IT Brief India - Technology news for CIOs & IT decision-makers
Story image

Stretching the SOC’s ability to cover more threats

Yesterday

A key trend in security operations over the last 18 months is the focus on 'doing more with less'. This continues today, and while the challenge is not unique to security - identical pressures are being felt in many other technology subdomains as well - security is perhaps the domain that's least able to absorb this extra workload effectively. 

That's demonstrated by recent research by Exabeam and IDC, which found over one-third of respondents in the Asia Pacific and Japan (APJ) region experienced significant security incidents in the last 12 months "that required additional resources to remediate".

SOC analysts are already under extraordinary pressure to stay abreast of hundreds of system logs and to be able to perform threat detection, investigation and response (TDIR) in complex environments and/or across significant regional or global footprints and staff numbers. 

The research identifies a clear disconnect here: 87% of organisations in Asia Pacific and Japan believe they have good or excellent ability to detect cyberthreats, yet they are monitoring only 62% of their IT environments, on average. 

What, then, of the other 38% of IT environments not under the SOC's direct gaze? There are multiple possible explanations.

It's possible the lack of oversight of some of these systems or platforms is a known risk: captured on the corporate risk register but considered a lower risk of breach and, therefore, deprioritised. Unmonitored systems could also be 'shadow' or as-a-service platforms procured outside of guidelines and not immediately visible to SOC teams. As organisations use more cloud and generative AI services, SOC analysts may not be fully across all services that are being used by individuals, teams or business units, which makes effective oversight difficult from a security perspective. 

Resourcing is also a known issue. SOCs tend to be lean in their resourcing compared to the overall size of the organisation and technology estate they monitor. A SOC of 2-10 FTE resources is consistently reported in the annual SANS SOC survey as the most common size. While this can grow to 26-100 security personnel in some larger organisations, we've similarly observed larger organisations getting by with far fewer FTE resources. This is often only exposed by an incident - and the mean time required to detect and respond to it - which then leads to some soul-searching on SOC resourcing and visibility.

The right logs for the job

A common conclusion to be drawn is that many organisations do not have the right information going into their security operations to detect, investigate and respond to threats against employees and systems.

In the absence of doubt, this is not a data problem. Organisations have terabytes of security log data that the SOC is required to sift through to identify potential threats. If anything, there is too much data and too many logs being ingested into tools like a security information and event management (SIEM) or endpoint detection and response (EDR) system.

For the SOC, less is more when it comes to determining which information sources to coalesce to create actionable insights. 

The SOC does not need to be across every single log and telemetry point - only the right log or combination of logs to facilitate visibility of key systems and to understand whether the behaviour of those systems - or of the users interacting with them - is normal or abnormal. 

What that right combination of logs looks like can be realised through a combination of discovery workshops, proof-of-concepts and specific tooling that can uncover blind spots and gaps in cyber coverage. Such tools can be used to map the data sources currently being used to establish visibility of a specific scenario and to suggest improvements on a good-better-best basis for improved visibility.

With the right combination of logs trained on identifying specific types of threats, SOC analysts are able to perform TDIR faster, and that is reflected in efficient mean-time-to-detect (MTTD) and mean-time-to-resolve (MTTR) metrics. 

The use of TDIR automation

There's a clear correlation between the effectiveness of a SOC and its ability to select the best data sources for detecting a specific type of threat. 

Not only that, a SOC needs to be able to automate as much of the analysis of those logs as possible. The top two TDIR challenges faced by organisations, based on IDC's research, are time-consuming investigation processes and a lack of automation across the TDIR workflow. 

As the pace of attacks continues and adversaries adopt advanced, new techniques, such as AI, automation is really the only way to keep up with threat actors. A specific TDIR platform can help organisations automate and streamline workflows.

With the assistance of automation and machine learning helping to separate normal and abnormal behaviour patterns from log data, a level 1 SOC analyst can become as effective as a level 2 or 3 analyst. This augmentation of the capabilities of all SOC analysts means doing more with less in security operations can realistically be achieved.

Follow us on:
Follow us on LinkedIn Follow us on X
Share on:
Share on LinkedIn Share on X