The Context Gap is Costing SOC Teams: Three Ways to Eliminate it

By Paul Laudanski

It’s 3 a.m. in the security operations center (SOC). The coffee is already cold and stale. The eyes of team analysts are getting heavier by the minute. But the alerts keep coming.

If their organization is like most others, these analysts are seeing thousands of alerts a day. They’re juggling tickets and triaging on one screen, and assessing new, potential exploits on another.

Then, they discover a suspicious connection that could impact essential applications for their company – including mission-critical enterprise resource planning (ERP) tools. They try to track down the origin of the potential compromise, but there’s no quick way to confirm it, despite having a plethora of tools – 83 on average, from nearly 30 different vendors.

They don’t know whether this could disrupt HR, payroll and customer-facing operations.

They need to scramble while making tough calls, knowing every minute counts: Do they keep searching for more clues, like tampered, fake or missing logs? Do they call in the CISO for guidance? Do they consult with an outside partner to help identify the possible threat?

This is the daily reality that SOC analysts face. They’re forced to make decisions while – if not flying entirely blind – stuck in a fog. That’s because they simply do not have access to baseline data points from business-critical application telemetry to confidently confirm system-impacting sources and stop the “small stuff” from elevating into a full-blown company crisis.

In such cases, the missing link remains business application-level visibility.

One contributing factor is the longstanding ownership divide between business units and IT/security departments. As a result, SOC teams are walled off from the day-to-day monitoring of these applications. SAP, Oracle and other large vendors behind the tools require highly specific knowledge with architectures and logs, which are difficult to learn.

At a broader level, business applications have historically not been a primary target for threat actors, leading overburdened SOC teams to focus on more immediate threats. But with attackers now going after business-critical applications at alarming rates, organizations can no longer afford to ignore this blind spot.

What they really need is more useful data, and a better way to understand it – to navigate it with a contextual perspective that enables them to make the right decisions. Otherwise, they are making crucial choices about security without grasping whether key systems are actually affected.

The stakes are high: After hackers compromised contact details, dates of birth, online order histories and additional customer-related data in spring, fashion, beauty and home products company Marks & Spencer suspended all online orders for 46 days at a projected cost of $404 million, to cite just one example.

How do SOC leaders and their teams close the data context gap? We recommend the following three strategies:

Identify – and integrate – business-critical telemetry. This serves a vital role in SOC workflows. Without it, security analysts will remain in the dark as to what the business is doing, which logs exist and how to interpret them. SOCs need to first identify relevant logs and work with subject matter experts to map them to the actual threats those logs may signal, and why. Once mapped, those signals should be correlated against other log sources and enriched with threat intelligence. That context is what transforms raw data into actionable insight.

Establish operational baseline metrics. Teams should define and then continuously monitor what’s “normal” for data points in critical systems. With this, they can more readily flag deviations, and begin to understand them. However, baselining can also generate overwhelming amounts of data that risks burning out analysts if not applied strategically. The key is to use baselines not for endless review, but for rapidly surfacing abnormal activity in business apps.

Start by mapping application use cases: Which functions touch sensitive data like bank accounts, SSNs, financial reports, etc.? Build telemetry around what normal access to those areas looks like – who is accessing, from where, on what device, what time? Then weigh anomalies against that profile. For instance, if a user who usually checks a payroll page once a week suddenly accesses it 10 times a day from a new device at midnight, that should immediately elevate the risk score. These anomaly detection approaches already exist in other spaces. Now, it’s time they’re applied in the business application domain.
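As an added illustration (not code from the article or from any vendor's product), here is the baseline-and-deviation logic described above applied to a constructed application audit log: the user, page and device names are made up, and the point weights and thresholds are assumptions.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample audit-log events (not real SAP/Oracle output): (user, page, ISO timestamp,
# device id). Four weeks of history for 'alice': payroll page once a week, Monday ~10:15, LAP-01.
HISTORY = [("alice", "payroll", f"2024-03-{d:02d}T10:15:00", "LAP-01") for d in (4, 11, 18, 25)]

# The day under review: ten accesses from an unseen device around midnight.
TODAY = [("alice", "payroll", f"2024-04-01T00:{m:02d}:00", "PHONE-99") for m in range(0, 50, 5)]

def _profile(events):
    """Summarise events per (user, page): accesses per day, devices seen, hours seen."""
    prof = defaultdict(lambda: {"daily": Counter(), "devices": set(), "hours": set()})
    for user, page, ts, device in events:
        t = datetime.fromisoformat(ts)
        p = prof[(user, page)]
        p["daily"][t.date()] += 1
        p["devices"].add(device)
        p["hours"].add(t.hour)
    return prof

def build_baseline(history):
    """Baseline = busiest day, devices and hours seen during the history window."""
    return {k: {"peak_per_day": max(p["daily"].values()), "devices": p["devices"],
                "hours": p["hours"]} for k, p in _profile(history).items()}

def _hour_gap(h, known):
    """Smallest circular distance (in hours) between h and any known hour."""
    return min(min(abs(h - k), 24 - abs(h - k)) for k in known)

def score_day(events, baseline):
    """Weigh one day's activity against the baseline; returns {(user, page): (score, reasons)}."""
    results = {}
    for key, p in _profile(events).items():
        b = baseline.get(key)
        if b is None:  # never touched this page before: worth a look by itself
            results[key] = (3, ["no baseline: first-ever access"])
            continue
        hits = []  # (points, reason) pairs; weights are assumed, tune them per application
        ratio = sum(p["daily"].values()) / b["peak_per_day"]
        if ratio >= 2:
            hits.append((3 if ratio >= 5 else 1, f"volume {ratio:.0f}x busiest baseline day"))
        new_dev = sorted(p["devices"] - b["devices"])
        if new_dev:
            hits.append((2, f"new device: {new_dev}"))
        odd_hours = sorted(h for h in p["hours"] if _hour_gap(h, b["hours"]) > 3)
        if odd_hours:
            hits.append((2, f"unusual hours: {odd_hours}"))
        results[key] = (sum(pts for pts, _ in hits), [why for _, why in hits])
    return results
```

Running `score_day(TODAY, build_baseline(HISTORY))` scores the midnight burst 7 with all three reasons, while a single Monday-morning access from the usual laptop scores 0.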

Invest in training. Developing contextual awareness and comprehension among team members involves a steep learning curve. Thus, CISOs must commit to ongoing training to help them navigate data from system logs and see the “true picture” that the activity is telling them. This is where understandable playbooks become indispensable, because they don’t just guide analysts, but also fuel automation. Tier 1 and 2 analysts are already inundated with alerts – they need contextualized, correlated, risk-weighted information packaged up by content intelligence teams. Playbooks should distill log data into clear escalation paths so analysts can make decisions quickly and with confidence.

Closing the Gap Before Attackers Do

Security analysts are modern cyber detectives – constantly scouring for clues at suspected crime scenes on their monitors. But, without proper context, a detective will likely make a false conclusion. The same applies to SOC teams working without visibility into business-critical applications.

To stop attackers before small anomalies escalate into crippling incidents, SOC teams must access and understand telemetry from business-critical applications to distinguish normal activity from harmful deviations. With training investments sharpening these skills, they’ll gain the vision required to stop cyber criminals in their tracks – and keep business operations running.

Closing the visibility gap between the SOC and business-critical data goes beyond faster incident response. It’s a confidence boost for decisive action, without second-guessing if the most important business data is in play. Analysts no longer need to track down architects or other stakeholders to understand what’s at risk. Giving analysts this power cuts hours of lag, contains threats before they escalate and prevents small compromises from destroying the business. I encourage you to put this business-critical context directly into analysts’ hands, before the next breach decides the outcome for you.
