Security Operations Centres (SOCs) are responsible for keeping your infrastructure, applications and data secure over time. For large and mid-sized organisations with significant numbers of applications, the SOC provides round-the-clock insight into what is taking place around those systems, checking in real time that they are being kept secure.
However, managing a SOC can be a real challenge: even at the best of times, the sheer volume of threats that exist and attacks taking place can make security hard. In real-world scenarios, it can be even more difficult. With COVID planning and more online activity than before, every SOC team faces more pressure due to the volume of data being processed, the need for many employees to work remotely, and the difficulty in finding staff.
These pressures can affect how well SOC teams work, as well as how effective those teams are in practice. If the level of alerts and data coming in becomes overwhelming, the SOC may not be able to perform at all. With a nod to Ennio Morricone, who passed away recently, let’s look at the Good, the Bad and the Ugly around SOC implementations.
The good – getting more data from more sources can improve your work
IT security teams rely on how they manage their SOC in order to function. This means getting data from the security products that are implemented and bringing it together, from the perimeter firewalls and IDS / IPS products through to web application firewalls, network monitoring and other solutions that are in place. Security Information and Event Management (SIEM) solutions bring data from different products together and – so the theory goes – help SOC analysts investigate potential problems faster.
For today’s applications that are developed to run in the cloud, the same process applies. Getting data sets together helps teams see potential faults and attacks taking place. However, this move to the cloud creates much more data – alongside data from the cloud infrastructure elements themselves, the application components will be more numerous and potentially more ephemeral. The use of microservices to build apps, and software containers to host them at scale, means that the volume of data has gone up massively. All this data can provide insight into potential risks and attacks faster, improving your ability to respond to threats.
The bad – trying to deal with that data with smaller teams and fewer skills than required
There is a problem with managing all this data though – traditional SIEM systems are not able to scale up and manage these volumes of data adequately. If you are looking at cloud native applications, then a Cloud SIEM approach may help. Using cloud-based security and monitoring tools to track cloud applications means that your architecture can scale as effectively as is needed.
There is also the challenge of getting data on those applications that are not accessed via traditional VPNs, but being used by a remote workforce directly in the cloud. These might include, for example, Office 365, Workday or Google Suite, not to mention developers using the likes of AWS, Azure and Google Cloud Platform. All of these services can hold critical data, but any misconfigurations due to poor set-up could lead to data loss. Getting this information and making it useful involves gathering it in new ways.
However, there is a bigger problem here, and it is to do with people and skills rather than technology per se. According to a recent Dimensional Research survey, around 70 percent of enterprise IT security teams have seen the volume of security alerts they have to manage more than double in the past five years, while 83 percent say their security staff experiences “alert fatigue.”
Responding to this is also more problematic as teams don’t have enough staff at present – 75 percent of enterprises surveyed reported that they would need three or more additional security analysts to address all alerts the same day that they came in.
Alongside this, there is a dearth of skills around cloud native applications and around cloud security. It can take months to find those with the right skills to fill existing roles, putting more pressure on those within SOC teams in the meantime. Getting the right support processes in place for SOC analysts to help them manage workloads is therefore just as essential as any technology investment.
The ugly – getting the right processes in place so that all the data involved actually works for you
There is a definite place for automation around security analysis in SOC environments. However, automating a bad process will lead to more problems over time. It can even make your SOC environment worse, as it can remove oversight where it is most needed or lead to poorer performance based on the data available. While some initial false positives or issues are to be expected with any implementation, SOC implementations should rapidly improve and show value to the business.
It’s therefore important to think through how you currently manage your security analysts, what workflows they have and where you can help them be more productive. If you are not careful, then your SOC team can be fighting the wrong fights and putting effort into the wrong places. Team members will require training on how to be most effective within their SOC environments, while they should also understand how their own roles and responsibilities add up within the business’s overall approach to risk.
Automation can help make the most of the skills that your team has, helping them to focus on higher value opportunities that they can perform well rather than rote tasks or manual checking of data. For those teams with higher levels of automation, handling the higher levels of alerts today is easier – in the Dimensional Research report, 65 percent of those teams with high levels of automation stated they were able to resolve most security alerts during the same day, compared to only 34 percent of enterprises where low levels of automation are in place currently.
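The point made in this section, and in the earlier description of a SIEM bringing data from different products together, is that analysts should see one consolidated item per problem rather than every raw alert. The block below is an added illustration of that idea, not code from the article or from Sumo Logic: it normalises alerts from two constructed sources (a key=value firewall log and a JSON web application firewall feed), folds repeats of the same source, rule and host that arrive within a short window into a single queue entry, and orders the result by severity and noise. The log formats, rule names, hosts and addresses are all constructed for the example.

```python
"""Consolidating alerts from several sources into one analyst queue.

Added illustration, not code from the article or Sumo Logic. The log
formats, rule names and addresses below are constructed for the example.
"""
from __future__ import annotations

import json
from dataclasses import dataclass, replace
from datetime import datetime, timezone

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass
class Alert:
    """One normalised alert; repeated alerts are folded into `count`."""
    first_seen: datetime
    last_seen: datetime
    source: str
    rule: str
    host: str
    severity: str
    count: int = 1

    @property
    def key(self) -> tuple:
        # Repeats are grouped per source, rule and host
        return (self.source, self.rule, self.host)


def _ts(value: str) -> datetime:
    # ISO 8601 with a trailing Z; strptime is used so this runs on Python < 3.11
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_firewall(line: str) -> Alert:
    """key=value syslog-style line from a perimeter firewall (constructed format)."""
    parts = line.split()
    fields = dict(tok.split("=", 1) for tok in parts[2:])
    ts = _ts(parts[0])
    return Alert(ts, ts, "firewall", fields["rule"], fields["src"], fields["sev"].lower())


def parse_waf(line: str) -> Alert:
    """JSON event from a web application firewall (constructed format)."""
    ev = json.loads(line)
    ts = _ts(ev["time"])
    return Alert(ts, ts, "waf", ev["rule"], ev["client"], ev["severity"].lower())


def consolidate(alerts, window_seconds: int = 300) -> list[Alert]:
    """Fold repeats of the same (source, rule, host) that arrive within
    `window_seconds` of the previous occurrence into one queue entry."""
    open_groups: dict[tuple, Alert] = {}
    queue: list[Alert] = []
    for a in sorted(alerts, key=lambda x: x.first_seen):
        g = open_groups.get(a.key)
        if g is not None and (a.first_seen - g.last_seen).total_seconds() <= window_seconds:
            g.count += 1
            g.last_seen = a.first_seen
            if SEVERITY_RANK.get(a.severity, 1) > SEVERITY_RANK.get(g.severity, 1):
                g.severity = a.severity
        else:
            g = replace(a)  # copy, so the raw alert list is left untouched
            open_groups[a.key] = g
            queue.append(g)
    return queue


def triage(queue) -> list[Alert]:
    """Highest severity first, then the noisiest, then the oldest."""
    return sorted(queue, key=lambda a: (-SEVERITY_RANK.get(a.severity, 1), -a.count, a.first_seen))


def build_queue(firewall_lines, waf_lines, window_seconds: int = 300) -> list[Alert]:
    raw = [parse_firewall(l) for l in firewall_lines] + [parse_waf(l) for l in waf_lines]
    return triage(consolidate(raw, window_seconds))


# Constructed sample input: three firewall hits for one host and rule seconds
# apart, the same again twenty minutes later, one RDP hit, and three WAF events.
FIREWALL_LINES = [
    "2020-07-07T10:00:01Z fw01 action=deny src=10.0.0.5 dst=203.0.113.7 rule=outbound-smb sev=medium",
    "2020-07-07T10:00:04Z fw01 action=deny src=10.0.0.5 dst=203.0.113.7 rule=outbound-smb sev=medium",
    "2020-07-07T10:00:09Z fw01 action=deny src=10.0.0.5 dst=203.0.113.7 rule=outbound-smb sev=medium",
    "2020-07-07T10:20:00Z fw01 action=deny src=10.0.0.5 dst=203.0.113.7 rule=outbound-smb sev=medium",
    "2020-07-07T10:01:00Z fw01 action=deny src=10.0.0.9 dst=198.51.100.2 rule=inbound-rdp sev=high",
]
WAF_LINES = [
    '{"time":"2020-07-07T10:00:30Z","client":"198.51.100.77","rule":"sqli-union-select","severity":"critical","uri":"/login"}',
    '{"time":"2020-07-07T10:00:31Z","client":"198.51.100.77","rule":"sqli-union-select","severity":"critical","uri":"/login"}',
    '{"time":"2020-07-07T10:02:00Z","client":"198.51.100.77","rule":"xss-script-tag","severity":"high","uri":"/search"}',
]

if __name__ == "__main__":
    # Eight raw alerts become five queue entries, worst first
    for a in build_queue(FIREWALL_LINES, WAF_LINES):
        print(f"{a.severity:8} x{a.count:<3} {a.source:8} {a.rule:18} {a.host}")
```

The window is deliberately a parameter: widening it collapses more repeats into one entry at the cost of hiding a lull between two bursts, so the value should be chosen per rule rather than set once for the whole SOC. Severity is taken as the highest seen within a group, so a repeat that escalates does not get buried under its earlier, lower-rated occurrences.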
Getting to this can be a difficult process in itself though. It means looking at your current team, how they work and where they may need to change their processes. This can be hard for teams that are used to working in specific ways or where priorities have to be shifted. This change process can be ugly in itself, as it can involve asking some tough questions around the goals that have previously been set. For teams used to high pressure environments where they can be heroes for their work, this can be challenging.
However, the results should add up to happier teams over time, as they can concentrate on meeting goals effectively and more quickly than they would previously have been able to achieve. Looking at this as the end result – and making sure that everyone on your team understands this too – is the ultimate aim.
What the future holds
As more applications and more services move to the cloud, so SOC environments will have to become more automated and more able to handle cloud native data. From rethinking your approach to SIEM and cloud, through to setting new goals and to implementing more automated processes, the challenge is significant. However, these changes are essential in order for SOC teams to be effective in the future.
George Gerchow is CISO at data analytics company Sumo Logic.
This article is from the CBROnline archive: some formatting and images may not be present.