
Partner Perspectives
10:00 AM
Brett Kelsey

Five Ingredients Of An Intelligence-Driven Security Operations Center: Part 3 In A Series

As enterprises adopt new ways of thinking about security, they also must make changes in their operations centers to support the new mindset. Here's what's needed.

The second blog post of our series dealt with the shifts in mindset that are necessary for the adoption of an adaptive approach to security, as Gartner puts forth in the report, Designing an Adaptive Security Architecture for Protection From Advanced Attacks. In the third and final post of this series, we’ll talk about transformations that are required in your security operations center (SOC) in order to support this shift.

Continuous Detection And Response

I’m a bit of a car guy, and I enjoy driving as much as getting to the destination, particularly when it comes to the ski resorts in the Lake Tahoe area of California. When I’m behind the wheel there, I’m continually on high alert, scanning the road for potential issues — especially in the winter. It could be something as simple as merging traffic or something hidden, like black ice, or something completely unexpected like a bear lumbering across the road. Similar to a driver on a long journey, an intelligence-driven SOC needs to move away from the traditional incident response model to what Gartner calls “continuous, pervasive monitoring and visibility that are constantly analyzed for indications of compromise.” And this ongoing cycle of monitoring and analytics must be implemented across all technology layers—the network, endpoints, the application front-end and backend, information/data, and yes, even users.

How can you enable continuous detection and response? The key elements include ingesting both internal and external threat intelligence and deriving contextual information from the data that’s relevant for your business. Next, you must correlate that information so that your solution sets can share the data and act in concert in order to respond more quickly and effectively. By incorporating technologies that unify and facilitate the protection, detection, and correction processes of the threat defense life cycle across your security infrastructure, a best-of-breed approach can be made to work.

Pervasive Visibility

Getting back behind the wheel for a moment, did you ever consider that manufacturers put brakes on a car so that you can go faster? Because of the improvements in safety features in cars, speed limits have actually increased over the years on some roads. Airbags, blind spot and lane detection, and other collision mitigation technologies all work together as a single, coordinated system so that we can drive safely at higher speeds and under challenging conditions. In the same way, pervasive visibility, where all your security components are collaborating, allows a business to operate at a faster pace. Now you can catch things that are coming at you more quickly and efficiently.

In a traditional multivendor, siloed SOC, individual security technologies are controlled by unintegrated, incompatible management consoles that can’t communicate with one another and don’t easily share intelligence. At the heart and center of an adaptive SOC is the ability to see everything — across systems, users, and networks that work together. Once you have end-to-end visibility, you can start mining all that rich internal threat intelligence for indicators of attack or indicators of compromise. If you want to take it up a notch, add external threat intelligence from third-party feeds or other trusted organizations. This type of data can provide you with valuable insights about threat characteristics and behaviors that enable you to look for similar patterns in your own environment.

Churning Through Massive Amounts Of Threat Data With Analytics

A consequence of pervasive visibility and threat intelligence is copious amounts of data. It’s much like driving through a blizzard in the mountains. You take in a great deal of data as you navigate this hazardous situation — snow, ice, wind, skidding cars, and pile-ups. Ultimately, you have to ingest this information, analyze it, and determine what matters most. This is where automation comes in — things like the information from apps such as Waze that alert you to traffic conditions ahead, built-in infrared night vision that helps you see farther, and adaptive braking systems that stop the car in an emergency.

In security, a similar issue arises. How do you corral and make use of this resource? The more data you have coming at you, the more you have to rely on machine automation to help you move swiftly and accurately when security incidents come up. Strong analytics technology, for example, helps identify characteristics associated with suspicious incidents and make correlations. You’ll need to establish baselines so that you know how to separate what may look normal for a particular user at a particular time of day in a particular area of the world and what deviates from that pattern. Analytics can help determine whether anomalous activity is real or not. It looks at contextual data and reduces noise and false positives so that you can apply your resources to events that appear to be real and then achieve the greatest impact.
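The two preceding sections describe mining internal telemetry for indicators, enriching it with external threat intelligence, and establishing per-user baselines so that analytics can separate what is normal for a given user, time of day and region from what deviates. The following is an added example of that scoring logic, written for this page and not code from the original post or from Intel Security. The event schema, the scoring weights, the thresholds, the sample login history and the threat-feed entry are all constructed assumptions (the addresses are RFC 5737 documentation ranges, not real indicators).

```python
from collections import defaultdict
from datetime import datetime

# Constructed external threat-intelligence feed of hostile source IPs.
# Uses an RFC 5737 documentation address as a placeholder, not a real indicator.
THREAT_INTEL_IPS = {"203.0.113.45"}

MIN_BASELINE_EVENTS = 5   # score deviations only once a user has this much history
WEIGHT_OFF_HOURS = 1
WEIGHT_NEW_COUNTRY = 2
WEIGHT_INTEL_HIT = 3
MEDIUM_THRESHOLD = 3      # below this an event is suppressed as noise
HIGH_THRESHOLD = 5


def build_baselines(events):
    """Per-user baseline: hours of day and countries seen, plus event count."""
    baselines = defaultdict(lambda: {"hours": set(), "countries": set(), "n": 0})
    for ev in events:
        b = baselines[ev["user"]]
        b["hours"].add(datetime.fromisoformat(ev["ts"]).hour)
        b["countries"].add(ev["country"])
        b["n"] += 1
    return dict(baselines)


def score_event(ev, baselines, intel_ips=THREAT_INTEL_IPS):
    """Return (score, reasons): each deviation from the user's pattern adds weight."""
    score, reasons = 0, []
    if ev["src_ip"] in intel_ips:          # external intel applies regardless of baseline
        score += WEIGHT_INTEL_HIT
        reasons.append("source IP on external threat feed")
    base = baselines.get(ev["user"])
    if base is None or base["n"] < MIN_BASELINE_EVENTS:
        reasons.append("insufficient baseline for user")
        return score, reasons
    hour = datetime.fromisoformat(ev["ts"]).hour
    lo, hi = min(base["hours"]) - 1, max(base["hours"]) + 1   # one hour of slack each side
    if not lo <= hour <= hi:
        score += WEIGHT_OFF_HOURS
        reasons.append(f"hour {hour:02d} outside usual window {lo:02d}-{hi:02d}")
    if ev["country"] not in base["countries"]:
        score += WEIGHT_NEW_COUNTRY
        reasons.append(f"country {ev['country']} never seen for this user")
    return score, reasons


def severity(score):
    """Map a score to a triage tier; None means the event is not surfaced."""
    if score >= HIGH_THRESHOLD:
        return "high"
    if score >= MEDIUM_THRESHOLD:
        return "medium"
    return None


def triage(events, baselines):
    """Score every event and keep only those that clear the alert threshold."""
    alerts = []
    for ev in events:
        score, reasons = score_event(ev, baselines)
        tier = severity(score)
        if tier:
            alerts.append({"user": ev["user"], "ts": ev["ts"], "score": score,
                           "severity": tier, "reasons": reasons})
    return alerts


# Constructed history: ten days of routine logins for two users.
BASELINE_EVENTS = [
    {"ts": f"2021-06-{day:02d}T{hour:02d}:05:00", "user": user, "country": country, "src_ip": ip}
    for day in range(1, 11)
    for user, country, ip, hours in (("alice", "US", "198.51.100.10", (9, 13, 17)),
                                     ("bob", "DE", "198.51.100.20", (8, 12)))
    for hour in hours
]

# Constructed events for the day under review.
NEW_EVENTS = [
    {"ts": "2021-06-14T10:00:00", "user": "alice", "country": "US", "src_ip": "198.51.100.10"},
    {"ts": "2021-06-14T23:30:00", "user": "alice", "country": "US", "src_ip": "198.51.100.10"},
    {"ts": "2021-06-15T03:15:00", "user": "alice", "country": "BR", "src_ip": "203.0.113.45"},
    {"ts": "2021-06-14T02:00:00", "user": "bob", "country": "FR", "src_ip": "198.51.100.77"},
    {"ts": "2021-06-14T11:00:00", "user": "carol", "country": "US", "src_ip": "198.51.100.30"},
]

if __name__ == "__main__":
    for alert in triage(NEW_EVENTS, build_baselines(BASELINE_EVENTS)):
        print(alert)
```

Run as written, only two of the five events surface: alice's off-hours login from a new country and a feed-listed address scores high, and bob's off-hours login from a new country scores medium. A lone off-hours login from a known address is suppressed as noise, and a user with no history is reported as having an insufficient baseline rather than being scored against a pattern that does not yet exist.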

Automation Of Routine Processes

One of the hallmarks of an intelligence-driven SOC is thoughtfully implemented automation, similar to the automation in today’s automobiles. As I’ve mentioned in a previous blog post, there’s a growing scarcity of qualified security professionals. We need to automate routine processes so that these talented individuals can be freed up to do the critical work of analysis. But we need to proceed with caution. For example, it would be counterproductive for automated response systems to completely shut down a CEO’s computer because they see a suspicious file.

So, rather than get too attached to the concept of “automation,” I prefer to think in terms of “automatability,” which both makes use of machine automation and introduces human analysis into the process before you take drastic measures, like shutting down an executive’s computer. Above all, you want to make certain that you create a process and workflow that suits your operation and that you can trust and continually improve.
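As an added illustration of "automatability" (example code written for this page, not from the original post or from Intel Security), the playbook below lets the machine run evidence collection and enrichment on its own, but routes any step that would interrupt a person's work, such as isolating an executive's laptop, through an analyst's approval when the asset is protected or the analytics confidence is low. The asset tiers, action names, playbook contents and confidence threshold are assumptions.

```python
from dataclasses import dataclass

DISRUPTIVE_ACTIONS = {"isolate_host", "disable_account"}   # steps that interrupt a person's work
PROTECTED_TIERS = {"executive", "critical"}
AUTO_CONFIDENCE = 0.8   # below this, even a standard host is not isolated without a human

# Severity -> ordered steps. Assumed playbook, not one the post specifies.
PLAYBOOK = {
    "high": ["enrich_indicator", "collect_forensic_snapshot", "isolate_host"],
    "medium": ["enrich_indicator", "quarantine_file", "notify_owner"],
    "low": ["enrich_indicator"],
}


@dataclass
class Asset:
    hostname: str
    owner: str
    tier: str = "standard"


@dataclass
class Finding:
    finding_id: str
    asset: Asset
    severity: str
    confidence: float   # 0.0-1.0, as produced by the analytics layer
    indicator: str


@dataclass
class PlannedAction:
    name: str
    mode: str           # "auto" or "approval_required"
    reason: str = ""


def plan_response(finding):
    """Decide, per step, whether the machine acts alone or an analyst must approve."""
    plan = []
    for action in PLAYBOOK[finding.severity]:
        if action not in DISRUPTIVE_ACTIONS:
            plan.append(PlannedAction(action, "auto"))
        elif finding.asset.tier in PROTECTED_TIERS:
            plan.append(PlannedAction(action, "approval_required", f"{finding.asset.tier} asset"))
        elif finding.confidence < AUTO_CONFIDENCE:
            plan.append(PlannedAction(action, "approval_required",
                                      f"confidence {finding.confidence:.2f} below {AUTO_CONFIDENCE}"))
        else:
            plan.append(PlannedAction(action, "auto"))
    return plan


def execute_plan(finding, plan, approvals):
    """Simulated execution. `approvals` maps (finding_id, action) to the analyst's
    True/False decision; gated steps with no decision yet stay pending."""
    outcome = {"executed": [], "pending": [], "rejected": []}
    for step in plan:
        if step.mode == "auto":
            outcome["executed"].append(step.name)
            continue
        decision = approvals.get((finding.finding_id, step.name))
        if decision is True:
            outcome["executed"].append(step.name)
        elif decision is False:
            outcome["rejected"].append(step.name)
        else:
            outcome["pending"].append(step.name)
    return outcome


if __name__ == "__main__":
    ceo_laptop = Asset("lt-ceo-01", "ceo", tier="executive")
    finding = Finding("F-1", ceo_laptop, "high", 0.6, "sha256:PLACEHOLDER")
    plan = plan_response(finding)
    print(execute_plan(finding, plan, {}))   # isolation waits for an analyst decision
```

The gate is deliberately two-sided: a high-confidence finding on an ordinary workstation is isolated without waiting, so the time saved by automation is not given back on every alert, while the same finding on an executive's laptop, or a low-confidence finding anywhere, stops short of the disruptive step until someone has looked.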

Analyzing Patterns And Root Causes

With automation for mundane tasks in place, your security professionals’ time is best spent on proactively hunting and mining threat data, and then digging deeper to unravel patterns and root causes. When an attack occurs, they need to look at how bad actors infiltrated the infrastructure, identify patient zero, determine which systems or networks were affected, and find out what type of data was exfiltrated. Whenever malware shows up, your analysts need to investigate the trajectory of the threat and learn as much as possible about how it got in. By gathering this type of data, your organization will get better at spotting and responding to threats with similar characteristics and behaviors that may emerge in the future.
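The investigation the paragraph describes, finding patient zero, tracing the trajectory between affected systems and checking what left the network, is shown below as an added example over constructed telemetry; it is example code written for this page, not from the original post or from Intel Security. The event tuples, hostnames, file hash, addresses and the 100 MB egress threshold are placeholders chosen for illustration.

```python
# Constructed telemetry. Timestamps are ISO 8601 in one format, so string order
# is chronological. Hostnames, the hash and the addresses are placeholders.
INDICATOR = "sha256:PLACEHOLDER"
FILE_SEEN = [  # (timestamp, host, file hash) from endpoint sensors
    ("2021-06-14T09:12:00", "ws-017", INDICATOR),
    ("2021-06-14T09:40:00", "ws-023", INDICATOR),
    ("2021-06-14T10:05:00", "fs-01", INDICATOR),
    ("2021-06-14T11:30:00", "ws-023", INDICATOR),   # repeat sighting, not a new host
]
CONNECTIONS = [  # (timestamp, source host, destination host, protocol)
    ("2021-06-14T08:00:00", "ws-040", "fs-01", "smb"),   # from a host never affected
    ("2021-06-14T09:35:00", "ws-017", "ws-023", "smb"),
    ("2021-06-14T09:50:00", "ws-023", "fs-01", "smb"),
    ("2021-06-14T10:30:00", "ws-017", "ws-031", "rdp"),  # no sighting followed on ws-031
]
EGRESS = [  # (timestamp, host, external destination, bytes out)
    ("2021-06-14T08:30:00", "fs-01", "198.51.100.5", 2_000_000),    # before patient zero
    ("2021-06-14T10:20:00", "fs-01", "203.0.113.9", 850_000_000),
    ("2021-06-14T10:40:00", "ws-040", "198.51.100.5", 900_000_000),  # host not affected
]


def first_sightings(indicator, file_seen):
    """Earliest time the indicator was observed on each host."""
    first = {}
    for ts, host, file_hash in file_seen:
        if file_hash == indicator and (host not in first or ts < first[host]):
            first[host] = ts
    return first


def patient_zero(indicator, file_seen):
    """The host with the earliest sighting, and when that was."""
    first = first_sightings(indicator, file_seen)
    host = min(first, key=first.get)
    return host, first[host]


def trajectory(indicator, file_seen, connections):
    """For each newly affected host, the latest connection from an already-affected
    host that preceded its first sighting; None when no path was observed."""
    first = first_sightings(indicator, file_seen)
    order = sorted(first, key=first.get)
    affected_so_far = {order[0]}
    hops = []
    for host in order[1:]:
        candidates = [c for c in connections
                      if c[2] == host and c[1] in affected_so_far
                      and first[c[1]] <= c[0] <= first[host]]
        hops.append((max(candidates) if candidates else None, host))
        affected_so_far.add(host)
    return hops


def suspected_exfil(indicator, file_seen, egress, min_bytes=100_000_000):
    """Large outbound transfers from affected hosts after the first sighting."""
    first = first_sightings(indicator, file_seen)
    _, since = patient_zero(indicator, file_seen)
    return [e for e in egress if e[1] in first and e[0] >= since and e[3] >= min_bytes]


if __name__ == "__main__":
    print("patient zero:", patient_zero(INDICATOR, FILE_SEEN))
    print("affected hosts:", sorted(first_sightings(INDICATOR, FILE_SEEN)))
    for hop, host in trajectory(INDICATOR, FILE_SEEN, CONNECTIONS):
        print("hop:", hop, "->", host)
    print("suspected exfiltration:", suspected_exfil(INDICATOR, FILE_SEEN, EGRESS))
```

The ordering constraint in `trajectory` is what makes the result defensible: a connection only counts as a hop if its source was already affected when it happened and it landed before the destination's first sighting, so the earlier benign connection to the file server from an unaffected host is not mistaken for the entry path. A hop recorded as None is a gap in visibility to investigate, not a dead end.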

You’re On Your Way

We hope that you have derived some benefit from our blog series and that it will help you formulate a workable and successful adaptive security strategy for your organization. To learn more about Gartner’s research in this space and approaches for implementing adaptive security, view this webinar featuring Gartner’s Neil Macdonald and me as we talk about the Adaptive Security Architecture concept. And remember — drive safely!

Brett Kelsey is the VP and Chief Technology Officer for the Americas for Intel Security. In this role, he has leveraged his business and practice development, technical expertise, and innovative thought leadership to evangelize Intel Security's go-to-market strategy across ...