The SOC sits at the beating heart of an organization’s IT and security functions. Its primary goal is to detect, respond to, report on and, of course, prevent cyber-threats. In a world where a single data breach costs a global average of nearly $3.9 million today, and ransomware infections can lead to losses in the tens of millions, an effective SOC is essential to minimizing an organization’s financial and reputational cyber risk.
A 2019 Ponemon Institute poll of IT and security practitioners found that 67 percent believed their SOC was “essential” or “very important” to the overall cybersecurity strategy. The SOC’s standing will only grow as threats become more complex and voluminous, and digital infrastructure investments broaden the corporate attack surface. McKinsey claims that some organizations accelerated their digital operations by three to four years in the space of just a few months during the pandemic. This will come at a serious cost if these same companies haven’t invested properly in the four key pillars (people, process, philosophy and technology) of an effective SOC.
What are the key challenges facing SOC managers?
It takes an estimated 280 days to identify and contain a breach today, so we know that things are not working as they should. But why? As above, it comes down to people, process, philosophy and technology. These factors are inevitably interlinked, but the people aspect is perhaps the most pressing. Pressure is mounting on already stretched teams, SOC analysts included, and it only compounds if they lack the right tools, processes and philosophy/culture to maximize productivity.
This isn’t a case of simply ramping up automation. Ultimately, experienced analysts are needed to respond to the threats that security alerts represent, and organizations without enough in-house skills will struggle here. A recent report claimed that only half (50 percent) of SOC teams were up to par across the entire range of skills needed to do their roles. The pandemic has certainly added to these challenges by slowing down recruitment, making intra-team collaboration harder and adding to the workload of the typical security professional.
Will more budget help?
More financial resources are never a bad thing, and the good news is that 55 percent of tech and security executives plan to increase cybersecurity budgets this year, with 51 percent adding full-time cyber staff. That’s despite most executives expecting revenues to decline. However, budget must be focused in the right areas and appropriately aligned to business context and risk. Too often, for example, security spend is set simply as a percentage of overall IT spend rather than derived from the organization’s actual risk. An organization with good visibility into its cyber risk posture would, in many cases, increase SOC spending, given the SOC’s central role in tackling the causes of that risk.
However, more budget will not necessarily translate into a new intake of SOC analysts. In fact, the stresses of poor tooling, processes and philosophy are taking their toll: that Ponemon Institute study claimed many organizations are losing experienced security analysts as a result.
How important is getting the right SOC technology in place?
It’s a crucial piece of the puzzle. A 2019 analyst report found that over three-quarters of SOCs were collecting more security data than they were two years ago, and 52 percent were retaining that analytics data for longer. But more data doesn’t necessarily equal more visibility or insight. In fact, without first taking a step back to fundamentally understand your business, threat model and risk appetite, more data usually means less visibility/insight! There are so many tools on the market that can help today (SIEM, NGFW, (N/X/E)DR, etc.) that analysts can end up with a bunch of siloed products spitting out hundreds or thousands of alerts each day. Combine a lack of in-house skills with the wrong technology, philosophy and processes and you have a recipe for disaster: alert-fatigued and overwhelmed analysts unable to prioritize what’s important.
Important alerts will slip through the net (false negatives) whilst valuable analyst time is spent chasing dead-ends (false positives). Organizations need a better approach.
How can SOCs and IT security teams overcome alert fatigue?
Looking at it through the technology lens, SOC managers need a single, unified platform to filter out the noise from these multiple security tools and provide actionable, digestible insight so that remediation efforts can be prioritized effectively. There are several components which IT security buyers should look out for.
Full visibility: with seamless integrations into all your security products, including those hosted on-prem and in (multi-)cloud environments.
Enriched insight: via integration with third-party threat intelligence data, as well as internal business context. Business context is crucial!
Personalization: the ability to tune/tweak settings to enhance the relevance of results—e.g. being able to tag critical IT assets for closer monitoring (back to the business context piece).
Machine learning-powered analytics: to correlate and prioritize alerts from large data volumes, in order to maximize analyst productivity.
Automation: throughout the platform, to reduce the opportunity for human error and tackle the challenges associated with the sheer volume of threats organizations face today.
An intuitive UI: to enable analysts to quickly identify the “who, what, when and how?” of each incident at a glance, and drill down for more information if necessary. Deloitte’s report puts it nicely: “Machines will be needed to deliver better data to humans…in a more organized form (stories made of alerts).”
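The components above (cross-tool correlation, threat-intel enrichment, asset tagging for business context, prioritization and a who/what/when/how summary) can be shown in miniature. The following is an added example written for this article, not SOC.OS code or any vendor’s engine. The alert records, the threat-intel list, the asset criticality tags, the severity weights and the scoring formula are all constructed for illustration; real products use different field names and far richer models. It groups alerts from three hypothetical tools into per-host “stories” within a time window, then scores each story so that a high-value asset with corroborating alerts and a threat-intel hit rises to the top, while a noisy but unimportant kiosk sinks:

```python
"""Correlate alerts from several tools into prioritised "stories of alerts".

Added example for this article. All data below is constructed; nothing here
is real telemetry, a real feed, or any vendor's scoring logic."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample alerts: one record per tool, normalised to common fields.
# Field names are an assumption for this example; real products differ.
SAMPLE_ALERTS = [
    {"source": "ngfw", "ts": "2021-03-02T09:01:10", "host": "fin-db-01",
     "user": None, "src_ip": "203.0.113.7", "event": "inbound_connection", "severity": "low"},
    {"source": "edr", "ts": "2021-03-02T09:04:32", "host": "fin-db-01",
     "user": "svc_backup", "src_ip": None, "event": "suspicious_powershell", "severity": "medium"},
    {"source": "siem", "ts": "2021-03-02T09:06:05", "host": "fin-db-01",
     "user": "svc_backup", "src_ip": None, "event": "new_admin_account", "severity": "high"},
    {"source": "edr", "ts": "2021-03-02T11:30:00", "host": "kiosk-lobby-03",
     "user": "guest", "src_ip": None, "event": "adware_detected", "severity": "high"},
    {"source": "ngfw", "ts": "2021-03-02T11:31:00", "host": "kiosk-lobby-03",
     "user": None, "src_ip": "198.51.100.9", "event": "inbound_connection", "severity": "low"},
    {"source": "siem", "ts": "2021-03-02T14:00:00", "host": "fin-db-01",
     "user": "dba_jane", "src_ip": None, "event": "failed_logon", "severity": "low"},
]

# Constructed threat-intel feed: IPs the organisation treats as known bad.
THREAT_INTEL_IPS = {"203.0.113.7"}

# Business context: criticality tags the organisation maintains for its assets.
# Untagged hosts default to 1 (an ordinary endpoint); 5 marks a crown jewel.
ASSET_CRITICALITY = {"fin-db-01": 5, "kiosk-lobby-03": 1}

SEVERITY_WEIGHT = {"low": 1, "medium": 3, "high": 5}
WINDOW = timedelta(minutes=30)  # alerts further apart than this start a new story


def _parse(ts):
    return datetime.fromisoformat(ts)


def group_into_stories(alerts, window=WINDOW):
    """Group alerts on the same host into chains where each alert falls within
    `window` of the previous one. Returns a list of stories (lists of alerts)."""
    by_host = defaultdict(list)
    for a in sorted(alerts, key=lambda a: _parse(a["ts"])):
        by_host[a["host"]].append(a)
    stories = []
    for items in by_host.values():
        current = [items[0]]
        for a in items[1:]:
            if _parse(a["ts"]) - _parse(current[-1]["ts"]) <= window:
                current.append(a)
            else:
                stories.append(current)
                current = [a]
        stories.append(current)
    return stories


def score_story(story, intel=THREAT_INTEL_IPS, assets=ASSET_CRITICALITY):
    """Priority = summed severity weight, multiplied by the number of
    independent tools that fired (corroboration), plus a bonus per threat-intel
    hit, all scaled by asset criticality. Weights are assumptions."""
    base = sum(SEVERITY_WEIGHT[a["severity"]] for a in story)
    corroboration = len({a["source"] for a in story})
    intel_hits = {a["src_ip"] for a in story if a["src_ip"] in intel}
    criticality = assets.get(story[0]["host"], 1)
    return (base * corroboration + 5 * len(intel_hits)) * criticality


def summarise(story, intel=THREAT_INTEL_IPS, assets=ASSET_CRITICALITY):
    """The who / what / when / how an analyst wants at a glance."""
    return {
        "host": story[0]["host"],
        "who": sorted({a["user"] for a in story if a["user"]}) or ["unknown"],
        "what": [a["event"] for a in story],
        "when": (story[0]["ts"], story[-1]["ts"]),
        "how": sorted({a["source"] for a in story}),
        "intel_hits": sorted({a["src_ip"] for a in story if a["src_ip"] in intel}),
        "asset_criticality": assets.get(story[0]["host"], 1),
        "priority": score_story(story, intel, assets),
    }


def prioritise(alerts=SAMPLE_ALERTS, intel=THREAT_INTEL_IPS, assets=ASSET_CRITICALITY):
    """Build stories from raw alerts and return them highest priority first."""
    summaries = [summarise(s, intel, assets) for s in group_into_stories(alerts)]
    return sorted(summaries, key=lambda s: s["priority"], reverse=True)


if __name__ == "__main__":
    for s in prioritise():
        print(f'[{s["priority"]:>4}] {s["host"]} who={s["who"]} '
              f'what={s["what"]} via={s["how"]} intel={s["intel_hits"]}')
```

Run as-is, the three alerts on fin-db-01 (a tagged crown-jewel asset, three tools agreeing, and a source IP on the intel list) collapse into one story at the top of the queue; the kiosk’s “high” adware alert lands well below it despite its raw severity, because the asset tag and the lack of corroborating intel pull its score down. That reordering is the point of the business-context and enrichment components listed above: the raw severity a single tool assigns is rarely the right thing to sort by.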
David Mareels, CEO & Co-Founder, SOC.OS