Organizations are evolving to support new business applications and processes across a wide range of technologies—cloud platforms, microservices, the Industrial Internet of Things, and more. While these technologies help companies accelerate their businesses and compete in an increasingly automated and digital world, they also create larger and more complex defense surfaces.
Attackers are adept at finding and exploiting vulnerabilities in new and old technologies and targeting individual users, making it easier to bypass traditional security infrastructure and tools. At the same time, adversaries are using new technologies such as machine learning to access data. Next-generation attacks can execute from previews, shut off antivirus systems, escalate privileges, and even disable logs.
Security operations centers (SOCs) are grappling with the demands of this growing threat landscape. Most analysts have only limited access to their companies' data, often just weeks or months of it, because analysis and storage are expensive. Workflows are often rules-based or manual, leading to an ad hoc response to threats rather than the proactive, multifaceted one a modern SOC needs.
Together, these factors are holding many SOCs back from joining the modern age of security.
To meet the demands of data growth and threat sophistication, the SOC must evolve to encompass these four core components:
- Real-time and historical data analysis: Sifting through data is time-consuming and shouldn't require a data scientist's expertise to query it. With breaches taking mere seconds, analysts can no longer rely on a monitoring system that doesn't track all data and provide full visibility into the environment. Combining real-time analytics with historical data lets SOC analysts make better use of their time and shorten time to detection.
- A complete line of sight across the data landscape: To drive analytics and turn insight into real-time visualization of threats, the modern SOC needs to be able to see all of them. Attackers now use all available data, not just security telemetry, and legacy security information and event management (SIEM) architectures can't handle the volume of structured and unstructured data available to the SOC. Managing a growing number of advanced attacks with only part of the threat story is impractical. SIEMs remain an important piece of the puzzle, but they are not enough on their own.
- Consumption of business-critical endpoint data: As adversaries grow smarter and stronger, tools must evolve with the newest threats. Security teams collect large volumes of endpoint data and start by processing the alerts, but often lack the raw data for further analysis because of constraints such as legacy architecture or cost. Modern cloud SIEM architectures can consume all of that data and run anomaly detection or behavioral analytics to better counter adversaries. Static indicators alone are no longer strong enough for SecOps; every available tool must be used to keep company data safe.
- Comprehensive knowledge sharing and support: Analysts are well trained and highly skilled at threat hunting and intelligence, but transferring that hard-won experience among analysts is tough and requires platforms with built-in knowledge-sharing capabilities. Today's SOCs can share knowledge in a number of ways: through communities such as MISP that enable threat information sharing, and through features such as query trees and other means of capturing analysts' logic as they execute complex investigations.
The SOC is under ever-increasing pressure to meet the demands of data growth and threat sophistication and must evolve to support analysts’ creativity with data analytics and automation. Looking toward the future, it’s critical that analysts hone their skills to combat the next phase of adversarial targeting through AI and machine learning.
Understanding that malicious adversaries are now hiding in plain sight means threat hunting must evolve to look for tactics, techniques, and procedures, instead of focusing purely on static indicators of compromise. To achieve a modern SOC and maintain a view toward the future, analysts should collaborate to enrich their security postures with true data visibility and robust threat hunting and intelligence.
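The contrast drawn above between static indicators of compromise and hunting for tactics, techniques, and procedures, and the earlier point about running behavioral analytics over raw endpoint data, can be made concrete with a small detection script. The following is an added example and not code from the original article or any vendor product: it parses a constructed set of endpoint events (field layout, host names, hashes and the single "known-bad" hash are all invented for illustration), runs a static hash blocklist over them, and then runs a behavioral rule that correlates, per host, a privilege change followed within a short window by defense tampering (a stopped service or cleared logs), which matches the attack pattern the article describes. The renamed binary on ws-17 has a hash that no indicator list has seen, so only the behavioral rule catches it.

```python
"""Static-IoC matching vs. behavioral (TTP) correlation over endpoint telemetry.

Added example; all telemetry below is constructed, not captured from a real host.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry: one event per line with the fields
# timestamp, host, user, event type, process name, SHA-256 (shortened, fake).
RAW_EVENTS = """\
2024-05-01T10:00:01Z,ws-17,alice,process_start,outlook.exe,aaaa1111
2024-05-01T10:00:04Z,ws-17,alice,process_start,helper.exe,ffff0000
2024-05-01T10:00:09Z,ws-17,SYSTEM,privilege_change,helper.exe,ffff0000
2024-05-01T10:00:15Z,ws-17,SYSTEM,service_stop,helper.exe,ffff0000
2024-05-01T10:00:20Z,ws-17,SYSTEM,log_cleared,helper.exe,ffff0000
2024-05-01T11:30:00Z,ws-22,bob,process_start,installer.exe,bbbb2222
2024-05-01T11:30:05Z,ws-22,SYSTEM,privilege_change,installer.exe,bbbb2222
2024-05-01T13:00:00Z,ws-31,carol,process_start,oldmalware.exe,deadbeef
"""

# Static indicator list (constructed): catches only samples already seen and hashed.
KNOWN_BAD_HASHES = {"deadbeef"}

# Behavioral rule: on a single host, a privilege change followed by tampering
# with defenses (stopping a service or clearing logs) inside a short window.
TAMPERING_EVENTS = {"service_stop", "log_cleared"}
WINDOW = timedelta(minutes=5)


def parse_events(raw):
    """Turn the CSV-style lines into dicts with a parsed timestamp."""
    events = []
    for line in raw.strip().splitlines():
        ts, host, user, etype, proc, sha = line.split(",")
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "host": host, "user": user, "type": etype,
            "process": proc, "sha256": sha,
        })
    return events


def match_static_iocs(events, bad_hashes=KNOWN_BAD_HASHES):
    """Indicator matching: flag any event whose hash is on the blocklist."""
    return [e for e in events if e["sha256"] in bad_hashes]


def detect_privesc_then_tampering(events, window=WINDOW):
    """Correlate per host: privilege_change followed by defense tampering within the window."""
    by_host = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_host[e["host"]].append(e)
    findings = []
    for host, evs in by_host.items():
        for i, e in enumerate(evs):
            if e["type"] != "privilege_change":
                continue
            followups = [f for f in evs[i + 1:]
                         if f["type"] in TAMPERING_EVENTS and f["ts"] - e["ts"] <= window]
            if followups:
                findings.append({
                    "host": host,
                    "process": e["process"],
                    "sha256": e["sha256"],
                    "sequence": [e["type"]] + [f["type"] for f in followups],
                })
    return findings


if __name__ == "__main__":
    evs = parse_events(RAW_EVENTS)
    print("static IoC hits:", [(e["host"], e["process"]) for e in match_static_iocs(evs)])
    for finding in detect_privesc_then_tampering(evs):
        print("TTP hit:", finding)
```

Run as-is, the static check reports only the old sample on ws-31, while the behavioral rule reports ws-17 with the sequence privilege_change, service_stop, log_cleared; ws-22 has a privilege change with no tampering afterwards and is left alone, which is the kind of precision a sequence rule gives over a single-event alert. The same correlation needs the raw event stream to be retained, not just the alerts, which is the retention argument the article makes.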