July 12, 2017
Use Intelligence to Build SOC
In the last three years, the growth of active threat actors, the spread of polymorphic malware and the availability of sophisticated hacking tools have rapidly affected the security posture and spending of organizations of every size. The drivers for adopting a next-generation SOC are a constantly changing environment, a more cloud-centric approach, and the adoption of Internet of Things (IoT) and mobile technologies. To detect and prevent such attacks, a security operations center (SOC) has to be adaptive, built from context-aware components and intelligent about these new realities, taking an altogether new approach to preventing the inevitable breach. Therefore, organizations must switch to a continuous-monitoring mindset, where threats and vulnerabilities are prioritized and the focus is on mitigating the damage that results from an attack.
This is where a new term was coined: the intelligence-driven SOC (ISOC), which goes far beyond the traditional SOC. Incidentally, the idea of the ISOC arose because many "outdated" SIEM platforms cannot handle the enormous amount of data we are pumping into them. Recent ransomware attacks such as WannaCry and Petya, along with a few other vectors, made the situation worse, while at the same time organizations are under pressure to meet regulatory compliance, and the prospect of a data breach creates a near-panic situation for any organization. In addition, the requirement is to ingest data from many unique and different types of platforms, which calls for customized analysis, and to take proactive steps to detect, respond to and mitigate attacks.
A recent Gartner report also predicts that by 2020 the share of organizations running an intelligence-driven security operations center (ISOC) will rise from less than 10% to 40%. With an adaptive, dynamic architecture and context-aware components built in, an ISOC can evolve as the scope of security operations changes while keeping its focus continuously on security operations activities. Nevertheless, an ISOC is much more than preventive tools and controls such as network defence and event-based monitoring; it is far more focused on detection and response. The primary purpose of an ISOC is to apply intelligence techniques to every aspect of security operations and to move beyond traditional defenses.
One important aspect of the intelligence-driven SOC must be thought through before implementation: automation. Day-to-day, mundane operational tasks should be automated as much as possible, with human-augmented decision support systems, so that the monitoring team can focus on advanced investigations, threat hunting, mining threat data and so on. But this has to be handled cautiously. For instance, an automated system should not block authorized firewall traffic just because it sees suspicious behaviour in that traffic.
My point of view is that rather than pure automation, an organization must build a blend of automation and human intervention into the whole workflow, so that a human is consulted before the automated system takes a severe step, such as blocking authorized traffic, which could have a business impact or cause productivity loss. Over and above that, your processes and workflows must support your operations and continually improve, which will eventually give you an edge in remediating an attack if it does infiltrate your organization.
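To make the "blend of automation and human intervention" concrete, here is an added example (not code from the original post or from any vendor's SOAR product) of a small triage gate: low-impact response actions run automatically, high-impact actions are queued for analyst approval, and a flow that matches an explicit allowlist of authorized business traffic is never auto-blocked, however high the alert scores. The alert fields, the risk-score thresholds, the action names and the allowlist entries are all constructed for illustration.

```python
"""Human-in-the-loop gate for SOC automation (added example, not the post's own code).

Policy demonstrated:
  * low-impact actions (enrich, ticket, snapshot logs) run automatically;
  * block_ip runs automatically only for a high-confidence alert whose flow is
    NOT an authorized business flow; otherwise an analyst must approve it;
  * isolate_host always needs analyst approval.
Field names, thresholds and the allowlist are constructed for the example.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Tuple

# Constructed allowlist of authorized business flows: (src network, dst network, dst port)
AUTHORIZED_FLOWS: List[Tuple] = [
    (ip_network("10.10.0.0/16"), ip_network("10.200.5.10/32"), 1433),  # app tier -> prod DB (assumed)
    (ip_network("10.20.0.0/24"), ip_network("0.0.0.0/0"), 443),        # backup hosts -> cloud (assumed)
]

AUTO_ALLOWED_ACTIONS = {"enrich", "open_ticket", "snapshot_logs"}  # safe to run unattended
AUTO_BLOCK_MIN_SCORE = 90                                          # constructed confidence bar


@dataclass
class Alert:
    src_ip: str
    dst_ip: str
    dst_port: int
    risk_score: int      # 0-100 from upstream analytics (assumed scale)
    rule: str


@dataclass
class Decision:
    actions: List[str]
    auto_executed: List[str] = field(default_factory=list)
    pending_approval: List[str] = field(default_factory=list)
    reason: str = ""


def is_authorized_flow(alert: Alert) -> bool:
    """True if the alert's flow matches an explicitly authorized business flow."""
    src, dst = ip_address(alert.src_ip), ip_address(alert.dst_ip)
    return any(src in s_net and dst in d_net and alert.dst_port == port
               for s_net, d_net, port in AUTHORIZED_FLOWS)


def propose_actions(alert: Alert) -> List[str]:
    """Map a risk score to a playbook. Thresholds are constructed for the example."""
    actions = ["enrich", "open_ticket"]
    if alert.risk_score >= 70:
        actions += ["snapshot_logs", "block_ip"]
    if alert.risk_score >= 90:
        actions.append("isolate_host")
    return actions


def requires_human(action: str, alert: Alert, authorized: bool) -> bool:
    """The gate: decide whether a proposed action may run without an analyst."""
    if action in AUTO_ALLOWED_ACTIONS:
        return False
    if action == "block_ip":
        # Never auto-block an authorized flow; otherwise only on high confidence.
        return authorized or alert.risk_score < AUTO_BLOCK_MIN_SCORE
    return True  # isolate_host and anything unknown always go to a person


def triage(alert: Alert) -> Decision:
    """Split the playbook into auto-executed and analyst-approval queues."""
    decision = Decision(actions=propose_actions(alert))
    authorized = is_authorized_flow(alert)
    for action in decision.actions:
        if requires_human(action, alert, authorized):
            decision.pending_approval.append(action)
        else:
            decision.auto_executed.append(action)
    if authorized and decision.pending_approval:
        decision.reason = (f"{alert.rule}: {alert.src_ip}->{alert.dst_ip}:{alert.dst_port} is an "
                           "authorized business flow; analyst approval required before blocking")
    elif decision.pending_approval:
        decision.reason = f"{alert.rule}: high-impact actions queued for analyst approval"
    else:
        decision.reason = f"{alert.rule}: low-impact actions only, executed automatically"
    return decision


if __name__ == "__main__":
    # Constructed sample alerts
    samples = [
        Alert("10.10.4.22", "10.200.5.10", 1433, 85, "Possible SQL brute force"),  # authorized flow
        Alert("10.30.1.5", "203.0.113.77", 8443, 92, "Beaconing to known C2"),     # not authorized
        Alert("10.30.1.9", "198.51.100.3", 80, 20, "Rare user agent"),             # low risk
    ]
    for a in samples:
        d = triage(a)
        print(f"{a.rule}: auto={d.auto_executed} pending={d.pending_approval}\n  {d.reason}")
```

The point of the design is that the allowlist check and the confidence bar decide who acts, not whether the alert is real: a noisy detection on the application-to-database flow still gets enriched, ticketed and has its logs snapshotted automatically, but the block waits for an analyst, while a high-confidence beacon to an unknown external host is blocked without a person in the loop.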