By Dan Pitman, Principal Security Architect, Alert Logic
As an organization's first line of defense, a high-performing Security Operations Center (SOC) is essential for detecting security incidents. But the confluence of increasingly complex IT environments, a shortage of skilled security professionals, and a constantly changing and expanding attack surface is making the SOC's job harder than ever.
Ultimately, the success of a SOC is defined by its ability to prevent or mitigate cyberattacks. While no organization is immune to attacks, meeting a few benchmarks puts a SOC in a better position to achieve successful outcomes. SOCs may struggle to meet these benchmarks because of resource and talent constraints. In those cases, enlisting a Managed Detection and Response (MDR) partner can help.
Emphasize the human element
Enterprise spending on cybersecurity products continues to rise. Despite a lower growth rate than was forecast before the coronavirus pandemic, Gartner expects information security spending to grow 2.4 percent to reach $123.8 billion in 2020. Faced with security staff shortages and skill deficits, organizations are adopting an array of technology tools and services to bolster their IT security strategy.
While technology is foundational to strong security, on its own it adds limited value to the SOC. Managed Security Services (MSS) can help resource-constrained security teams extend their coverage and block basic, well-known attacks. But MSS is inadequate for responding to major, novel, or unusual security incidents.
Attackers are employing sophisticated and rapidly evolving techniques. Attacks unfold in multiple incremental steps, often over weeks or months. The combination of multiple disjointed tools and services used by most SOCs produces data that is difficult to normalize, and the tools themselves are often tuned down to uselessness because the staff are too constrained to make sense of their output.
The complexity of today's threats requires human experts to interpret and validate events and assess their potential impact. The threat landscape evolves daily, so what worked in one instance may not work the next time. Human analysis combined with threat intelligence is critical to responding to threats and minimizing the damage they can inflict.
Retain your talent
In addition to foundational security abilities, responding to today's threats requires analysts with expertise in specific disciplines. A strong threat intelligence team, for example, will have comprehensive knowledge of threats informed by continuous research. That context lets them triage the thousands of new vulnerabilities disclosed every week and quickly identify the ones with the greatest potential for exploitation and damage to the organization.
The ability to retain security talent is crucial for the SOC, because acquiring the knowledge and experience required to combat today's security threats takes time. Unfortunately, companies struggle to retain SOC analysts, and the number of security professionals is not growing to meet demand.
While there are several reasons for SOCs' high turnover rates, there are a couple of proven ways to improve talent retention: giving analysts the opportunity to work on projects outside their daily responsibilities, and offering training opportunities for career development. Both vastly increase an analyst's value to the SOC.
Decrease time to identify risks and vulnerabilities
In today's hyperactive threat landscape, it's not unusual for a new vulnerability to be exploited within a week of its disclosure. Meanwhile, an organization's normal patching cycle can be 4 to 6 weeks. That gap underscores the need for monitoring: businesses can't rely on patching alone as a defense.
A successful SOC will have a threat process informed by continuous research, enabling it to quickly identify high-risk new vulnerabilities, detect attacks, and contain their impact and lateral spread in minutes. This proactive approach and rapid response buy the organization time to test and deploy the appropriate patches.
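The two ideas above, triaging newly disclosed vulnerabilities by exploitability and exposure, and deciding which ones need detection coverage before the normal patch cycle closes the gap, can be made concrete with a small scorer. The code below is an added illustration, not Alert Logic's tooling or any vendor's scoring formula: the record fields, the exposure weights, the 35-day patch window (the middle of the 4 to 6 week range cited above), and the sample vulnerabilities are all constructed assumptions.

```python
"""Added example: rank new vulnerabilities and flag those that need a
compensating control (detection rule, firewall change, virtual patch)
because exploitation is likely before the scheduled patch lands.

Assumptions (not from any real feed): the Vuln fields, EXPOSURE_WEIGHT,
PATCH_CYCLE_DAYS and the SAMPLE records are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# Assumed: middle of the 4-6 week patch window the article describes.
PATCH_CYCLE_DAYS = 35

# Assumed weights: how reachable the affected asset is to an attacker.
EXPOSURE_WEIGHT = {"internet": 1.0, "internal": 0.6, "isolated": 0.2}


@dataclass(frozen=True)
class Vuln:
    vuln_id: str              # placeholder identifier, not a real CVE
    cvss: float               # base severity, 0.0 - 10.0
    exploit_public: bool      # public exploit code or in-the-wild reports
    days_since_published: int # age of the disclosure
    asset_exposure: str       # key into EXPOSURE_WEIGHT
    asset_criticality: int    # 1 (throwaway) .. 5 (crown jewels)


def risk_score(v: Vuln) -> float:
    """Severity scaled by exposure and asset value, doubled when a public
    exploit exists. Capped at 20 so the scale is easy to read."""
    score = v.cvss * EXPOSURE_WEIGHT[v.asset_exposure] * (v.asset_criticality / 5)
    if v.exploit_public:
        score *= 2.0
    return round(min(score, 20.0), 2)


def needs_compensating_control(v: Vuln, patch_cycle_days: int = PATCH_CYCLE_DAYS) -> bool:
    """True when the patch cycle has not yet caught up with this disclosure
    and exploitation is plausible before it does: either an exploit is
    already public, or the asset is internet-facing and the bug is critical.
    Once the patch window has elapsed the item belongs to the patch-compliance
    process, not the SOC's monitoring queue, so it returns False."""
    remaining_days = patch_cycle_days - v.days_since_published
    if remaining_days <= 0:
        return False
    return v.exploit_public or (v.asset_exposure == "internet" and v.cvss >= 9.0)


def triage(vulns: Iterable[Vuln]) -> List[Tuple[str, float, bool]]:
    """Return (id, score, needs_control) sorted highest risk first."""
    ranked = sorted(vulns, key=risk_score, reverse=True)
    return [(v.vuln_id, risk_score(v), needs_compensating_control(v)) for v in ranked]


# Constructed sample records (identifiers are placeholders, not real CVEs).
SAMPLE = [
    Vuln("sample-1", 9.8, True, 3, "internet", 5),   # public exploit, exposed, critical asset
    Vuln("sample-2", 7.5, False, 10, "internal", 3),  # ordinary internal finding
    Vuln("sample-3", 9.1, False, 1, "internet", 4),   # no exploit yet, but critical and exposed
    Vuln("sample-4", 10.0, True, 40, "isolated", 2),  # exploit exists, but patch window already passed
]

if __name__ == "__main__":
    for vuln_id, score, needs_control in triage(SAMPLE):
        action = "ADD DETECTION / MITIGATE NOW" if needs_control else "track in patch cycle"
        print(f"{vuln_id:<9} score={score:>5}  {action}")
```

Running the block prints sample-1 first with the highest score and an immediate-action flag, sample-3 flagged despite having no public exploit (internet-facing and CVSS 9.1), and sample-2 and sample-4 left to the normal patch cycle. The point is the second column of the decision, not the exact weights: whatever scoring a SOC adopts, it needs an explicit rule for which findings get monitoring coverage in the weeks before the patch ships.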
The MDR advantage
Meeting these benchmarks can be a challenge for overtaxed SOCs. A Managed Detection and Response (MDR) solution can complement the SOC's tactical responsibilities with strategic and platform-specific expertise and human judgement.
MDR providers deliver economies of scale. Typically, they employ more than 100 skilled SOC analysts, with a retention rate better than the industry average.
Most SOCs are compelled to take a generalist approach to stretch their limited staff. MDR provides team members with deeper knowledge built around the organization's particular business needs. They take on higher-level security incidents as they advance through the tiers, gaining expertise as they respond to more complex attacks. And because analysts work in distinct disciplines, response tasks run in parallel rather than sequentially, cutting the time to detect an attack to minutes.
Many SOCs are struggling to keep up with an increasingly dynamic threat landscape. Responding to the proliferation of complex threats requires expertise and skills most businesses don't have in-house. An MDR approach balances technology with the human intelligence needed to ensure accuracy and value. Partnering with an MDR provider can help SOCs meet their success criteria and reduce both the likelihood and the impact of successful attacks.
--
Previous Articles in the Series:
1. Defining MDR and MSS
2. Defining Detection Left of Boom and Right of Boom
3. Defining Visibility and Threat Management
4. Defining Active Threat Hunting and Threat Intelligence
5. Defining Daily Tasks and Skills of a SOC Analyst
6. Defining Success for a SOC
Next Up:
Defining Value from an MDR Solution
About the Author
Dan Pitman is a Principal Security Architect at Alert Logic and works with customers to design security solutions that fit their needs on-premises, in hybrid environments, and in the cloud. With over 20 years' experience in technology spanning consumer support, development, infrastructure operations, and security, Dan is passionate about technology and leads the way as a Solutions Architect in helping Alert Logic's customers secure their systems. Born and raised in South Wales, Dan enjoys returning regularly to Alert Logic's Cardiff headquarters to work with the teams there on continuously improving the customer experience.