Organizations are increasingly clustering their skills and capabilities into security operations centers (SOCs). An SOC is a focused facility where security specialists monitor, assess and defend against computer security issues. Introducing virtual reality (VR) and augmented reality (AR) technology into this environment can enhance the team’s performance.

An organization wishing to invest in an SOC typically has two options to accomplish this goal:

  1. Set up an SOC staffed by its own security team, at a site exclusive to them and under their control.
  2. Leverage the skills, technologies and capabilities of an existing managed service.

But with a global skills gap translating to an estimated 1.8 million unfilled cybersecurity positions by 2022, it is critical to find better ways to detect and identify threats and vulnerabilities. Reducing complexity, too, will allow an organization’s security staff to be as effective as possible. SOCs help organizations, chief information security officers (CISOs) and their staffs to successfully analyze, defend and complete their cybersecurity missions. In their current model, however, these security facilities are costly, and difficult to set up and maintain.

Virtual Reality and Augmented Reality: The Future of SOCs?

SOCs’ need for a central geographic site presents a number of technical, logistical and operational challenges. The traditional SOC model also calls for substantial investments in hardware, physical footprint, visual isolation and technical configuration, among other things. For example, SOCs need numerous digital displays and sophisticated servers to facilitate the visualization of security monitoring and the gathering of data via security information and event management (SIEM) software.

VR and AR technologies can help solve some of the problems today’s SOCs face, enabling organizations to rapidly mobilize and scale their centers without excessive monetary and resource investment.


Employing Virtual Reality in a Security Operations Center

Using VR as a platform for security staff allows them to take their SOC anywhere, untethering them from the fixed physical infrastructure and geographic location of a traditional center. Taking action from the virtual world by sending serverside requests from the VR user interface to limit services, run scans and develop systemwide alerts creates an end-to-end story for users where monitoring and control exist in the same virtual space.

In a VR environment, the frontline SOC level-one security analyst role can be performed with the appropriately scoped visual cues, without requiring a seasoned security professional’s depth of knowledge. This allows organizations to adequately staff their SOCs in the face of significant employment competition and high global demand for cybersecurity roles. The addition of services, such as Watson for Cyber Security, further enhances this capability.

Benefits of a Virtual SOC

Undoubtedly, VR represents a paradigm shift in how monitoring solutions are designed, created and employed. VR has extraordinary benefits to an organization’s SOC: It can help reduce costs associated with maintaining the SOC, enable the monitoring of more varied sources and facilitate the analysis of more endpoints. Additionally, the virtual environment can raise internal awareness among the day-to-day requirements of SOC operators, helping them to identify areas of investment for the ongoing maintenance of the defender’s ecosystem.

With its visual impact, the VR experience offers a unique medium through which business-level stakeholders can be kept abreast of their organization’s security ecosystem and posture, improving both their understanding and their ability to ask questions.

With the addition of augmented intelligence and interaction in the form of technologies like threat intelligence, the SOC operator can issue voice commands to interrogate specific network data without needing to exit their virtual environment. This immersive VR space enables security professionals to maximize their time spent observing network activity and mitigating potential threats, in turn providing greater context and consumable intelligence for the C-suite.

Visualizing Potential Threats and Vulnerabilities in Real Time

Visualization is central to understanding security ecosystem data and organizational key performance indicators, as well as to building internal awareness of an organization’s security status in a top-down, consumable way.

An organization cannot react to a cyberthreat that is not manifested in the data — nor one that is hidden in even more data or else is delayed. The Ponemon Institute‘s malware report suggested that the greatest barrier to remediating advanced threat attacks is a lack of visibility of threat activity across the enterprise.

Security analysts are drowning in data, and it is difficult for them to interpret this information when receiving so many security alerts — many of them red — on a daily basis. More dashboards and more displays are not the answer. But a VR solution can help effectively identify potential threats and vulnerabilities as they emerge for oversight by the blue (defensive) team.

Building a Virtual Reality SOC Prototype: A Visual Galaxy of Threats

Our cybersecurity team at IBM Ireland has recently developed a prototype VR solution integrating with the IBM QRadar SIEM product. We built this prototype with the Unity Technologies framework, a cross-platform game engine that can be used to create highly int­­­eractive three-dimensional spaces. In our implementation, the Unity framework was combined with the IBM QRadar SIEM application program interfaces (APIs) to transform the JavaScript Object Notation data feed from the application into the form of a 3-D galaxy inside a VR-capable device (Oculus Rift, for example).

