Developing your Security Operations Centre
SOC SIEMs, SOARs and security posture...
Every minute, we create more and more data. According to the AllAccess Internet Minute chart for this year, every 60 seconds 197.6 million emails are sent, $1.6 million is spent online in the US alone, Twitch sees two million views and another two million people swipe right on Tinder. Each of these digital actions creates data for the companies behind them. Companies outside this group create more data too, whether as digital content, completed business transactions or messages sent. Tracking all this activity and keeping it secure is a massive challenge, writes Dario Forte, VP and General Manager, Security Orchestration at Sumo Logic. To keep up, companies are looking at their security operations centres (SOCs) and where they can make improvements. So where are changes needed, and what can CISOs do to support their SOC teams better?
More data, more problems
As more data comes in, dealing with it becomes harder. The SOC team will see more data created by their applications and services as those get busier, and the move to run applications in the cloud has created more data to analyse as well. Application developers today build applications from smaller components that connect together, rather than as large monolithic services that run as one overall application. That makes it easier for developers to isolate problems or add functionality, but every component emits its own logs and alerts, adding to the flow of data the security team has to deal with. With tens, hundreds or even thousands of application components each creating their own data and alerts, it is all too easy for the SOC to fall behind.
According to our research, 93 percent of security operations teams find they cannot get around to all the alerts that they have coming in every day, while 83 percent said they suffered from ‘alert fatigue.’ For 70 percent of teams, the volume of security alerts had more than doubled over the past five years. This is a problem that can’t be ignored. The pressure point here is that, with so much data coming in, it is hard to see what is important and what is not. Manually tracking and managing those issues is virtually impossible, so more automation is necessary to keep up.
Implementing automation effectively to support your SOC means looking at your processes first, and only then at where automating parts of the work would make your staff more effective. To lead this, identify where your team spends most of its analysis effort and which processes support that effort, and separately list the analysis tasks that are simple and high volume. That gives you a set of candidate processes: some can be automated quickly and simply take work off the team, while others take more effort to automate but have a bigger impact on how the team works. With your team, pick two or three processes to start with.
Once you have chosen the processes to automate, look at how to apply a playbook. Playbooks describe common, repeatable approaches to automating a process, and in many cases already exist as templates that your security team can obtain from your technology partners. These can be amended to fit your specific needs and then integrated with your systems to automate the process. By re-using what already exists, you benefit from the experience of others and from practices that have already been proven, while also speeding up your overall project.
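The selection step above (find the high-volume, low-value analysis work and separate the quick wins from the higher-impact candidates) can be driven from the SOC's own triage history rather than by guesswork. The following is an added example written for this page, not code from the article or from Sumo Logic; the rule names, dispositions and timings are constructed, and the thresholds (minimum closures to judge a rule, false-positive rate that marks an auto-close candidate) are assumptions to tune against your own data.

```python
"""Rank a SOC's alert rules as automation candidates from its own triage history.

Added example; not code from the article or from Sumo Logic.  Every record,
rule name and timing below is constructed for illustration.
"""
from dataclasses import dataclass

# Constructed triage history: (rule that fired, how the analyst closed it,
# analyst minutes spent).  In practice this is exported from the case system.
SAMPLE_TRIAGE = (
    [("Brute-force login", "false_positive", 3)] * 5
    + [("Brute-force login", "true_positive", 20)]
    + [("Impossible travel", "false_positive", 10)] * 3
    + [("Impossible travel", "true_positive", 30)]
    + [("Malware on endpoint", "false_positive", 5)]
    + [("Malware on endpoint", "true_positive", 45)] * 4
    + [("Port scan from internal host", "false_positive", 2)] * 8
)


@dataclass
class RuleStats:
    rule: str
    count: int = 0            # alerts handled from this rule
    false_positives: int = 0  # closed as benign
    minutes: int = 0          # analyst minutes across all closures
    fp_minutes: int = 0       # analyst minutes that ended in a benign close

    @property
    def fp_rate(self) -> float:
        return self.false_positives / self.count


def summarise(records):
    """Aggregate per-rule volume and analyst time from triage records."""
    stats = {}
    for rule, disposition, minutes in records:
        s = stats.setdefault(rule, RuleStats(rule))
        s.count += 1
        s.minutes += minutes
        if disposition == "false_positive":
            s.false_positives += 1
            s.fp_minutes += minutes
    return stats


def rank_candidates(records, min_count=5, auto_close_fp_rate=0.7):
    """Split rules into the two kinds of automation candidate.

    quick_wins:  rules that are nearly always benign; auto-closing them recovers
                 the minutes analysts spend confirming that (ranked by those minutes).
    high_impact: rules that are often real; automating the context gathering
                 changes how long each real case takes (ranked by total minutes).
    Rules with fewer than min_count closures have too little history to judge.
    Both thresholds are assumed values, not figures from the article.
    """
    quick_wins, high_impact = [], []
    for s in summarise(records).values():
        if s.count < min_count:
            continue
        if s.fp_rate >= auto_close_fp_rate:
            quick_wins.append((s.rule, s.fp_minutes))
        else:
            high_impact.append((s.rule, s.minutes))
    quick_wins.sort(key=lambda t: (-t[1], t[0]))
    high_impact.sort(key=lambda t: (-t[1], t[0]))
    return quick_wins, high_impact


if __name__ == "__main__":
    wins, impact = rank_candidates(SAMPLE_TRIAGE)
    print("Quick wins (auto-close):", wins)
    print("High impact (auto-enrich):", impact)
```

On the constructed data, the internal port scans and brute-force alerts surface as quick wins (almost always benign, cheap to auto-close), the endpoint malware rule is the high-impact candidate (real cases that eat analyst time, so automate the enrichment but keep the decision human), and "Impossible travel" is skipped because four closures are not enough history to judge.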
Thinking cloud, SIEM and SOAR
Alongside using playbooks, examine how your SOC currently operates and how it handles the flood of incoming data. Traditional Security Information and Event Management (SIEM) products may suit existing internal applications and networks, but they are often unable to scale to the volume of data that cloud services produce. Cloud-based SIEM services may therefore be a better option.
However, moving to a new SIEM is not the immediate solution that it may appear to be. While a SIEM does a great job at handling data and carrying out analytics, it is not responsible for automating other aspects of how the SOC functions. For example, SOC analysts may get involved in business risk management or processes that go outside the realm of IT. A good example of this would be how a bank looks at credit card fraud attempts - this goes outside the specific IT service and into how the bank’s business logic and other applications are set up. While the IT security team may get pulled in to help with that process when a specific attack is spotted, it is not their day-to-day responsibility.
To make this easier, the human side of the process needs to be automated as well as the IT security element. This is the role of Security Orchestration, Automation and Response, or SOAR. SOAR does not compete with SIEM, despite what some vendors claim; it complements SIEM and makes it progressively easier to automate tasks for SOC analysts. By looking at the whole process, you can see where services can be integrated and all the steps automated in one playbook, rather than speeding up individual tasks and leaving manual hand-offs between them.
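What "all the steps in one playbook" looks like in practice, for the playbook templates mentioned earlier and the SIEM-to-SOAR hand-off described here, is shown by the following added example. It is written for this page and is not code from the article or from any SOAR product. The SIEM alerts, the asset inventory, the threat-intel list and the host names are all constructed (IPs come from documentation ranges); each alert is enriched, a decision is made, and an action is recorded, with no analyst hand-off between the steps. The one deliberate exception is irreversible containment on a critical asset, which the playbook holds for human sign-off instead of executing.

```python
"""One SOAR-style playbook that runs enrich -> decide -> act with no manual hand-off.

Added example; not code from the article or from any SOAR product.  The alerts,
asset inventory, threat-intel list and host names are constructed; the act()
step records what a real integration (EDR, ticketing) would be asked to do.
"""
from dataclasses import dataclass, field

# Constructed SIEM alerts.  IPs are from documentation ranges, not real hosts.
SAMPLE_ALERTS = [
    {"id": "A1", "rule": "Outbound connection to listed IP", "host": "ws-042", "dst_ip": "203.0.113.7"},
    {"id": "A2", "rule": "Port scan from internal host", "host": "scanner-01", "dst_ip": "10.0.0.5"},
    {"id": "A3", "rule": "Outbound connection to listed IP", "host": "db-prod-01", "dst_ip": "203.0.113.7"},
    {"id": "A4", "rule": "Outbound connection to listed IP", "host": "ws-077", "dst_ip": "198.51.100.9"},
]

# Constructed stand-ins for an asset inventory and a threat-intel feed.
ASSET_INVENTORY = {
    "ws-042": {"tier": "workstation", "owner": "alice"},
    "ws-077": {"tier": "workstation", "owner": "bob"},
    "db-prod-01": {"tier": "crown-jewel", "owner": "dba-team"},
    "scanner-01": {"tier": "approved-scanner", "owner": "vuln-mgmt"},
}
THREAT_INTEL = {"203.0.113.7": "c2-server"}  # 198.51.100.9 is deliberately absent


@dataclass
class Outcome:
    alert_id: str
    action: str                       # close | ticket | isolate | await-approval
    reason: str
    context: dict = field(default_factory=dict)


def enrich(alert):
    """Gather the context an analyst would otherwise look up by hand."""
    return {
        "asset": ASSET_INVENTORY.get(alert["host"], {"tier": "unknown", "owner": None}),
        "intel": THREAT_INTEL.get(alert["dst_ip"], "unknown"),
    }


def decide(alert, ctx):
    """Encode the triage decision; irreversible action on a critical asset is held for sign-off."""
    tier, intel = ctx["asset"]["tier"], ctx["intel"]
    if alert["rule"].startswith("Port scan") and tier == "approved-scanner":
        return "close", "scan originates from an approved scanner"
    if intel != "unknown":
        if tier == "crown-jewel":
            return "await-approval", f"{intel} contact from a crown-jewel host; isolation needs sign-off"
        return "isolate", f"{intel} contact from a {tier}"
    return "ticket", "no intel match; route to an analyst with the enrichment attached"


def act(outcome, audit):
    """Record the action.  A real playbook calls the EDR/ticketing API here."""
    audit.append(f"{outcome.alert_id}: {outcome.action} ({outcome.reason})")


def run_playbook(alerts):
    """Run the whole chain per alert; every step's output feeds the next."""
    audit, outcomes = [], []
    for alert in alerts:
        ctx = enrich(alert)
        action, reason = decide(alert, ctx)
        outcome = Outcome(alert["id"], action, reason, ctx)
        act(outcome, audit)
        outcomes.append(outcome)
    return outcomes, audit


if __name__ == "__main__":
    _, log = run_playbook(SAMPLE_ALERTS)
    print("\n".join(log))
```

The decision table is the part that varies between organisations; the point of the structure is that the enrichment the analyst would have done by hand travels with the alert into the ticket or the approval queue, so the human who does pick it up starts from the gathered context rather than from the raw SIEM event.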
This relies on a more open approach to how you bring your services, technology and processes together. In the past, companies had to amend their processes to fit the technology available, which created friction and raised the risk that projects failed to deliver. Today, companies do not have to follow those rules to get their automation projects implemented.
Asking better questions
As you implement more automation in your SOC, you improve the output your analysts can deliver and make it easier for the team to avoid alert fatigue. The role of automation is to cut down on manual work that delivers little value, so that analysts can concentrate where they make the most difference: on new risks that have not been seen before, and on cases where early human intervention prevents problems.
Alongside this, applying automation in your SOC can also help your team find the time to look at where they can improve security overall. As an example, this includes finding new approaches to work with all the data that they have coming in, and then working on how to answer the right questions around security and analytics. If your team remains focused only on triaging alerts, you run the risk of them missing issues or leading to team burn-out.
By keeping a bigger portion of their time free for higher-value activities and more real-time risk analysis, you improve your overall security posture and move towards a more forward-looking approach to business risk management. That is the picture for now. The next step will be using automation in more sophisticated ways, covering additional non-cyber use cases that range from advanced fraud through to the convergence of IT and SecOps incidents. That is just around the corner.