In his keynote address, “Transforming Security Operations with Modern Security Analytics” at this year’s Spotlight18 conference in Las Vegas, Don Sheehan, director of cyber defense solutions at Grant Thornton, said the security operations center (SOC) is challenged by the new reality that data is everywhere.
While there has been an increase in awareness of the potential impacts of cyber issues, and executives are more aware, Sheehan said that when it comes to the potential risks and downstream implications, awareness is still lacking.
Organizations continue to confront concerns about cybersecurity spending, asking whether they are spending too much because they don’t have any incidents or whether they are not spending enough, leaving themselves unprepared for incidents.
Security operation centers are also being challenged by the integration of risk as part of business risk discussions and the constant fear of the next threat, which has shifted the focus to not only security but resilience for the organization.
Recognizing that security is not an island, it’s imperative to build security into the entire organization, particularly when thinking about insider threat programs. “Threat actor TTPs drive us to identify a security threat via a much larger and diverse set of system data, rather than collection and correlation of security alerts,” Sheehan said.
Despite the security measures that have been taken, most organizations are left thinking that they are not yet safe enough. “Everybody wants to protect things, until the budget comes out,” Sheehan said. Still, the cyber landscape is evolving to include a shift in focus on insider threats.
“The SOC is not just security anymore, nor is it just operations and it may not even be a center. Coordination with non-IT teams is now normal. Risk management, HR, legal, physical security, IT operations. Use cases from these nontraditional teams are changing the focus and increasing the workload for the cyber defense center team.”
The change in direction isn’t problematic, but as workloads increase, the team gets stuck doing the old stuff plus the new focus areas. “Automation of common tasks can free up time for staff to focus on more complex challenges, and integrating with other business areas makes cyber more relevant and not just ‘techie,’ which means the SOC is moving beyond reactive mode.”
As SOCs evolve, though, insider threat programs need to be more than just a tool. “An insider threat program requires new event data to be analyzed, but the correlation of physical security logs with security telemetry has many challenges. This increases the coordination responsibilities and requires updated workflows.”