Threat Intelligence

7/13/2018
08:27 AM
100%
0%

SOCs Use Automation to Compensate for Training, Technology Issues

Executives and front-line SOC teams see human and technology issues in much different ways, according to two new reports.

A Security Operations Center is an expensive resource for protecting enterprise computing and network resources. A handful of factors can keep an organization from getting the most from the resources — and a recent study shows that those factors are more common than some would think.

A recent study by Exabeam resulted in the 2018 State of the SOC Report which has sections on how SOCs are built and staffed, and how employees at various levels of the organization see the SOC. In key areas, people at different organizational levels have very different views of the issues that exist.

"In terms of importance, upwards of 62% of people who work in the SOC see inexperienced staff as a key pain point," says Stephen Moore, vice president & chief security strategist at Exabeam. "Only 21% of those at the C-level think that this could be an issue." 

The divide is important, as indicated in another report, the 2018 State of Security Operations report, published by Micro Focus. According to the report, among the factors credited with improving SOC operations are the continuity and retention of key security personnel, and insight into the applications, data, systems, and users most likely to impact customers. That insight may be compromised when executives and front-line personnel have radically different views of the security landscape.

Experience level isn't the only area where there is divergence of opinion. Moore says. "Technology is twice the pain point for line people as for the C-suite." The Micro Focus report is quite specific on the nature of the pain. "Most security operations centers continue to be over-invested in technologies that inform them of a problem, yet truly struggle to protect, detect, respond, and recover from the cyber security attacks they fail to discover."

A growing number of organizations are looking to continuous security, or DevSecOps, to optimize the effect of the people and technology they do have in place. The State of Security Operations report points out that, "20% of cyber defense organizations that were assessed over the past 5 years … continue to operate in an ad-hoc manner with undocumented processes and significant gaps in security and risk management." While still high, those numbers represent improvement over time.

Moore says that improvement has to come through automation and continuous response. "It's not enough to find something bad; you have to use your [organization] to respond," he says, adding, "You're seeing orchestration happen, which is sort of the SOC's version of DevSecOps. It's bringing all the pieces in together to help win the security fight."

One of the most important results of using the assets of the organization to be proactive is that the SOC has to become more friendly to the rest of the organization, Moore says. "It's meeting before a crisis and agreeing to a response," he explains. "It's a low-friction/high-trust response. That's really cool, and that's the promise — more communications at a human level."

The planned and automated response can help reduce the impact of both reduced staff training and outdated technology. And in security, making the most of what the organization has is critical. "It's important to be able to run a playbook," Moore says, noting that doing so, "…takes a lot of the pain, a lot of the sting, out of the SOC." In the end, he says "the SOC is a pain center, and this is a soothing agent. As a security executive it's your job to remove pain."

Related content:

 

 

 

Black Hat USA returns to Las Vegas with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions and service providers in the Business Hall. Click for information on the conference and to register.

Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
mike.armistead
50%
50%
mike.armistead,
User Rank: Author
7/18/2018 | 6:25:11 PM
Automation can help
Good to see an article on this important subject.  The good news is that there appears to be a new era of automation coming that can fuel a security team's capabilities to win the fight they are in with adversaries.  

Another report that readers might find interesting is from Cyentia Institute, called Voice of the Analyst.  It surveyed those in the trenches to give their direct view on such things as which tasks are most valuable, time-consuming and such.  https://www.cyentia.com/2018/02/12/new-research-voice-of-the-analyst-study/
Higher Education: 15 Books to Help Cybersecurity Pros Be Better
Curtis Franklin Jr., Senior Editor at Dark Reading,  12/12/2018
Worst Password Blunders of 2018 Hit Organizations East and West
Curtis Franklin Jr., Senior Editor at Dark Reading,  12/12/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
10 Best Practices That Could Reshape Your IT Security Department
This Dark Reading Tech Digest, explores ten best practices that could reshape IT security departments.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-20161
PUBLISHED: 2018-12-15
A design flaw in the BlinkForHome (aka Blink For Home) Sync Module 2.10.4 and earlier allows attackers to disable cameras via Wi-Fi, because incident clips (triggered by the motion sensor) are not saved if the attacker's traffic (such as Dot11Deauth) successfully disconnects the Sync Module from the...
CVE-2018-20159
PUBLISHED: 2018-12-15
i-doit open 1.11.2 allows Remote Code Execution because ZIP archives are mishandled. It has an upload feature that allows an authenticated user with the administrator role to upload arbitrary files to the main website directory. Exploitation involves uploading a ".php" file within a "...
CVE-2018-20157
PUBLISHED: 2018-12-15
The data import functionality in OpenRefine through 3.1 allows an XML External Entity (XXE) attack through a crafted (zip) file, allowing attackers to read arbitrary files.
CVE-2018-20154
PUBLISHED: 2018-12-14
The WP Maintenance Mode plugin before 2.0.7 for WordPress allows remote authenticated users to discover all subscriber e-mail addresses.
CVE-2018-20155
PUBLISHED: 2018-12-14
The WP Maintenance Mode plugin before 2.0.7 for WordPress allows remote authenticated subscriber users to bypass intended access restrictions on changes to plugin settings.