From dark web networks to state-sponsored groups, cybercrime has long outgrown its traditional image. The myth of the lone wolf who carries out complex operations alone has all but disappeared.
As cybercrime methods have become more sophisticated, so has the structure of the organizations behind them. In fact, cybercrime groups have grown so large and so profitable that some analysts have dubbed them “the world’s third-largest economy.”
Obviously, to repel and dismantle such complex threats, security operations have also expanded, becoming a collective effort. And while some teams are large enough to cover entire countries, the most common and important type of security team remains the security operations center, or SOC.
The Growing Role of the SOC
Whether internally managed or outsourced, the main functions of a security operations center are the same. A SOC has to monitor, detect and respond to cybersecurity incidents, as well as protect a company’s digital assets, from business and employee data to intellectual property. SOCs have now become vital to modern enterprises, and the market is expected to reach $1.1 billion by 2024.
However, while the SOC’s initial role was bound to traditional cyber defense, the increasingly complex nature of cyberthreats has turned security experts into multi-purpose specialists. To perform their duties diligently, the security operations centers of today don’t just handle real-time threat monitoring and incident management. They are also responsible for infrastructure evaluations, employee training, process development, digital strategy and reputation management.
On top of that, most organizations use a growing number of cybersecurity tools, with varying levels of complexity. According to Matt Chiodi, chief security officer with Palo Alto Networks, in 2019 small organizations used on average between 15 and 20 tools, medium ones used from 50 to 60, and large organizations used as many as 130 tools. While these numbers probably include monitoring services and integrated tools, the phenomenon is so widespread that analysts have even found a name for it: “security tool sprawl.”
These accumulating functions and the burdensome collection of tools explain why, although 73% of companies view SOCs as crucial to security, almost 49% of them are dissatisfied with their effectiveness, and around 44% think their ROI is getting worse, according to a Ponemon Institute study. SOCs are now more important, but also more encumbered, than ever.
So, what can you do, as an enterprise or an external service provider, to keep your team happy and your security center efficient?
The Challenges of the Modern SOC
As mentioned earlier, SOCs act as a first line of defense and, as a consequence, are overwhelmed by infrastructure and process challenges, as well as personnel shortages.
While some of these issues are caused by security incidents, most are related to inefficient tools or processes. Among these, one can easily notice:
- Alert fatigue, due to the multiple systems your security team has to supervise and the countless indicators of compromise associated with them
- Poor-quality data, especially in companies where siloed systems are the norm
- Integration and interoperability issues when the team has to work with multiple enterprise platforms
- Vulnerabilities introduced by shifting workflows, such as those brought on by the recent health crisis
- Difficult time management and resource allocation, especially in smaller teams where advanced threats can consume the time of multiple analysts
- Lack of system visibility and inadequate threat context, which slow incident response times
- Budget constraints and the lack of a qualified security workforce
- Poor alignment with other departments and their objectives
While a few of these issues cannot be solved overnight and may require additional budget, most can be fixed by streamlining your security platforms.
The following solutions will help your SOC overcome its bottlenecks and improve detection and response times.
Five Trends that Will Reshape Modern Security Operations
- Threat Intelligence
To make the right choice, make sure your provider offers:
- Scalability and integration with your existing systems, so that all your tools work toward the same goal. Support for industry standards such as STIX and TAXII is a welcome bonus, as these standards are machine-readable.
- Context on internal, external and historical data that can prevent alert fatigue and reduce false positives.
- A wide security network, which can help you proactively identify potential threats, as well as access the collective detection power of millions of systems.
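As an added example of what “machine-readable” buys you in practice (this is not Bitdefender code and not taken from the original post), the script below consumes a hand-written STIX 2.0 bundle, pulls the observables out of each indicator’s pattern and checks them against a few constructed log lines. The bundle, the indicator ids, the addresses (RFC 5737 test ranges, the reserved .invalid TLD) and the log lines are all made up for the example; the pattern handling is a deliberate simplification that covers only `property = 'literal'` comparisons joined by OR, and reports anything else as unsupported instead of silently over-matching.

```python
"""Added example: match STIX 2.0 indicator observables against log lines.

Everything below is constructed for illustration; the STIX pattern handling
is a simplification, not an implementation of the full patterning language.
"""
import json
import re
from typing import List, Tuple

EMPTY_SHA256 = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"

# Constructed STIX 2.0 bundle (ids, names and values are all made up).
STIX_BUNDLE = json.dumps({
    "type": "bundle",
    "id": "bundle--00000000-0000-4000-8000-000000000000",
    "spec_version": "2.0",
    "objects": [
        {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000001",
         "created": "2024-05-01T00:00:00.000Z", "modified": "2024-05-01T00:00:00.000Z",
         "labels": ["malicious-activity"], "name": "Constructed C2 address",
         "pattern": "[ipv4-addr:value = '203.0.113.5']",
         "valid_from": "2024-05-01T00:00:00Z"},
        {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000002",
         "created": "2024-05-01T00:00:00.000Z", "modified": "2024-05-01T00:00:00.000Z",
         "labels": ["malicious-activity"], "name": "Constructed C2 domains",
         "pattern": "[domain-name:value = 'malware.example.invalid' OR "
                    "domain-name:value = 'c2.example.invalid']",
         "valid_from": "2024-05-01T00:00:00Z"},
        {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000003",
         "created": "2024-05-01T00:00:00.000Z", "modified": "2024-05-01T00:00:00.000Z",
         "labels": ["malicious-activity"], "name": "Constructed file hash",
         "pattern": f"[file:hashes.'SHA-256' = '{EMPTY_SHA256}']",
         "valid_from": "2024-05-01T00:00:00Z"},
        {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000004",
         "created": "2024-05-01T00:00:00.000Z", "modified": "2024-05-01T00:00:00.000Z",
         "labels": ["malicious-activity"], "name": "Compound pattern (unsupported here)",
         "pattern": "[ipv4-addr:value = '198.51.100.7' AND network-traffic:dst_port = 4444]",
         "valid_from": "2024-05-01T00:00:00Z"},
    ],
})

# Constructed log lines: one firewall deny, one DNS query, one near-miss
# (203.0.113.50 must NOT match 203.0.113.5) and one EDR file event.
LOG_LINES = [
    "2024-05-01T10:02:13Z fw01 DENY src=203.0.113.5 dst=10.0.0.8 dport=443",
    "2024-05-01T10:02:40Z dns01 query host=malware.example.invalid from=10.0.0.12",
    "2024-05-01T10:03:01Z fw01 ALLOW src=203.0.113.50 dst=10.0.0.8 dport=80",
    f"2024-05-01T10:04:44Z edr01 file_create sha256={EMPTY_SHA256} host=ws-17",
]

# One `object:property = 'literal'` comparison; findall() returns every
# comparison in an OR-joined pattern.
COMPARISON = re.compile(r"([\w-]+:[\w.'-]+)\s*=\s*'([^']*)'")
# Operators this simplified matcher does not implement.
UNSUPPORTED_TOKENS = (" AND ", "FOLLOWEDBY", " LIKE ", " MATCHES ")


def extract_observables(bundle_json: str) -> Tuple[List[Tuple[str, str, str]], List[str]]:
    """Return (supported, unsupported).

    supported:   list of (indicator id, STIX property, literal value)
    unsupported: indicator ids whose pattern uses operators we do not handle
    """
    bundle = json.loads(bundle_json)
    supported, unsupported = [], []
    for obj in bundle.get("objects", []):
        if obj.get("type") != "indicator":
            continue
        pattern = obj["pattern"]
        if any(tok in pattern for tok in UNSUPPORTED_TOKENS):
            unsupported.append(obj["id"])      # refuse rather than over-match
            continue
        for prop, value in COMPARISON.findall(pattern):
            supported.append((obj["id"], prop, value))
    return supported, unsupported


def match_logs(observables, lines) -> List[Tuple[int, str, str]]:
    """Return sorted (line number, indicator id, value) for every observable
    found in a line. Look-arounds stop a value matching inside a longer token,
    so 203.0.113.5 does not fire on 203.0.113.50."""
    hits = []
    for ind_id, _prop, value in observables:
        needle = re.compile(r"(?<![\w.])" + re.escape(value) + r"(?![\w.])", re.IGNORECASE)
        for number, line in enumerate(lines, 1):
            if needle.search(line):
                hits.append((number, ind_id, value))
    return sorted(hits)


if __name__ == "__main__":
    supported, unsupported = extract_observables(STIX_BUNDLE)
    for number, ind_id, value in match_logs(supported, LOG_LINES):
        print(f"line {number}: {value} matched {ind_id}")
    for ind_id in unsupported:
        print(f"skipped {ind_id}: pattern needs a full STIX pattern evaluator")
```

The point for a SOC is the shape of the pipeline, not the toy matcher: a feed in STIX can be parsed once and fed to every detection tool you have, and a pattern the parser does not understand is surfaced to an analyst instead of being dropped or, worse, matched too broadly.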
- Cloud-Managed Security
Cloud-managed security is not just a way to reduce overhead, but also a way to reduce configuration times and allow your security team to focus on more pressing matters.
With a single cloud-based dashboard that gives you real-time information about risks and vulnerabilities, you can drastically reduce response times. Also, the options that would generally require separate platforms to manage, such as user access or traffic and e-mail filtering, can be easily configured and deployed from a single source, which reduces the dreaded “security tool sprawl”.
And the best part? Cloud security is platform-agnostic and allows your SOC to function even if the enterprise infrastructure is siloed and more difficult to supervise with classical on-premises solutions.
- Threat Hunting
Threat hunting is not tied to a particular platform but is rather the result of combining advanced security and threat intelligence with the expertise of your SOC in its fight against Advanced Persistent Threats.
Threat hunting consists of proactively detecting and, where possible, isolating vulnerabilities and potentially compromised systems, as well as anticipating and detecting insider threats.
While regular security tools can offer a decent evaluation of a system’s status, you will need a combination of threat intelligence (TI) and efficient network security for more advanced features. For example, TI can power dark web monitoring, allowing you to search for PII and company assets that may have leaked on the dark web, as well as to understand the most common attack vectors.
Why are such advanced methods important? Because only 32% of SOCs perform constant threat hunting, although it is an incredibly valuable service you can offer to your client or enterprise.
- Machine Learning Algorithms
According to an ESG survey quoted by Techbeacon, many SOCs have begun to use tools based on Machine Learning to better detect and respond to complex threats. In fact, more than half of respondents use such systems extensively.
Machine learning algorithms are a vital enhancement to classical detection methods (often based on patterns and suspicious behavior), as they allow your systems to better isolate potential threats by classifying data and building predictive models in real time.
Simply put, machine learning is an extra precaution that allows your detection systems to adapt as threats grow in sophistication.
The same ESG survey shows that more than a quarter of organizations have already automated key security analytics and operations capabilities extensively, while 38% have done so on a limited basis. Automation is therefore becoming a capable ally in the fight against cybercrime.
But what security tasks should you automate? The answer is: as many as you possibly can. If a task is repetitive, manual and requires searching through complex data for minor indicators of concern, chances are that a security expert will not be required for it.
Furthermore, automation can also help you anticipate threats, not just search for them. Many tools can automate standard threat response actions to give analysts time to investigate a potential ongoing attack.
A partnership between highly trained specialists and efficient algorithms can easily improve important SOC KPIs, such as mean time to detection and response times. It will also give your security team more time for value-added tasks.
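To make the automation advice above concrete, here is an added example (not Bitdefender code and not from the original post) of the kind of repetitive triage step that does not need an analyst: raw SIEM alerts are collapsed into cases, each case is enriched with threat-intelligence context, and the cases are ranked so that the analyst opens the most important one first. The alerts, hosts, addresses, the TI list and the scoring weights are all constructed for the example; the ten-minute aggregation window and the scoring rule are assumptions a real team would tune.

```python
"""Added example: automated alert aggregation, enrichment and prioritization.

All alerts, addresses and threat-intelligence entries are constructed.
"""
from datetime import datetime, timedelta
from typing import Dict, List

TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"

# Constructed raw alerts as a SIEM might emit them: twelve near-identical
# brute-force alerts in five minutes, one more a quarter of an hour later,
# plus two unrelated alerts.
RAW_ALERTS: List[Dict] = [
    {"ts": f"2024-05-01T09:00:{5 + 4 * i:02d}Z", "rule": "brute-force-ssh",
     "host": "srv-01", "src": "203.0.113.9", "severity": "medium"}
    for i in range(12)
] + [
    {"ts": "2024-05-01T09:20:00Z", "rule": "brute-force-ssh",
     "host": "srv-01", "src": "203.0.113.9", "severity": "medium"},
    {"ts": "2024-05-01T09:05:00Z", "rule": "new-admin-account",
     "host": "dc-01", "src": "10.0.0.15", "severity": "high"},
    {"ts": "2024-05-01T09:06:30Z", "rule": "outbound-beacon",
     "host": "ws-17", "src": "10.0.0.42", "dst": "203.0.113.9", "severity": "low"},
]

# Constructed threat-intelligence context keyed by address (assumed feed).
TI_CONTEXT = {"203.0.113.9": "constructed-feed: known scanning infrastructure"}

WINDOW = timedelta(minutes=10)           # assumed aggregation window
SEVERITY_SCORE = {"low": 1, "medium": 2, "high": 3}
REPEAT_THRESHOLD = 10                    # assumed "noisy" cut-off


def parse_ts(value: str) -> datetime:
    return datetime.strptime(value, TS_FORMAT)


def aggregate(alerts: List[Dict], window: timedelta = WINDOW) -> List[Dict]:
    """Collapse alerts sharing (rule, host, src) that arrive within `window`
    of the first one into a single case carrying a count. An alert that
    arrives after the window opens a fresh case, so a resumed attack is not
    buried inside an old one."""
    cases: List[Dict] = []
    open_cases: Dict[tuple, Dict] = {}
    for alert in sorted(alerts, key=lambda a: parse_ts(a["ts"])):
        key = (alert["rule"], alert["host"], alert["src"])
        ts = parse_ts(alert["ts"])
        case = open_cases.get(key)
        if case is not None and ts - case["first_ts"] <= window:
            case["count"] += 1
            case["last_ts"] = ts
            continue
        case = {"rule": alert["rule"], "host": alert["host"], "src": alert["src"],
                "dst": alert.get("dst"), "severity": alert["severity"],
                "first_ts": ts, "last_ts": ts, "count": 1}
        open_cases[key] = case
        cases.append(case)
    return cases


def enrich(cases: List[Dict], ti: Dict[str, str] = TI_CONTEXT) -> List[Dict]:
    """Attach every TI note that applies to the case's source or destination."""
    for case in cases:
        case["ti_context"] = [ti[addr] for addr in (case["src"], case["dst"]) if addr in ti]
    return cases


def prioritize(cases: List[Dict]) -> List[Dict]:
    """Score = base severity, +2 when an address is on the TI list,
    +1 when the alert repeated at least REPEAT_THRESHOLD times.
    Ties are broken by earliest first_ts."""
    for case in cases:
        score = SEVERITY_SCORE[case["severity"]]
        if case["ti_context"]:
            score += 2
        if case["count"] >= REPEAT_THRESHOLD:
            score += 1
        case["score"] = score
    return sorted(cases, key=lambda c: (-c["score"], c["first_ts"]))


def triage(alerts: List[Dict] = RAW_ALERTS) -> List[Dict]:
    """Full pipeline: aggregate, enrich, prioritize."""
    return prioritize(enrich(aggregate(alerts)))


if __name__ == "__main__":
    ranked = triage()
    print(f"{len(RAW_ALERTS)} raw alerts -> {len(ranked)} cases")
    for case in ranked:
        print(f"score={case['score']} x{case['count']:<3} {case['rule']:<18} "
              f"{case['host']} src={case['src']} ti={case['ti_context']}")
```

Fifteen raw alerts become four cases, and the twelve-alert brute-force burst against a TI-listed address lands at the top while the single low-severity beacon to the same address is still promoted above where its severity alone would put it. The weights are not the lesson; the lesson is that the analyst's first view is a short ranked list with context attached rather than a raw alert stream.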
Widely available to SOCs, MSSPs and MDRs, as well as to security consulting and investigations firms, Bitdefender’s security solutions are supported by almost two decades of experience, countless awards, and the power of over 500 million connected systems.
Our Advanced Threat Intelligence solution delivers an accurate and up-to-date collection of real-world data about all types of threats, and it supports both the STIX 2.0 and TAXII standards, allowing easy access to standardized information.
To find out how Bitdefender solutions can augment the capabilities of your security operations center, contact our team.