The mission of the security operations center (SOC) has historically focused on the coordination of a multilayered defense to detect, prevent and manage threats that could compromise the integrity of the technology infrastructure, business services or data. The security operations center framework allows users to stay ahead of emerging threats by analyzing security intelligence feeds, identifying relevant vulnerabilities, building use cases, developing rules, adding data sources, optimizing response procedures, and supporting ongoing rule tuning and management.
However, several key trends are transforming the security operations center mission, processes, functions, staffing and core capabilities. Below are four of the most significant changes driving this evolution.
- The migration to cloud-based infrastructure is transforming infrastructure and the associated monitoring into commodities. This approach relies on current technology and leverages automated patching to reduce exposure to known vulnerabilities.
- According to IBM X-Force Threat Research, the current threat landscape consists of 58 percent known threats and 42 percent unknown threats. This ratio is changing — in less than three years, the number of unknown threats will likely exceed the number of known threats.
- Cybercrime is growing around the world. Fraud and cybercrime are the U.K.’s most common offenses, with an estimated 3.6 million fraud crimes and an additional 2 million related to computer misuse. While other areas of crime, such as theft, are dropping, 1 in 10 adults reported that they had fallen victim to fraud or some other form of cybercrime, including a 39 percent increase in fraud against U.K.-issued cards.
- Digital transformation is changing nearly every aspect of business operations. It will require security professionals to be partners in the collaboration, planning, design, deployment and monitoring of these new processes.
Overhauling the Security Operations Center
To adapt to these trends, security teams must update their vision, mission and strategy to manage the transformation of SOC capabilities. Most SOCs begin their journey with a focus on infrastructure monitoring, which has long been considered the minimum level of monitoring for the SOC. As companies move more of their infrastructure to the cloud, however, this monitoring is increasingly the domain of cloud providers. The SOC must shift its focus toward validating the monitoring that is provided as part of the cloud service offering.
As the ratio of known to unknown threats skews toward the latter, the SOC must also find more efficient ways to deal with known vulnerabilities and create new capabilities to deal with unknown hazards. IBM is working with its clients to automate many of the activities related to the management of known threats, including:
- Threat taxonomy;
- Use case requirements;
- Rule requirements and design;
- Rule tuning and rule performance assessment;
- Automation of level 1 monitoring functions (e.g., review alert, check for duplicates, check for false positives, public and private contextual data enrichment, classification decisions and disposition decisions);
- Rule response procedures; and
- Automation of mitigation steps.
This work must be automated through a combination of scripting, machine learning and cognitive analytics and executed by data scientists who are well-versed in these advanced analytical methods. Investment in this automation will free up SOC teams to identify and analyze unknown threats.
The Transformative Power of Advanced Analytics
With these new tools and skills, SOCs can help position clients to use pattern analysis, statistical analysis, affinity analysis and machine learning models to streamline the task of monitoring the infrastructure, application, data and business process logs to detect unknown threats. The addition of big data tools, quantitative analytics and machine learning enables SOC teams to identify not only threats, but also a broader range of key business risks.
These trends will transform the security operations center into a risk analytics center that uses automation to track, manage and prevent both known and unknown threats. In addition, these capabilities will enable the risk analytics center to address a broad range of business risks using advanced data analytics.
The increasingly sophisticated capabilities of the risk analytics center will accelerate changes to security operations center best practices. As the silos within organizations break down to make way for more collaborative approaches to managing risk, the scopes within the SOC and risk analytics center will become broader, allowing them take on a more active role in managing an increasing number of business risks beyond traditional cyberthreats.