Knocks on SOCs are not uncommon: Too many security operations centers are rudimentary, and organizations in almost all industries need to upgrade their capabilities.
Some security operations centers (SOCs) run 24/7; others are 9 to 5. All focus on network monitoring and triage, looking at alerts and indicators of compromise to ensure performance metrics and service-level agreements are met. Coordination with IT or network operations centers (NOCs) may occur through dashboards or other communications, depending on the company.
But security operations centers may not be as common as people think. And those that are operational often focus on detection and remediation with functions dispersed across groups and infrastructure, including the cloud. Security analysts who specialize in network intrusion detection, cyberthreat intelligence, reverse malware engineering, computer forensics, vulnerability scanning, network mapping and discovery and cyber incident response are often far from the reality.
Randy Marchany, CISO at Virginia Tech, said the university’s SOC project has been put on hold for a few reasons. For starters, they switched security information and event management (SIEM) platforms and are ramping up their log analytics with help from the open source Elastic Stack, sometimes referred to by its former name, ELK — Elasticsearch for indexing and searching logs, Logstash for routing them to the data store and Kibana for visualization.
When his team was reviewing the log data requirements for the SOC, they first had to work on identifying the network, system and endpoint logs the SOC needed, then find the on-premises and cloud infrastructure that collect that specific event data and get copies of it.
“We now have about 40 billion queryable events in our ELK stack,” Marchany said. “Some of the data feeds include authentication servers, [intrusion detection systems] like Snort and FireEye, and system logs from a couple of thousand hosts.”
The lack of big data analysis tools that can work with wide varieties of data is a major obstacle. “That’s one of the reasons I think people say SOCs are not very effective yet,” said Marchany, who noted that machine data analysis software Splunk is a great tool but too costly for Virginia Tech.
Bob West, a CISO and founder of advisory firm Echelon One, said SOCs are getting better at integrating information into SIEM tools, and many have staff that can respond to the technical aspects of most security incidents. However, many SOCs lack visibility into endpoints and network traffic.
“Security operations centers have good information on historical traffic through logs,” West said. “But what they really need is insight into what’s happening right now on the network; they need the ability to respond to a zero-day attack.”
The Future SOC: SANS 2017 Security Operations Center Survey released in May by the SANS Institute noted progress but identified similar shortcomings. The survey found that SOCs are maturing and becoming multifunctional. The majority of the 309 IT security professionals surveyed worldwide said they are satisfied with their flexibility of response (67%), overall response time (65%) and containment abilities (64%).
Weaknesses include SOC-NOC coordination and effectiveness, and unknown threat detection; 45% of respondents said they were not satisfied with their SOC’s ability to discover zero-day exploits. “These are clear areas where more automation and integration will help organizations take their SOCs to the next level,” stated Christopher Crowley, information assurance consultant with Montance LLC and author of the SANS study.
Providers such as ServiceNow (cloud computing), Cylance (artificial-intelligence-based threat prevention) and Tanium (endpoint systems management) can help organizations with network visibility and response, West said. And dozens of products automate log management — including Splunk and Elastic Stack, which have been adopted worldwide.
Elastic Stack — an open source technology that became available in 2010 — has become popular with many SOCs as a way to automate some of the tools and visualize the data so the SOC can take action, noted Todd Bell, vice president at Intersec Worldwide, an IT security and compliance services provider based in Newport Beach, Calif.
“Every security organization now realizes that they need to always keep automating,” Bell said. “Because when they start to integrate more of the security tools together, they can obtain a higher ROI and get a better perspective of what’s happening through automation within the enterprise in real time, as opposed to having lots of single-point solutions but no way to correlate the captured data.”
Data has become overwhelming as more security tools come online, he continued. That’s why companies such as machine learning startup Versive have come into the market to take in large amounts of data and start automating the threat hunting process for SOCs.
Higher levels of incident response
Integration of tools and increased automation may help security analysts prioritize security threats, but once a serious security incident has been identified, many organizations lack a sophisticated incident response process. While security analysts and SOC managers are trained to handle the technical side, there’s much more to incident response than merely identifying malware and deleting it from the network. West advises CISOs to take the time to develop better relations with the C-suite and create a plan for how they will present a cybersecurity event to the public. Many organizations — publicly traded companies, small and medium-sized businesses and others — should cultivate relationships with the local and national media so the reporters know what they’ve been doing behind the scenes before a major incident takes place. CISOs should also form relationships with local law enforcement and FBI teams that handle computer crimes.
