The Future of Security Operations

31 May 2020 | Eric Eifert
Security Operations has become even more critical to an organisation's survival in the face of today's cybersecurity threats. Its benefit is obvious: a team focused 24/7 on preventing, detecting, assessing, monitoring, and responding to cybersecurity threats and incidents. Security operations continues to evolve and will increasingly integrate automation, behaviour analytics, security isolation, and machine learning to detect and respond to cyber events more rapidly. Automation is essential, enabling operations teams to do more and to keep pace with cyber-attacks for all organisations, from small private entities to government agencies.
Questions are increasingly being raised across the cybersecurity industry about the impact and benefit of these developments to various market sectors, and about how teams should respond. How will continuous assessment and enterprise cyber situational awareness help increase the security posture of an organisation? How are advanced analytics being used to help detect sophisticated threats? How will automation and security orchestration help improve the security posture of an organisation?
1. Q: What new technology will have the most significant impact on security operations, and when do you feel it will be fully utilised?
A: I would say it is a collection of capabilities that make up the latest Security Orchestration, Automation and Response (SOAR) platforms. These platforms are focused on increasing the productivity, efficiency, accuracy, and management of the SOC. They also include features like case management, SLA management, and ticketing to reduce the need for other separate technologies typically used within the SOC. With the tremendous number of cyber security technologies on the market, having a technology that can orchestrate and automate workflows and response actions now allows the SOC to be a more active participant in the defence of an organisation. This is a paradigm shift from the legacy reactive stance the SOC was in in the past, now allowing proactive actions to take place on a daily basis.
2. Q: What guidance can you provide for an organisation considering either building an in-house SOC or leveraging a Managed Security Service Provider?
A: Several factors need to be considered, and I would encourage everyone to start with a cybersecurity strategy that has one element focused on Cyber Security Operations to help answer these questions. The first consideration is the regulatory and governance environment the organisation is operating under. Some, like certain government agencies or critical infrastructures, may not allow remote monitoring. If remote monitoring is allowed, it may be restricted to providers within the country, so off-shore options might not be feasible. The next consideration is often budget. Dedicated on-site SOCs are much more expensive, as you are not leveraging shared infrastructures and resources. We have seen many clients opt for a hybrid, which has some on-site resources provided typically during core business hours while leveraging the remote service for 24/7 monitoring and incident handling. The third consideration is the availability of the required skills and technologies. With the advanced solutions and capabilities necessary to successfully operate a SOC, finding skilled resources to deliver and support these solutions in sufficient quantities in your country may be challenging.
3. Q: What considerations need to be made if organisations are primarily leveraging cloud services?
A: Cloud services are excellent, but you need to understand what you are getting when it comes to security services and how that integrates into your overall cybersecurity program. The cloud providers have greatly enhanced their security features, but you need to either enable them or purchase them. You can also purchase 3rd-party security applications that will run within the cloud environment. Keep in mind that, for the most part, you are buying infrastructure, platform or software as a service. These things will still need to be secured, either by native cloud security features or 3rd-party security controls. The next piece is who will monitor the alerts coming from these security controls. A SOC will still need to collect, analyse, investigate, and respond to the information being generated by the security technologies or controls within the cloud environments. Most organisations leverage the cloud for specific use cases, so it is one piece of their architecture, and it would need to be included in the overall security monitoring, incident handling, and incident response capabilities for the organisation.
4. Q: What is the difference between global threat intelligence versus local threat intelligence?
A: Global threat intelligence provides information on what is seen across the entire globe. This would be things like critical vulnerabilities that affect common operating systems or technologies used globally, large virus or malware outbreaks that affect users globally, threat actors that are targeting victims across multiple regions, and so forth. Local or regional threat intelligence is specific to a particular country or region of the world. This is where you get a more granular understanding of the local threat actors, custom-crafted viruses or malware targeting specific companies or countries, and threats to custom-developed software used in companies or government agencies. We also see an increased demand for brand protection and Darkweb monitoring that is very company-specific; local threat intelligence is often used to support these types of requirements.
5. Q: What is a good rule of thumb to determine what can be automated vs what should be done manually?
A: From my experience, the challenge with automation has not been with the technology but more with user acceptance and adoption of that technology. So the first step is to understand the workflows being used and demonstrate the actions associated with those workflows. If you can demonstrate that specific actions will be taken 100% of the time under specific circumstances, then this is the ideal situation for automation. Let’s take an example. Let’s say that you have a trusted threat intelligence feed from the government that provides known bad IPs on a daily basis. This requires you to update your firewall to block outbound connections to these IPs as well as look through the proxy logs for the last 90 days for previous connections. This could take a SOC analyst some time to do if they need to coordinate with the firewall administrator and set up the search query. This can and should be automated. You can also automate workflows but set human-in-the-loop breakpoints to allow humans to review what has been done and allow it to continue or stop it as necessary.
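The playbook described in the answer above, written out as an added example (this is not code from the article or from Digital14): a daily feed of known-bad IPs is parsed, vendor-neutral outbound block rules are generated for every valid indicator, the last 90 days of proxy logs are searched for earlier connections to those IPs, and any internal host that did connect is held at a human-in-the-loop breakpoint rather than being contained automatically. The feed text, the proxy log layout (`timestamp client destination port`), the rule syntax and the `approve` callback are all constructed for the example; a real SOAR integration would replace them with the firewall and proxy APIs in use.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address

# Constructed sample feed: one indicator per line, '#' starts a comment.
# These are documentation-range addresses, not real indicators.
SAMPLE_FEED = """
# constructed feed for the example
203.0.113.7
198.51.100.23
not-an-ip
"""

# Constructed proxy log lines: "<UTC timestamp> <client> <destination> <port>".
SAMPLE_PROXY_LOG = """
2020-05-28T10:15:00Z 10.0.0.5 203.0.113.7 443
2020-01-02T08:00:00Z 10.0.0.9 203.0.113.7 80
2020-05-29T12:00:00Z 10.0.0.7 192.0.2.44 443
2020-05-30T09:30:00Z 10.0.0.8 198.51.100.23 443
"""

# Fixed "now" so the 90-day window is reproducible offline.
NOW = datetime(2020, 5, 31, tzinfo=timezone.utc)


def parse_feed(text):
    """Return the set of valid IP indicators; malformed lines are skipped, not fatal."""
    ips = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            ips.add(str(ip_address(line)))
        except ValueError:
            continue  # a bad line in the feed must not abort the daily run
    return ips


def build_block_rules(bad_ips):
    """Hypothetical vendor-neutral rule text for outbound blocks (assumed syntax)."""
    return [f"deny outbound to {ip}/32" for ip in sorted(bad_ips)]


def search_proxy_log(text, bad_ips, now=NOW, lookback_days=90):
    """Return (timestamp, client, destination, port) for connections to bad IPs
    within the lookback window; older lines and malformed lines are ignored."""
    cutoff = now - timedelta(days=lookback_days)
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        if ts < cutoff:
            continue
        if parts[2] in bad_ips:
            hits.append(tuple(parts))
    return hits


@dataclass
class PlaybookResult:
    rules_applied: list          # blocks pushed automatically (100%-of-the-time action)
    hits: list                   # historical connections found in the proxy logs
    hosts_pending_review: list = field(default_factory=list)  # awaiting analyst decision
    hosts_contained: list = field(default_factory=list)       # approved at the breakpoint


def run_playbook(feed_text, proxy_text, approve=None, now=NOW):
    """approve is a hypothetical human-in-the-loop callback: it receives the list of
    internal hosts that talked to a bad IP and returns True to contain them. With no
    callback the playbook stops at the breakpoint and leaves the hosts pending."""
    bad_ips = parse_feed(feed_text)
    rules = build_block_rules(bad_ips)        # safe to automate: always the right action
    hits = search_proxy_log(proxy_text, bad_ips, now=now)
    hosts = sorted({h[1] for h in hits})
    result = PlaybookResult(rules_applied=rules, hits=hits)
    if not hosts:
        return result
    # Breakpoint: containing a host has business impact, so a human decides.
    if approve is not None and approve(hosts):
        result.hosts_contained = hosts
    else:
        result.hosts_pending_review = hosts
    return result


if __name__ == "__main__":
    r = run_playbook(SAMPLE_FEED, SAMPLE_PROXY_LOG)
    print("rules:", r.rules_applied)
    print("hits:", r.hits)
    print("pending review:", r.hosts_pending_review)
```

The split mirrors the rule of thumb in the answer: the block-rule push meets the "100% of the time" test and runs unattended, while host containment, which can take a business system offline, is the breakpoint where an analyst reviews the evidence and lets the workflow continue or stops it.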