Breakdown of SOC tools and technologies: During their ShmooCon talk, Wyler and his colleague James “Pope” Pope, senior manager of governance, risk, and compliance at Corelight, offered a list of the fundamental technologies CISOs should consider when building or outsourcing a SOC. These essential tools include:
EDR (endpoint detection and response)
EDR is a security solution that continuously monitors and analyzes endpoint activities to detect, investigate, and respond to cyber threats in real-time. “This is the tool that sits on the endpoints for all your users and all devices that aren’t even users,” Pope said. “You want that. You need it for detections and, hopefully, preventions. And then when you don’t prevent something, like something gets past that EDR, you want to be able to reduce that response time by having what I like to call advanced telemetry on monitoring.”
SIEM (security information and event management)
A SIEM system collects, analyzes, and correlates security logs and event data from various sources to detect anomalies, generate alerts, and support compliance and forensic investigations. Depending on the EDR vendor and on what the organization pays for, the organization might not have access to the full set of EDR logs it needs. “You need to either pay to extend them or send them somewhere,” Pope said.
NDR (network detection and response)
An NDR is a security tool that monitors network traffic to identify suspicious behavior, detect threats, and enable rapid response to potential cyberattacks. “I think of this as more video surveillance for your network,” Wyler said. “Watching the packets go by and seeing what’s happening in that environment is like video surveillance. It can be expensive, but it is worth it.”
SOAR (security orchestration, automation, and response)
SOAR is a platform that integrates security tools, automates workflows, and streamlines incident response processes to improve efficiency and reduce response times. “You could argue the orchestration automation part of this does not belong in a SOC,” Pope said. “That could be a separate trend; a separate group in your operations team is building that.” But, he added, “you need something that has a playbook that you execute every single time in this order. It shouldn’t be a different playbook each time. And then you want to build automation steps through those playbooks.”
TIP (threat intelligence platform)
TIP is a system that aggregates, analyzes, and prioritizes threat intelligence data to help security teams identify, assess, and mitigate emerging cyber threats. “Threat intelligence should be the foundation of your entire security program,” Pope said. “Having a threat intelligence platform means taking all of the ridiculous feeds that are out there, whether they are community-led ones, ones that you pay for, the secret squirrel ones [and] feeding them into something that allows you to centralize it and then say, okay, what do we care about here.”
He added, “Don’t just go out and spend money and be like pew, pew, pew, pew, look how cool I am. I’m so elite. Spend the money in the places that say, ‘This is who’s going to come for me.’”
UEBA (user and entity behavior analytics)
UEBA is a security solution that uses machine learning and analytics to detect abnormal user or entity behavior that may indicate insider threats or compromised accounts. Once the files get out of the TIP, they are shipped off to analyze related user and entity behaviors, Wyler said.
Identity (verify access to resources)
Identity and access management (IAM) tools authenticate and authorize users, ensuring that only legitimate users can access sensitive systems and data.
Personnel challenges in setting up a SOC: In any SOC, whether built internally or delivered by an outside provider, having high-caliber personnel who monitor and follow up on the reports from the security technologies is critical. “If you look at the things that have been around a while, you have workforce turnover,” Splunk’s Paterra says. “If you have a good analyst, they might go somewhere else tomorrow for a better job offer.”
Moreover, “the effectiveness of the analyst is just a very clear problem,” says Paterra. “And then there’s just the volume of work. If you take a mass flood of alerts, it hits analysts not being effective,” which, experts say, can ultimately cause trauma and burnout.
“Analyst fatigue and burnout are fairly common, whether that’s in a SOC or if you’re in incident response,” Wyler tells CSO. “I think those are two areas of security that often can take a toll on folks because there is a significant amount of responsibility that comes with being in that role.”
For very large SOCs, it helps to differentiate layers of personnel depending on their skill level. Schiappa says that Arctic Wolf’s SOC, which many organizations use on an outsourced basis, relies on 1,500 security personnel who contribute to or operate the SOC. “We ingest one and a half trillion security observations daily,” says Schiappa. “We have multiple tiers of capabilities in there,” he says, from nascent security workers at tier one up to highly skilled security workers at tier three.
Other factors CISOs should consider when building a SOC: When building or maintaining an in-house SOC, experts flag other factors that CISOs should keep in mind. One question CISOs should ask themselves is, “have you equipped your analysts to do their job effectively,” Paterra says. “If you have to enumerate, go and sit down and just look at what they’re doing from a day-in, day-out perspective. If they have 50 browser tabs, you can very easily say that your analysts are not in a position to do their job effectively.”
Pope recommends that organizations spend more time on detection engineering. “That is when you get those alerts, and you’re saying, these are false positives, or the tool shouldn’t have sent it. You [should tune] those alerts so you’re not repeating the same thing tomorrow, the next day, the day after that,” Pope says.
Moreover, AI is rapidly changing the face of security operations, which can radically improve detection engineering. “There’s real value in AI right now on upskilling and leveling up SOC analysts,” Pope says. “That’s here today. It will be there in the future. Maybe it’s not solving everything, but it is making analysts faster and better.”
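Pope's detection-engineering point, the alert flood that wears analysts down and the SIEM's job of correlating EDR and NDR telemetry come together in the following added example; it is not code from the article, Corelight, Splunk or any vendor. The rule name, hostnames, addresses, parent-process baseline and the suppression entry are all constructed for illustration.

```python
# Added example, not from the CSO article or any vendor: SIEM-style correlation of constructed EDR/NDR
# events plus a detection-engineering tuning table so a known false positive stops paging analysts.
from datetime import datetime
# Constructed telemetry. EDR: process starts; NDR: outbound connections from the same hosts.
EDR_EVENTS = [
    {"ts": "2025-03-01T09:00:00", "host": "ws-17", "proc": "powershell.exe", "parent": "winword.exe"},
    {"ts": "2025-03-01T09:01:00", "host": "ws-17", "proc": "powershell.exe", "parent": "explorer.exe"},
    {"ts": "2025-03-01T09:02:00", "host": "build-02", "proc": "powershell.exe", "parent": "jenkins.exe"},
]
NDR_EVENTS = [
    {"ts": "2025-03-01T09:00:30", "host": "ws-17", "dst": "203.0.113.10", "port": 443},
    {"ts": "2025-03-01T09:02:20", "host": "build-02", "dst": "198.51.100.7", "port": 443},
]
BASELINE_PARENTS = {"explorer.exe", "cmd.exe"}  # interactive launches are expected, not alerted
RULE = "ps-unusual-parent-then-egress"  # hypothetical rule name
# Tuning table: owner, reason and expiry per suppression, so a drop is a reviewed, time-boxed decision.
SUPPRESSIONS = [
    {"rule": RULE, "host": "build-02", "parent": "jenkins.exe", "owner": "detect-eng",
     "reason": "CI agent runs PowerShell hourly, then fetches artifacts", "expires": "2025-06-01"},
]

def correlate(edr, ndr, window_s=120):
    """PowerShell from a non-baseline parent, then egress from the same host within window_s."""
    alerts = []
    for p in edr:
        if p["proc"] == "powershell.exe" and p["parent"] not in BASELINE_PARENTS:
            for c in ndr:
                dt = (datetime.fromisoformat(c["ts"]) - datetime.fromisoformat(p["ts"])).total_seconds()
                if c["host"] == p["host"] and 0 <= dt <= window_s:
                    alerts.append({"rule": RULE, "host": p["host"], "parent": p["parent"], "dst": c["dst"]})
    return alerts

def apply_tuning(alerts, suppressions, now):
    """Split alerts into (kept, suppressed); an expired suppression no longer applies."""
    kept, suppressed = [], []
    for a in alerts:
        hit = any(s["rule"] == a["rule"] and s["host"] == a["host"] and s["parent"] == a["parent"]
                  and now.date() < datetime.fromisoformat(s["expires"]).date() for s in suppressions)
        (suppressed if hit else kept).append(a)
    return kept, suppressed

def triage(now_iso):
    """Alert volume before and after tuning at the given time; 'kept' is what the analyst sees."""
    raw = correlate(EDR_EVENTS, NDR_EVENTS)
    kept, suppressed = apply_tuning(raw, SUPPRESSIONS, datetime.fromisoformat(now_iso))
    return {"raw": len(raw), "kept": len(kept), "suppressed": len(suppressed),
            "hosts": sorted(a["host"] for a in kept)}

if __name__ == "__main__":
    print(triage("2025-03-01T09:05:00"))  # {'raw': 2, 'kept': 1, 'suppressed': 1, 'hosts': ['ws-17']}
```

Running it after the suppression's expiry date makes the build-02 alert reappear, which is the point of time-boxing a tuning entry: the decision to drop it gets revisited instead of being forgotten.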
First seen on csoonline.com
Jump to article: www.csoonline.com/article/3840447/security-operations-centers-are-fundamental-to-cybersecurity-heres-how-to-build-one.html