IT and information security are critical, but when you have multiple systems throwing out hundreds of alerts every day, it is easy to become ‘alert fatigued’. Alerts relating to real, business threats can easily be lost in the sheer volume, giving malicious attacks a gap and making your business vulnerable. Adding intelligence around this process through a threat-centric Security Operations Centre (SOC) can help businesses prioritise incidents and more easily detect higher-risk threats affecting multiple locations and systems, for improved incident response and better security.
The evolution of the SOC
A SOC has become essential for business today, whether this is an in-house department or delivered via a managed services partner, responsible for monitoring environments and reacting to potential security threats. A SOC involves both Security Information Management (SIM) and Security Event Management (SEM), collectively known as SIEM, but brings in additional feeds for information and analytics.
While more data can potentially result in better output, simply alerting people to potential incidents is not sufficient, action must be taken. Security Orchestration, Automation and Response (SOAR) provides an additional component to automatically execute certain actions according to a playbook of threats, for example in the event of a denial-of-service attack, the firewall is instructed to block the threat without human intervention.
The challenge comes in with the evolution of threat vectors because a single attack may generate multiple alerts, each of which will trigger their own event, even though they are all related. For example, a blanket phishing scam could target an entire department, and each blocked email will generate an alert and an automated response which is inefficient. This can also be exploited by malicious actors who flood systems with multiple small alerts in an effort to disguise a bigger attack.
Adding in intelligence
It has become imperative to bring a layer of intelligence into the SOC – rather than analysing every alert and treating each as a separate threat, analysing the environment to understand related incidents can help to reduce this clutter. Focusing on the threat itself, rather than each individual alert, allows for a more efficient and proactive approach to security.
A threat-centric approach allows energy and resources to be prioritised effectively, but this must be aligned with incident response and threat level categorisations. Intelligence can be built into systems to identify different threats and flag potentially false alerts or distractions, with the aim of identifying and preventing targeted attacks as far as possible.
Professional services can make all the difference
While maintaining a threat-centric SOC in-house is possible for larger organisations, many businesses simply do not have the skills or resources to perform this function effectively. A professional services provider offers the typical benefits associated with outsourcing, including access to skills and a cost-effective procurement model.
However, the biggest benefit to using professional services for a threat-centric SOC is experience. A reputable service provider would have many different clients and have their finger on the pulse of events, so when a particular type of attack affects a different geography or even another client, they will be able to use this knowledge to help identify and prevent similar attacks from happening elsewhere.
Is a SOC for everyone?
Any business that wants to understand potential threats and risks in their technology environment should have threat-centric SOC in place, but this comes with a level of maturity that not all businesses possess. If the feeds and information from systems, including logs and alerts, do not exist, then a SOC will not be a viable solution. In addition, alerting and detection must go hand in hand with response, otherwise it serves no purpose. Organisations need to have effective incident response plans, actions, policies, and procedures for a threat-centric SOC to be effective. Professional services providers will be able to advise on the most appropriate approach, and if a SOC is the solution to deliver a more effective service with broader expertise and experience.
Simeon Tassev, MD and QSA at Galix