Security Operations Center (SOC) teams face anywhere from 50 to 100,000 threat alerts a day, many of which are false positives. Even the most sophisticated teams struggle to combat the sheer barrage of information and alerts they must sift through daily. Not only can alerts and events be hard to prioritize and manage, but real-time detection continues to be a major challenge as many sophisticated adversaries use “living off the land” techniques to blend in as insiders. One thing is clear – SOCs need to continue to evolve in order to keep pace with modern-day threats. And, utilizing the right combination of technology, intelligence, and people is critical to this evolution.
Technology – As a first step, SOCs need to leverage platforms that support data analytics and automated tool orchestration and that enable efficient operations. Adversaries today are getting faster and smarter, and companies often opt to layer more tools onto their cybersecurity arsenal in the hope of keeping pace. But these disparate solutions introduce increased complexity, data silos and a tsunami of data that must be triaged. Instead, security leaders should focus on improving operational efficiency and using tools that substantially reduce risk for their organization. These tools should enable rapid response, automated containment for high-fidelity security alerts, and streamlined collaboration.
Intelligence – Threat intelligence is critical in informing SOC teams’ detection capabilities and enabling them to effectively prioritize alerts. In order to operationalize threat intelligence, SOCs need to identify existing intelligence gaps and formulate an intelligence priorities framework based on these gaps. They then need to incorporate and consolidate their intelligence sources, and develop a process for effectively disseminating information internally. With a structure in place that prioritizes and consolidates intelligence, SOCs can improve upon their response strategy, saving themselves time and enhancing their organization’s overall defense.
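The two points above, gating automated containment on alert fidelity and using consolidated threat intelligence to prioritize alerts, can be shown together in a small triage routine. The following is an added example, not code from the original article or from any vendor platform; the detection rules, indicator list, fidelity values and thresholds are all constructed for illustration, and a real SOC would load indicators from its consolidated intelligence sources and tune the thresholds to its own false-positive rate.

```python
"""Score SOC alerts by combining a detection rule's base fidelity with
threat-intelligence matches, then route each alert to automated
containment, analyst escalation, or the low-priority queue.

Added example; all rules, indicators and thresholds are constructed."""
from dataclasses import dataclass, field
from typing import List

# Constructed threat-intelligence indicators: IOC -> confidence (0..100).
THREAT_INTEL = {
    "ip:203.0.113.45": 90,       # TEST-NET-3 address, constructed
    "sha256:" + "ab" * 32: 95,   # constructed file hash
    "domain:example.invalid": 60,
}

# Assumed base fidelity (0..100) of each detection rule. High-fidelity rules
# rarely false-positive; noisy rules start low and need intel to matter.
RULE_FIDELITY = {
    "edr.credential_dump": 85,
    "ids.port_scan": 30,
    "proxy.rare_domain": 40,
}

CONTAIN_THRESHOLD = 80    # at or above: automated containment
ESCALATE_THRESHOLD = 50   # between thresholds: human review


@dataclass
class Alert:
    alert_id: str
    rule: str
    host: str
    indicators: List[str] = field(default_factory=list)


@dataclass
class Triage:
    alert_id: str
    host: str
    score: int
    matched: List[str]
    action: str   # "contain", "escalate" or "queue"


def score_alert(alert: Alert) -> Triage:
    """Combine rule fidelity with the strongest matching indicator."""
    base = RULE_FIDELITY.get(alert.rule, 20)   # unknown rules start low
    matched = [i for i in alert.indicators if i in THREAT_INTEL]
    # Intel raises the score at half weight so that a single indicator hit
    # informs prioritization but cannot by itself trigger containment.
    boost = max((THREAT_INTEL[i] for i in matched), default=0) // 2
    score = min(100, base + boost)
    if score >= CONTAIN_THRESHOLD:
        action = "contain"
    elif score >= ESCALATE_THRESHOLD:
        action = "escalate"
    else:
        action = "queue"
    return Triage(alert.alert_id, alert.host, score, matched, action)


def triage(alerts: List[Alert]) -> List[Triage]:
    """Score every alert and return them highest priority first."""
    return sorted((score_alert(a) for a in alerts),
                  key=lambda t: t.score, reverse=True)


def containment_actions(results: List[Triage]) -> List[str]:
    """Hosts that the orchestration layer would isolate automatically."""
    return [f"isolate:{t.host}" for t in results if t.action == "contain"]


if __name__ == "__main__":
    sample = [   # constructed alerts
        Alert("a1", "edr.credential_dump", "ws-01", ["sha256:" + "ab" * 32]),
        Alert("a2", "ids.port_scan", "ws-02", ["ip:203.0.113.45"]),
        Alert("a3", "proxy.rare_domain", "ws-03", ["domain:example.invalid"]),
        Alert("a4", "proxy.rare_domain", "ws-04", []),
    ]
    for t in triage(sample):
        print(f"{t.alert_id} {t.host} score={t.score:3d} {t.action:8s} {t.matched}")
    print(containment_actions(triage(sample)))
```

The design choice worth noting is that intelligence adds to, rather than replaces, the detection's own fidelity: a noisy port-scan rule matching a high-confidence indicator is escalated to an analyst, but only a high-fidelity detection reaches the containment threshold on its own.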
People – Also key to the successful use of threat intelligence and overall security operations is the talent behind the defense. SOC teams should have intelligence analysts in place who can review inbound intelligence and produce analysis relevant to the organization. They also need people to proactively hunt for threats in their environment to augment their monitoring efforts. As threats continue to advance and adversaries get faster and smarter, even the most advanced SOC teams will need to ensure they have 24/7 coverage and the ability to execute their cyber crisis response plan on short notice.
The evolution of today’s threats and adversary tactics mandates that organizations’ cyber defenses evolve. SOCs are at the heart of any company’s defense and need to evolve along with the threat landscape so that teams can efficiently manage alerts and detect adversary activity as quickly as possible. As SOC team leaders look to drive operational effectiveness and enhance the productivity of their teams, a combination of proactive technology, intelligence, and people is critical. With this trio, SOCs of the future will be more efficient and effective at stopping or containing breaches.
Jerry has worked in the security industry for almost twenty years in both government and commercial operations. His experience includes US Department of Homeland Security National Cyber Security; Director, Incident Response, Cisco Systems Division; and, most recently prior to CrowdStrike, Vice President, Cyber Threat Intelligence & Incident Response, American Express.