The Journey to an Intelligent SOC

May 07, 2018 | by Arthur Fontaine

You CAN Get There From Here
In the RSA intelligent SOC blog series, we’ve examined the characteristics that make a SOC intelligent. An intelligent SOC can be the cornerstone of your organization’s broader effort to manage digital risk.

An intelligent SOC holistically integrates all security tools and activities, positioning an organization to defend against the most sophisticated threats and determined adversaries. This approach is powered by an evolved SIEM, which combines comprehensive visibility, advanced analytics, and rich orchestration and automation capabilities, and extends the value of security with two-way support for the business and risk inputs that drive organizational strategy.  An intelligent SOC makes your organization better at detecting and responding to threats, in less time, while driving maximum value from all your security investments in people, process, and technology.

Of course, the wide variation in SOC styles and maturity makes it difficult to position a single approach as right for everyone. For many CISOs and SOC managers, the principles of the intelligent SOC remain aspirational. While it would be great to have - and to reap all the benefits - there are fires to put out today, and planning, budgeting and evaluation processes required when considering changes in security.

In this sense, it’s a journey for the organization aspiring to achieve an intelligent SOC end state. Which makes sense….just think how much your SOC (and the overall threat landscape) has evolved over the past five years.

So, how does your journey look? You’re probably farther along than you think.  The good news is that an intelligent SOC takes advantage of all of your current security investments, with an evolved SIEM as the centerpiece of your existing SOC.

Let’s take a look at the requirements for an Intelligent SOC.

Visibility, Visibility, and More Visibility
Evolved SIEM ingests and normalizes the data from servers, solutions, and OSs across logs, network, Netflow, and endpoint data sources whether hosted on-premises, in the cloud, and/or in virtualized containers. If that sounds like a lot, it is.

There are two reasons that visibility is so important. Obviously, the first benefit is that you can see activities that are otherwise unavailable to you. For example, if you only monitor logs, you can’t reconstruct sessions to review what actually happened. Similarly, if you can’t access data in the cloud or on endpoints, you’ll miss any indicators that occur there.

A second benefit is in correlating disparate indicators.  Logs remain incredibly important in alerting to an intrusion attempt. However, logs can be augmented with increased visibility from data, such as network packets and endpoint. A standard correlation rule showing five failed login attempts to a Windows server might indicate password guessing or brute force attacks. Adding in network visibility to reveal that the user then zipped a file and sent it to an IP blacklisted by live threat intelligence gives a much clearer and more actionable view of what is taking place.

The basic point is that you need as much visibility as possible in order to effectively identify and respond to threats. In this part of your journey the questions to ask are around the types of visibility you have in place, and the opportunity to improve by adding components, such as network monitoring or endpoint detection and response (EDR).

Analytics that Work
Of course, capturing all that data is not useful if you can’t analyze it appropriately. This is the lament with the first generation of SIEMs: alerts are worthless if there are too many, especially if you can’t prioritize them in a meaningful way.

Data science has stepped in to close this gap. With new, advanced techniques in machine learning, user and entity behavior analysis (UEBA), and real-time threat intelligence, an evolved SIEM can turn data into insight and compress mean time to detection (MTTD) to find threats before they cause damage.

As you plot your journey, review how effective your SOC’s analytics capabilities are. In particular, consider how scalable your SIEM platform is, and whether it’s evolved sufficiently to handle disparate data sources and types in a single engine – because if you have multiple solutions and user interfaces, it’s likely that your correlation capabilities are limited.

Automation and Orchestration is a Security Superpower
Finding threats is important, but it’s just the start. As the volume and velocity of threats increases, an intelligent SOC may find itself still battling alert fatigue. Even with prioritization, many organizations will struggle to effectively triage, investigate, and respond to the continuous threats they face.

The intelligent SOC features security orchestration, automation and response (SOAR) capabilities that dramatically increase the effectiveness of the SOC and its people. Consider that the majority of threats are not unknown, but are repeats (often with slight variation) of known exploits: back doors, ransomware, botnets, etc. Every time one of these is detected, a standard set of investigative and remediation steps is followed. A full SOAR solution will automate these common activities, while orchestration improves your team’s  process of working through the investigations.

In this dimension of the intelligent SOC, examine how your tools and processes aid in the very important process of dealing with threats once you detect them.

Managing Digital Risk with an Intelligent SOC
Lastly, an intelligent SOC has awareness of its critical role in the strategic risk management activities of a modern organization. It breaks down the silos between the security and risk management groups, recognizing that they’re two sides of the same coin. Digital security represents one of the biggest risks faced by any organization, while business risk policies provide a crucial layer of intelligence for your security activities.

A response that ignores the relative value of assets is inherently less complete. For example, a computer holding payroll or pricing information warrants greater attention than a simple HTTP server hosting your cafeteria’s menu and other non-critical assets. You certainly want to monitor both, but for a threat discovered on both, the more critical system will merit higher priority.

In this case, the journey requires an evaluation of the relationship between the business risk and security functions. It’s the next frontier in cybersecurity; in a recent study  , 82% of respondents consider security breaches to be a business risk, not just a security risk, while 73% of respondents agreed that the relationship between IT security and business risk teams can be difficult to coordinate. The intelligent SOC addresses this disparity through thoughtful integration.

A Journey Begins with a Single Step
Actually the Tao Te Ching quote is, “A journey of a thousand miles begins with a single step.” Your journey may be considerably less than that, as components of an intelligent SOC include things you already have.

What’s important is starting the journey. As you evolve your SOC to an intelligent SOC, assess where your dimensions of visibility, analytics, automation, and risk fall. With that knowledge you can build your roadmap in a sequence that delivers maximum impact and cost effectiveness.

# # #

Join RSA for a webinar on June 14 to get tips about mapping your journey to the intelligent SOC.  Learn more about the capabilities of the RSA NetWitness® Platform evolved SIEM on rsa.com.

Author: Arthur Fontaine

Category: RSA Fundamentals, Blog Post

Keywords: Evolved SIEM, Intelligent SOC, Authentication, Orchestration, O & A