Erik Devine, the chief information security and technology officer at Riverside Healthcare, based in Kankakee, Ill., said that one of his first moves when he took the job was to develop a relationship with the local FBI security team.
“We have been very proactive on this front: In the first two years I was on the job, I had them come in and do a presentation for us,” he said. “Now, I have a connection at the FBI. They know me; they’ve met our CEO and are comfortable with our organization. That was a huge win for us. If we have an incident, we won’t be working from scratch; that’s very important. I’m not saying that hospitals should turn over everything to the FBI. On the other hand, the FBI has some of the top performers in the security industry, and they can be very valuable during an attack.”
Jon Oltsik, a senior principal analyst at the Enterprise Strategy Group and founder of its cybersecurity practice, said SOCs need to do a better job developing three-year plans so they can better target technology and manpower needs for the years ahead.
“CISOs should assume that the skills shortage will impact all security operations for the next few years,” Oltsik said. “This means that SOC strategies should focus on items such as technology integration, automation [and] orchestration, and security analyst productivity.”
Forticode, a software provider in Melbourne, Australia, that specializes in mobile authentication, has numerous playbooks that are predetermined courses of action to ensure that the company has a consistent and reliable form of incident response. The playbooks are constantly updated and feed into the strategic objectives for how the SOC will operate one, three and five years from now.
Bell, who provides CISO executive services to Forticode and serves as a member of the company’s advisory board, said he developed the plan based on the following concepts:
- Improved data analysis. Data collection has expanded rapidly, and it’s getting harder to sift through the massive amounts of data.
- Visibility. With more data, speed to respond becomes more critical, and having a single pane of glass has become paramount to see how events are unfolding.
- Network monitoring. Most SOCs have blind spots, which means they need to improve monitoring.
- Artificial intelligence. The industry will see more opportunities for AI to make cognitive decisions and automation through machine learning that follows programmatic functions.
“I do see a future where we use ‘template-driven outcomes’ in which future security events such as a zero-day RAM memory attack will become fully automated and will ‘operationalize’ the SOC within seconds, performing incident response much faster than humans,” Bell said.
Erik DevineChief information security and technology officer, Riverside Healthcare
Riverside Healthcare’s Devine said he’s interested in the potential of AI to automate log data analysis, mainly to eliminate manual work and to generate more precise documentation of network trends.
“In the future, AI could become the third-party SOC for a lot of organizations, but it’s not proven yet,” Devine said. “We’d also like to develop better documentation so we understand it and especially so the clinical people understand better what’s happening on the network.”
SOC as a service
The concept of a SOC is a great idea, but the costs are enormous, and it requires hiring, dedicating resources and purchasing a lot of tools with heavy monitoring to have a successful operation.
Bell said he tries to make the cybersecurity positions interesting within the organization, and he likes to keep the higher-level functions in-house and outsource the lower-level functions to a third-party vendor that can usually perform the work for a fraction of the cost of the in-house team.
“I am seeing a shifting trend to outsourcing a SOC because of cost and resource constraints,” he added. “For instance, ServiceNow has a SOC that takes all the security operations data and can scale a solution that’s nearly half the [cost] of starting up a SOC in-house. Not having to deal with the hiring pains, working with lots of vendors for all the tools and updates, the required training and testing for all the SOC staff and having people who actually know what to do in a crisis is a monumental task.”
Security operations centers ultimately need a person who will be a “cool operator” in a crisis and not treat every high-alert event as if it’s the big security incident the SOC has been waiting for.
“I used to be a wildland firefighter, and every time the pager-radio would sound the emergency tone, we were always hoping for a big fire because we’d get to put all of our skills and experience that we had been trained for to work,” Bell said. “Being in an idle mode of operation does get boring. The same is true for SOCs. The SOC work can get boring at times, and it’s hard to strike the right balance of being prepared and not being overreactive.”
Of course, knowing how tense SOCs are these days, a little bit of boring may be welcome.