Threat Intelligence

7/13/2018
08:27 AM
100%
0%

SOCs Use Automation to Compensate for Training, Technology Issues

Executives and front-line SOC teams see human and technology issues in much different ways, according to two new reports.

A Security Operations Center is an expensive resource for protecting enterprise computing and network resources. A handful of factors can keep an organization from getting the most from the resources — and a recent study shows that those factors are more common than some would think.

A recent study by Exabeam resulted in the 2018 State of the SOC Report which has sections on how SOCs are built and staffed, and how employees at various levels of the organization see the SOC. In key areas, people at different organizational levels have very different views of the issues that exist.

"In terms of importance, upwards of 62% of people who work in the SOC see inexperienced staff as a key pain point," says Stephen Moore, vice president & chief security strategist at Exabeam. "Only 21% of those at the C-level think that this could be an issue." 

The divide is important, as indicated in another report, the 2018 State of Security Operations report, published by Micro Focus. According to the report, among the factors credited with improving SOC operations are the continuity and retention of key security personnel, and insight into the applications, data, systems, and users most likely to impact customers. That insight may be compromised when executives and front-line personnel have radically different views of the security landscape.

Experience level isn't the only area where there is divergence of opinion. Moore says. "Technology is twice the pain point for line people as for the C-suite." The Micro Focus report is quite specific on the nature of the pain. "Most security operations centers continue to be over-invested in technologies that inform them of a problem, yet truly struggle to protect, detect, respond, and recover from the cyber security attacks they fail to discover."

A growing number of organizations are looking to continuous security, or DevSecOps, to optimize the effect of the people and technology they do have in place. The State of Security Operations report points out that, "20% of cyber defense organizations that were assessed over the past 5 years … continue to operate in an ad-hoc manner with undocumented processes and significant gaps in security and risk management." While still high, those numbers represent improvement over time.

Moore says that improvement has to come through automation and continuous response. "It's not enough to find something bad; you have to use your [organization] to respond," he says, adding, "You're seeing orchestration happen, which is sort of the SOC's version of DevSecOps. It's bringing all the pieces in together to help win the security fight."

One of the most important results of using the assets of the organization to be proactive is that the SOC has to become more friendly to the rest of the organization, Moore says. "It's meeting before a crisis and agreeing to a response," he explains. "It's a low-friction/high-trust response. That's really cool, and that's the promise — more communications at a human level."

The planned and automated response can help reduce the impact of both reduced staff training and outdated technology. And in security, making the most of what the organization has is critical. "It's important to be able to run a playbook," Moore says, noting that doing so, "…takes a lot of the pain, a lot of the sting, out of the SOC." In the end, he says "the SOC is a pain center, and this is a soothing agent. As a security executive it's your job to remove pain."

Related content:

 

 

 

Black Hat USA returns to Las Vegas with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions and service providers in the Business Hall. Click for information on the conference and to register.

Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
mike.armistead
50%
50%
mike.armistead,
User Rank: Author
7/18/2018 | 6:25:11 PM
Automation can help
Good to see an article on this important subject.  The good news is that there appears to be a new era of automation coming that can fuel a security team's capabilities to win the fight they are in with adversaries.  

Another report that readers might find interesting is from Cyentia Institute, called Voice of the Analyst.  It surveyed those in the trenches to give their direct view on such things as which tasks are most valuable, time-consuming and such.  https://www.cyentia.com/2018/02/12/new-research-voice-of-the-analyst-study/
Worst Password Blunders of 2018 Hit Organizations East and West
Curtis Franklin Jr., Senior Editor at Dark Reading,  12/12/2018
8 Security Tips to Gift Your Loved Ones For the Holidays
Steve Zurier, Freelance Writer,  12/18/2018
How to Engage Your Cyber Enemies
Guy Nizan, CEO at Intsights Cyber Intelligence,  12/18/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
The Year in Security 2018
This Dark Reading Tech Digest explores the biggest news stories of 2018 that shaped the cybersecurity landscape.
Flash Poll
[Sponsored Content] The State of Encryption and How to Improve It
[Sponsored Content] The State of Encryption and How to Improve It
Encryption and access controls are considered to be the ultimate safeguards to ensure the security and confidentiality of data, which is why they're mandated in so many compliance and regulatory standards. While the cybersecurity market boasts a wide variety of encryption technologies, many data breaches reveal that sensitive and personal data has often been left unencrypted and, therefore, vulnerable.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-16883
PUBLISHED: 2018-12-19
sssd versions from 1.13.0 to before 2.0.0 did not properly restrict access to the infopipe according to the "allowed_uids" configuration parameter. If sensitive information were stored in the user directory, this could be inadvertently disclosed to local attackers.
CVE-2018-17192
PUBLISHED: 2018-12-19
The X-Frame-Options headers were applied inconsistently on some HTTP responses, resulting in duplicate or missing security headers. Some browsers would interpret these results incorrectly, allowing clickjacking attacks. Mitigation: The fix to consistently apply the security headers was applied on th...
CVE-2018-17193
PUBLISHED: 2018-12-19
The message-page.jsp error page used the value of the HTTP request header X-ProxyContextPath without sanitization, resulting in a reflected XSS attack. Mitigation: The fix to correctly parse and sanitize the request attribute value was applied on the Apache NiFi 1.8.0 release. Users running a prior ...
CVE-2018-17194
PUBLISHED: 2018-12-19
When a client request to a cluster node was replicated to other nodes in the cluster for verification, the Content-Length was forwarded. On a DELETE request, the body was ignored, but if the initial request had a Content-Length value other than 0, the receiving nodes would wait for the body and even...
CVE-2018-17195
PUBLISHED: 2018-12-19
The template upload API endpoint accepted requests from different domain when sent in conjunction with ARP spoofing + man in the middle (MiTM) attack, resulting in a CSRF attack. The required attack vector is complex, requiring a scenario with client certificate authentication, same subnet access, a...