Opinion: how to create a next generation SOC
Haider Pasha, CSO, emerging markets, Palo Alto Networks, on why organisations should automate various functions in their SOCs
For organisations that have already built an effective security operations centre (SOC) and have been running it for several years, the question is: How can you get even greater value and improve your return on investment?
As cyber threats grow, SOCs are becoming ever more resource hungry. Finding highly-trained security analysts is getting tricky with a shortage of qualified staff. Meanwhile, attackers are growing ever more sophisticated. For organisations, this means they must turn to automation to improve the performance of their SOCs.
Start the automation journey
In traditional SOCs, analysts spend way too much time dealing with known threats and too little time hunting down new threats and fending off targeted attacks. With some smart automation to take care of the repetitive tasks, SOC analysts can free up time to work on the more fruitful, intelligence–led side of cybersecurity.
There are three levels of threats that SOCs typically address. The easiest are the known threats such as malware, worms and viruses that may have been around for years. These can be dealt with easily by the SOC as there are plenty of tried and tested patches to fend them off.
Then come the slightly more challenging malware and zero-day attacks which are becoming more frequent. The SOC can resolve these without too much difficulty by following best practice guidelines.
At the other of the spectrum are the most sophisticated threats. These are targeted attacks where a determined criminal group or even a nation state is prepared to patiently coordinate an attack on an organisation over several weeks or months. These targeted attacks are where most of the focus needs to be for the SOC.
But in the traditional SOC setting, security analysts fail to differentiate between these different types of attacks. They tend to spend too much time dealing with the former and not enough on the latter.
SOC analysts deal with threats by following the processes laid out in a playbook which tells them about the steps they must take to neutralise an attack. This can become quite mechanical. They go through the same four or five steps without differentiating between unsophisticated and serious attacks.
A targeted attack often occurs in multiple stages. It might start with a spear phishing expedition – sending emails from a known address to trick a user into clicking on a link and downloading malware. These emails are used to gain access to a network to do initial reconnaissance before a sustained attack takes place. A SOC analyst typically follows the same playbook rules for addressing this as with less sophisticated attacks.
They need to automate the easy stuff and spend more time on the challenging tasks of dealing with targeted attacks and threat hunting.
When in doubt, use the SOC playbook
One reason that SOCs struggle to differentiate between different types of attack is because of the difficulty in processing high volumes of threat intelligence from automated prevention capabilities such as firewalls and endpoint protection programs.
Sometimes organisations turn off these capabilities as they can slow down their networks. But this can leave them exposed to threats. Each program interferes with the smooth running of the network. If all the programs are running at once, this can seriously slow down operations. Switching them off speeds up the network.
But when these prevention programs are up and running, an even greater headache ensues. They produce reams of threat data from across the network which needs analysing manually. SOCs can quickly become overwhelmed by the sheer volume of alerts they process.
The knee-jerk reaction of most companies is to keep on adding more analysts to the SOC to deal with the growing number of alerts. However, a more effective way to deal with this data overload is to integrate all those prevention programs together so they feed data into a central dashboard. This will centrally sort the threats into those which are easily handled – and can be dealt with by automated systems – and those that need human intervention.
You may be wondering about the best way to automate away low-level threats. This can be accomplished by taking the processes laid out in the SOC playbook.
For instance, if a cyber threat is discovered targeting a bank, a security vendor will typically send out an alert warning to similar sized banks. On receiving the alert, their SOC analysts will search through their network to find files with similar characteristics to the threat. If they find one, they resolve it, probably with a patch.
Free up your SOC analysts
But with a next generation SOC, this threat intelligence is automated. A vendor discovering a possible threat sends the information to the client company’s SOC. The next generation SOC automatically scans the company’s computer network to see if the offending file has entered the system. If it identifies an infection with the file, it takes that device off the network, notifies the SOC analyst, and opens a ticket to deal with that threat. This should all happen within seconds of discovering the threat, rather than the hours it takes a traditional SOC to achieve this.
Automation of playbooks is straightforward – and key to creating a next generation SOC. It allows machines to take over laborious manual processes. The next-generation SOC analyst should be freed from low-level work to focus on monitoring threats before they arise and identifying and dealing with targeted attacks.
If you think the cost of running the SOC is increasing without a corresponding boost to security protection, ask your CISO how the SOC can be automated to increase its effectiveness. Offer your support in building a next-generation SOC which takes automation and cyber protection to the next level. Then you’ll really get your money’s worth for your organisation.