Accelerate your SOC’s ability to respond to threats

Your SOC needs to be aligned with your business across the supply chain. To achieve this goal, your strategy and governance need to be risk-focused and aligned to your enterprise risk. Risk quantification should drive your planning and investments.

Discover more about risk quantification

Likewise, multidimensional risk and efficiency indicators should drive continuous improvement efforts and showcase risk reduction and operational performance.

SOCs also need more collaboration using the adaptive integrated operations strategy as basic concepts, such as Fusion and Agile. A Fusion enabled SOC has the following characteristics:

• A fusion center should include dedicated specialists, rotational involvement and capacity management as part of its governance.
• Core Fusion elements for effective cyberdetection, response and recovery involve your IT, network and DevOps specialists.
• Fusion provides risk management within industry-specific operations that are susceptible to various threats.
• Business risk functions such as consumer fraud and anti-money laundering are integrated within the fusion center.
• Fused competencies within the SOC with fully integrated command chains ensure unified vision, mission and resource dedication to your risk reduction efforts.

An Agile SOC has the following characteristics:

• Promotes adaptive planning, evolutionary development of operational run books, on-demand formation of analysis and response teams and a maniacal focus to rapidly removing obstacles to agility.
• Leverages Agile principles and methodologies, speeding up analysis and response time, thereby substantially reducing duration of risk exposure, such as dwell time, compared to traditional “process-based” siloed methods which take much longer.

Evolve your SOC’s threat intelligence function from just collecting or disseminating feeds and threat bulletins. You want a cross-functional operation performing collection, enrichment, threat hunting and dissemination of threat and business risk intelligence activities across your enterprise’s IT, security and business risk functions.

Use omni source threat intelligence to infuse and inform detection, protection and recovery processes with full lifecycle intelligence capability encompassing cyber and business threat intelligence.

Omni source threat intelligence provides cybersecurity defenders with up-to-date and accurate threat intelligence. It’s more thorough than traditional threat intelligence, which doesn’t drive strategies for detection, protection or both.

Omni source threat intelligence is comprised of numerous sources including human, cyber, social, geographic, business, threat actors, threat vectors, deep web, dark web and Open Source Intelligence (OSINT).

SOC staff can only protect an environment against what they recognize. An omni source intelligence gathering strategy should be supplemented by appropriate technologies that can perform the following tasks:

• Centralize the raw intelligence
• Provide a work bench for intelligence analysts to enrich the intelligence, remove redundancies and add context
• Disseminate enriched intelligence with the appropriate Threat Level Protocol (TLP) designators to the critical functions in the organization to inform protection, detection and response and recovery measures

Get technical research reports and view the threat landscape

Adaptive SOCs have agility, which means the ability to rapidly perform security activities as one of its cornerstones. Integrated SOCs fuse critical IT, business and risk teams and processes for maximum collaboration and sharing. An Adaptive Integrated SOC combines these principles to gain razor sharp focus on achieving quick results by proactively collaborating across critical constituencies without being slowed down by inefficient process-based approaches.

The new operating model redefines the following elements:

• How your talent is assigned
• How those team members converge and work a problem
• What resources are available
• What authority the team members have to act in an adverse event

This new model promotes empowered actions, organic skill development, motivation, cross training and Agile operational enhancements. These changes can result in improved outcomes, retention and surge capability leveraging cross-trained resources.

The Fusion service catalog offers more open communication and collaboration for your team members as well, with such features as catalog management, service requests and service fulfillment. There are mission-enabling services available to Fusion Center constituents from every operations function, such as watchlist addition and custom and compliance reports. Its adaptive integrated model makes it possible to overcome gaps in contextual data sources faster than traditional techniques.

DevOps, the process that expedites application development efficiencies and software release management, and DevSecOps, the process of integrating security practices within the DevOps process, may already be used in your organization.

The principles of Continuous Integration and Continuous Development (CI/CD) in DevOps tool chains and the integration of security testing tools that are prevalent in DevSecOps models that provide quicker, more reliable and secure code to production environments have inspired SOCs to move cyber response integrations deeper into the IT tools chains. Technologies such as Security Orchestration, Automation and Response (SOAR) have been at the forefront of driving these efficiencies in cyber operations.

