Intelligence & Analytics March 6, 2018
By Paul Dwyer 3 min read

The mission of the security operations center (SOC) has historically focused on the coordination of a multilayered defense to detect, prevent and manage threats that could compromise the integrity of the technology infrastructure, business services or data. The security operations center framework allows users to stay ahead of emerging threats by analyzing security intelligence feeds, identifying relevant vulnerabilities, building use cases, developing rules, adding data sources, optimizing response procedures, and supporting ongoing rule tuning and management.

However, several key trends are transforming the security operations center mission, processes, functions, staffing and core capabilities. Below are four of the most significant changes driving this evolution.

  1. The migration to cloud-based infrastructure is transforming infrastructure and the associated monitoring into commodities. This approach relies on current technology and leverages automated patching to reduce exposure to known vulnerabilities.
  2. According to IBM X-Force Threat Research, the current threat landscape consists of 58 percent known threats and 42 percent unknown threats. This ratio is changing — in less than three years, the number of unknown threats will likely exceed the number of known threats.
  3. Cybercrime is growing around the world. Fraud and cybercrime are the U.K.’s most common offenses, with an estimated 3.6 million fraud crimes and an additional 2 million related to computer misuse. While other areas of crime, such as theft, are dropping, 1 in 10 adults reported that they had fallen victim to fraud or some other form of cybercrime, including a 39 percent increase in fraud against U.K.-issued cards.
  4. Digital transformation is changing nearly every aspect of business operations. It will require security professionals to be partners in the collaboration, planning, design, deployment and monitoring of these new processes.

Overhauling the Security Operations Center

To adapt to these trends, security teams must update their vision, mission and strategy to manage the transformation of SOC capabilities. Most SOCs begin their journey with a focus on infrastructure monitoring, which has long been considered the minimum level of monitoring for the SOC. As companies move more of their infrastructure to the cloud, however, this monitoring is increasingly the domain of cloud providers. The SOC must shift its focus toward validating the monitoring that is provided as part of the cloud service offering.

As the ratio of known to unknown threats skews toward the latter, the SOC must also find more efficient ways to deal with known vulnerabilities and create new capabilities to deal with unknown hazards. IBM is working with its clients to automate many of the activities related to the management of known threats, including:

  • Threat taxonomy;
  • Use case requirements;
  • Rule requirements and design;
  • Rule tuning and rule performance assessment;
  • Automation of level 1 monitoring functions (e.g., review alert, check for duplicates, check for false positives, public and private contextual data enrichment, classification decisions and disposition decisions);
  • Rule response procedures; and
  • Automation of mitigation steps.

This work must be automated through a combination of scripting, machine learning and cognitive analytics and executed by data scientists who are well-versed in these advanced analytical methods. Investment in this automation will free up SOC teams to identify and analyze unknown threats.

Watch the full session from Think 2018: Security Operations Centers and the Evolution of Security Analytics

The Transformative Power of Advanced Analytics

With these new tools and skills, SOCs can help position clients to use pattern analysis, statistical analysis, affinity analysis and machine learning models to streamline the task of monitoring the infrastructure, application, data and business process logs to detect unknown threats. The addition of big data tools, quantitative analytics and machine learning enables SOC teams to identify not only threats, but also a broader range of key business risks.

These trends will transform the security operations center into a risk analytics center that uses automation to track, manage and prevent both known and unknown threats. In addition, these capabilities will enable the risk analytics center to address a broad range of business risks using advanced data analytics.

The increasingly sophisticated capabilities of the risk analytics center will accelerate changes to security operations center best practices. As the silos within organizations break down to make way for more collaborative approaches to managing risk, the scopes within the SOC and risk analytics center will become broader, allowing them take on a more active role in managing an increasing number of business risks beyond traditional cyberthreats.

Learn more about building your security capabilities across all environments

 |  |  |  |  |  |  |  |  |  | 
Paul Dwyer
Partner - IBM Security

Mr. Dwyer leads IBM’s Global Security Intelligence and Security Operations competency (SIOC) with ~750 staff worldwide and more than 500 clients across a w...

More from Intelligence & Analytics
Intelligence & Analytics   May 30, 2023

BlackCat (ALPHV) Ransomware Levels Up for Stealth, Speed and Exfiltration

9 min read - This blog was made possible through contributions from Kat Metrick, Kevin Henson, Agnes Ramos-Beauchamp, Thanassis Diogos, Diego Matos Martins and Joseph Spero. BlackCat ransomware, which was among the top ransomware families observed by IBM Security X-Force in 2022, according to the 2023 X-Force Threat Intelligence Index, continues to wreak havoc across organizations globally this year. BlackCat (a.k.a. ALPHV) ransomware affiliates' more recent attacks include targeting organizations in the healthcare, government, education, manufacturing and hospitality sectors. Reportedly, several of these incidents resulted…

9 min read
Intelligence & Analytics   May 26, 2023

Despite Tech Layoffs, Cybersecurity Positions are Hiring

4 min read - It’s easy to read today’s headlines and think that now isn’t the best time to look for a job in the tech industry. However, that’s not necessarily true. When you read deeper into the stories and numbers, cybersecurity positions are still very much in demand. Cybersecurity professionals are landing jobs every day, and IT professionals from other roles may be able to transfer their skills into cybersecurity relatively easily. As cybersecurity continues to remain a top business priority, organizations will…

4 min read
Intelligence & Analytics   May 4, 2023

79% of Cyber Pros Make Decisions Without Threat Intelligence

4 min read - In a recent report, 79% of security pros say they make decisions without adversary insights “at least the majority of the time.” Why aren’t companies effectively leveraging threat intelligence? And does the C-Suite know this is going on? It’s not unusual for attackers to stay concealed within an organization’s computer systems for extended periods of time. And if their methods and behavioral patterns are unfamiliar, they can cause significant harm before the security team even realizes a breach has occurred.…

4 min read
Intelligence & Analytics   April 28, 2023

Why People Skills Matter as Much as Industry Experience

4 min read - As the project manager at a large tech company, I always went to Jim when I needed help. While others on my team had more technical expertise, Jim was easy to work with. He explained technical concepts in a way anyone could understand and patiently answered my seemingly endless questions. We spent many hours collaborating and brainstorming ideas about product features as well as new processes for the team. But Jim was especially valuable when I needed help with other…

4 min read
© 2023 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature