What upgrades do modern security operations centers need?
A few years back, whenever someone said they were building a Security Operations Centre (SOC), it meant deploying a SIEM (Security Information and Event Management) tool and putting together a team for 24x7 operations. That team would, of course, build some processes for running the SOC, but the question is whether this model still suffices in today's environment of targeted threats.
What is Missing from the Modern SOC
What does a modern SOC need? It definitely needs a SIEM to pull together all the logs and build correlation rules around them. SIEM remains the best tool for collecting, normalizing, and correlating log data, but what happens after the SIEM raises those alerts? That is where the modern SOC needs more focus. I will not use the clichéd breach examples where alerts got missed; rather, I will consider what is needed after an alert is generated.
Analysts need to decide quickly whether an alert is worth investigating further. No SOC can afford a large analyst pool, and given the high volume of alerts, this triage is extremely important: industry estimates of the share of alerts that warrant further investigation range between 2% and 5%. Today, triage is mostly based on rules of thumb, typically a list of critical alert types chosen by analyst preference. Ideally, triage should be done after evaluating a variety of context data: the target asset, the source characteristics, the vulnerabilities present, and the full history of the alert and the entities involved. Unfortunately, this data is not available in any one central place, and there is no automation for analysing it. Collecting and analysing it with only a SIEM and no specialized triage platform can take hours, and the whole purpose of quick triage is defeated.
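As an added illustration of the context-driven triage described above (example code written for this page, not Paladion's product or any SIEM's own API), the script below scores each alert against asset, vulnerability, threat-intel and alert-history data. The alert schema, the context stores, the weights and both thresholds are assumptions; in a real deployment each context store would be pulled from the corresponding system, and the weights tuned to the analyst capacity available.

```python
import ipaddress

# Constructed context stores: stand-ins for the asset inventory, vulnerability
# scanner, threat-intel feed and SIEM alert history. All values are made up.
ASSET_INVENTORY = {
    "db-prod-01": {"criticality": 3, "internet_facing": False},  # 1 = low .. 3 = high
    "web-dmz-02": {"criticality": 2, "internet_facing": True},
    "wks-0213":   {"criticality": 1, "internet_facing": False},
}
OPEN_CRITICAL_VULNS = {"db-prod-01": 2, "web-dmz-02": 0, "wks-0213": 0}
THREAT_INTEL_IPS = {"203.0.113.7"}  # RFC 5737 documentation address standing in for an IOC
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]
NOISE_THRESHOLD = 20       # same rule on same host this often before => probably noise
INVESTIGATE_THRESHOLD = 6  # assumed cut-off; tune to analyst capacity


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def triage(alert, history):
    """Score one SIEM alert against asset, vulnerability, threat-intel and
    history context. `alert` and each entry of `history` use the assumed
    schema {"rule", "src_ip", "dst_host", "severity"} with severity 1..3.
    Returns the score, the reasons behind it, and the investigate decision."""
    host = alert["dst_host"]
    asset = ASSET_INVENTORY.get(host, {"criticality": 1, "internet_facing": False})
    score = alert["severity"] + asset["criticality"]
    reasons = [f"SIEM severity {alert['severity']}",
               f"asset criticality {asset['criticality']}"]

    vulns = OPEN_CRITICAL_VULNS.get(host, 0)
    if vulns:
        score += 2
        reasons.append(f"{vulns} open critical vulnerabilities on target")

    if alert["src_ip"] in THREAT_INTEL_IPS:
        score += 3
        reasons.append("source IP matches threat intel")

    if not is_internal(alert["src_ip"]) and not asset["internet_facing"]:
        score += 1
        reasons.append("external source reaching a non-internet-facing asset")

    # History of this alert type on this host: a rule that keeps firing on the
    # same machine is usually a tuning problem, not an attack.
    same_rule = sum(1 for h in history
                    if h["dst_host"] == host and h["rule"] == alert["rule"])
    if same_rule >= NOISE_THRESHOLD:
        score -= 2
        reasons.append(f"same rule fired {same_rule} times on this host before (likely noise)")

    # History of other alert types on this host: several different rules on
    # one machine suggests an attack chain rather than an isolated event.
    other_rules = {h["rule"] for h in history
                   if h["dst_host"] == host and h["rule"] != alert["rule"]}
    if len(other_rules) >= 2:
        score += 2
        reasons.append(f"{len(other_rules)} other rule types already fired on this host")

    return {"rule": alert["rule"], "host": host, "score": score,
            "reasons": reasons, "investigate": score >= INVESTIGATE_THRESHOLD}


def rank(alerts, history):
    """Triage every alert and return the results, highest score first."""
    return sorted((triage(a, history) for a in alerts),
                  key=lambda r: r["score"], reverse=True)


# Constructed sample: a noisy internal alert, an alert on a critical server with
# prior alerts and a known-bad source, and an external scan of a DMZ host.
SAMPLE_HISTORY = (
    [{"rule": "Port scan", "src_ip": "10.0.5.5", "dst_host": "wks-0213", "severity": 1}] * 40
    + [{"rule": "Privilege escalation", "src_ip": "10.0.9.3", "dst_host": "db-prod-01", "severity": 2},
       {"rule": "New admin account", "src_ip": "10.0.9.3", "dst_host": "db-prod-01", "severity": 2}]
)
SAMPLE_ALERTS = [
    {"rule": "Port scan", "src_ip": "10.0.5.5", "dst_host": "wks-0213", "severity": 1},
    {"rule": "Suspicious login", "src_ip": "203.0.113.7", "dst_host": "db-prod-01", "severity": 2},
    {"rule": "Web scanner", "src_ip": "198.51.100.9", "dst_host": "web-dmz-02", "severity": 2},
]

if __name__ == "__main__":
    for r in rank(SAMPLE_ALERTS, SAMPLE_HISTORY):
        print(f"{r['score']:3d} {'INVESTIGATE' if r['investigate'] else 'queue      '} "
              f"{r['rule']} on {r['host']}: {'; '.join(r['reasons'])}")
```

On the constructed sample, the suspicious login on the database server scores 13 and is sent for investigation, the DMZ scan scores 4 and is queued, and the port scan that has already fired 40 times on the same workstation scores 0. The point is not the particular weights but that every one of these signals comes from a different system, which is why triage without a platform that joins them takes hours.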
The next thing the SOC needs is a platform to help investigate the alerts that survive triage. Such a platform should let an analyst or investigator pull together whatever data they need from logs, endpoint state, threat intelligence, a variety of security products, and passive sources such as packet captures and NetFlow, and it should provide analysis tools for working through the alert. In addition, the platform should have case management features for evidence retention and for managing the multiple threads of an investigation. A SIEM does not provide such capabilities.
Then there is the response itself, taken once the investigation is done. This is where security orchestration products are useful for automating actions such as blocking an IP, removing a user, changing a machine's settings, or pushing a patch. A modern SOC cannot afford delays in taking response action once an attack is unearthed, and a SIEM does not provide such capabilities either.
SIEM with Multiple Platforms
Finally, there is the task of hunting for advanced attacks, which often go unnoticed in rule-based systems like SIEM. While SIEM vendors are adding pattern-detection capabilities such as user behaviour analytics (UBA) and NetFlow analytics, a separate big-data analytical platform can carry out such model-driven hunting much faster and with a wider range of models.
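As an added example of the kind of NetFlow analytic the hunting paragraph refers to (written for this page, not the author's or any product's own model), the script below looks for beaconing: a host contacting the same destination at regular intervals, which no single-event correlation rule can see because every individual flow looks benign. It groups flow records by (source, destination) and flags pairs whose inter-arrival gaps have a low coefficient of variation. The record format, the minimum flow count and the variation threshold are assumptions; the sample flows are constructed inline.

```python
import statistics
from collections import defaultdict


def inter_arrival(timestamps):
    """Gaps in seconds between consecutive flows, in time order."""
    ts = sorted(timestamps)
    return [later - earlier for earlier, later in zip(ts, ts[1:])]


def beacon_candidates(flows, min_flows=10, max_cv=0.2):
    """Find (src, dst) pairs whose connections arrive at regular intervals.

    flows: iterable of (timestamp_seconds, src_ip, dst_ip) records, the
    minimum a NetFlow export provides. A pair is flagged when it has at least
    min_flows connections and the coefficient of variation (stdev / mean) of
    its inter-arrival gaps is at most max_cv. Both thresholds are assumed
    values to tune per environment; implants with heavy jitter need a looser
    max_cv, at the cost of more false positives from polling software.
    """
    by_pair = defaultdict(list)
    for ts, src, dst in flows:
        by_pair[(src, dst)].append(ts)

    found = []
    for (src, dst), times in by_pair.items():
        if len(times) < min_flows:
            continue
        gaps = inter_arrival(times)
        mean_gap = statistics.mean(gaps)
        if mean_gap <= 0:
            continue
        cv = statistics.pstdev(gaps) / mean_gap
        if cv <= max_cv:
            found.append({"src": src, "dst": dst, "flows": len(times),
                          "period_s": round(mean_gap, 1), "cv": round(cv, 3)})
    return sorted(found, key=lambda r: r["cv"])


def _build_sample_flows():
    """Constructed NetFlow-like records: one host beaconing roughly every
    60 s with +/-2 s jitter, and one host browsing the same server irregularly."""
    flows = []
    t = 0
    for i in range(30):
        t += 60 + (-2, 0, 2)[i % 3]
        flows.append((t, "10.0.7.21", "198.51.100.44"))
    t = 5
    flows.append((t, "10.0.7.22", "198.51.100.44"))
    for gap in (3, 40, 7, 120, 15, 2, 300, 9, 45, 1, 80):
        t += gap
        flows.append((t, "10.0.7.22", "198.51.100.44"))
    return flows


SAMPLE_FLOWS = _build_sample_flows()

if __name__ == "__main__":
    for hit in beacon_candidates(SAMPLE_FLOWS):
        print(f"{hit['src']} -> {hit['dst']}: {hit['flows']} flows, "
              f"period {hit['period_s']}s, cv {hit['cv']}")
```

The browsing host has enough flows to be evaluated but its gaps vary far too much to be flagged; only the 60-second beacon comes out. Over a real flow archive this is a batch job across every (source, destination) pair for a day or a week, which is the scale at which a separate analytical platform earns its keep.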
At a minimum, a modern SOC will need to complement its SIEM with a hunting platform, a triage and investigation platform, and an orchestration platform. It will no longer be sufficient to have only a SIEM with people and processes around it. Can we replace the SIEM? To me, the current SIEM is still the best tool for logs, but it cannot be extended into the complete SOC management platform.
Rajat Mohanty is the Co-founder, Chairman of the Board of Directors and Chief Executive Officer of Paladion Networks. He has been Paladion's Chairman & CEO since the inception of the Company in July 2000.