Have we Seen Any Improvement in the Security Operations Center?

4 min read
(April 16, 2024)

We have seen cybersecurity services evolve. Let's ask ourselves: have we seen any improvement in the Security Operations Center? Is there scope for improvement and modernization?

Jake, the head of cybersecurity at a mid-size enterprise, and I were at the DTX conference in London recently, where I spoke about the impact of the ongoing geopolitical warfare on threat levels. I learned from him that he, along with many others, was happy with the content being discussed and had learned a lot about how critical national infrastructure organizations would prepare and execute their plans.

Like every other cybersecurity leader in an enterprise, Jake is required to justify the need for investment in cybersecurity; the board won't approve any budget without a business justification. So he was on the lookout for some help drafting the business case for a “Cyber Security Service Improvement Program” that involves reviewing the services delivered by the SOC.

While there are tools for detection and response (EDR and NDR), modern firewalls, Network Access Control (NAC), SIEM, web proxies, DLP and CASB systems, there is still a gap in understanding the threat landscape and a lack of confidence in your defence capabilities.

Growing log volumes, worrying about ingestion charges, a rise in false positives, having data but getting very little output from it, complex and diverse attack surfaces, and skill gaps are some of the challenges to address. Will a modern SOC help?

[Image: a modern Security Operations Center with analysts, threat researchers, and threat detection and response analysts working together]

The Benefits of Having a Modern Security Operations Center

Back in the days when cybersecurity wasn’t a buzzword, the IT Operations team (excluding the applications team) was made up of IT infrastructure teams: server admins, network admins, database admins, the service desk and other support teams, all using enterprise tools to support their day-to-day operations.

Some IT teams would also have a level 1 monitoring team called a NOC (Network Operations Center), comprised of technicians working around the clock with an eye on the glass (dashboards) and emails (notifications), actioning alerts based on the supporting operations procedures. The primary goal was to ensure that any downtime or performance degradation was reported immediately to Level 2 (infrastructure or application support) teams to fix, avoiding major impact on the business.

The engineering teams at product companies designed solutions to monitor the “availability” and “performance” of servers, applications, web services, hardware and network devices. Modernization, coverage, integration and the need for efficiency pushed IT operations leaders to implement automation that resolved incidents based on a “runbook”. Products also evolved to serve the cause; they now have better monitoring, reporting and dashboard capabilities.

From an IT security perspective, the traditional firewall worked on a basic filtering principle: allow traffic that matches the permitted rules and deny other network communications across networks as configured. Modern firewalls now perform intrusion detection and prevention, study traffic patterns across the network and flag anomalies, and are application- and cloud-aware, including deep-packet inspection.

The antivirus, which most of my peers would agree was mostly supported by the server admin because security teams didn’t exist, performed signature-based detection back then: it flagged any suspicious software as malicious and quarantined it for review. Modern antivirus, backed by sophisticated Machine Learning (ML) algorithms and Artificial Intelligence (AI), analyzes trends and adapts to emerging threats. The number of users on the internet interacting with data has peaked, which means more potential opportunities for attackers, and this pushes up the demands on antivirus software.

We have seen antivirus evolve into Next Generation Antivirus (NGAV) and, most recently, Endpoint Detection and Response (EDR) and Extended Detection and Response (XDR), which shifted the focus to a holistic view of threats across the entire technology landscape, taking security defense to the next level.

Email and web traffic have increased due to digitization, and phishing is the most used attack method, so it's important to secure email using advanced software that encrypts sensitive email content and flags malicious hyperlinks within a message. Web filtering, reverse proxies, CASB and DLP are reducing the risks massively.

Attackers have evolved, and there is a rise in organized cyber-attacks by hacktivists and state-sponsored attackers. Insider threats, whether malicious intent or misconfiguration, are also a major contributor to cyberattacks, and this is giving cybersecurity leaders nightmares. There are so many gaps to address.

A modern SOC, in my perspective, should still address the basic requirements of threat intelligence, threat detection and threat hunting. Threat hunting matters because it reduces the time an adversary spends undiscovered in your network (the “dwell time”) and thus reduces the Mean Time to Detect (MTTD) and Mean Time to Contain (MTTC).
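To make the metrics above concrete for a business case, here is an added example (my own illustration, not from any SOC product) that derives dwell time, MTTD and MTTC from incident records. It assumes dwell time is the gap between initial compromise and detection, MTTD is the mean dwell time, and MTTC is the mean gap between detection and containment; the incident data is constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean
from typing import Optional


@dataclass
class Incident:
    """One incident record: when the adversary got in, when the SOC
    detected it, and when it was contained (None if still open)."""
    name: str
    compromised: datetime
    detected: datetime
    contained: Optional[datetime] = None

    def __post_init__(self) -> None:
        # Guard against timeline mistakes that would silently skew the metrics.
        if self.detected < self.compromised:
            raise ValueError(f"{self.name}: detected before compromise")
        if self.contained is not None and self.contained < self.detected:
            raise ValueError(f"{self.name}: contained before detection")

    def dwell_time(self) -> timedelta:
        # Time the adversary was present before anyone noticed.
        return self.detected - self.compromised

    def containment_time(self) -> Optional[timedelta]:
        # Time from detection to containment; None while the incident is open.
        if self.contained is None:
            return None
        return self.contained - self.detected


def mttd_hours(incidents: list[Incident]) -> float:
    """Mean Time to Detect: average dwell time across all incidents, in hours."""
    return mean(i.dwell_time().total_seconds() for i in incidents) / 3600


def mttc_hours(incidents: list[Incident]) -> Optional[float]:
    """Mean Time to Contain: average detection-to-containment, in hours.
    Open incidents are excluded; returns None if none have been contained."""
    times = [i.containment_time() for i in incidents if i.contained is not None]
    return mean(t.total_seconds() for t in times) / 3600 if times else None


# Constructed sample data: a quarter before threat hunting was introduced,
# and a quarter after. Timestamps are illustrative only.
BEFORE_HUNTING = [
    Incident("A", datetime(2024, 1, 2, 8), datetime(2024, 1, 12, 8), datetime(2024, 1, 12, 20)),
    Incident("B", datetime(2024, 1, 20), datetime(2024, 2, 1), datetime(2024, 2, 2)),
    Incident("C", datetime(2024, 2, 10, 10), datetime(2024, 2, 14, 10)),  # still open
]
AFTER_HUNTING = [
    Incident("D", datetime(2024, 4, 1, 9), datetime(2024, 4, 2, 9), datetime(2024, 4, 2, 13)),
    Incident("E", datetime(2024, 4, 10), datetime(2024, 4, 12), datetime(2024, 4, 12, 6)),
]
```

Running `mttd_hours` and `mttc_hours` over both lists gives the before/after figures a board will actually understand: hours of undetected adversary presence, and hours to contain once found.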

Organizations must have a defense-in-depth strategy and implement Zero Trust, micro-segmentation and threat intelligence. I have seen debates around XDR and SIEM and whether either would work; in my view they are not mutually exclusive, and they work together to strengthen your security posture: XDR provides broader scope, while SIEM lets you dive deep into log data for analysis and reporting.

A modern Security Operations Center should have a good mix of analysts, including threat researchers, threat detection and response analysts, and threat hunters who achieve more through automation where possible. A modern SOC should also promote a culture of learning lessons from past attacks and preparing for emerging threats.

Driving Business Value

It's best to choose a modern SOC that delivers value to your business by dramatically improving threat visibility; collecting, correlating and analyzing data from various sources using advanced intelligence, automation and Artificial Intelligence (AI); coordinating siloed security tools; conducting threat hunting; streamlining analysis and remediation; and reducing the total cost of ownership while easing the security staffing burden.

Remember that attackers don’t just attack during business hours; you know what I mean!