Replacing The SOC For Greater Security Efficiency
By Chris Triolo, Respond Software
The SOC has become a fixture of enterprise cybersecurity. Whether in-house – as it is at over half of large organizations – or outsourced, SOCs have analyzed threats for almost a quarter-century. Despite their ubiquity – and their importance – only a select few are considered “highly effective.” In a recent Ponemon Institute benchmarking report, nearly half of surveyed IT security practitioners indicated that they’re “dissatisfied” with their SOC’s ability to detect attacks and malicious activities.
What’s more, SOCs are expensive. The average total cost for staffing and maintaining one exceeds $2.8 million per year. So, what can organizations do to combat these challenges? I recently spoke with Travis Abrams, founder and CEO of CyberPeak, a leading MSSP, to get his take on this issue.
Why The SOC Is Inefficient
Abrams identified the most significant inhibitors to an efficient SOC. First, as companies move from on-premises technologies to cloud-based technologies, the sources of the events are changing. Often, these applications are not generating the correct logs, or the company's technology cannot ingest these logs. Second, there are simply too many events being generated. SOCs cannot parse through all the events to determine if they represent a true security incident. Compounding this, correlation rules and some threat intelligence are notorious for creating false positives, adding noise, and obscuring real threats. Finally, the shortage of skilled security analysts means that companies will continue to struggle to hire and retain staff.
However, the finite nature of human cognition remains the key factor that keeps most SOCs from performing as well as organizations need them to. No matter how intelligent and well-trained they may be, human security analysts will never get better than they currently are at monitoring enormous amounts of log data streaming across their consoles. The numbers speak for themselves. “Looking at just one client’s environment, in the last five to six hours, the web gateway has sent over 104,000 events,” says Abrams. “There is simply no way we could have looked at all that manually.”
A New Model For Enterprise Security
Organizations need to make a bold move to defeat today’s ubiquitous and highly sophisticated cyberattacks. Instead of the SOC as it now stands, it’s time to transition to a “situation center.” In this model, there is no longer a need for highly formalized, structured workflows. Instead, the situation center will be informal and agile, with processes that are constantly shifting and adapting as attackers change their methods. Fewer humans will work there, but those who do will have more important and interesting roles, as their focus is changed from staring at alerts all day to focusing on the actual incidents or security situations that need to be addressed.
As enterprises migrate from the standard SOC to situation centers, they will see cost savings as well as significantly reduced risk profiles compared to their laggard peers. Abrams started his company based on a strong belief in the power of automation and what it can accomplish in cybersecurity operations. “When someone asks us how many Tier 1 analysts we have, I can say that I have as many as you need,” says Abrams. It is not so much that human Tier 1 analysts have been replaced; rather, by implementing automation, the company now has near-infinite Tier 1 capacity.
Maximizing Efficiency
Abrams offered five recommendations that companies can take to maximize the efficiency of their situation center. First, centralize logging of on-premises and cloud assets. Second, assess whether your current SIEM or logging tools can support the cloud environments you are moving to (API versus syslog formats). Third, aim to capture logs from workstations; this is more important than ever with the explosion of work-from-home environments. Fourth, implement cloud-based logging and SIEM. With more cloud applications and more remote work, clients should move these tools to the cloud. Finally, enhance traditional logging tools and SIEM with machine learning technologies to effectively parse and analyze all logs for threats.
Intelligent Security
Abrams believes these best practices will lead to quicker, more accurate responses to incidents, allowing clients to minimize their impact and to also see cost savings. The latter is because using human staff to monitor all security data is expensive, in addition to being impossible. Automating the incident review process both increases the amount of data that can be reviewed and releases about eight to 12 full-time employees from drudge work. They will then be free to put their skills toward more satisfying and higher-value tasks. The combination of intelligent automation and no-nonsense processes makes a situation center that better serves the needs of today’s enterprise.
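To make the two themes above concrete, centralizing on-premises syslog and cloud API events into one schema (the first two recommendations) and then automating the Tier 1 reduction of that stream into a handful of situations, here is an added example. It is not code from the article, from CyberPeak or from Respond Software; the syslog line, the JSON event, the field names and the escalation threshold are all constructed for illustration.

```python
import json
import re
from collections import Counter
from datetime import datetime, timezone

# Constructed sample inputs (not from the article): one RFC 3164-style syslog
# line from an on-premises web gateway and one JSON event as a cloud API might
# return it. Both describe the same blocked connection from the same client.
SYSLOG_LINE = "<134>Jun 12 10:15:02 webgw01 proxy: action=BLOCK src=10.0.0.5 dst=example.test cat=malware"
CLOUD_EVENT = json.dumps({"timestamp": "2023-06-12T10:15:07Z", "source": "cloud-proxy",
                          "user_ip": "10.0.0.5", "destination": "example.test",
                          "verdict": "blocked", "category": "malware"})

SYSLOG_RE = re.compile(r"^<\d+>(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<app>[^:]+): (?P<msg>.*)$")

def normalize_syslog(line, year=2023):
    """Parse a key=value syslog line into the common event schema (None if unparseable)."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    kv = dict(p.split("=", 1) for p in m["msg"].split() if "=" in p)
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S").replace(tzinfo=timezone.utc)
    return {"time": ts, "sensor": m["host"], "src": kv.get("src"), "dst": kv.get("dst"),
            "action": kv.get("action", "").lower(), "category": kv.get("cat", "unknown")}

def normalize_cloud(raw):
    """Parse a JSON event fetched from a cloud API into the same schema."""
    e = json.loads(raw)
    ts = datetime.fromisoformat(e["timestamp"].replace("Z", "+00:00"))
    # Map the cloud vendor's verdict vocabulary onto the syslog one so both sources compare.
    action = "block" if e.get("verdict") == "blocked" else e.get("verdict", "")
    return {"time": ts, "sensor": e["source"], "src": e.get("user_ip"), "dst": e.get("destination"),
            "action": action, "category": e.get("category", "unknown")}

def aggregate(events, threshold=2):
    """Collapse normalized block events into situations keyed by (src, dst, category).

    Only keys seen at least `threshold` times are escalated to a human, which is
    the automated Tier 1 reduction step; the threshold is a hypothetical tuning knob.
    """
    counts = Counter((e["src"], e["dst"], e["category"])
                     for e in events if e and e["action"] == "block")
    return {key: n for key, n in counts.items() if n >= threshold}

if __name__ == "__main__":
    stream = [normalize_syslog(SYSLOG_LINE), normalize_cloud(CLOUD_EVENT)]
    for situation, n in aggregate(stream).items():
        print(f"escalate: src={situation[0]} dst={situation[1]} category={situation[2]} events={n}")
```

On a real feed the same two functions run over every line or API page, so the analyst sees one situation per client/destination pair instead of every raw event.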
About The Author
Chris Triolo is the vice president, customer success at Respond Software.