By Adam Vincent
With the proliferation of attack types and the reality that threat actors are getting smarter, faster, and more efficient at compromising networks, today’s Security Operations Centers (SOCs) must be more flexible and agile to detect and stop threats. However, whether the SOC is a team of one or many, most teams are falling behind because of fragmentation between tools and teams, which causes response times to lag and makes even the simplest processes overwhelming. To drive the efficient operations required in the modern cybersecurity landscape, teams must enhance collaboration, automate tasks and actions where possible, and get the most out of their existing security tools.
The first step to improving SOC efficiency and effectiveness is to reduce fragmentation by aligning critical roles and systems within the team. If employees or technologies aren’t collaborating, detection of and response to an alert or threat can be dramatically slower, if not completely halted. To unite people and processes across the SOC, there are a few internal steps to take:
- Develop and utilize a process for data analysis and workflows across the SOC team.
- Defragment the team by creating clear roles and responsibilities as well as a centralized workflow.
- Find the right mix of sources to correlate the best threat data for the organization – this may be a combination of intel feeds with internal threat data.
- Build and share knowledge across technologies to remove ineffectiveness and inefficiency.
While collaboration is key for SOCs, automating tasks is equally important. Today, most SOC teams rely on manual analysis – according to a recent SANS survey, 39 percent of respondents collected and stored data and performed analyses mostly or completely manually. Whether you’re automating mundane tasks or blocking and alerting, automation takes care of the work that often slows teams down, so that events can be triaged faster and false positives can be removed. Teams can then spend more time analyzing the intelligence and insights that directly affect the organization, which leads to better-informed defenses.
Finally, to be more efficient and effective, SOC teams must ask themselves: “Am I orchestrating across my tools enough to close the gaps?” From firewalls to threat intelligence and endpoint protection, it’s critical not only to have the tools needed to protect your organization’s network and data, but also for those tools to work together when needed. All too often SOC teams are dealing with security tools that are siloed because of interoperability issues or a lack of communication between technologies – this creates more tasks, slows response, and can thus leave a gap in the overall security posture. When looking to improve SOC efficiency, ensure that tools can collaborate and communicate, enabling a single source of truth and reducing duplicated effort across tools and teams.
As organizations prepare for 2018 and a more cyber-secure year ahead, it’s important to ensure your SOC is working efficiently and effectively, without gaps. Missed alerts and potential incidents tend to occur at the seams between tools and teams. Because of this, it’s important for SOCs of any size to make sure their team members can easily work together. On top of this, the ability to automate tasks promises to improve response times and lets analysts focus on potential issues rather than mundane tasks. And, as we tie the need for collaboration and automation together, ensuring that the SOC team is getting the most out of its security tools will enable efficient aggregation and analysis of, and later action on, the intelligence, data, and outputs each tool provides.
About Adam Vincent
Adam is an information security expert and is currently the CEO and a founder of ThreatConnect, Inc. He has over a decade of experience in programming, network security, penetration testing, cryptography design and cryptanalysis, and identity and access control, along with detailed expertise in information security.