Tamer El Refaey, Chief Cybersecurity Strategist, Emerging Markets, Micro Focus, tells SAME that with the right technical capabilities, NextGen SOCs can help filter out ‘noise’ and overcome the major challenges surrounding cyber security.
Proper security visibility is the dream of every organisation. Knowing whether something malicious is stealthily taking place in the environment, and stopping it before it causes a business impact, is the ultimate goal of every security investment. The term next-generation (NextGen) SOC has been used, and sometimes overused, by multiple technology providers to give their customers hope of achieving that dream. In other cases, security technology providers have questioned the existence of the SOC altogether.
Organisations are left wondering whether a NextGen SOC is a viable option. Is it a technology? Can we buy a NextGen SOC? Can we transform an existing SOC into a NextGen SOC?
The Need for a NextGen SOC
Today’s security operation centres face significant challenges that prevent them from achieving the goal they were built for. The top three of those challenges are:
1. Security visibility. According to statistics, 78% of chief information security officers (CISOs) are concerned about monitoring across a growing attack surface.
2. Alert fatigue. Around 75% of SOC professionals reported that they are suffering from a massive volume of security alerts.
3. Skill shortage. 62% of surveyed SOC managers complained about analysts’ availability and experience.
NextGen SOC promises to overcome these challenges by enhancing the ability to detect compromise attempts and by providing insights that allow analysts to navigate through the noise and focus on a smaller number of high-fidelity alerts. Additionally, a next-generation SOC is supposed to ensure resource optimisation and efficiency.
Key Areas of a NextGen SOC
To build the next generation SOC, we must focus on four key areas within the SOC: business, people, process and technology. The business aspect deals with the SOC’s mission, operating model, stakeholders, and services. The people aspect is related to the SOC leadership, the hiring process, skill assessment, and SOC resources retention. The process aspect focuses on the different processes and procedures within the SOC to execute the day-to-day activities, ensure SOC maturity and evolution, and prepare for the future.
For the remainder of this article, we will focus only on NextGen SOC’s technology aspect.
Technology Aspect of a NextGen SOC
Technology plays a significant role in building a NextGen SOC. It is also the area where most of the investment is made. Multiple technology considerations apply when building any SOC: the SOC architecture, the quality of the data ingested, and the SOC’s technology ecosystem are a few examples of technical capabilities that should be carefully considered.
However, to capitalise on these foundations and mature into a NextGen SOC, five key capabilities make a big difference: metrics and KPIs, layered analytics, advanced content, improved context, and intelligent autonomy.
It is said that we cannot improve what we cannot measure. The same is true for the NextGen SOC. Metrics and KPIs are the tools that allow management to know whether the SOC is delivering according to expectations, where the areas of improvement are, and where to focus effort and time. Metrics and KPIs can also help other cybersecurity teams make the right decisions to enhance existing security controls. NextGen SOC metrics generally fall into four categories: purpose, posture, performance, and productivity. Most security operation centres focus on the last two, because performance and productivity are easier to measure and report. However, a NextGen SOC needs to ensure its alignment to the business and its role in enhancing the overall security posture of the organisation.
a.) Purpose. These are metrics and KPIs that measure the reason a SOC was formed. Some examples are avoided financial losses, reduction in customer fraud, prevented data breaches, etc. Better numbers show that the SOC is fulfilling its purpose.
b.) Posture. Metrics and KPIs related to posture are meant to measure how good or bad the organisation’s security is. Examples may include the number of successful breaches, the number of open vulnerabilities, the percentage of failed security controls, etc. Reductions in these numbers show a more robust security posture for the organisation.
c.) Performance. Performance metrics and KPIs are meant to measure how good the SOC is at dealing with cybersecurity incidents. Examples may include mean time to detect (MTTD), mean time to respond (MTTR), breaches vs incidents, etc. These indicators give SOC leadership visibility on areas that need their attention.
d.) Productivity. Metrics and KPIs associated with productivity are designed to measure the efficiency of the SOC. Some examples include the false positive rate, the average time to close a ticket, the average number of alerts per analyst, adherence to service level agreements (SLA), etc. These indicators should be used to revise the workforce capacity, resources that require further training, and areas where automation would be much needed.
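The performance and productivity indicators listed above, computed from constructed ticket records as an added example (not from the article or Micro Focus). Field names, the eight-hour SLA and the ticket values are assumptions; MTTD and MTTR are taken over true positives only, since a false positive has no real occurrence or response time.

```python
from datetime import datetime, timedelta

# Constructed ticket records (not real data). Times are ISO-8601; "breach" marks
# incidents that were confirmed as successful compromises.
TICKETS = [
    {"id": 1, "analyst": "ana", "true_positive": True,  "breach": False,
     "occurred": "2024-03-01T08:00", "detected": "2024-03-01T09:00", "closed": "2024-03-01T13:00"},
    {"id": 2, "analyst": "ana", "true_positive": False, "breach": False,
     "occurred": "2024-03-01T10:00", "detected": "2024-03-01T10:05", "closed": "2024-03-01T10:35"},
    {"id": 3, "analyst": "ben", "true_positive": True,  "breach": True,
     "occurred": "2024-03-02T01:00", "detected": "2024-03-03T01:00", "closed": "2024-03-04T01:00"},
    {"id": 4, "analyst": "ben", "true_positive": True,  "breach": False,
     "occurred": "2024-03-02T12:00", "detected": "2024-03-02T12:30", "closed": "2024-03-02T16:30"},
]
SLA_CLOSE = timedelta(hours=8)  # assumed service level for closing a ticket

def _t(s):
    return datetime.fromisoformat(s)

def _hours(td):
    return td.total_seconds() / 3600

def performance_kpis(tickets):
    """MTTD and MTTR over true positives only, plus breaches vs incidents."""
    tp = [t for t in tickets if t["true_positive"]]
    mttd = sum(_hours(_t(t["detected"]) - _t(t["occurred"])) for t in tp) / len(tp)
    mttr = sum(_hours(_t(t["closed"]) - _t(t["detected"])) for t in tp) / len(tp)
    breaches = sum(t["breach"] for t in tp)
    return {"mttd_h": mttd, "mttr_h": mttr, "incidents": len(tp), "breaches": breaches}

def productivity_kpis(tickets, sla=SLA_CLOSE):
    """False-positive rate, average time to close, alerts per analyst, SLA adherence."""
    n = len(tickets)
    fp_rate = sum(not t["true_positive"] for t in tickets) / n
    close = [_t(t["closed"]) - _t(t["detected"]) for t in tickets]
    avg_close = sum(_hours(c) for c in close) / n
    per_analyst = n / len({t["analyst"] for t in tickets})
    sla_ok = sum(c <= sla for c in close) / n
    return {"fp_rate": fp_rate, "avg_close_h": avg_close,
            "alerts_per_analyst": per_analyst, "sla_adherence": sla_ok}
```

Ticket 3 shows why MTTD and MTTR are reported separately: a one-day detection delay on a single breach dominates both averages and is the number leadership should be asking about.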
Layered analytics is the ability to look at the data in hand through different lenses, which can lead to enhanced visibility, better insights, different outcomes, and higher-quality decisions. The various analytics that can be used inside the SOC are:
Real-time correlation. This works by detecting policy violations and matches against pre-defined conditions. This type of analytics is meant to detect and document well-known kinds of attacks using traditional analytical tools.
Real-time correlation is still essential, as it helps spot most of the conventional attacks that a SOC faces daily. Responses to these types of alerts should mostly be automated; a SOC analyst should not spend much time dealing with alerts resulting from real-time correlation.
Big data analytics. This type of analytics builds relationships between different datasets, which can provide an extra level of insight. Big data analytics can detect undocumented attacks using conventional analysis tools.
Supervised machine learning. Supervised ML is usually used to detect low-and-slow documented attacks by training the machine on previous attack models using pattern matching. It is instrumental in detecting known attacks that require unconventional analysis capabilities, such as malware infection and spam.
Unsupervised machine learning. This type of analytics is beneficial for detecting unknown attacks that require advanced analysis capabilities. Mathematical data models are used to build behaviour profiles that flag observed abnormality. The main benefit of unsupervised machine learning is that it does not require training datasets; instead, the behaviour profiles are continuously enhanced as more data is analysed.
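Two of the layers above side by side, as an added example that is not from the article or any product: a real-time correlation rule (a pre-defined condition over a sliding window) and an unsupervised behaviour profile that needs no labelled training set, both run over the same constructed authentication events. Thresholds, the window size and the event data are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed authentication events (not real data): time, user, source, outcome
SAMPLE_EVENTS = [
    ("2024-03-01T08:45:00", "bob", "10.0.0.7", "success"),
    ("2024-03-01T09:00:00", "alice", "10.0.0.5", "success"),
    ("2024-03-01T17:30:00", "alice", "10.0.0.5", "success"),
    ("2024-03-02T02:00:00", "bob", "198.51.100.9", "failure"),
    ("2024-03-02T02:00:10", "bob", "198.51.100.9", "failure"),
    ("2024-03-02T02:00:20", "bob", "198.51.100.9", "failure"),
    ("2024-03-02T02:00:30", "bob", "198.51.100.9", "failure"),
    ("2024-03-02T02:00:40", "bob", "198.51.100.9", "failure"),
    ("2024-03-02T02:03:00", "bob", "198.51.100.9", "success"),
    ("2024-03-02T09:05:00", "alice", "10.0.0.5", "success"),
]

def parse(events):
    return [(datetime.fromisoformat(ts), u, s, o) for ts, u, s, o in events]

def correlation_rule(events, threshold=5, window=timedelta(minutes=2)):
    """Real-time correlation layer: a pre-defined condition (>= threshold
    failures from one source inside a sliding window) yields one documented alert."""
    alerts, recent = [], defaultdict(list)
    for ts, user, src, outcome in parse(events):
        if outcome != "failure":
            continue
        recent[src] = [t for t in recent[src] if ts - t <= window] + [ts]
        if len(recent[src]) >= threshold:
            alerts.append(("brute_force", src, ts.isoformat()))
            recent[src] = []  # one burst produces one alert, not one per event
    return alerts

def behaviour_profile(events, learn_until):
    """Unsupervised layer: no labelled training set. Each user's profile (hours
    and sources seen so far) is learned from events before `learn_until`; later
    successes outside the profile are flagged, then folded into the profile."""
    cutoff = datetime.fromisoformat(learn_until)
    profile = defaultdict(lambda: {"hours": set(), "srcs": set()})
    anomalies = []
    for ts, user, src, outcome in parse(events):
        if outcome != "success":
            continue
        p = profile[user]
        if ts >= cutoff and p["hours"] and (ts.hour not in p["hours"] or src not in p["srcs"]):
            anomalies.append(("unusual_login", user, src, ts.isoformat()))
        # the profile keeps learning; in practice, exclude events analysts confirm as malicious
        p["hours"].add(ts.hour)
        p["srcs"].add(src)
    return anomalies
```

The correlation rule fires on the burst of failures; the behaviour profile fires on the success that follows it, which no pre-defined rule described, because it falls outside everything previously seen for that user.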
Context is king. The bigger the picture we see, the more accurate the decisions we take. To support the NextGen SOC initiative, the following minimal context information must be integrated:
a.) Asset information. Not all assets are created equal. The SOC team needs to understand which asset is under attack, the asset criticality to the business, the information it handles, the asset network model, and any other information that quickly allows the analysts to make the right decision.
b.) Vulnerability information. Information such as open vulnerabilities, compliance status, and potential source code issues helps SOC analysts prioritise security alerts.
c.) Identity information. Identity and access information adds situational awareness that can help the SOC team prioritise alerts, decide whether an activity is abnormal, and automate incident response in many cases. For instance, details of new joiners, leavers, privileged users, high-value targets, access details, etc. are critical to giving analysts a proper understanding.
d.) Intelligence information. Threat intelligence has become a critical component of the NextGen SOC. Consuming different threat feeds and indicators of compromise has proven helpful. NextGen SOCs should expand their use of intelligence by integrating open-source intelligence and commercial feeds, and by staying aware of world news that may impact their organisation. The news of the COVID-19 pandemic, for example, would alert the SOC to expect increased COVID-related phishing campaigns.
Content is needed to analyse the data collected into the SOC. Content can exist in the form of analysis rules, data models, generated reports, etc. When developing or selecting content, four key objectives need to be considered:
a.) Techniques, tactics and procedures (TTP). SOCs can use known patterns of activities or methods associated with a specific threat actor or group of threat actors to detect threat actors while performing their attacks. Frameworks such as MITRE ATT&CK can provide great content that the SOC can use.
b.) Threat hunting support. NextGen SOCs should have the ability to develop or leverage content that can simplify and mature their threat hunting capabilities. Such content should be provided by the different technologies used or through reports or dashboards that can be created. Some examples of such content can be host and user profiling, outlier detection, domain generation algorithms (DGA), etc.
c.) Business risk mitigation. One of the main objectives of NextGen SOC is to enhance the security posture of the organisation. Content that supports this objective is mandatory to ensure optimal risk mitigation. For instance, NextGen SOC should be able to pinpoint security control failures, regulatory compliance nonconformity, business process deviation, segregation of duty violations, etc. that could impact the organisation’s data confidentiality, integrity, and availability.
d.) Business-related use cases. A NextGen SOC is one that supports and enables the business. A NextGen SOC should develop content that is business-aligned and can provide early detection of attacks on the company. For example, content that monitors SWIFT, ATM, OT networks, and telecom infrastructure is critical.
With the struggle to find qualified resources, a NextGen SOC should work towards autonomy, where dependency on the human element is minimal wherever possible. Automation is one aspect of SOC autonomy, but it focuses only on orchestrating and automating the incident response. The term intelligent autonomy is meant to be wider than incident response: it looks at the different non-intellectual activities that a SOC analyst performs and moves them to the machine. Examples may include SOC self-diagnosis and healing, leveraging robotic process automation to mimic human actions, providing access to information using voice commands, etc.
NextGen SOC is becoming critical to the success of organisations’ cyber resilience endeavours. The main technical capabilities that a NextGen SOC should have are clear metrics and KPIs, layered analytics, improved context, advanced content, and intelligent autonomy.