Light Dark
March 6, 2018 By Paul Dwyer 3 min read
Intelligence & Analytics
Risk Management
Security Services

The mission of the security operations center (SOC) has historically focused on the coordination of a multilayered defense to detect, prevent and manage threats that could compromise the integrity of the technology infrastructure, business services or data. The security operations center framework allows users to stay ahead of emerging threats by analyzing security intelligence feeds, identifying relevant vulnerabilities, building use cases, developing rules, adding data sources, optimizing response procedures, and supporting ongoing rule tuning and management.

However, several key trends are transforming the security operations center mission, processes, functions, staffing and core capabilities. Below are four of the most significant changes driving this evolution.

  1. The migration to cloud-based infrastructure is transforming infrastructure and the associated monitoring into commodities. This approach relies on current technology and leverages automated patching to reduce exposure to known vulnerabilities.
  2. According to IBM X-Force Threat Research, the current threat landscape consists of 58 percent known threats and 42 percent unknown threats. This ratio is changing — in less than three years, the number of unknown threats will likely exceed the number of known threats.
  3. Cybercrime is growing around the world. Fraud and cybercrime are the U.K.’s most common offenses, with an estimated 3.6 million fraud crimes and an additional 2 million related to computer misuse. While other areas of crime, such as theft, are dropping, 1 in 10 adults reported that they had fallen victim to fraud or some other form of cybercrime, including a 39 percent increase in fraud against U.K.-issued cards.
  4. Digital transformation is changing nearly every aspect of business operations. It will require security professionals to be partners in the collaboration, planning, design, deployment and monitoring of these new processes.

Overhauling the Security Operations Center

To adapt to these trends, security teams must update their vision, mission and strategy to manage the transformation of SOC capabilities. Most SOCs begin their journey with a focus on infrastructure monitoring, which has long been considered the minimum level of monitoring for the SOC. As companies move more of their infrastructure to the cloud, however, this monitoring is increasingly the domain of cloud providers. The SOC must shift its focus toward validating the monitoring that is provided as part of the cloud service offering.

As the ratio of known to unknown threats skews toward the latter, the SOC must also find more efficient ways to deal with known vulnerabilities and create new capabilities to deal with unknown hazards. IBM is working with its clients to automate many of the activities related to the management of known threats, including:

  • Threat taxonomy;
  • Use case requirements;
  • Rule requirements and design;
  • Rule tuning and rule performance assessment;
  • Automation of level 1 monitoring functions (e.g., review alert, check for duplicates, check for false positives, public and private contextual data enrichment, classification decisions and disposition decisions);
  • Rule response procedures; and
  • Automation of mitigation steps.

This work must be automated through a combination of scripting, machine learning and cognitive analytics and executed by data scientists who are well-versed in these advanced analytical methods. Investment in this automation will free up SOC teams to identify and analyze unknown threats.

Watch the full session from Think 2018: Security Operations Centers and the Evolution of Security Analytics

The Transformative Power of Advanced Analytics

With these new tools and skills, SOCs can help position clients to use pattern analysis, statistical analysis, affinity analysis and machine learning models to streamline the task of monitoring the infrastructure, application, data and business process logs to detect unknown threats. The addition of big data tools, quantitative analytics and machine learning enables SOC teams to identify not only threats, but also a broader range of key business risks.

These trends will transform the security operations center into a risk analytics center that uses automation to track, manage and prevent both known and unknown threats. In addition, these capabilities will enable the risk analytics center to address a broad range of business risks using advanced data analytics.

The increasingly sophisticated capabilities of the risk analytics center will accelerate changes to security operations center best practices. As the silos within organizations break down to make way for more collaborative approaches to managing risk, the scopes within the SOC and risk analytics center will become broader, allowing them take on a more active role in managing an increasing number of business risks beyond traditional cyberthreats.

Learn more about building your security capabilities across all environments

 |  |  |  |  |  |  |  |  |  | 
Paul Dwyer
Partner - IBM Security

More from Intelligence & Analytics
February 21, 2024

X-Force Threat Intelligence Index 2024 reveals stolen credentials as top risk, with AI attacks on the horizon

4 min read - Every year, IBM X-Force analysts assess the data collected across all our security disciplines to create the IBM X-Force Threat Intelligence Index, our annual report that plots changes in the cyber threat landscape to reveal trends and help clients proactively put security measures in place. Among the many noteworthy findings in the 2024 edition of the X-Force report, three major trends stand out that we’re advising security professionals and CISOs to observe: A sharp increase in abuse of valid accounts…

December 19, 2023

Web injections are back on the rise: 40+ banks affected by new malware campaign

8 min read - Web injections, a favored technique employed by various banking trojans, have been a persistent threat in the realm of cyberattacks. These malicious injections enable cyber criminals to manipulate data exchanges between users and web browsers, potentially compromising sensitive information. In March 2023, security researchers at IBM Security Trusteer uncovered a new malware campaign using JavaScript web injections. This new campaign is widespread and particularly evasive, with historical indicators of compromise (IOCs) suggesting a possible connection to DanaBot — although we…

December 14, 2023

Accelerating security outcomes with a cloud-native SIEM

5 min read - As organizations modernize their IT infrastructure and increase adoption of cloud services, security teams face new challenges in terms of staffing, budgets and technologies. To keep pace, security programs must evolve to secure modern IT environments against fast-evolving threats with constrained resources. This will require rethinking traditional security strategies and focusing investments on capabilities like cloud security, AI-powered defense and skills development. The path forward calls on security teams to be agile, innovative and strategic amidst the changes in technology…

Topic updates

 Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today
© 2024 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature