Welcome to the final installment in our blog series detailing the case for change and best practices for creating and maintaining Security Operations Centers (SOCs). Catch up by reading last week’s post on the four-step process to handle identification, triage, and investigation in your SOC.
In the past few weeks, we’ve given you the blueprint for building a successful SOC: documenting the right requirements, hiring the right people, and establishing a comprehensive process for finding the true threats amidst all the white noise.
Recent studies find that companies that incorporate Security Information and Event Management (SIEM) and Security Operations Center solutions into their cybersecurity portfolio save nearly $2 million, with a 23 percent return on investment. Consequently, many organizations deploying these tools expect them to resolve their IT service problems and stop cyberattacks.
We purposely saved technology for last because deploying tools for the sake of deploying them will do nothing. Without the right people or process, hackers will win every single time. Now that you’ve had the chance to put the right people and process into place, you can empower your SOC with the right technology to stay one step ahead of hackers.
An enterprise-wide data collection, aggregation, detection, analytics, and management solution is the core technology of a successful SOC. An effective security monitoring system incorporates data gathered from the continuous monitoring of endpoints (PCs, laptops, mobile devices, and servers) as well as networks and log and event sources.
With the benefit of network, log, and endpoint data gathered prior to and during the incident, SOC analysts can immediately pivot from using the security monitoring system as a detective tool to using it as an investigative tool, reviewing suspicious activities and then responding to them accordingly.
Ensuring that the technologies employed in a SOC are integrated with one another is vital to avoiding data silos and confusion. To break down these silos and provide a single dashboard from which security analysts can monitor the enterprise, SOCs generally use a security information and event management (SIEM) system that aggregates and correlates the data from all security feeds, including:
- Network discovery and vulnerability assessment systems
- Governance, risk and compliance (GRC) systems
- Website assessment and monitoring systems
- Application and database scanners
- Penetration testing tools
- Intrusion detection systems
- Intrusion prevention systems
- Log management systems
- Network behavior analysis
- Wireless intrusion prevention system
- Enterprise antivirus and unified threat management
When you funnel information from all these data points into your SOC, you’ll enjoy three important benefits:
- Adding context to security incidents. Often, an alert to the SOC is associated with network or host-based activity, and initially it may contain only the suspicious endpoint’s IP address. For a SOC analyst to investigate properly, other information is needed, such as the owner and hostname of the machine, or DHCP records that map the IP address to a host at the time of the alert. If the security monitoring system incorporates asset and identity information, the analyst gains a large time and effort advantage, as well as the ability to prioritize just how important this security incident is to the business.
- Defining “normal” through baselining. Earlier, we noted that there will be many “false alarms”, especially at the beginning of a SOC implementation. A clear understanding of normal activity for users, applications, infrastructure, networks, and other systems is an advantage of aggregating data from multiple enterprise sources. With that baseline, analysts can more easily detect suspicious behavior that falls outside “business as usual” activity and reduce false positives.
- Evolving threat intelligence. SOCs are never “once and done”; the SOC must stay ahead of evolving threats. Operationalizing threat intelligence and using it to spot patterns in endpoint, log, and network data, as well as anomalies relative to past alerts, incidents, or attacks, enhances a company’s ability to quickly detect, protect, and respond.
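As an added illustration of the first benefit above (example code written for this post, not the original article's code nor a US Cyber Vault product), the enrichment below resolves an IP-only alert against constructed DHCP lease records and a constructed asset inventory. The lookup matches the lease that was active at the alert's timestamp, so a DHCP address reused by two machines in one day is attributed to the right host; all hostnames, owners and addresses are invented sample values.

```python
from datetime import datetime

# Constructed sample data (not from the original post): DHCP lease records
# as exported from a DHCP server, and an asset/identity inventory keyed by hostname.
DHCP_LEASES = [
    # (ip, hostname, lease_start, lease_end) -- the same address changes hands at 16:30
    ("10.1.5.23", "LT-JSMITH", "2024-03-01T08:00:00", "2024-03-01T16:00:00"),
    ("10.1.5.23", "LT-ACHEN", "2024-03-01T16:30:00", "2024-03-02T00:30:00"),
    ("10.1.5.40", "SRV-PAYROLL", "2024-02-28T00:00:00", "2024-03-31T00:00:00"),
]

ASSETS = {
    "LT-JSMITH": {"owner": "jsmith", "criticality": "low"},
    "LT-ACHEN": {"owner": "achen", "criticality": "low"},
    "SRV-PAYROLL": {"owner": "finance-ops", "criticality": "high"},
}

# Business criticality drives triage order; an asset missing from the inventory
# is not dropped but ranked in the middle so an analyst still looks at it.
PRIORITY_BY_CRITICALITY = {"high": 1, "medium": 2, "low": 3}
UNKNOWN_PRIORITY = 2


def lease_at(ip, when):
    """Return the hostname that held `ip` at time `when`, or None if no lease
    covered that instant. Matching against the lease active when the alert
    fired, rather than the current lease, avoids blaming the wrong machine."""
    for lease_ip, host, start, end in DHCP_LEASES:
        if lease_ip == ip and datetime.fromisoformat(start) <= when < datetime.fromisoformat(end):
            return host
    return None


def enrich_alert(alert):
    """Attach hostname, owner, criticality and a triage priority to an alert
    that carries only a source IP and an ISO-8601 timestamp."""
    when = datetime.fromisoformat(alert["timestamp"])
    host = lease_at(alert["src_ip"], when)
    asset = ASSETS.get(host, {})
    enriched = dict(alert)
    enriched["hostname"] = host
    enriched["owner"] = asset.get("owner")
    enriched["criticality"] = asset.get("criticality", "unknown")
    enriched["priority"] = PRIORITY_BY_CRITICALITY.get(enriched["criticality"], UNKNOWN_PRIORITY)
    return enriched


if __name__ == "__main__":
    # Constructed alert: at 18:00 the address belongs to LT-ACHEN, not LT-JSMITH.
    print(enrich_alert({"src_ip": "10.1.5.23", "timestamp": "2024-03-01T18:00:00"}))
```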
Visit our website to learn how US Cyber Vault’s managed security services deliver security operations center, analyst, intelligence and incident response capabilities rapidly, enabling companies to save up to 90 percent on traditional cybersecurity costs.