SOC Modernization: Building a Strong Foundation

Woman in glasses looking at computer screen

Editor’s Note: This a partnered sponsored guest blog written by Cadre.

The core paradigm of today’s security operation center (SOC) is having the right tools paired with the right technologies and using automation to make sense of the mountain of data. It is almost unfathomable that SOCs used to be one analyst in front of a single computer to detect and investigate threats — so too is our current norm of hundreds of thousands of attacks on large organizations each day.

While automation is part of the big three of SOC modernization, it is not going to magically disappear the uphill battle of hybrid work, hybrid environments, and intrepid hackers. Many chief information security officers (CISOs) have invested in machine learning (ML) or automation to streamline operations and help offload mundane tasks from security analysts. But the reality is, machine learning today is table stakes. Most vendors includes ML in their offerings and yet we still struggle to modernize the SOC.

If technology, tools, and automation are not sufficient, what will it take to finally return harmony to the SOC as attackers favor ransomware, extortionware, and sophisticated malware? It starts with architectures and frameworks to restore much needed order to respond to threats efficiently and effectively.

Transition from on-prem to cloud

As organizations transition from primarily on-premises architectures to a hybrid of on-prem and in-cloud infrastructure, the SOC needs a new strategy. Network-centric security like intrusion detection system (IDS) once allowed analysts to view all traffic coming and going, but now traffic is coming from everywhere and on any device, requiring a new layer to meet varying needs.

It is said that cloud is not inherently less secure than on-prem solutions, but it still requires separate security protocols and requirements compared to bare-metal server-based applications or even those running within a virtualized server.

Ongoing auditing for Zero Trust policies and actions

If we bring together the need for architectures and frameworks with the transition to cloud, there is one clear path — Zero Trust. Now, without a perimeter in the hybrid world, it makes the most sense to protect resources (e.g., data, identities, and services) regardless of location.

The essential truth of Zero Trust is “never trust, always verify.” Using this approach, implicit trust is removed and replaced with continuous validation of digital transactions. While SOCs typically do not set these types of security policies, they do play an integral role in its success. As an additional layer of verification to further reduce risk, the SOC becomes an ongoing auditing function to detect and stop attacks across the cyberattack lifecycle.

Assume breach, proactively hunt

With the Zero Trust principles in place, if the organization always assumes there is a breach, it makes the most sense to proactively hunt for threats. To do this, many organizations leverage the MITRE ATT&CK™ framework alongside standards like the National Institute of Standards and Technology (NIST).

This recommendation alone can seem out of touch for SOCs already bombarded with a massive amount of log and event data from point products, but that is not to say adopting frameworks like MITRE ATTACK™ are out of reach. Based on the capabilities of your security operations, you can ensure the framework will not become yet another source of underutilized threat data by mapping it to your stage of maturity.

  • Reference data and enrichment: Through a tool that makes it easy to access and share across teams, security analysts can use the data from the framework as a detailed source to manually enrich their analysis of events and alerts.
  • Indicator or event-driven response: Analysts can incorporate capabilities in their operational workflows like automatically correlating events with indicators from the framework. This shines a light on the who, what, when, why, and how of an attack to speed up the prioritization process.
  • Full-fledged, proactive threat hunting: Sophisticated SOCs can take full advantage of the framework, rather than narrowly focusing on bits and pieces of suspicious data. By starting from the organization’s risk profile and understanding the attacker’s tactics, techniques, and procedures (TTPs), analysts can proactively hunt for attacks that could hurt the business most.

To improve accuracy and scale threat detection, SOCs can use a SIEM solution like LogRhythm for visibility into ATT&CK TTPs. With prebuilt content mapped to the framework, SOCs gain deep visibility into adversaries so that SecOps can take action.

Read more resources from Cadre

Comments are closed.