The mission of the security operations center (SOC) has historically focused on the coordination of a multilayered defense to detect, prevent and manage threats that could compromise the integrity of the technology infrastructure, business services or data. The security operations center framework allows users to stay ahead of emerging threats by analyzing security intelligence feeds, identifying relevant vulnerabilities, building use cases, developing rules, adding data sources, optimizing response procedures, and supporting ongoing rule tuning and management.

However, several key trends are transforming the security operations center mission, processes, functions, staffing and core capabilities. Below are four of the most significant changes driving this evolution.

  1. The migration to cloud-based infrastructure is transforming infrastructure and the associated monitoring into commodities. This approach relies on current technology and leverages automated patching to reduce exposure to known vulnerabilities.
  2. According to IBM X-Force Threat Research, the current threat landscape consists of 58 percent known threats and 42 percent unknown threats. This ratio is changing — in less than three years, the number of unknown threats will likely exceed the number of known threats.
  3. Cybercrime is growing around the world. Fraud and cybercrime are the U.K.’s most common offenses, with an estimated 3.6 million fraud crimes and an additional 2 million related to computer misuse. While other areas of crime, such as theft, are dropping, 1 in 10 adults reported that they had fallen victim to fraud or some other form of cybercrime, including a 39 percent increase in fraud against U.K.-issued cards.
  4. Digital transformation is changing nearly every aspect of business operations. It will require security professionals to be partners in the collaboration, planning, design, deployment and monitoring of these new processes.

Overhauling the Security Operations Center

To adapt to these trends, security teams must update their vision, mission and strategy to manage the transformation of SOC capabilities. Most SOCs begin their journey with a focus on infrastructure monitoring, which has long been considered the minimum level of monitoring for the SOC. As companies move more of their infrastructure to the cloud, however, this monitoring is increasingly the domain of cloud providers. The SOC must shift its focus toward validating the monitoring that is provided as part of the cloud service offering.

As the ratio of known to unknown threats skews toward the latter, the SOC must also find more efficient ways to deal with known vulnerabilities and create new capabilities to deal with unknown hazards. IBM is working with its clients to automate many of the activities related to the management of known threats, including:

  • Threat taxonomy;
  • Use case requirements;
  • Rule requirements and design;
  • Rule tuning and rule performance assessment;
  • Automation of level 1 monitoring functions (e.g., review alert, check for duplicates, check for false positives, public and private contextual data enrichment, classification decisions and disposition decisions);
  • Rule response procedures; and
  • Automation of mitigation steps.

This work must be automated through a combination of scripting, machine learning and cognitive analytics and executed by data scientists who are well-versed in these advanced analytical methods. Investment in this automation will free up SOC teams to identify and analyze unknown threats.

Watch the full session from Think 2018: Security Operations Centers and the Evolution of Security Analytics

The Transformative Power of Advanced Analytics

With these new tools and skills, SOCs can help position clients to use pattern analysis, statistical analysis, affinity analysis and machine learning models to streamline the task of monitoring the infrastructure, application, data and business process logs to detect unknown threats. The addition of big data tools, quantitative analytics and machine learning enables SOC teams to identify not only threats, but also a broader range of key business risks.

These trends will transform the security operations center into a risk analytics center that uses automation to track, manage and prevent both known and unknown threats. In addition, these capabilities will enable the risk analytics center to address a broad range of business risks using advanced data analytics.

The increasingly sophisticated capabilities of the risk analytics center will accelerate changes to security operations center best practices. As the silos within organizations break down to make way for more collaborative approaches to managing risk, the scopes within the SOC and risk analytics center will become broader, allowing them take on a more active role in managing an increasing number of business risks beyond traditional cyberthreats.

Learn more about building your security capabilities across all environments

More from Intelligence & Analytics

What makes a trailblazer? Inspired by John Mulaney’s Dreamforce roast

4 min read - When you bring a comedian to offer a keynote address, you need to expect the unexpected.But it is a good bet that no one in the crowd at Salesforce’s Dreamforce conference expected John Mulaney to tell a crowd of thousands of tech trailblazers that they were, in fact, not trailblazers at all.“The fact that there are 45,000 ‘trailblazers’ here couldn’t devalue the title anymore,” Mulaney told the audience.Maybe it was meant as nothing more than a punch line, but Mulaney’s…

New report shows ongoing gender pay gap in cybersecurity

3 min read - The gender gap in cybersecurity isn’t a new issue. The lack of women in cybersecurity and IT has been making headlines for years — even decades. While progress has been made, there is still significant work to do, especially regarding salary.The recent  ISC2 Cybersecurity Workforce Study highlighted numerous cybersecurity issues regarding women in the field. In fact, only 17% of the 14,865 respondents to the survey were women.Pay gap between men and womenOne of the most concerning disparities revealed by…

Protecting your data and environment from unknown external risks

3 min read - Cybersecurity professionals always keep their eye out for trends and patterns to stay one step ahead of cyber criminals. The IBM X-Force does the same when working with customers. Over the past few years, clients have often asked the team about threats outside their internal environment, such as data leakage, brand impersonation, stolen credentials and phishing sites. To help customers overcome these often unknown and unexpected risks that are often outside of their control, the team created Cyber Exposure Insights…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today