2. NEXT-GEN INTELLIGENT SOC
Building Next-gen Intelligent SOC
Before starting to build a Next-gen Intelligent SOC (Security Operations Center):
What is a SOC?
A SOC (Security Operations Center) is the central unit of an organization responsible for monitoring the organization's security posture and detecting threats to it.
In a traditional SOC, detection depends on the analysts' skills and available time, and monitoring is limited to traditional SIEM (Security Information & Event Management) tools, threat feeds, and a small set of critical assets in scope.
3. NEXT GEN INTELLIGENT SECURITY OPERATIONS CENTRE CONT.
In a Next Gen Intelligent SOC, monitoring extends beyond critical assets to all of the organization's assets, including cloud assets, mobile devices, end-user machines, CCTV, door access systems, Wi-Fi, etc. This is necessary because attackers are becoming more sophisticated in both their methods and the tools they use to attack.
5. What does SOC really do?
Provides services which could include:
Security Administration
System and Event Monitoring
Management of malware
Incident Response
Security investigations
Vulnerability Assessment and Penetration Testing
Security Engineering
Support services
6. 5 KEY ELEMENTS OF THE NEXT-GEN SECURITY OPERATIONS CENTER
1. Cloud-based analytics and operations are essential
2. Managed services can take pressure off staff
3. Open architectures and layered analytics bring big picture to life
4. Automation and orchestration are key
5. Machine learning boosts threat hunting and investigations
7. 1. CLOUD-BASED ANALYTICS AND OPERATIONS ARE ESSENTIAL
According to ESG's survey, 82% of organizations are committed to moving the bulk of their workloads and applications to the cloud. On-premises security information and event management (SIEM) and other analytic tools alone will not be sufficient to monitor and analyze cloud workloads. Increasingly, companies will need to supplement or replace on-premises tools with cloud-based products and services. The cloud offers massive processing capabilities and storage scaled to meet enterprise requirements. The attractive pricing models and the opportunity to eliminate the operational overhead associated with on-premises technology are two other factors that make cloud-based security technologies attractive, the report states.
Thirty-eight percent of SOCs already use public cloud analytics and operations tools, and 44% don't mind using them in a hybrid environment. Over the relatively short term, a high percentage of organizations will "lift and shift" on-premises tools to the cloud, replace on-premises tools with cloud-based alternatives, or combine on-premises SOC technologies with additional cloud-based tools. One in three organizations is currently using its on-premises SIEM to monitor and analyze cloud workloads.
The primary use cases for cloud security analytics include real-time threat detection and response, risk management monitoring and analysis, and threat intelligence.
8. 2. MANAGED SERVICES CAN TAKE PRESSURE OFF STAFF
Managed security analytics and operations services deliver a range of capabilities, including around-the-clock threat monitoring of networks, endpoints, and applications; incident detection and response; SIEM-to-security orchestration, automation and response (SOAR) integration; and compliance reporting.
According to research firm Markets and Markets, the market for managed SOC services will grow from around $372 million in 2019 to $1.1 billion by 2024. Banking, financial services companies, and insurance firms will be the biggest adopters of managed SOC services, according to the research firm.
About 75% of the organizations in the ESG survey claimed that their security operations capabilities are being undermined by a lack of available personnel, and 70% said it was either difficult or extremely difficult to find and hire qualified SOC staff.
To address the gap, many organizations are using managed SOC service providers. Nearly three-quarters (74%) already use such services, and more than nine in 10 organizations (91%) plan on ramping up the use of managed security analytics services over the next 18 months.
9. 3. OPEN ARCHITECTURES AND LAYERED ANALYTICS BRING BIG PICTURE TO LIFE
To improve operational and security efficiencies, SOCs will require a next-generation SIEM or a common security analytics and operations platform architecture (SOAPA) to integrate data from multiple security tools. SOCs will need an open architecture and layered SIEM, user and entity behavior analytics (UEBA), and SOAR capabilities. The data management part, the analytics component, and the data pipelining functions will all need to be separate, said Jon Oltsik, an analyst at ESG and author of the new report.
To be effective, next-gen SIEM platforms will require a unified interface, or mission control, that brings together data from layered analytics tools so analysts won't have to toggle from one interface to another to see what the logs or the network are telling them, Oltsik said. Thirty-six percent of organizations in ESG's survey are actively working on enabling such integration; another 48% are somewhat active but don't consider it to be one of their top priorities yet.
10. 4. AUTOMATION AND ORCHESTRATION ARE KEY
Enterprises that have automated security processes have reported increased SOC workflow performance because staff can spend more time addressing problems, the report said.
ESG's survey showed that 27% of organizations have already extensively automated key security analytics and operations capabilities, while another 38% have done so on a more limited basis. Eighteen percent are currently piloting a SOC process automation and orchestration project, 7% plan on doing so in the near future, and 6% plan to do so over a slightly longer term.
The top use case for process automation is the integration of security and IT operations capabilities, with 35% of survey respondents saying that was their immediate priority. Other use cases include enabling better collaboration between security and operations teams (34%) and automation of incident remediation tasks (29%).
11. 5. MACHINE LEARNING BOOSTS THREAT HUNTING AND INVESTIGATIONS
As data volumes and security alerts increase, machine-learning (ML) tools will become key to effective threat detection and response.
ML-powered security tools are designed to help organizations spot malicious activity by pinpointing deviations from normal network or application behavior. They come in two flavors: supervised and unsupervised ML. A supervised tool is trained on existing datasets to "learn" what normal behavior looks like, so teams can detect and alert on variations from the norm. Unsupervised tools use algorithms to study network traffic and establish for themselves what normal behavior looks like, so they can spot deviations.
Many forward-leaning SOCs have already begun using ML-based tools to bolster investigations and to improve their ability to detect and respond to threats. ESG's survey showed that more than half (52%) are already using ML either extensively or on a somewhat more limited basis. Twenty percent are piloting ML projects, while another 18% are planning to deploy or are interested in deploying ML for threat detection and response.
According to the ESG survey, interest in ML primarily stems from a desire to improve organizations' ability to detect advanced threats (37%), to accelerate investigations (34%), and to improve their ability to identify overall cyber risk (34%).
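As an added illustration of the two flavors described above (this is example code written for this page, not anything from the slides or the ESG report), the block below runs an unsupervised baseline and a supervised nearest-centroid classifier over constructed per-host hourly outbound-byte counts; the hostnames, byte values and the (host, hour, bytes) record shape are all assumptions.

```python
"""Supervised vs. unsupervised deviation detection over constructed SOC telemetry."""
from statistics import mean, pstdev

# Constructed, unlabelled "normal" hourly outbound bytes for one workstation.
NORMAL_HOURS = [1200, 1350, 1100, 1500, 1280, 1420, 1180, 1330, 1250, 1390,
                1310, 1160, 1440, 1270, 1360, 1210, 1480, 1300, 1230, 1370]

# Constructed labelled dataset for the supervised flavour: (bytes, label).
LABELLED = [(1200, "normal"), (1400, "normal"), (1300, "normal"),
            (98000, "exfil"), (120000, "exfil"), (87000, "exfil")]


def unsupervised_baseline(values):
    """Learn what 'normal' looks like from unlabelled traffic alone: (mean, stdev)."""
    return mean(values), pstdev(values)


def unsupervised_flag(value, baseline, z_threshold=3.0):
    """Flag an observation whose z-score against the learned baseline is too large."""
    mu, sigma = baseline
    if sigma == 0:  # degenerate baseline: any change at all is a deviation
        return value != mu
    return abs(value - mu) / sigma > z_threshold


def supervised_train(labelled):
    """Nearest-centroid classifier: one centroid per label in the training data."""
    return {lbl: mean(v for v, l in labelled if l == lbl) for _, lbl in labelled}


def supervised_classify(value, centroids):
    """Return the label whose centroid is closest to the observation."""
    return min(centroids, key=lambda lbl: abs(value - centroids[lbl]))


def triage(observations):
    """Run both flavours over new (host, hour, bytes) records; return alerts."""
    baseline = unsupervised_baseline(NORMAL_HOURS)
    centroids = supervised_train(LABELLED)
    alerts = []
    for host, hour, nbytes in observations:
        unsup = unsupervised_flag(nbytes, baseline)
        label = supervised_classify(nbytes, centroids)
        if unsup or label != "normal":
            alerts.append((host, hour, nbytes, unsup, label))
    return alerts


if __name__ == "__main__":
    # Constructed observations: hour 10 is far outside the baseline but is not
    # exfil-sized, so only the unsupervised flavour catches it.
    for alert in triage([("ws-07", 9, 1310), ("ws-07", 10, 30000), ("ws-07", 11, 110000)]):
        print(alert)
```

The supervised classifier only knows the two behaviours it was labelled with, so a novel mid-sized spike is assigned to "normal" while the baseline z-score still flags it; in practice a SOC layers both.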