Threat Intelligence

SOCs Use Automation to Compensate for Training, Technology Issues

Executives and front-line SOC teams see human and technology issues in much different ways, according to two new reports.

A Security Operations Center is an expensive resource for protecting enterprise computing and network resources. A handful of factors can keep an organization from getting the most from the resources — and a recent study shows that those factors are more common than some would think.

A recent study by Exabeam resulted in the 2018 State of the SOC Report which has sections on how SOCs are built and staffed, and how employees at various levels of the organization see the SOC. In key areas, people at different organizational levels have very different views of the issues that exist.

"In terms of importance, upwards of 62% of people who work in the SOC see inexperienced staff as a key pain point," says Stephen Moore, vice president & chief security strategist at Exabeam. "Only 21% of those at the C-level think that this could be an issue." 

The divide is important, as indicated in another report, the 2018 State of Security Operations report, published by Micro Focus. According to the report, among the factors credited with improving SOC operations are the continuity and retention of key security personnel, and insight into the applications, data, systems, and users most likely to impact customers. That insight may be compromised when executives and front-line personnel have radically different views of the security landscape.

Experience level isn't the only area where there is divergence of opinion. Moore says. "Technology is twice the pain point for line people as for the C-suite." The Micro Focus report is quite specific on the nature of the pain. "Most security operations centers continue to be over-invested in technologies that inform them of a problem, yet truly struggle to protect, detect, respond, and recover from the cyber security attacks they fail to discover."

A growing number of organizations are looking to continuous security, or DevSecOps, to optimize the effect of the people and technology they do have in place. The State of Security Operations report points out that, "20% of cyber defense organizations that were assessed over the past 5 years … continue to operate in an ad-hoc manner with undocumented processes and significant gaps in security and risk management." While still high, those numbers represent improvement over time.

Moore says that improvement has to come through automation and continuous response. "It's not enough to find something bad; you have to use your [organization] to respond," he says, adding, "You're seeing orchestration happen, which is sort of the SOC's version of DevSecOps. It's bringing all the pieces in together to help win the security fight."

One of the most important results of using the assets of the organization to be proactive is that the SOC has to become more friendly to the rest of the organization, Moore says. "It's meeting before a crisis and agreeing to a response," he explains. "It's a low-friction/high-trust response. That's really cool, and that's the promise — more communications at a human level."

The planned and automated response can help reduce the impact of both reduced staff training and outdated technology. And in security, making the most of what the organization has is critical. "It's important to be able to run a playbook," Moore says, noting that doing so, "…takes a lot of the pain, a lot of the sting, out of the SOC." In the end, he says "the SOC is a pain center, and this is a soothing agent. As a security executive it's your job to remove pain."

Related content:

 

 

 

Black Hat USA returns to Las Vegas with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions and service providers in the Business Hall. Click for information on the conference and to register.

Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
mike.armistead
50%
50%
mike.armistead,
User Rank: Author
7/18/2018 | 6:25:11 PM
Automation can help
Good to see an article on this important subject.  The good news is that there appears to be a new era of automation coming that can fuel a security team's capabilities to win the fight they are in with adversaries.  

Another report that readers might find interesting is from Cyentia Institute, called Voice of the Analyst.  It surveyed those in the trenches to give their direct view on such things as which tasks are most valuable, time-consuming and such.  https://www.cyentia.com/2018/02/12/new-research-voice-of-the-analyst-study/
Russia Hacked Clinton's Computers Five Hours After Trump's Call
Robert Lemos, Technology Journalist/Data Researcher,  4/19/2019
Why We Need a 'Cleaner Internet'
Darren Anstee, Chief Technology Officer at Arbor Networks,  4/19/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
5 Emerging Cyber Threats to Watch for in 2019
Online attackers are constantly developing new, innovative ways to break into the enterprise. This Dark Reading Tech Digest gives an in-depth look at five emerging attack trends and exploits your security team should look out for, along with helpful recommendations on how you can prevent your organization from falling victim.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-11506
PUBLISHED: 2019-04-24
In GraphicsMagick from version 1.3.30 to 1.4 snapshot-20190403 Q8, there is a heap-based buffer overflow in the function WriteMATLABImage of coders/mat.c, which allows an attacker to cause a denial of service or possibly have unspecified other impact via a crafted image file. This is related to Expo...
CVE-2019-8991
PUBLISHED: 2019-04-24
The administrator web interface of TIBCO Software Inc.'s TIBCO ActiveMatrix BPM, TIBCO ActiveMatrix BPM Distribution for TIBCO Silver Fabric, TIBCO ActiveMatrix Policy Director, TIBCO ActiveMatrix Service Bus, TIBCO ActiveMatrix Service Grid, TIBCO Silver Fabric Enabler for ActiveMatrix BPM, and TIB...
CVE-2019-8992
PUBLISHED: 2019-04-24
The administrative server component of TIBCO Software Inc.'s TIBCO ActiveMatrix BPM, TIBCO ActiveMatrix BPM Distribution for TIBCO Silver Fabric, TIBCO ActiveMatrix Policy Director, TIBCO ActiveMatrix Service Bus, TIBCO ActiveMatrix Service Grid, TIBCO ActiveMatrix Service Grid Distribution for TIBC...
CVE-2019-8993
PUBLISHED: 2019-04-24
The administrative web server component of TIBCO Software Inc.'s TIBCO ActiveMatrix BPM, TIBCO ActiveMatrix BPM Distribution for TIBCO Silver Fabric, TIBCO ActiveMatrix Policy Director, TIBCO ActiveMatrix Service Bus, TIBCO ActiveMatrix Service Grid, TIBCO ActiveMatrix Service Grid Distribution for ...
CVE-2019-8994
PUBLISHED: 2019-04-24
The workspace client of TIBCO Software Inc.'s TIBCO ActiveMatrix BPM, TIBCO ActiveMatrix BPM Distribution for TIBCO Silver Fabric, and TIBCO Silver Fabric Enabler for ActiveMatrix BPM contains vulnerabilities where an authenticated user can change settings that can theoretically adversely impact oth...