Learn more about DevOps tools and software

Operations teams often redundantly deploy and underutilize existing enterprise IT and corporate security technologies. As a result, core technology is straining to handle data ingestion and correlation. To address this situation, take the following steps:

• Develop a security technology roadmap linked to maturity that aligns with enterprise strategy to leverage advanced technology
• Leverage existing initiatives for enterprise data aggregation to serve cross-functional needs

The adaptive integration operations concept discussed previously require SOCs to consider evolving technologies based on open platforms. These technologies can connect across an ecosystem of security and IT technologies to provide single pane of glass visibility and use federated searches to discover and hunt for threats in a multicloud hybrid IT environment. Concurrently existing tools may need to be configured differently to allow the on-demand, collaborative approach required for adaptive integration to work.

By extending or reconfiguring existing ticketing tools, you have one parent security ticket with response sub-tasks for cross-functional fusion team members. This change removes the notion of working tickets by Service Level Agreements (SLAs) defined for various corporate functions.

Also, use emerging class of technologies and tools such as data security platforms to combine or analyze data, or both, from sources spread across technologies to perform the analysis. You avoid redundancies proliferating in a single repository that way.

As many organizations continue to expand these areas of growth, an increasing number of threats are appearing. Operational Technologies (OT) infrastructure includes systems that focus on physical devices related to Industrial Control Systems (ICS), which involve technologies working with equipment in manufacturing processes such as automobiles. Manufacturing and oil and gas firms, among others, deal heavily with OT environments for safety and reliability. OT systems include industrial components and critical infrastructure such as equipment at refineries and power plants.

OT is popular but faces a number of security challenges. While perceived by some as safe, many traditional security tools don’t work with the traditional OT environment. Visibility into OT networks can be limited. OT can run on antiquated protocols and software. These situations all encourage targeting attacks on OT environments to exploit their vulnerabilities.

SOC teams who account for these systems and add them to enterprise monitoring programs ensure better protection for these unique components. The same applies to Internet of Things (IoT) devices such as wireless inventory trackers, streetlights, civil sirens and biometric security scanners.

41 billion

Estimated number of IoT devices in operation by 2027³

These systems and more create new opportunities for attackers to leapfrog from these components to more critical systems in the environment. Defenders who inventory, track, monitor and update these devices just as if they were standard corporate endpoints stay ahead of the attackers.

Infusion of artificial intelligence (AI) and machine learning (ML) can increase the efficiency and effectiveness initiatives for SOCs. The following activities are examples of this process:

• Auto closing noise tickets
• Auto escalating of alerts to relevant teams
• Prioritizing analyst workload

Using statistical techniques, algorithms, AI and ML, teams can take advantage of security analytics to identify and remediate threats. Security analytics components are applied with real-time or historical data or both to detect anomalous behavior, discover novel insights and automate threat detection.

These capabilities, brought forth through analysis, optimize productivity while reducing costs. Analytics are mostly applied to high-velocity, veracity and volume data, or big data, where traditional correlation methods are inadequate. Adopting these processes allows L1 analysts to do more “knowledge work” instead.

The presence of data lakes virtually everywhere — both on premises and in the cloud — has led some leaders of SOCs to think Security Intelligence and Event Management (SIEM) solutions are unnecessary. They leverage data lakes and their own architecture for their security use as well. This approach can adversely affect their technical plumbing and ability to write use cases. Generally, it’s recommended to have an SIEM and a threat hunt capability looking at a data lake.

Learn more about data lakes

A variety of strategies exists among established SOCs as their teams try to scale with these environments. There’s a lack of investment in technologies to secure these strategies even as more organizations implement multicloud, hybrid cloud and container usage.

Learn more about multicloud

Learn more about hybrid cloud

Regulatory requirements are increasing through new rules and modifications to existing regulations worldwide. Two major privacy regulations are the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA).

The GDPR lays down rules relating to the protection of natural persons with regard to the processing of personal data and rules relating to the free movement of personal data in the European Union. The CCPA requires a company that does business in the state of California and collects personal information about a consumer to disclose the consumer’s right to delete personal information.

The GDPR and CCPA have major impacts on data security and privacy, two areas that SOCs have requirements to monitor. SOC teams who understand how to comply with the terms of the GDPR and CCPA can help their enterprises avoid costly fines for violating these regulations.