and difficult to set up and maintain.

Virtual Reality and Augmented Reality: The Future of SOCs?

SOCs’ need for a central geographic site presents a number of technical, logistical and operational challenges. The traditional SOC model also calls for substantial investments in hardware, physical footprint, visual isolation and technical configuration, among other things. For example, SOCs need numerous digital displays and sophisticated servers to facilitate the visualization of security monitoring and the gathering of data via security information and event management (SIEM) software.

VR and AR technologies can help solve some of the problems today’s SOCs face, enabling organizations to rapidly mobilize and scale their centers without excessive monetary and resource investment.


Employing Virtual Reality in a Security Operations Center

Using VR as a platform for security staff allows them to take their SOC anywhere, untethering them from the fixed physical infrastructure and geographic location of a traditional center. Taking action from the virtual world by sending serverside requests from the VR user interface to limit services, run scans and develop systemwide alerts creates an end-to-end story for users where monitoring and control exist in the same virtual space.

In a VR environment, the frontline SOC level-one security analyst role can be performed with the appropriately scoped visual cues, without requiring a seasoned security professional’s depth of knowledge. This allows organizations to adequately staff their SOCs in the face of significant employment competition and high global demand for cybersecurity roles. The addition of services, such as Watson for Cyber Security, further enhances this capability.

Benefits of a Virtual SOC

Undoubtedly, VR represents a paradigm shift in how monitoring solutions are designed, created and employed. VR has extraordinary benefits to an organization’s SOC: It can help reduce costs associated with maintaining the SOC, enable the monitoring of more varied sources and facilitate the analysis of more endpoints. Additionally, the virtual environment can raise internal awareness among the day-to-day requirements of SOC operators, helping them to identify areas of investment for the ongoing maintenance of the defender’s ecosystem.

With its visual impact, the VR experience offers a unique medium through which business-level stakeholders can be kept abreast of their organization’s security ecosystem and posture, improving both their understanding and their ability to ask questions.

With the addition of augmented intelligence and interaction in the form of technologies like threat intelligence, the SOC operator can issue voice commands to interrogate specific network data without needing to exit their virtual environment. This immersive VR space enables security professionals to maximize their time spent observing network activity and mitigating potential threats, in turn providing greater context and consumable intelligence for the C-suite.

Visualizing Potential Threats and Vulnerabilities in Real Time

Visualization is central to understanding security ecosystem data and organizational key performance indicators, as well as to building internal awareness of an organization’s security status in a top-down, consumable way.

An organization cannot react to a cyberthreat that is not manifested in the data — nor one that is hidden in even more data or else is delayed. The Ponemon Institute‘s malware report suggested that the greatest barrier to remediating advanced threat attacks is a lack of visibility of threat activity across the enterprise.

Security analysts are drowning in data, and it is difficult for them to interpret this information when receiving so many security alerts — many of them red — on a daily basis. More dashboards and more displays are not the answer. But a VR solution can help effectively identify potential threats and vulnerabilities as they emerge for oversight by the blue (defensive) team.

Building a Virtual Reality SOC Prototype: A Visual Galaxy of Threats

Our cybersecurity team at IBM Ireland has recently developed a prototype VR solution integrating with the IBM QRadar SIEM product. We built this prototype with the Unity Technologies framework, a cross-platform game engine that can be used to create highly int­­­eractive three-dimensional spaces. In our implementation, the Unity framework was combined with the IBM QRadar SIEM application program interfaces (APIs) to transform the JavaScript Object Notation data feed from the application into the form of a 3-D galaxy inside a VR-capable device (Oculus Rift, for example).

This VR-integrated IBM QRadar app immerses the security professional (blue operator) in a virtual 3-D space featuring planets, stars, nebulae, comets and manmade structures. Each spatial visual element represents the various nodes of the operator’s IT ecosystem from the SIEM solution, including individual IPs, databases, public customer-facing endpoints, or any other facet of the network or service they may wish to monitor. Threats and warnings appear as solar flares, supernova and other visual cues, clearly alerting the observer to any potentially troublesome cybersecurity activity inside their infrastructure scope.

Through our experience in gamification for security education and cyber skill development, we observed the enormous value in using visual metaphors to explain complex issues. Based on this experience, we adopted a visual metaphor approach in our VR prototype.

What Can Augmented Reality Offer an SOC?

The VR experience has the potential to further evolve into the AR space, where digital contexts and layers can be presented on top of the real-world SOC itself.

With AR, any operator at any level can superimpose views on the fly to augment the data presented, improving forecasting, analysis and decision-making. AR is also a prevalent emerging technology with significant advantages over the VR prototype we built. In the case of the SOC, AR could enable a personalized and customizable second virtual screen (or view) for each operator.

While the main drawback of a VR-powered SOC is that it pulls the security professional out of the familiar physical world and into a virtual environment, an AR solution allows the SOC operator to be in two worlds at once.

A well-thought-out, configured and deployed VR SIEM integration toolkit will become an asset for organizations creating or maintaining future SOCs. Although the prototype described above is a virtual solution, enterprise security products will, in time, integrate effectively with a complementary AR utility to facilitate greater engagement, interaction and success inside SOCs.

More from Intelligence & Analytics

The 13 Costliest Cyberattacks of 2022: Looking Back

2022 has shaped up to be a pricey year for victims of cyberattacks. Cyberattacks continue to target critical infrastructures such as health systems, small government agencies and educational institutions. Ransomware remains a popular attack method for large and small targets alike. While organizations may choose not to disclose the costs associated with a cyberattack, the loss of consumer trust will always be a risk after any significant attack. Let’s look at the 13 costliest cyberattacks of the past year and…

What Can We Learn From Recent Cyber History?

The Center for Strategic and International Studies compiled a list of significant cyber incidents dating back to 2003. Compiling attacks on government agencies, defense and high-tech companies or economic crimes with losses of more than a million dollars, this list reveals broader trends in cybersecurity for the past two decades. And, of course, there are the headline breaches and supply chain attacks to consider. Over recent years, what lessons can we learn from our recent history — and what projections…

When Logs Are Out, Enhanced Analytics Stay In

I was talking to an analyst firm the other day. They told me that a lot of organizations purchase a security information and event management (SIEM) solution and then “place it on the shelf.” “Why would they do that?” I asked. I spent the majority of my career in hardware — enterprise hardware, cloud hardware, and just recently made the jump to security software, hence my question. “Because SIEMs are hard to use. A SIEM purchase is just a checked…

4 Most Common Cyberattack Patterns from 2022

As 2022 comes to an end, cybersecurity teams globally are taking the opportunity to reflect on the past 12 months and draw whatever conclusions and insights they can about the threat landscape. It has been a challenging year for security teams. A major conflict in Europe, a persistently remote workforce and a series of large-scale cyberattacks have all but guaranteed that 2022 was far from uneventful. In this article, we’ll round up some of the most common cyberattack patterns we…