CryptoniteNXT in the Media

The Three Biggest Challenges in the Security Operations Center

Cybercrime rates continue to soar. The fact is that your security operations center (SOC) is both your front line and your last line of defense. The volume of cyberattacks is increasing, as is the relative speed of individual attacks. At Cryptonite, we measure relative speed as the elapsed time from initial network or endpoint penetration, through reconnaissance and identification of targeted resources, to the start of data exfiltration (or worse). Many security operations teams don’t have the people, processes, or technologies to stop the attacker until well after data exfiltration has begun. Even worse, most SOC teams don’t detect the attacker in their networks at all. The worst-case scenario, in which the breach is reported by an outside party, is the most common. This, of course, places the defending SOC team heavily on the defensive and raises the pressure and stress on the team. The faster an undetected attack moves, the more likely that extreme (and career-defining) damage will be done.

Challenges to effective SOC operations are many. Our view of the top three includes:

Budgets. Budgeting for cybersecurity is somewhere between difficult and impossible. In the face of multiple threats, all it takes is one to succeed. How can you measure the amount of cybersecurity you need to address these threats sufficiently to say you won’t suffer from a cyberattack that penetrates your network? The answer is that you cannot. Instead, your strategy must focus on minimizing the time to breach detection, followed by the time to threat mitigation. Yes, attackers and malicious insiders will penetrate your networks. Your SOC team must employ the tactics, techniques, and procedures to identify them rapidly and shut them down before serious damage can be done. Automation is likely the only way to move at the necessary threat speed. Defense strategies must also evolve – the classic perimeter-based defense strategy is breaking more often under the unrelenting pressure of cyberattackers.

In many organizations, budget decisions are about return on investment (ROI), which is much harder to quantify for security. The whole idea of effective SOC operations is to avoid the big bang: a cyberattack disaster of biblical proportions, with its economic loss, breach of data, compliance failure, and reputational impact. Per the Ponemon Institute, the average cost of a data breach in 2017 was about $3.62 million. Yet for many management teams, these numbers seem so large that they don’t address them at all. Often, the executive staff really cannot identify the right investment for cybersecurity the way they would for expenditures and ROI in other departments. Smaller companies tend to redistribute some of their IT resources over to the SOC team, and perhaps augment the budget as they can. Usually, this is not enough to prevent that one attack, nor to detect and stop it in a timely way. In the final analysis, the growing weakness of budgeting primarily for a perimeter-based defense is creating an expanding opportunity for cyberattackers.

According to a PWC study, 39 percent of boards of directors actively participate in setting cybersecurity policies, 36 percent are involved in the technology selection process, and slightly less than one-third, about 31 percent, actively review current security and privacy risks. While cybersecurity has become more of a board-level issue, the BOD is very challenged to understand the right expenditure levels necessary for the SOC team to be successful.

Team Building. Finding experienced cyber warriors to staff your SOC is currently difficult and rapidly nearing impossible. By many estimates, there will be over 3 million unfilled cybersecurity positions by 2021. This impacts both private industry and government. Right now, the U.S. government has thousands of unfilled and open cyber defense positions. This is all a revolving door. On the other side of that door, talented players are being recruited almost as fast as you can hire and train them.

You can also decide to outsource some of your support to managed security service providers (MSSPs). In this case, you are entrusting your most confidential internal operations to outsiders, so you have to be extremely careful in vetting the firm and the specific employees that will work on your account.

Alert Volumes. A veritable tsunami of alerts now hits the SOC team on a daily basis. In the United States, over one-third of enterprise and government accounts must process over 10,000 alerts per day, and a smaller percentage process over 100,000 alerts per day. These numbers are so large that only slightly over half of these alerts are actually investigated. Even among legitimate alerts that merit attention, only slightly over one-third are actually resolved. Many of the alerts are false positives, and even more are redundant alerts for problems previously identified. This triage is a numbers game for the defenders, but for the attackers it is a hole so large they can “drive a bus through it.” And they do. All the cyberattackers need is for a single attack to be successful. The attackers use automation to bring scale and make the numbers work in their favor.

So how can you meet these challenges to the SOC team? New best practices and technologies are required to give the defenders the advantage they need to succeed. New strategies such as Zero Trust become essential for the SOC team to win. The fundamental tenet of Zero Trust is that users inside the network are not trusted any more than users outside of the network. Zero Trust also brings important compatibility with your existing investments. Zero Trust extends and builds upon the perimeter defenses you have to further harden your internal network and meet the advanced threats your enterprise faces today.

This changes the model and moves the initiative back to the defenders. Zero Trust technologies can cut through the noise in the SOC to bring sharp focus to the activities of a persistent attacker. Zero Trust technologies with the right automation will not only stop malicious activity, such as internal network reconnaissance, but they will bring a sharp and immediate focus to the attackers. Rather than focusing on just perimeter defense, the successful SOC team will also devote significant resources to Zero Trust best practices to find the attackers that are within the network, rapidly identify them, and just as quickly use automation to shut them down.