The Right Technology Can Make Any SOC Model More Effective
I periodically like to respond to information published about the cybersecurity industry and its technology. In this blog post I'll give our response to a recent Gartner report and point out some specific aspects where my view differs somewhat, including the importance of moving beyond detection to response and how the right technology can take some of the pressure off hiring. I'll also offer some strategies for overcoming the risks the report identifies, which are real and cannot be refuted.
Gartner recently published the Selecting the Right SOC Model for Your Organization(1) report. According to the report, “SOCs’ main mission is focused on the following functions, with threat detection and response being the most common across SOCs. The SOC needs to be clearly aligned to its target operating model. If a set of functions is not delivered out of the SOC, this could indicate that these functions are performed by another internal structure, an external service provider or are not aligned to the organization’s security use cases:
- Security event monitoring, detection, investigation and alert triaging
- Security incident response management, including malware analysis and forensic analysis
- Threat intelligence management (ingestion, production, curation and dissemination)
- Risk-based vulnerability management (notably, the prioritization of patching)
- Threat hunting
- Security device management and maintenance (for the SOC technology stack)
- Development of data and metrics for compliance reporting/management.”
In the figure below (not reproduced here), Gartner describes the main functions of a SOC across all SOC models.
The report goes on to describe the five primary operational SOC models for typical organizations:
- Virtual SOC
- Multifunction SOC
- Hybrid SOC
- Dedicated SOC
- Command SOC
The report further notes the following benefits and uses of SOC models:
- Improved threat management
- Reduction in mean time to detect (MTTD) and mean time to respond (MTTR) to incidents
- Centralization and consolidation of security functions
- Regulatory compliance
Moving Beyond Prevention
Many organizations still think their goal is to prevent cyberthreats. At Lastline we have witnessed what Gartner describes, and we agree with the report when it states that "SOCs are becoming more ubiquitous as organizations large and small shift security efforts from prevention only to a blend of prevention and detection." This recognizes that the perimeter is porous and that some attacks do get through the "prevention" barriers. It means threats are already on your network, moving laterally, and remaining in place for an average of 200 days. So, among the tools needed is something that can not only detect anomalous network activity, most of which is benign, but also distinguish the genuinely malicious traffic within it.
However, I'd argue that expanding from prevention to detection is still not enough. Our customers have also been very vocal about their SOC's need to respond and hunt, that is, to take action. To be effective at this, SOC analysts need complete visibility into what is taking place on their on-premises network, in the cloud, and in hybrid environments, with enough detail to guide efficient and complete remediation.
Any Model Requires People
Regardless of your preferred SOC model, somewhere along the line a company needs to have a security analyst on staff. Whether the SOC is outsourced, managed in house, or run as a hybrid, someone needs to hire someone. And there just aren't enough of those people to fill all of the available positions. According to InfoSecurity Magazine, today there are over 4 million unfilled cybersecurity positions.
If you can never hire enough people, you need to fill the gap with technology, ideally with AI-powered solutions that can do a better job of discerning between benign network anomalies and malicious network behaviors, and enable security analysts to “punch above their weight class.”
As for the specific technology needed, I agree with Gartner's recommendation to "expand the SOC's capabilities beyond just SIEM solutions to provide greater visibility into the IT, OT and IoT environment where appropriate, but do not expect a full SOC/NOC function. Likewise, plan for SOC functions beyond reactive incident monitoring and into threat detection and response, and even proactive threat hunting." What I believe a SOC needs, especially in light of inadequate staffing, is a Network Detection and Response (NDR) technology that consolidates network security controls, analyzes network activity, recognizes novel malicious behavior, and can actively block and respond to intrusions.
The Risks Can be Overcome
Gartner names several risks that must be taken into consideration and managed. One is that “organizations adopting the SOC model should carefully evaluate how this investment translates to less frequent and severe breaches, and compare it to their own pre-SOC state. Furthermore, security technologies are not silver bullets. SOCs may become overwhelmed by the vast number of alerts generated by an expanding number of security tools.”
I agree, but only if the SOC is not deploying the right technology. By merging network traffic analysis and intrusion prevention with file analysis that detects malicious behaviors, Lastline Defender minimizes false positives. It not only reduces the likelihood of too many alerts; it actually makes SOC analysts more efficient and productive by merging isolated alerts into comprehensive intrusion evidence and focusing their efforts on the highest-risk threats.
The report goes on to say, "better SIEM tuning to minimize noise, use of advanced analytics for better detection, and use of automation for alert triage and faster response are often used to reduce the alert flood." Certainly, some of these techniques help. However, I believe that what typically happens when a SIEM solution is tuned to reduce the number of alerts is that the SOC trades false positives (something detected that turns out to be benign) for false negatives (a real threat that is not detected). And I would argue that a real threat that is missed can be far more damaging than time wasted investigating red herrings. This is why higher-fidelity insights from your network security controls are paramount, and why solutions like NDR are better equipped to provide them.
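The trade-off described above, and the alternative of merging isolated low-scoring events into intrusion evidence mentioned earlier, can be shown on constructed data. This is an added illustration, not Lastline code: the alert tuples, source addresses and scores are made up, and the correlation rule (distinct kill-chain stages per source within a time window) is one generic approach, not any vendor's algorithm.

```python
from collections import defaultdict

# Constructed sample alerts, not real data: a loud but benign authorised
# scanner and a low-and-slow intrusion that never produces a single loud event.
# Tuple layout: (timestamp_seconds, source_ip, kill-chain stage, alert score)
EVENTS = [
    (0,    "10.0.0.5",  "recon",      9),  # authorised vulnerability scanner
    (5,    "10.0.0.5",  "recon",      9),
    (10,   "10.0.0.5",  "recon",      8),
    (100,  "10.0.0.42", "recon",      4),  # intruder: quiet port probe
    (700,  "10.0.0.42", "credential", 5),  # valid but unusual logon
    (1300, "10.0.0.42", "lateral",    5),  # admin share access
    (1900, "10.0.0.42", "exfil",      6),  # modest outbound transfer
    (2000, "10.0.0.7",  "credential", 3),  # ordinary user, one odd logon
]
KNOWN_BAD = {"10.0.0.42"}  # ground truth for the constructed data only


def threshold_alerts(events, threshold):
    """SIEM-style tuning: alert on any single event scoring >= threshold."""
    return {src for _, src, _, score in events if score >= threshold}


def correlated_alerts(events, window_s=3600, min_stages=3):
    """Alert when one source traverses >= min_stages distinct stages
    within window_s seconds, regardless of each event's individual score."""
    by_src = defaultdict(list)
    for ts, src, stage, _ in events:
        by_src[src].append((ts, stage))
    flagged = set()
    for src, evs in by_src.items():
        evs.sort()
        for i, (t0, _) in enumerate(evs):
            stages = {st for ts, st in evs[i:] if ts - t0 <= window_s}
            if len(stages) >= min_stages:
                flagged.add(src)
                break
    return flagged


def fp_fn(alerted, known_bad=KNOWN_BAD):
    """Return (false positives, false negatives) for a set of alerted sources."""
    return (sorted(alerted - known_bad), sorted(known_bad - alerted))


if __name__ == "__main__":
    # Raising the threshold from 5 to 7 silences the intruder but not the scanner.
    for thr in (5, 7):
        print(f"threshold {thr}: fp/fn = {fp_fn(threshold_alerts(EVENTS, thr))}")
    print(f"correlation:  fp/fn = {fp_fn(correlated_alerts(EVENTS))}")
```

Raising the per-event threshold removes the intruder's alerts before the scanner's, which is exactly the false-positive-for-false-negative trade described above; the correlation rule flags the intruder and stays quiet on the scanner.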
Another risk the report names is skills, expertise and staff retention, noting that "an understaffed SOC or one staffed with inexperienced analysts will be ineffective and will struggle to achieve its objective of rapid detection and response to threats and incidents, despite all the spend on technology and data collection." Generally, I agree, but I believe this too can be mitigated with the right technology. The CSO at one of our customers testified to this as follows: "Lastline makes it possible to complete a cleanup action within 10 to 15 minutes, whereas before it could have taken hours."
Network Detection and Response Can Make Any SOC Model Better
In closing, having the right technology can go a very long way towards improving the productivity and ultimate success of any SOC, regardless of the model deployed.
Lastline Defender, a Network Detection and Response platform, supports nearly all of the functions and components of a SOC described earlier, from network detection and malware analysis to threat intelligence and threat hunting. To learn more, please see our website or contact us to schedule a demonstration.
(1) Gartner, "Selecting the Right SOC Model for Your Organization," Gorka Sadowski et al., 24 February 2020.