Blog Spain

Evolution of the SOC in the face of the new threat model

Manel Álvarez, Head of Cybersecurity

Today, many companies are adopting hybrid SOC models, within which they delegate some security functions to service providers that have sufficient capacity to allow them to operate 24/7.

Manel Álvarez

Manel Álvarez, Head of Cybersecurity

In recent years, the figure of the SOC as the central focus of operations has played a leading role in the management of security threats. However, the increase in the number of attacks, coupled with the sophistication of the threats, highlights some of the limitations of today’s security equipment, which can in turn reduce the effectiveness of this equipment.

In spite of the fact that event management technologies have evolved considerably, the finesse of the attacks and the wide variety of tools that can be used to manage them generates a huge amount of data. This leads to gaps in the analysis and in the prioritization of alerts. As a result, it is not feasible for security teams to effectively manage response and escalation.

Strategy of automation in hybrid SOC models

While this measure solves some of the main problems of maintaining an internal SOC, nowadays, it is important to focus on achieving the following milestones, in order to establish an effective threat management model:

In addition to the above objectives, deploying an optimal SOC model presents some further challenges that must be part of the business strategy:

  1. Reduction in personnel rotation: Maintaining a sufficiently qualified team that is able to respond 24/7 is made more complicated by the difficult of attracting talent. In addition, the salaries of experts in the field are usually high.
  2. Reduction in costs: The exponential increase in the volume of data, combined with the reliance on information to maintain competitiveness in the market, requires much more complex infrastructures and more qualified teams. This leads to an increase in associated costs.
  3. Optimization in the management of Security operations: In the same way as an economy of scale model, creating synergies with external security providers can help optimize the use of available resources.

How does a hybrid SOC model with automation capabilities improve incident detection and response?

The hybrid SOC model is not new. As previously mentioned, this is the solution that many companies have adopted as a means of outsourcing security operations, as it offers flexibility, scalability and profitability. However, it requires a complex structure and effort from the organization to ensure that the established objectives are achieved.

The hybrid SOC model is based on one main premise, wherein some aspects of the operation remain within the company, while others are delegated to a Managed Security Service Provider (MSSP). This structure offers significant advantages over internal SOC models:

In spite of this model’s effectiveness, the scenario in question presents a new challenge; the automation of security in the SOC, responding to possible threats, taking advantage of existing tools and reducing the effort required from the teams.

In order for an automation model to be effective and to enhance and optimize the coordination of events, it must be structured according to the following premises:

Main benefits of the hybrid SOC model with automation capabilities

Transferring artificial intelligence and machine learning introduces speed, cost efficiency and response accuracy. These advantages are part of the added value that security automation can bring to a SOC team. But the benefits of security automation go much further that.

An integrated and coordinated SOC becomes much more effective when automation is incorporated into its capabilities. Collecting data faster, correlating it more efficiently, automatically deploying patches, and detecting cybersecurity threats more effectively are all features of security automation services.

But how exactly do these capabilities benefit a SOC?

The increased analytical capabilities of automation, driven by AI, help to:

  1. Minimize response times: With automation in security, the goal is not to replace human analysts. Automating tedious, time-consuming, non-cognitive tasks gives analysts more freedom to focus on higher priority incidents that will add greater value to the platform. This affects response times in two ways. Firstly, automation tackles the tedious tasks faster than humans would be able to. And secondly, it can respond to higher level threats more quickly, as the SOC team can access more contextual information about the activity of the attackers.
  2. Reduce human error: It is widely known that human error is the main cause of cyberattacks. A study by Kaspersky found that humans are the cause 90% of security breaches in the cloud. These errors often occur when security analysts try to balance all the tasks required within a SOC team that has already reached capacity. When so many tasks are required to simply monitor activities, there is not much time left to be proactive.
  3. Eliminate alert fatigue: While it was once true that prevention and detection capabilities were sufficient to keep up with attackers, this is no longer the case. Now, context is key to protecting an organization. With no means of contextualising the data, analyst teams will be inundated with more alerts than they can handle. This can cause alert fatigue, and then threats are allowed to penetrate the perimeter, increasing response times. When automation provides context for the data, alerts are precise and responses can be prioritized accordingly.

For me, the real challenge is to introduce automation into the SOC in a way that makes use of existing tools, without introducing added complexity for the SOC team. This will also ensure that the benefits can be identified and quantified in a clear and simple way. That’s why, here at CyberProof, UST’s cybersecurity unit, we have created a managed detection and response platform that will help you deal with the most advanced and persistent cybercriminals.