5 key elements of the next-gen security operations center
Enterprise Strategy Group (ESG) recently surveyed 372 IT and security professionals about issues surrounding enterprise security analytics and operations processes. The results: Cloud migration, digital transformation initiatives, and the IoT are imposing new requirements on the security operations center (SOC).
A deepening skills shortage is affecting the ability of SOCs to do their jobs, and disconnected security tools are preventing organizations from getting the full picture of their security posture, according to the report, "The Rise of Cloud-Based Security Analytics and Operations Technologies."
Update your security operations center with an understanding of the confluence of factors identified in the ESG report. Here are five key elements that should be part of your next-generation SOC.
1. Cloud-based analytics and operations are essential
According to ESG's survey, 82% of organizations are committed to moving the bulk of their workloads and applications to the cloud. On-premises security information and event management (SIEM) and other analytic tools alone will not be sufficient to monitor and analyze cloud workloads.
Increasingly, companies are going to need to supplement or replace on-premises tools with cloud-based products and services. The cloud offers massive processing capabilities and storage scaled to meet enterprise requirements. The attractive pricing models and the opportunity to eliminate operational overhead associated with on-premises technology are two other factors that make cloud-based security technologies attractive, the report states.
Thirty-eight percent of SOCs already use public cloud analytics and operations tools, and 44% don't mind using such tools in a hybrid environment. Over the relatively short term, a high percentage of organizations will "lift and shift" on-premises tools to the cloud, replace on-premises tools with cloud-based alternatives, or combine on-premises SOC technologies with additional cloud-based tools. One in three organizations is currently using its on-premises SIEM to monitor and analyze cloud workloads.
The primary use cases for cloud security analytics include real-time threat detection and response, risk management monitoring and analysis, and threat intelligence.
2. Managed services can take pressure off staff
A worsening cybersecurity skills shortage is driving the need for managed threat detection and response services at many SOCs.
Managed security analytics and operations services deliver a range of capabilities, including around-the-clock threat monitoring of networks, endpoints, and applications; incident detection and response; SIEM-to-security orchestration, automation and response (SOAR) integration; and compliance reporting.
According to research firm Markets and Markets, the market for managed SOC services will grow from around $372 million in 2019 to $1.1 billion by 2024. Banking, financial services companies, and insurance firms will be the biggest adopters of managed SOC services, according to the research firm.
About 75% of the organizations in the ESG survey claimed that their security operations capabilities are being undermined by a lack of available personnel, and 70% said it was either difficult or extremely difficult to find and hire qualified SOC staff.
To address the gap, many organizations are using managed SOC services providers. Nearly three-quarters (74%) already use such services, and more than nine in 10 organizations (91%) plan on ramping up the use of managed security analytics services over the next 18 months.
3. Open architectures and layered analytics bring big picture to life
To improve operational and security efficiencies, SOCs will require a next-generation SIEM or a common security analytics and operations platform architecture (SOAPA) to integrate data from multiple security tools. SOCs will need an open architecture and layered SIEM, user and entity behavior analytics (UEBA), and SOAR capabilities. The data management part, the analytics component, and the data pipelining functions will all need to be separate, said Jon Oltsik, an analyst at ESG and author of the new report.
To be effective, next-gen SIEM platforms will require a unified interface, or mission control, that will bring together data from layered analytics tools so analysts won't have to toggle from one interface to another to see what the logs or the network is telling them, Oltsik said. Thirty-six percent of organizations in ESG's survey are actively working on enabling such integration; another 48% are somewhat active but don't consider it to be one of their top priorities yet.
4. Automation and orchestration are key
SOCs seeking to improve capabilities in areas such as threat intelligence operations and incident response will need to automate processes where they can.
Security automation and orchestration help SOC teams manage their responsibilities, analysis firm 451 Research said in a recent report.
"Automation reduces the labor effort by executing scripts to collect and organize evidence gathering from disparate sources."
Enterprises that have automated security processes have reported increased SOC workflow performance because staff can spend more time addressing problems, the report said.
ESG's survey showed that 27% of organizations have already extensively automated key security analytics and operations capabilities, while another 38% have done so on a more limited basis. Eighteen percent are currently piloting a SOC process automation and orchestration project, 7% plan on doing so in the near future, and 6% plan to do so over a slightly longer term.
The top use case for process automation is the integration of security and IT operations capabilities, with 35% of survey respondents saying that was their immediate priority. Other use cases include enabling better collaboration between security and operations teams (34%) and automation of incident remediation tasks (29%).
5. Machine learning boosts threat hunting and investigations
As data volumes and security alerts increase, machine-learning (ML) tools will become key to effective threat detection and response.
ML-powered security tools are designed to help organizations spot malicious activity by pinpointing deviations from normal network or application behavior. They come in two flavors—supervised and unsupervised ML. A supervised tool uses existing datasets to "learn" what normal behavior looks like so teams can detect and alert on variations from the norm. Unsupervised tools use algorithms to study network traffic and identify what normal behavior looks like so they can spot deviations.
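The unsupervised flavor described above, reduced to its core, is baselining: learn what "normal" looks like per entity from unlabeled history, then flag observations that fall far outside it. The following added example (not from the article or any vendor product) builds a per-host baseline of outbound byte counts from constructed log lines and scores new records, including the edge cases a real tool must handle: a host with no baseline yet, and a host whose history shows no variation at all. The log format and host names are assumptions for the demonstration.

```python
import re
import statistics
from collections import defaultdict

# Assumed record format (constructed for this example): "<date> <hour> host=<name> out_bytes=<n>"
LINE_RE = re.compile(r"host=(?P<host>\S+)\s+out_bytes=(?P<bytes>\d+)")

# Constructed training window: three days of hourly outbound byte totals for two hosts.
TRAINING_LOG = "\n".join(
    f"2024-01-0{d} {h:02d}:00 host=ws-01 out_bytes={11000 + 100 * ((d * 7 + h) % 5)}"
    for d in range(1, 4) for h in range(24)
) + "\n" + "\n".join(
    f"2024-01-0{d} {h:02d}:00 host=db-01 out_bytes={50000 + 1000 * (h % 3)}"
    for d in range(1, 4) for h in range(24)
)

# Constructed new records: one normal, one large outbound spike, one unseen host, one junk line.
NEW_EVENTS = """2024-01-04 09:00 host=ws-01 out_bytes=11200
2024-01-04 10:00 host=ws-01 out_bytes=480000
2024-01-04 10:00 host=db-01 out_bytes=51000
2024-01-04 10:00 host=ws-99 out_bytes=9000
this line is not a record and is skipped"""


def parse(text):
    """Yield (host, out_bytes) for every line that matches the record format."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m["host"], int(m["bytes"])


def build_baseline(text):
    """Unsupervised step: per-host mean and population stdev learned from unlabeled history."""
    samples = defaultdict(list)
    for host, b in parse(text):
        samples[host].append(b)
    # A single observation gives no notion of spread, so such hosts get no baseline.
    return {h: (statistics.mean(v), statistics.pstdev(v)) for h, v in samples.items() if len(v) >= 2}


def score(baseline, text, threshold=4.0):
    """Return (host, out_bytes, z_score_or_None, verdict) for each new record."""
    results = []
    for host, b in parse(text):
        if host not in baseline:
            results.append((host, b, None, "no-baseline"))  # cannot judge an unseen entity
            continue
        mean, sd = baseline[host]
        if sd == 0:  # flat history: any change at all is a deviation
            z = 0.0 if b == mean else float("inf")
        else:
            z = (b - mean) / sd
        results.append((host, b, z, "anomaly" if abs(z) > threshold else "normal"))
    return results
```

A "no-baseline" verdict is a signal in its own right for an analyst: a host the SOC has never observed before deserves a look before it is silently folded into the baseline.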
Many forward-leaning SOCs have already begun using ML-based tools to bolster investigations and to improve their ability to detect and respond to threats. ESG's survey showed that more than half (52%) are already extensively using ML or using it on a somewhat more limited basis. Twenty percent are piloting ML projects, while another 18% are planning to deploy or are interested in deploying ML for threat detection and response.
According to the ESG survey, interest in ML primarily stems from a desire to improve organizations' ability to detect advanced threats (37%), to accelerate investigation (34%), and to improve their ability to identify overall cyber risk (34%).
Despite the surging interest, many organizations are taking a cautious approach to implementing ML, Oltsik said. Initially, at least, organizations are using ML to supplement their defenses rather than to replace anything.
"A lot of ML algorithms are new and immature, but they are getting better."
Rather than blindly trusting ML algorithms, many companies are building their own analytics, comparing them with what the ML products are telling them, and then fine-tuning the algorithms as required, he said.