Why SOCs need urgent modernization [Q&A]
Security Operations Centers (SOCs) aim to detect, investigate, remediate, and restore organizational systems to a fully functional, secure state, whether it's defending against insider threats, data exfiltration attempts, or malware attacks.
However, examining the daily issues faced by many SOCs reveals a concerning array of challenges that place increasing pressure on the work of SOCs and the dedicated professionals who manage them.
We spoke to Richard Orange, vice president EMEA at Exabeam, who explained how these challenges highlight the need for SOC modernization.
BN: What are the current challenges for SOCs?
RO: There are three key concerns which come to mind:
- A 'log everything' mentality -- Compliance is a crucial contributor to the shift towards logging all data, even if it's not valuable. Numerous organizations collaborate with hyperscalers to log and store their data without clearly understanding how to draw insights from it. This 'store now, use later' mentality, however, overlooks essential questions that security teams should consider beforehand - "Why are we logging everything, and how are we going to identify risks in real time?" Failing to address these questions results in the 'log everything' approach, inadvertently creating a massive scaling challenge.
- Cornered by complexity -- Security teams employ an array of tools which significantly add to the levels of technical and operational complexity they must contend with daily. In addition, many have layered SIEM on top of SIEM due to either acquisition inheritance or in the pursuit of addressing tactical objectives around specific applications. As a result, keeping track of or updating each SIEM solution becomes too complex, with end data being unconsolidated.
- A shift in decision-making -- The responsibility for extensive security modernization, including SOC, is increasingly shared throughout the organization. C-level executives not directly involved in cybersecurity progressively incorporate cyber risk into their KPIs and job descriptions. This heightened cyber visibility at the board level represents a positive change, transforming security perceptions and holding the broader organization accountable. However, this shift presents an inherent challenge for CISOs and security teams to navigate the new political landscape for security within the organization whilst striking a balance between risk reduction and cost reduction.
BN: How should a SOC operate from the technology and mindset perspectives?
RO: From a mindset perspective, starting with 'why' is the key to making the right decisions and achieving the outcome an organization needs. Unfortunately, security decision-makers often don’t think about this, instead focusing solely on the need for SIEM and visualizations. As a result, SIEM becomes the answer to the wrong question. Therefore, if the SOC is about asking and answering questions, then SOC modernization means asking and answering those questions faster, even the ones that SOC leaders and their teams don’t know they need to ask.
Taking a look then at the technology perspective, the fundamental aspect of SOC modernization lies in consolidation, primarily because organizations require a unifying element to connect data points and technology solutions. Essentially, they need a central nervous system for their SOC that acts as the presentation layer, encompassing everything beneath it, regardless of individual circumstances. However, we recognize that, in the current scenario, SOC teams cannot achieve this degree of modernization without assistance. Consequently, reaching this goal requires incorporating semi-supervised or unsupervised machine learning.
BN: Should businesses switch to the cloud for their cybersecurity needs, and how can they include their on-premises IT in cybersecurity management?
RO: Today's cybersecurity tooling is much easier to consume as cloud-based services. This means organizations with cloud tooling can adapt much faster to the looming threats than the on-premises ones. Gone are the days of 'patch Tuesdays' and 'hack Wednesdays'. The shift to the cloud is happening rapidly, irrespective of the segment and size of the business or compliance requirements. Whilst some businesses would be reluctant to abandon their on-premises IT solutions due to the money already spent on these tools, the shift must happen for an organization to face the looming cyber threats quickly.
Many organizations have an environment split down the middle, half in the cloud and half on-premises. Both environments are very different, with many organizations having developed two distinct security strategies by looking at multiple tools. The problem is that very few tools are bridging this infrastructure gap. Therefore, security teams need a comprehensive perspective of their entire domain, covering both on-premises and cloud environments, with a unified viewpoint across all aspects.
BN: What does SOC modernization look like to key stakeholders?
RO: Within the diverse SOC stakeholders and their personas, various priorities and critical questions dictate the SOC's functioning. Typically, each stakeholder finds answers to their questions without first determining if they're addressing the right ones, and there is a unique set of 'why' questions they're not currently asking. For example:
- CISOs pose business-level questions about risk. They might answer this based on the information provided by the SOC management team through the analysts. However, if the SOC lacks the ability to comprehend the broader context, the questions posed further down don't provide accurate answers.
- SOC Management inquires whether a threat is contained. If so, this information is passed on to the CISO to help address the question of business risk.
- SOC Analysts respond to tactical, detailed questions about their environment -- where has malware traveled, and has data been exfiltrated? This information contributes to SOC management's inquiry about threat containment. However, for an analyst to be effective, they need visibility across all data points. Instead, they might spend 30 hours removing malware but fail to contain the threat that has spread to an unseen part of the network.
BN: What would you advise businesses to do when looking to modernize their SOC?
RO: The volumes of data companies deal with compared to 10-15 years ago have dramatically changed. While reviewing all data during an incident is beneficial, organizations must also weigh the costs of storing that data and, more importantly, their ability to analyze and utilize it effectively. Therefore, cloud-scale tooling is required to monitor and manage the on-premises tools in a way that will allow organizations to quickly find and address the threats in their environment.
Consolidating data points and technology solutions is critical; however, before attempting to do so, businesses must ask themselves the right questions. With 'why' being at the heart of each decision, SOC modernization can truly bring the return on investment that each organization seeks.