SOC Evolution Is About More Than Automation

By Michael Mumcuoglu

[By Michael Mumcuoglu, CEO and Co-Founder, CardinalOps]

It is worth remembering: cybersecurity professionals win only when attackers lose. Although it may feel like a victory, we don’t win when we merely maintain operations, or even when we put processes in place and follow them perfectly.

Attackers are constantly finding new ways to break into environments and avoid detection. Defending against yesterday’s attacks is important and will undoubtedly make an organization safer, but because getting the right processes followed is so challenging, it can easily become our only focus. So how do we keep pace with attackers rather than only with our own processes? One key element is that our SOC teams must evolve.

What is compelling us to evolve?

The global annual cost of cybercrime is predicted to reach USD 9.5 trillion in 2024, according to Cybersecurity Ventures. We are consistently reminded that the adversaries behind cyber espionage and breaches are evolving, but there are also internal pressures that are forcing us to adapt.

Let’s look at the top three:

#1 Expanding attack surfaces

The proliferation of data, and the need to protect it across an increasing number of environments, is a consequence of the technological advances that empower businesses and organizations, and it will only accelerate in the years to come. Mass digitalization of identities, data lakes, and cloud and edge computing have each contributed to the rapid expansion of the attack surface.

#2 A shortage of well-trained security talent

Among the most critical concerns in the cybersecurity community is the scarcity of a workforce with the skills and training needed to keep pace with the expanding attack surface. According to recent research from ISC2, the global industry could benefit from over 3 million additional cybersecurity professionals. The natural growth of IT infrastructure and digital commerce is among the drivers of demand for cybersecurity jobs; that same growth has broadened the threat landscape and given cybercriminals more to go after.

#3 Excessive alerts from an overwhelming number of tools

A simple – and popular – response to the security talent shortage has been for cybersecurity providers to implement ever more automated tools in SOC operations. On a fundamental level, this lets machines take on traditionally monotonous tasks while freeing our teams to focus their manual effort on cognitive decision-making. However, these automated tools relay a never-ending stream of alerts: some are false positives, some are difficult to identify and triage successfully, and others are merely informative. The vast quantities of information relayed by automated tools therefore bring SOC teams their fair share of pros and cons.

Ultimately, the modern SOC requires a solid procedural foundation, but also a new set of processes that rely on human innovation.

Striking a balance between human creativity and automation

Examining the strengths and weaknesses of manual vs automated operations results in a conundrum. Is it more effective and efficient to utilize the consistency delivered by automated processes? Or is this consistency sacrificing the advantages of innovation that organically stems from human creativity?

For SOCs, the answer lies along a continuum. On one side, alert triage, reporting and metrics benefit significantly from the consistency of automation; on the other, quality threat modeling and threat hunting are rewarded by human creativity.

Automated and cloud-enabled services have allowed organizations to sift through data at unprecedented volumes, and with proper investment can ensure that SOCs are optimizing their continuous management of detection rules.

Threat hunting often requires “outside of the box” thinking to anticipate and identify potential probes or attacks on cyber assets. This integral role benefits from an injection of creativity from experienced cybersecurity professionals. These professionals must be skilled and focused and, most importantly, empowered to conduct threat modeling and hunting without secondary and tertiary responsibilities.

Injecting human creativity into your SOC benefits the human team as well as the automated operations. The result is an engaged workforce that is far less prone to being overwhelmed or burning out. Striking this balance between the two sets of strengths, while remaining cognizant of each one’s shortcomings, is critical to deploying a well-rounded SOC.

Utilizing Proactive Threat Intelligence

SOC teams today are well aware that threat intelligence operations and management are worth the time and effort. The goal for a superior SOC should be to use that intelligence proactively, so that it drives the creation and tuning of security controls specific to the organization. Every organization has different “crown jewel” assets worth defending, and consistently analyzing where adversaries could exploit gaps in the fortifications already in place is a fundamental tactic for establishing security.

The MITRE ATT&CK framework, a knowledge base of adversary tactics and techniques drawn from real-world observations, is a fine example of how SOC teams can evolve with a proactive, informed approach to threat defense. Since its creation nearly a decade ago, the framework has helped teams that previously used threat intelligence only reactively to drive the creation and fine-tuning of security controls instead.

Because the framework enumerates specific techniques rather than broad categories, it lets teams map each detection rule to the techniques it is meant to catch, see where coverage against their priority techniques is missing, and tighten specific rules. This allows SOC teams to reduce erroneous alerts significantly and focus their time and energy on alerts stemming from rules written to protect their organization’s specialized assets.
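The following Python sketch is an added illustration of the two activities described above (continuous management of detection rules, and ATT&CK-driven gap analysis and rule tuning); it is not code from the article or from CardinalOps. It maps a detection rule inventory to ATT&CK technique IDs to find gaps against an organization’s prioritized techniques, and uses analyst dispositions from past alerts to single out rules that fire constantly but are almost always false positives. The rule names, the priority list and the alert history are constructed for the example; the technique IDs are real ATT&CK identifiers.

```python
"""Detection posture review over a constructed rule inventory and alert history."""
from collections import Counter, defaultdict

# Hypothetical detection rules, each tagged with the ATT&CK technique(s) it covers.
RULES = {
    "win_encoded_powershell": {"techniques": ["T1059.001"], "enabled": True},
    "lsass_memory_access":    {"techniques": ["T1003.001"], "enabled": True},
    "new_scheduled_task":     {"techniques": ["T1053.005"], "enabled": True},
    "any_dns_over_tcp":       {"techniques": ["T1071.004"], "enabled": True},
    "rdp_logon_from_outside": {"techniques": ["T1021.001"], "enabled": False},
}

# Techniques the organization's threat model prioritizes (constructed list).
PRIORITY_TECHNIQUES = {
    "T1059.001",  # Command and Scripting Interpreter: PowerShell
    "T1003.001",  # OS Credential Dumping: LSASS Memory
    "T1053.005",  # Scheduled Task/Job: Scheduled Task
    "T1021.001",  # Remote Services: Remote Desktop Protocol
    "T1486",      # Data Encrypted for Impact
    "T1110.003",  # Brute Force: Password Spraying
}

# Constructed alert history: (rule that fired, analyst disposition).
ALERTS = (
    [("any_dns_over_tcp", "false_positive")] * 180
    + [("any_dns_over_tcp", "true_positive")] * 2
    + [("win_encoded_powershell", "false_positive")] * 6
    + [("win_encoded_powershell", "true_positive")] * 9
    + [("lsass_memory_access", "true_positive")] * 3
    + [("new_scheduled_task", "false_positive")] * 12
    + [("new_scheduled_task", "true_positive")] * 4
)


def technique_rules(rules, enabled_only):
    """Map technique ID -> rule names covering it (optionally enabled rules only)."""
    covered = defaultdict(list)
    for name, rule in rules.items():
        if enabled_only and not rule["enabled"]:
            continue
        for tech in rule["techniques"]:
            covered[tech].append(name)
    return covered


def coverage_gaps(rules, priority):
    """Return (uncovered, disabled_only): priority techniques with no rule at all,
    and priority techniques whose only rules are currently disabled."""
    any_rule = technique_rules(rules, enabled_only=False)
    enabled = technique_rules(rules, enabled_only=True)
    uncovered = {t for t in priority if t not in any_rule}
    disabled_only = {t for t in priority if t in any_rule and t not in enabled}
    return uncovered, disabled_only


def rule_precision(alerts):
    """Per rule: (alert count, share of alerts analysts confirmed as true positives)."""
    totals, true_pos = Counter(), Counter()
    for rule, disposition in alerts:
        totals[rule] += 1
        if disposition == "true_positive":
            true_pos[rule] += 1
    return {r: (totals[r], true_pos[r] / totals[r]) for r in totals}


def tuning_candidates(alerts, min_alerts=50, max_precision=0.10):
    """Rules that fire at least min_alerts times with precision at or below max_precision."""
    return sorted(
        rule for rule, (count, precision) in rule_precision(alerts).items()
        if count >= min_alerts and precision <= max_precision
    )


def posture_report(rules, priority, alerts):
    """Summarize gaps against priority techniques and noisy rules needing attention."""
    uncovered, disabled_only = coverage_gaps(rules, priority)
    covered = len(priority) - len(uncovered) - len(disabled_only)
    return {
        "uncovered": sorted(uncovered),
        "disabled_only": sorted(disabled_only),
        "tuning_candidates": tuning_candidates(alerts),
        "coverage_pct": round(100 * covered / len(priority)),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(posture_report(RULES, PRIORITY_TECHNIQUES, ALERTS), indent=2))
```

Run against the constructed data, the report shows two priority techniques with no rule at all, one covered only by a disabled rule, and one rule (`any_dns_over_tcp`) whose alert volume and near-zero precision mark it for tightening before it consumes more analyst time. The thresholds in `tuning_candidates` are illustrative; a real SOC would set them from its own alert volumes.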

The Future of the SOC

While the hybrid model of the SOC and the workforce behind it may need to evolve, our definition of the SOC needn’t change. As defined by Gartner,

“A security operations center provides centralized and consolidated cybersecurity incident prevention, detection, and response capabilities.” 

SOC modernization extends far beyond technology alone, providing organizations with an opportunity to reassess skills and roles and support a distributed workforce – while incorporating human creativity and innovation as a strategic force multiplier.
