What is a Security Operations Center (SOC)?
A Security Operations Center (SOC) is a team of cybersecurity analysts who monitor cyber threats 24/7 and respond to incidents as part of a company’s cybersecurity strategy to protect the enterprise. A SOC could be an in-house facility and team, a virtual SOC, or a “SOC-as-a-service” function managed by a third party, called a managed security service provider (MSSP), such as Ensign InfoSecurity or Unlimited Technology. Whichever way a SOC is housed, configured, or managed, SOCs are integral to preventing, detecting, and analyzing threats, as well as pivoting to triage, response, and recovery when incidents do occur.
Why are Security Operations Centers so critical right now?
A recent AT&T Cybersecurity blog post sums up why SOCs are so critical: “A well-run security operations center (SOC) stands as the central nervous system of an effective cybersecurity program.” The SOC provides the window onto a vast threat landscape, marked today by highly organized threat actors whose Tactics, Techniques, and Procedures (TTPs) are constantly changing across both widespread and targeted attacks. Companies are struggling to keep up. The Accenture “State of Cybersecurity Report 2020” points out that 69% of organizations say that “staying ahead of attackers is a constant battle and the cost is unsustainable.”
SOCs are transforming to manage this reality as part of enterprise security at large, calling on skilled analysts and innovative tools to ramp up their detection and response capabilities. Gartner predicts that, “By 2022, 50 percent of all SOCs will transform into modern centers with integrated incident response, threat intelligence and threat hunting capabilities, up from less than 10 percent in 2015.” While SOCs emerged in the 1970s for defense and government agencies (see HP’s Evolution of the SOC), today they are the backbone of many digitally mature companies’ cybersecurity efforts, whether in-house or outsourced, particularly as digital transformation has taken hold across sectors.
What are Security Operations Center analysts’ biggest challenges?
What is one of the top challenges every VP of Security Operations, SOC manager, and SOC analyst faces today? The cyber talent gap. The number of unfilled cybersecurity positions has surpassed four million worldwide, up 28% from last year. As a result, the ratio of threats versus the number of cybersecurity specialists on hand to detect, triage, and respond is severely lopsided. All organizations face a daily balancing act of staying steps ahead of hackers with limited human resources. In short, cyber analysts are overwhelmed.
Network defense is an integral part of a broader cybersecurity strategy, and it needs particular attention from the SOC because bad actors can evade traditional security techniques such as endpoint security, firewalls, and signature-based detection. Network traffic volume keeps growing as the digital economy accelerates. Specifically, Capgemini reports that, “Global business internet traffic is expected to increase three-fold from 2017 to 2022.”
What specific challenges for SOC analysts emerge from this cyber reality?
In most enterprise networks, anomalies are a standard occurrence, so detection alone is not enough. An NDR solution such as IronDefense can orchestrate the collection of contextual data from multiple sources and apply the collective wisdom of the nation’s top cyber offensive and defensive operators, delivering ranked threats that distinguish the malicious from the merely anomalous. Behavioral analytics can improve accuracy and keep the security team focused on high-priority threats while also reducing hunt time.
Traditional approaches to network threat detection are not keeping up with the sophistication, frequency, and scale of cyber attacks. Endpoint detection, firewalls, and traditional signature-based threat detection cannot identify unknown threats. By contrast, Network Detection and Response solutions based on network behavior widen visibility of the threat landscape.
Pivoting to triage
As the role of SOC analysts broadens to include response, SOC teams need a way to pivot quickly to triage. Cyber threat hunting expertise and full Packet Capture (PCAP) analysis enable security teams to quickly pivot from anomaly detection and triage to active hunt and remediation. IronDefense threat detection offers a way to transition to triage in SOAR platforms such as Splunk Phantom or Demisto XSOAR.
Multiple cyber tool overload
Even though Gartner projects that worldwide spending on information security will grow at a compound annual growth rate (CAGR) of 8.8% from 2018 to 2023, results have not kept pace, as the number and severity of attacks indicate. Most cyber spend goes to tools with limited scope to detect sophisticated threats. SOC teams do not need more tools; instead, they need more effective ones, such as behavior-based NDR solutions that streamline their technology portfolio.
Mature enterprise SOCs and MSSPs already have an ecosystem of products they rely on, and they already have a single pane of glass within their SIEM, methods for conducting automated responses within their SOAR, and ticketing and asset management systems in place. No SOC analyst wants to throw aside what’s working. Tools that enhance detection and response, therefore, must integrate easily across the security ecosystem to bring real value.
What are some common Security Operations Center tools?
Endpoint security tools
Endpoint security helps eliminate certain intrusions before they start by identifying activity with signatures and by monitoring the host for unusual endpoint-centric activity. Endpoint Detection and Response (EDR) solutions deliver the additional ability to contain a host should something malicious be detected.
Firewalls
A firewall helps protect the environment from known bad activity. As threat intelligence is created and disseminated, firewalls are updated with the latest indicators of compromise (IoCs), and firewall policies are put in place to drop that activity as it enters or leaves the network. Additionally, next-generation firewalls (NGFWs) can flag and log certain activity without blocking it, using simple rule logic.
Threat intelligence platforms (TIPs)
Threat intelligence platforms and products serve up evidence-based information about known threats, including indicators of compromise (IoCs), their implications, and advice for threat mitigation (or threat response). SOC analysts leverage threat intelligence, often via feeds, to inform how they take action when threats are detected.
Network Detection and Response
Network Detection and Response (NDR) is a burgeoning field of cybersecurity that enables organizations to monitor network traffic for malicious actors and suspicious behavior, and react and respond to the detection of cyber threats to the network. NDR tools find more sophisticated and unknown threats than traditional security tools used alone. The rise of NDR systems reflects the growing number of systemwide attacks by criminal actors ranging from hackers to nation-states.
Security information and event management (SIEM)
A security information and event management (SIEM) system combines security event management (SEM) and security information management (SIM) technologies. SIEM tools allow SOC analysts to review network logs and event data and to report on that log data. AT&T Cybersecurity reports that 76 percent of cybersecurity professionals said the use of SIEM tools led to reduced security breaches.
Security orchestration, automation, and response (SOAR)
Security orchestration, automation, and response (SOAR) technologies such as Splunk Phantom enable organizations to observe, assess, and respond to security incidents from a single interface. Rated IronDefense detections, for example, can feed into Splunk Phantom or Demisto SOAR platforms. Many SOCs look to SOAR platforms to help alleviate alert fatigue.
IT service management (ITSM) integrations
Large enterprises are driven by ticket management. ITSM integrations in ServiceNow, for example, focus on enabling workflow. With IronNet detections, SOC analysts can create ServiceNow events while triaging the detections, eliminating the significant and tedious task of copying information from one product to another.
What types of network threats does a Security Operations Center monitor?
SOCs can leverage behavioral analytics to monitor threats on the network. By looking for anomalous behavior (instead of just known threats), SOC analysts can gain a bigger picture of the threat landscape, seeing unknown threats.
NDR solutions are engineered to introduce minimal friction into SOCs while still providing network threat detection. NDR sensors are deployed off a SPAN or TAP port to passively monitor network traffic.
Examples of anomalous network activity include the following:
Malicious DNS tunneling activities
Unusually large data uploads
A user uploading large amounts of data at an exceptionally fast rate, where they have never moved this much data before.
Malicious use of standard protocols
An adversary using protocols such as DNS, HTTP, or TLS to blend in with benign traffic patterns, usually over ports 53, 80, or 443.
Lateral movement between systems
A chain of activity whereby a user starts from one system and then pivots to a second, creating anomalous traffic chains over common remote access protocols.
Command and control beaconing
A compromised entity calling back to a command and control server, activity that can be hard to tell apart from normal software update traffic in a noisy network. Attackers may randomize the behavior by adding jitter to the beacon timing to obfuscate the activity and avoid detection.
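The behaviors listed above are what a behavior-based detector looks for instead of signatures. The following is an added illustration, not IronNet or IronDefense code, of three such detectors run over constructed flow and DNS records: near-periodic callbacks (beaconing survives jitter because the inter-arrival times still have a low coefficient of variation), long high-entropy DNS labels sent to one zone (a DNS tunneling heuristic), and outbound volume measured against each source's own baseline rather than a global threshold. All thresholds, addresses, the `tunnel-example.test` zone and the record layout are assumptions chosen for the demo.

```python
"""Toy behavioral detectors for beaconing, DNS tunneling and upload spikes.

Added illustration; not vendor code. Every record below is constructed sample
data and every threshold is an assumed tuning knob, not a recommended default.
"""
import math
import statistics
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    ts: float        # seconds since epoch (constructed)
    src: str
    dst: str
    dport: int
    bytes_out: int


@dataclass(frozen=True)
class DnsQuery:
    ts: float
    src: str
    qname: str


def shannon_entropy(s: str) -> float:
    """Bits per character; random-looking tunnel payloads score high."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def detect_beaconing(flows, min_events=6, max_cv=0.35):
    """Flag (src, dst, dport) tuples whose inter-arrival gaps are nearly regular.

    Jitter widens the gap distribution but, unlike human-driven traffic, keeps the
    coefficient of variation (stdev / mean) small; max_cv is the tolerance."""
    by_pair = defaultdict(list)
    for f in flows:
        by_pair[(f.src, f.dst, f.dport)].append(f.ts)
    hits = []
    for key, times in by_pair.items():
        if len(times) < min_events:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue
        cv = statistics.pstdev(gaps) / mean
        if cv <= max_cv:
            hits.append({"key": key, "period_s": round(mean, 1), "cv": round(cv, 3)})
    return hits


def detect_dns_tunneling(queries, min_label_len=30, min_entropy=3.5, min_queries=5):
    """Flag sources sending many long, high-entropy subdomains to a single zone."""
    per_zone = defaultdict(list)
    for q in queries:
        labels = q.qname.rstrip(".").split(".")
        if len(labels) < 3:
            continue
        zone = ".".join(labels[-2:])       # registrable part, e.g. example.com
        per_zone[(q.src, zone)].append(".".join(labels[:-2]))
    hits = []
    for (src, zone), subs in per_zone.items():
        odd = [s for s in subs if len(s) >= min_label_len and shannon_entropy(s) >= min_entropy]
        if len(odd) >= min_queries:
            hits.append({"src": src, "zone": zone, "count": len(odd)})
    return hits


def detect_upload_spike(flows, baseline_bytes, factor=10.0):
    """Flag sources whose outbound bytes in this window exceed factor x their own
    historical per-window baseline (per-user norm, not a global threshold)."""
    totals = defaultdict(int)
    for f in flows:
        totals[f.src] += f.bytes_out
    return [{"src": s, "bytes_out": b, "baseline": baseline_bytes[s]}
            for s, b in totals.items()
            if baseline_bytes.get(s, 0) > 0 and b >= factor * baseline_bytes[s]]


# ---- constructed sample data -------------------------------------------------
BASE = 1_700_000_000.0
SAMPLE_FLOWS = (
    # 10.0.0.5 calls 203.0.113.7:443 about every 60 s with a few seconds of jitter
    [Flow(BASE + t, "10.0.0.5", "203.0.113.7", 443, 1200)
     for t in (0, 58, 122, 179, 241, 299, 362, 419)]
    # 10.0.0.9 browses 198.51.100.2:443 in irregular, human-driven bursts
    + [Flow(BASE + t, "10.0.0.9", "198.51.100.2", 443, 40_000)
       for t in (0, 3, 40, 41, 200, 205, 600, 601)]
    # 10.0.0.21 pushes three large uploads to 192.0.2.10:443 in this window
    + [Flow(BASE + t, "10.0.0.21", "192.0.2.10", 443, 15_000_000) for t in (10, 70, 130)]
)
BASELINE_BYTES = {"10.0.0.5": 500_000, "10.0.0.9": 3_000_000, "10.0.0.21": 2_000_000}
TUNNEL_ZONE = "tunnel-example.test"   # constructed zone, not a real indicator
SAMPLE_DNS = [
    DnsQuery(BASE + i, "10.0.0.5", f"{label}.{TUNNEL_ZONE}.")
    for i, label in enumerate((
        "a7k3mq9zxd2fw8lp5bn4cv6hj0ryt1ug", "q2w9e4r7t1y5u8i3o6p0asdfghjklzxc",
        "zx8cv3bn6m1qw4er7ty0ui5op2as9dfg", "m5n8b2v9c4x1z7l3k6j0h4g2f8d1s5a9",
        "p0o9i8u7y6t5r4e3w2q1a2s3d4f5g6h7"))
] + [DnsQuery(BASE + 5, "10.0.0.9", "www.example.com."),
     DnsQuery(BASE + 6, "10.0.0.9", "mail.example.com.")]


def run_detectors():
    """Convenience wrapper returning all three detectors' findings for the sample."""
    return {"beaconing": detect_beaconing(SAMPLE_FLOWS),
            "dns_tunneling": detect_dns_tunneling(SAMPLE_DNS),
            "upload_spike": detect_upload_spike(SAMPLE_FLOWS, BASELINE_BYTES)}


if __name__ == "__main__":
    for name, findings in run_detectors().items():
        print(name, findings)
```

On the sample data only 10.0.0.5 shows a regular callback and a burst of long random labels, and only 10.0.0.21 exceeds its own upload baseline; the human-driven browsing host trips nothing. In production the same logic needs a learned baseline per entity and a feedback loop from analysts, which is the ranking and triage layer the page describes rather than these raw heuristics.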
How does Collective Defense support Security Operations Centers?
Collective Defense, the vision and mission of IronNet, is a new approach to cybersecurity that facilitates real-time knowledge sharing and correlated threat detection with contextual awareness.
IronNet’s IronDome platform pools threat knowledge and intelligence in real time, enriched with situational analysis, so SOC teams at companies, industries, states, and nations can work together to defend against a threat immediately, within and across sectors. Collective Defense makes it more challenging for an attacker to reuse the same TTPs to “cherry-pick” enterprises one at a time, as they do today. IronDome uses encrypted data, enabling SOCs to securely share anonymized alert data and collectively amplify threat detection without running afoul of the valid legal, IP, and other concerns executives may have about information sharing.
One of the primary values of applying Collective Defense to cybersecurity comes from multiplying the number of data streams analyzed, far beyond what any one company or SOC has access to, or could even sort through on its own. This approach provides troves of information on network traffic characteristics, context, and behaviors that, when analyzed collectively across multiple organizations, give SOCs in the Collective Defense ecosystem wide-scale visibility into pervasive threats. But the human element is just as critical. Human-driven feedback within the collective defense ecosystem prompts analyst-driven insights to enhance and qualify threat intelligence, making threat information more relevant and effective.