The 3 Biggest Challenges Faced by Today's SOCs & One Smart Solution
Published 06/14/2022
This blog was originally published by LogicHub here.
Written by Kumar Saurabh, CEO and Co-founder, LogicHub.
As a security operations professional, you've put in your fair share of late nights. You know what it's like to wake up to a deluge of alerts and the need to assess the situation — fast. Your SOC team probably already has a number of formal or informal playbooks that outline the steps to take in a security event.
First, you need to gather all the relevant data. That can be a tall order — because if you're like most SOC teams, you're using dozens of security tools. There's a lot of both interdependent and disparate information to parse. Some kinds of files, like access logs, are incredibly dense. It's difficult to put the data in context quickly and efficiently.
Then you must reach a conclusion: whether the event that triggered the alert presents a real threat and what action(s) you need to take. It might be an all-too-frequent false alarm. But it could be an imminent threat that puts your organization at risk.
How much time has elapsed? Chances are, it's too long — either way. Here are three of the biggest challenges SOC teams face and the best way to meet them right now.
1. Data (and Alert) Overload
Most SOC operations begin with collecting large amounts of data using a SIEM system or a security data lake (SDL). These systems use rules-based automation to look for known threats and are very often signature-based, but the inherent flaw is that the decision process does not evolve.
SIEMs weren't designed to handle the massive quantities of data most enterprises generate now, at least not with the speed and efficiency needed to do it without triggering an overabundance of alerts. It's incredibly difficult to separate the signal from the noise, so many alerts are not examined at all.
2. False Alarms are Truly Problematic
With so much data overwhelming a SIEM (and so many alerts), the security events that are triaged are overwhelmingly "false positives." The problem is unavoidable whether they're triaged by people or automation. If you are relying on rules-based automation, it is often stretched beyond its native capabilities.
But if the situation requires no real response, human alert fatigue increases exponentially. And in a competitive marketplace where tech workers demand a premium, it's not the best way to leverage their skills or, frankly, to keep them incentivized to stay.
3. We're Only Human
Even as innovations in automation disrupt nearly every industry, they can't replace humans in the realm of creative endeavors (like inventing new technologies). People can do many things machines cannot. But they do need more time to process data. They can't work constantly. They can't be on alert around the clock. What can? Intelligent bots. Think of them as always-on assistants you configure to your exact specifications.
Security is a 24/7 job. You can’t afford to leave your SOC unstaffed or under-resourced, but your team will never be large enough to review the massive amounts of data that pour in at the speed of machines. So you need to counter it with machines. It's a "fight fire with fire" strategy, one that still depends on people to build, evaluate and adjust the AI, and take action at any step in the playbooks it uses.
Humans are undoubtedly more inspired than their bot assistants, but they're much more inconsistent, too. They have varying skill sets, backgrounds, experience, schedules and energy levels. Consistency, however, is crucial in order to stay ahead of the threat landscape.
How decision automation can transform your SOC
Though SIEMs are still the standard in many organizations, they are over 20 years old. The need to move toward more advanced technology is both imperative and inevitable.
Next-generation intelligent automation is based on a progressive learning model that adapts based on your organization's data — as well as your analysts’ feedback. As the artificial intelligence (AI) learns, it applies those lessons to its future work. That’s the difference between a rules engine and a decision engine. It doesn't require a trigger; instead, it's able to do both detection and response.
If the event requires a nuanced decision or weighty, uniquely consequential action from a security analyst, they're able to review a concise, clear summary that includes both an aggregated final threat score and a suggested plan of action. It's just what you need in a crisis.
It's also what you need to stop the next crisis in its tracks.
Most SOCs deal with so much data — and limited resources, human or financial — that they are putting out fires instead of preventing them. Alert triage and incident response take center stage as a matter of necessity, and threat hunting becomes a “nice to have.” Very few small security teams have a member dedicated to threat hunting. It's not just time-consuming; threat hunting specialists are highly skilled, sought-after and paid accordingly. So threat hunting is a luxury for many businesses.
Intelligent automation can turn that into an accessible reality. Skilled threat hunters can encode their techniques, capturing and turning their expertise and decision processes into scoring and decision playbooks. As an automated detection and response system carries out those playbooks and learns from them, its ability to spot (and prevent) trouble will continuously improve. As will your organization's ability to scale, innovate and meet whatever challenges come its way.
About the Author
Kumar Saurabh is the CEO and co-Founder of LogicHub. A leader in intelligence automation and analytics, Kumar has more than 15 years of experience in the enterprise security and log management space and led product development efforts at ArcSight, SumoLogic, and Mint.com.