Security teams have a challenging and ever-changing role. Here’s how a SOC can keep up
Security teams should coordinate and operate by standard practices to ensure their efforts yield the maximum results. Learn some tips from an industry insider on how to make it happen.
A security operations center (SOC) consists of a dedicated team of people devoted to handling information security to protect the business. While not every company has a SOC (nor the resources to establish one), they’re often found in medium- to large-sized organizations and companies that handle financial transactions.
I’ve served in dual roles as a system administrator and cybersecurity analyst working for small organizations, but I have not had the opportunity to work in an SOC. One of the many challenges I faced while handling security operations was dealing with the sheer volume of alerts I received and sorting out the false positives from the genuine threats.
I chatted with Gaurav Banga, CEO and founder of AI cybersecurity firm Balbix, to get his take on the work of SOCs and how cybersecurity is changing.
Scott Matteson: What are the main objectives of a SOC?
Gaurav Banga: A SOC is responsible for keeping an organization protected against threats 24/7. When a SOC is alerted to a vulnerability or incident in progress, it must jump into action as soon as possible in order to minimize or negate the damage done, while keeping the uptime of business-critical operations.
Scott Matteson: What are the challenges faced by a typical SOC?
Gaurav Banga: Some SOCs may receive greater than one million alerts per day and most SOC analysts can only manage around 20 to 25 alerts per day. What’s worse, the number of unfilled cybersecurity jobs is expected to be 1.8 million by 2022, a 20% increase from 2015. As a result, traditional SOCs do not have the resources and tools needed in order to effectively handle all security alerts from their security information and event management (SIEM) logs.
Scott Matteson: Why are organizations struggling with the volume of alerts produced by their security controls?
Gaurav Banga: Traditional SOCs struggle with the volume of daily alerts produced by their SIEM logs. Triaging these alerts consumes a lot of effort–and is essentially a reactive exercise, since an attack may have already compromised some enterprise systems. We also have a lot of false positives in these alerts, which further exacerbates the situation. As organizations are usually behind in patching their systems and fixing other vulnerabilities, this allows cybercriminals the chance to seek out any one of several security gaps in the company’s network and gain unauthorized access.
Scott Matteson: How can organizations solve this problem?
Gaurav Banga: SOCs need to be intelligent and self-learning in order to develop a proactive approach to security. To do this, SOCs must adopt modern tools that use specialized AI algorithms to be able to automatically discover all IT assets and users, and monitor all of them for risk across hundreds of attack vectors. Such tools can help find, contextualize and prioritize threats that need to be remediated based on risk.
Scott Matteson: How does the enactment of GDPR and CCPA impact SOCs?
Gaurav Banga: The enactment of GDPR and CCPA should spur SOCs to adopt a proactive approach to cyber-defense, if they have not already. The consequences of suffering a data breach should speak for themselves. Businesses will be liable for penalties of either 4% of annual global turnover or €20 million for failing to comply with GDPR. Enforcement of CCPA will be through a private right of action for data breaches, with the rest of the act subject to enforcement by the California Attorney General at a maximum of $2,500 per violation.
Scott Matteson: What security tools or platforms are used by an effective SOC?
Gaurav Banga: Effective SOCs use automated security tools and AI-powered platforms that are able to discover all assets and users, continuously monitor for hundreds of attack vectors, maintain real-time visibility across device, app and user inventory as well as attack surfaces, and provide a continuous and comprehensive risk assessment. This will allow SOCs to remediate vulnerabilities based on business risk, conceptualize threats to take proactive, mitigating actions and improve the overall relevance of reports for CIOs and CISOs to give to the board.
Scott Matteson: What does the SOC of the future need to incorporate to keep up with evolving security threats?
Gaurav Banga: A SOC of the future will be predictive and proactive. It will need to have automated self-learning tools in place to continuously measure and manage the overall cybersecurity posture of an enterprise’s network, before the adversary can attack. Such SOCs will have comprehensive and real-time situational knowledge of their inventory, vulnerabilities, exposure, relevant threats, any active compensating controls and the relative business criticality of different assets.
Scott Matteson: What career elements are useful to SOC staff?
Gaurav Banga: Finding the right staff, with the right training and experience, can be a challenge.
The best SOC analysts think like their adversaries and train to counter threats and attacks using a combination of inductive and deductive reasoning as well as good technical and business knowledge.
Most SOCs are organized into two operational groups. The first is the operations team, which continuously monitors screens looking for potential anomalies, events and risks that are detected. A good knowledge of the elements of breach risk, attack vectors and familiarity with modern AI and automation tools is key.
The second is the incident response team, which addresses actual breach events. These engineers have more-advanced skills and are typically responsible for forensic investigation, advanced malware analysis, and training and mentoring more-junior staff.
Scott Matteson: How do you advise SOC staff to keep the organization’s employees educated?
Gaurav Banga: CISOs and SOCs have found gamification to be an effective strategy for educating their organization’s employees on cybersecurity and pushing down the ownership of cyber-risk management. Gamification of an enterprise’s cybersecurity processes involves leveraging people’s natural desires for competition, learning, achievement, and recognition toward reducing the business’ breach risk.