This VR-integrated IBM QRadar app immerses the security professional (blue operator) in a virtual 3-D space featuring planets, stars, nebulae, comets and manmade structures. Each spatial visual element represents the various nodes of the operator’s IT ecosystem from the SIEM solution, including individual IPs, databases, public customer-facing endpoints, or any other facet of the network or service they may wish to monitor. Threats and warnings appear as solar flares, supernova and other visual cues, clearly alerting the observer to any potentially troublesome cybersecurity activity inside their infrastructure scope.

Through our experience in gamification for security education and cyber skill development, we observed the enormous value in using visual metaphors to explain complex issues. Based on this experience, we adopted a visual metaphor approach in our VR prototype.

What Can Augmented Reality Offer an SOC?

The VR experience has the potential to further evolve into the AR space, where digital contexts and layers can be presented on top of the real-world SOC itself.

With AR, any operator at any level can superimpose views on the fly to augment the data presented, improving forecasting, analysis and decision-making. AR is also a prevalent emerging technology with significant advantages over the VR prototype we built. In the case of the SOC, AR could enable a personalized and customizable second virtual screen (or view) for each operator.

While the main drawback of a VR-powered SOC is that it pulls the security professional out of the familiar physical world and into a virtual environment, an AR solution allows the SOC operator to be in two worlds at once.

A well-thought-out, configured and deployed VR SIEM integration toolkit will become an asset for organizations creating or maintaining future SOCs. Although the prototype described above is a virtual solution, enterprise security products will, in time, integrate effectively with a complementary AR utility to facilitate greater engagement, interaction and success inside SOCs.

More from Intelligence & Analytics

Hive0051’s large scale malicious operations enabled by synchronized multi-channel DNS fluxing

12 min read - For the last year and a half, IBM X-Force has actively monitored the evolution of Hive0051’s malware capabilities. This Russian threat actor has accelerated its development efforts to support expanding operations since the onset of the Ukraine conflict. Recent analysis identified three key changes to capabilities: an improved multi-channel approach to DNS fluxing, obfuscated multi-stage scripts, and the use of fileless PowerShell variants of the Gamma malware. As of October 2023, IBM X-Force has also observed a significant increase in…

Email campaigns leverage updated DBatLoader to deliver RATs, stealers

11 min read - IBM X-Force has identified new capabilities in DBatLoader malware samples delivered in recent email campaigns, signaling a heightened risk of infection from commodity malware families associated with DBatLoader activity. X-Force has observed nearly two dozen email campaigns since late June leveraging the updated DBatLoader loader to deliver payloads such as Remcos, Warzone, Formbook, and AgentTesla. DBatLoader malware has been used since 2020 by cybercriminals to install commodity malware remote access Trojans (RATs) and infostealers, primarily via malicious spam (malspam). DBatLoader…

New Hive0117 phishing campaign imitates conscription summons to deliver DarkWatchman malware

8 min read - IBM X-Force uncovered a new phishing campaign likely conducted by Hive0117 delivering the fileless malware DarkWatchman, directed at individuals associated with major energy, finance, transport, and software security industries based in Russia, Kazakhstan, Latvia, and Estonia. DarkWatchman malware is capable of keylogging, collecting system information, and deploying secondary payloads. Imitating official correspondence from the Russian government in phishing emails aligns with previous Hive0117 campaigns delivering DarkWatchman malware, and shows a possible significant effort to induce a sense of urgency as…

X-Force releases detection & response framework for managed file transfer software

5 min read - How AI can help defenders scale detection guidance for enterprise software tools If we look back at mass exploitation events that shook the security industry like Log4j, Atlassian, and Microsoft Exchange when these solutions were actively being exploited by attackers, the exploits may have been associated with a different CVE, but the detection and response guidance being released by the various security vendors had many similarities (e.g., Log4shell vs. Log4j2 vs. MOVEit vs. Spring4Shell vs. Microsoft Exchange vs. ProxyShell vs.…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today