Evolution of the SOC in the face of the new threat model
Manel Álvarez, Head of Cybersecurity
Today, many companies are adopting hybrid SOC models, within which they delegate some security functions to service providers that have sufficient capacity to allow them to operate 24/7.
In recent years, the SOC, as the central point of security operations, has played a leading role in managing security threats. However, the increase in the number of attacks, coupled with the sophistication of the threats, exposes some of the limitations of today’s security teams, which in turn reduces their effectiveness.
In spite of the fact that event management technologies have evolved considerably, the finesse of the attacks and the wide variety of tools that can be used to manage them generates a huge amount of data. This leads to gaps in the analysis and in the prioritization of alerts. As a result, it is not feasible for security teams to effectively manage response and escalation.
Strategy of automation in hybrid SOC models
While this measure solves some of the main problems of maintaining an internal SOC, nowadays, it is important to focus on achieving the following milestones, in order to establish an effective threat management model:
- Reduction in false positives: The excessive volume of alerts that detection tools generate can cause security analysts to look in the wrong direction.
- Response prioritization: Limited access to information sources and attack vectors can lead to a significant reduction in the visibility of new threats, which can distort the criteria for classifying the severity of each incident.
- Reduction in detection, response and remediation time: When a SOC team is overwhelmed by alerts, and false positives become a common occurrence, attackers can enter a network more easily, without being detected. This is one of the main reasons why it takes an average company more than 180 days to detect a security breach.
- Anticipating attacks: One of the biggest problems with traditional SOCs is that their work is limited to reactive surveillance. As a result, new capabilities and proactive strategies need to be incorporated in order to help minimize exposure to these threats.
In addition to the above objectives, deploying an optimal SOC model presents some further challenges that must be part of the business strategy:
- Reduction in personnel rotation: Maintaining a sufficiently qualified team that is able to respond 24/7 is made more complicated by the difficulty of attracting talent. In addition, the salaries of experts in the field are usually high.
- Reduction in costs: The exponential increase in the volume of data, combined with the reliance on information to maintain competitiveness in the market, requires much more complex infrastructures and more qualified teams. This leads to an increase in associated costs.
- Optimization in the management of security operations: As in an economy-of-scale model, creating synergies with external security providers can help optimize the use of available resources.
How does a hybrid SOC model with automation capabilities improve incident detection and response?
The hybrid SOC model is not new. As previously mentioned, this is the solution that many companies have adopted as a means of outsourcing security operations, as it offers flexibility, scalability and profitability. However, it requires a complex structure and effort from the organization to ensure that the established objectives are achieved.
The hybrid SOC model is based on one main premise, wherein some aspects of the operation remain within the company, while others are delegated to a Managed Security Service Provider (MSSP). This structure offers significant advantages over internal SOC models:
- Permanent availability of professionals who specialise in cybersecurity.
- Overall visibility of the threat environment.
- Reduced exposure to threats despite periods of low activity or no activity.
- Updated procedures and workflows that are tailored to the business model.
- Reduction in costs with the development of new rules or use cases.
- Integration of solutions based on the experience of other clients.
- 24/7 monitoring capability at a reduced cost, without the risks associated with maintaining this type of team internally.
In spite of this model’s effectiveness, the scenario in question presents a new challenge: the automation of security in the SOC, responding to possible threats, taking advantage of existing tools and reducing the effort required from the teams.
In order for an automation model to be effective and to enhance and optimize the coordination of events, it must be structured according to the following premises:
- Alert enrichment: The essence of automation is the enrichment of alerts by linking them to a context, rather than working with a long list of disparate alerts. Alert enrichment automatically adds context to an alert, so that alerts can be prioritized and potentially correlated as a single incident, allowing a possible attack scenario to be pieced together.
- Attack visibility: Automation should focus on grouping alerts together based on probability and aligning them with different types of attacks. These attack patterns are a chain of events that employ discrete measurement techniques to optimize the expected outcome for the cybercriminals. The automation of these cases allows the spectrum of possible derivations associated with each type of attack to be widened.
- Proactive management: The speed and efficiency of automation can deter cybercriminals who are looking for an easy target. A SOC that is more proactive and continually updated on the latest threats in cybersecurity, is able to level the playing field to make it a fair fight. Knowing that there are a number of steps that an attacker must take to deploy a complex attack, a proactive approach can anticipate the next step, look for the evidence needed to correlate the information, and automate the type of response, preventing the attacker from achieving their objectives.
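The three premises above (enrichment, attack visibility, proactive response) and the earlier milestones (fewer false positives, response prioritization, shorter detection time) describe one pipeline: raw alerts are given context, suppressed when they come from a known benign source, grouped into incidents, and ranked. The following Python script is an added example of that pipeline written for this page; it is not CyberProof's or any vendor's code. Every hostname, IP address, rule name, tactic label and the asset inventory are constructed for illustration, and the scoring formula is an assumed, deliberately simple one.

```python
"""Added example: alert enrichment, correlation and prioritization.

Constructed input: a handful of raw alerts from different detection tools,
a small asset inventory used as enrichment context, and an allowlist of
authorised vulnerability scanners. All hostnames, IPs, rule names and
tactic labels below are made up for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed asset inventory: the "context" that enrichment attaches.
ASSETS = {
    "db-prod-01": {"criticality": 3, "owner": "payments"},
    "web-prod-02": {"criticality": 2, "owner": "ecommerce"},
    "dev-vm-17": {"criticality": 1, "owner": "engineering"},
}

# Constructed allowlist: the internal vulnerability scanner trips port-scan
# signatures on every run, so its alerts are known false positives.
SCANNER_IPS = {"10.0.5.9"}

# Constructed raw alerts as they might arrive from several tools.
RAW_ALERTS = [
    {"ts": "2024-03-01T09:00:05", "host": "db-prod-01", "src_ip": "10.0.5.9",
     "rule": "port_scan", "tactic": "discovery", "base_severity": 2},
    {"ts": "2024-03-01T09:01:10", "host": "web-prod-02", "src_ip": "203.0.113.7",
     "rule": "brute_force_login", "tactic": "credential_access", "base_severity": 3},
    {"ts": "2024-03-01T09:04:30", "host": "web-prod-02", "src_ip": "203.0.113.7",
     "rule": "new_admin_user", "tactic": "persistence", "base_severity": 4},
    {"ts": "2024-03-01T09:06:00", "host": "web-prod-02", "src_ip": "203.0.113.7",
     "rule": "outbound_unusual_port", "tactic": "command_and_control", "base_severity": 4},
    {"ts": "2024-03-01T12:30:00", "host": "dev-vm-17", "src_ip": "192.0.2.44",
     "rule": "brute_force_login", "tactic": "credential_access", "base_severity": 3},
]

# Assumed correlation window: alerts on one host this close together are one incident.
WINDOW = timedelta(minutes=30)


def enrich(alert):
    """Attach asset context; return None for alerts from authorised scanners."""
    if alert["src_ip"] in SCANNER_IPS:
        return None  # known benign source: suppress instead of escalating
    asset = ASSETS.get(alert["host"], {"criticality": 1, "owner": "unknown"})
    enriched = dict(alert)
    enriched["criticality"] = asset["criticality"]
    enriched["owner"] = asset["owner"]
    enriched["ts"] = datetime.fromisoformat(alert["ts"])
    return enriched


def correlate(alerts):
    """Group enriched alerts on the same host within WINDOW into incidents."""
    by_host = defaultdict(list)
    for a in sorted(alerts, key=lambda a: a["ts"]):
        by_host[a["host"]].append(a)
    incidents = []
    for host_alerts in by_host.values():
        current = [host_alerts[0]]
        for a in host_alerts[1:]:
            if a["ts"] - current[-1]["ts"] <= WINDOW:
                current.append(a)
            else:
                incidents.append(current)
                current = [a]
        incidents.append(current)
    return incidents


def score(incident):
    """Assumed priority: worst alert + asset criticality + breadth of the chain."""
    worst = max(a["base_severity"] for a in incident)
    tactics = {a["tactic"] for a in incident}
    return worst + incident[0]["criticality"] + len(tactics)


def triage(raw_alerts):
    """Full pipeline: enrich -> correlate -> prioritize; returns incidents, highest first."""
    enriched = [e for e in (enrich(a) for a in raw_alerts) if e is not None]
    summaries = []
    for inc in correlate(enriched):
        summaries.append({
            "host": inc[0]["host"], "owner": inc[0]["owner"],
            "alerts": len(inc), "tactics": sorted({a["tactic"] for a in inc}),
            "priority": score(inc),
        })
    return sorted(summaries, key=lambda s: s["priority"], reverse=True)


if __name__ == "__main__":
    for summary in triage(RAW_ALERTS):
        print(summary)
```

Run as written, the scanner's port-scan alert is dropped, the three alerts against web-prod-02 collapse into one incident spanning three stages of an attack chain and rank first, and the isolated brute-force attempt on a low-criticality development VM ranks last; the analyst sees two prioritized incidents with owners attached instead of five unrelated alerts.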
Main benefits of the hybrid SOC model with automation capabilities
Incorporating artificial intelligence and machine learning introduces speed, cost efficiency and response accuracy. These advantages are part of the added value that security automation can bring to a SOC team. But the benefits of security automation go much further than that.
An integrated and coordinated SOC becomes much more effective when automation is incorporated into its capabilities. Collecting data faster, correlating it more efficiently, automatically deploying patches, and detecting cybersecurity threats more effectively are all features of security automation services.
But how exactly do these capabilities benefit a SOC?
The increased analytical capabilities of automation, driven by AI, help to:
- Minimize response times: With automation in security, the goal is not to replace human analysts. Automating tedious, time-consuming, non-cognitive tasks gives analysts more freedom to focus on higher priority incidents that will add greater value to the platform. This affects response times in two ways. Firstly, automation tackles the tedious tasks faster than humans would be able to. And secondly, it can respond to higher level threats more quickly, as the SOC team can access more contextual information about the activity of the attackers.
- Reduce human error: It is widely known that human error is the main cause of cyberattacks. A study by Kaspersky found that humans are the cause of 90% of security breaches in the cloud. These errors often occur when security analysts try to balance all the tasks required within a SOC team that has already reached capacity. When so many tasks are required simply to monitor activity, there is not much time left to be proactive.
- Eliminate alert fatigue: While it was once true that prevention and detection capabilities were sufficient to keep up with attackers, this is no longer the case. Now, context is key to protecting an organization. With no means of contextualising the data, analyst teams will be inundated with more alerts than they can handle. This can cause alert fatigue, and then threats are allowed to penetrate the perimeter, increasing response times. When automation provides context for the data, alerts are precise and responses can be prioritized accordingly.
For me, the real challenge is to introduce automation into the SOC in a way that makes use of existing tools, without introducing added complexity for the SOC team. This will also ensure that the benefits can be identified and quantified in a clear and simple way. That’s why, here at CyberProof, UST’s cybersecurity unit, we have created a managed detection and response platform that will help you deal with the most advanced and persistent cybercriminals.