Security Operations Centres and the Cloud – why Company-to-Company Collaboration is Key to Success

For many companies, the security operations center (SOC) is the heart of their approach to keeping data, networks and applications secure. The SOC provides a real-time overview of what is happening across the network – good and bad.

For many years, SOCs have relied on security incident and event management (SIEM) deployments to keep up with all the machine data being generated. However, IT is changing rapidly. How can SOC environments keep up?
What’s changing?
With more systems deployed in the cloud, SIEM deployments have to cope with many more different sources of data. Application deployments have changed too – rather than server images with operating systems, applications can now be implemented in software containers or be built from functions running on serverless computing infrastructure like AWS Lambda.
According to our research, containers are used by a growing group of companies. Around a third of enterprises have deployed Kubernetes to manage their new applications. Similarly, 28% of enterprises are using Docker containers in AWS. Lastly, serverless computing has grown too – one in three companies now use AWS Lambda.
All these new platforms run outside the enterprise, so there is a shared responsibility model to be considered. For SOC teams, this means getting real-time streams of information from public cloud platforms and combining them with data from the individual applications and services. This then has to be linked to any other machine data sets from internal cloud deployments through to network data. What does this add up to? A lot more data.
At the same time, there is a lack of people experienced in running SOC environments at scale. According to the ISACA State of Cybersecurity Report Part 1 2019, 69% of organizations have indicated that their security teams are understaffed, while 58% have open roles. For 32% of respondents, it took six months or more to fill those roles too. This lack of suitable candidates to run SOC environments is itself a risk. 

In cloud environments, you also have the emergence of Site Reliability Engineers (SREs). These roles are relatively new, and they hold both administrative and security responsibilities for cloud deployments. Collaboration between the SOC and SRE teams around defined roles and responsibilities is therefore important.
What processes need to change?

So, in facing more data, more pressure to perform and more demands on staff time, what should IT security teams be doing? Is it more of the same, but faster, or are different approaches needed? How can we achieve the results we need in the SOC without going mad?
Firstly, it’s important to look at the SOC in context. Rather than being the standalone bastion of security for the enterprise that it was in the past, today it is linked to multiple external organizations all fighting their own battles to maintain security as well. 

For companies running SOC environments, collaborating with partners or customers that have their own SOCs can help improve operational efficiency on both sides. This can be based on informal discussions and networking, or it can be more formalized sharing of best practices and processes that both companies can benefit from.

Adopting a more collaborative model relies on trust and security at both organizations, but it can provide a multiplier effect in terms of effectiveness. Personally, I have found that working with customer SOC teams has made our approach better too.
Similarly, automation should be an easy way to help staff improve efficiencies, rather than relying on manual processes. In turn, this should leave more time to investigate outlying results and potential indicators of compromise (IOCs) through correlating issues, trends and events throughout the entire organization. 
This approach to automation can be especially powerful for teams supporting DevOps processes. By using prescriptive processes and suggested workflows, it’s possible to help team members sift through machine data quickly and put that data into the right context. Automation here can be linked into machine learning to further reduce the amount of human input required.
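To make the automation step concrete, here is a small added example (not code from the article or any vendor's product) of what "putting machine data into the right context" can mean in practice: it normalises events from three different cloud sources (a CloudTrail-style audit record, a Lambda log line and a container access-log line, all constructed sample data) into one schema, correlates them by source IP within a time window, and flags groups that match a list of indicators of compromise. The IOC list, the log formats and the field names are assumptions for illustration; a real pipeline would read from the platform's log streams instead of inline strings.

```python
"""Added example: normalise heterogeneous cloud log lines into one schema,
then correlate by source IP within a time window and mark IOC matches.
All sample lines and the IOC list below are constructed, not real data."""
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample inputs (not real records):
#   - a CloudTrail-style JSON audit record
#   - a Lambda function log line (assumed tab-separated layout)
#   - two container access-log lines in common log format
SAMPLE_CLOUDTRAIL = json.dumps({
    "eventTime": "2019-06-01T10:00:05Z",
    "eventName": "ConsoleLogin",
    "sourceIPAddress": "203.0.113.10",
    "responseElements": {"ConsoleLogin": "Failure"},
})
SAMPLE_LAMBDA = ("2019-06-01T10:01:40Z\tREPORT RequestId: abc123"
                 "\tcaller=203.0.113.10 status=403")
SAMPLE_CONTAINER = '203.0.113.10 - - [01/Jun/2019:10:02:15 +0000] "GET /admin HTTP/1.1" 401 12'
SAMPLE_CONTAINER_BENIGN = '198.51.100.7 - - [01/Jun/2019:10:02:20 +0000] "GET /index.html HTTP/1.1" 200 512'

# Constructed IOC list, e.g. as shared by a partner SOC (assumption).
IOC_IPS = {"203.0.113.10"}


def parse_cloudtrail(line):
    """CloudTrail-style record -> common event dict."""
    rec = json.loads(line)
    ts = datetime.strptime(rec["eventTime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "src_ip": rec["sourceIPAddress"],
            "source": "cloudtrail", "detail": rec["eventName"]}


def parse_lambda(line):
    """Assumed Lambda log layout: '<iso time>\\tREPORT ...\\tcaller=<ip> status=<code>'."""
    ts_str, _, rest = line.split("\t", 2)
    m = re.search(r"caller=(\S+) status=(\d+)", rest)
    ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "src_ip": m.group(1), "source": "lambda",
            "detail": "status " + m.group(2)}


def parse_container(line):
    """Common log format line from a containerised web server."""
    m = re.match(r'(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3})', line)
    ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
    return {"ts": ts, "src_ip": m.group(1), "source": "container",
            "detail": m.group(3) + " -> " + m.group(4)}


PARSERS = {"cloudtrail": parse_cloudtrail, "lambda": parse_lambda,
           "container": parse_container}


def normalise(tagged_lines):
    """tagged_lines: iterable of (source_name, raw_line) -> list of event dicts."""
    return [PARSERS[source](line) for source, line in tagged_lines]


def correlate(events, window=timedelta(minutes=5)):
    """Group events by source IP; report IPs seen in more than one data
    source within `window`, and whether the IP is on the IOC list.
    Single-source activity is left for normal triage rather than flagged."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev["src_ip"]].append(ev)
    findings = []
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        sources = {e["source"] for e in evs}
        span = evs[-1]["ts"] - evs[0]["ts"]
        if len(sources) > 1 and span <= window:
            findings.append({"src_ip": ip, "sources": sorted(sources),
                             "count": len(evs), "ioc_match": ip in IOC_IPS,
                             "first_seen": evs[0]["ts"].isoformat()})
    # IOC hits first, then by how many sources corroborate the activity.
    findings.sort(key=lambda f: (not f["ioc_match"], -len(f["sources"])))
    return findings


SAMPLE_EVENTS = [("cloudtrail", SAMPLE_CLOUDTRAIL), ("lambda", SAMPLE_LAMBDA),
                 ("container", SAMPLE_CONTAINER), ("container", SAMPLE_CONTAINER_BENIGN)]


def run_sample():
    """Return the findings for the constructed sample events."""
    return correlate(normalise(SAMPLE_EVENTS))


if __name__ == "__main__":
    for finding in run_sample():
        print(json.dumps(finding))
```

On the sample data the benign IP (one source only) is dropped and 203.0.113.10 surfaces with all three sources and an IOC match, which is the kind of pre-contextualised result that lets an analyst start from "what happened across these platforms" rather than from three raw log streams.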

SIEM providers are already adding more automation and integration with cloud platforms; even so, a cloud-native approach to integration and automation can scale up more efficiently than bolting on additional capabilities to existing on-premise deployments.
However much new tools might help, though, it’s also worth looking at your team culture. The range of skills required in the SOC is wide, and the traditional focus on security and incident management is never going to go away. However, what is required today is two-fold: first, the understanding of how to collaborate with other teams both inside and outside the organization to implement best practices, and second, the awareness of how to build and automate processes to make them repeatable and scalable. For those who are new to automation, this can be a significant additional skill to build up.
The evolution of the SOC, and the tools that underpin this organization, will continue. The skills to support this evolution have to evolve too. More data and more automation will help, but the culture to understand this in context will be critical. 

What’s hot on Infosecurity Magazine?