Cyber adversaries constantly leverage sophisticated, malicious applications and legitimate tools to infiltrate organisations and evade existing security controls. To counter such attacks, security teams need to transition from security management to proactive security operations, efficiently thwarting cyber threats before they cause damage.
At a high level, the SOC’s core mission remains to help the enterprise manage cyber risk, but what has changed is the sophistication of cyber threats and the mechanics by which the SOC operates. To protect against and respond to threats successfully, SOCs need deep visibility into organisational activity and must automate key but repetitive functions, freeing analysts to focus on higher-value work such as threat hunting and vulnerability management.
Key functions performed by a modern SOC:
- Preventative security: This covers the actions that thwart an attack and force the attacker to abandon it, including regularly maintaining and updating existing systems, updating firewall policies, patching vulnerabilities, and application whitelisting and blacklisting, among others.
- Data lake normalisation and management: The modern SOC collects, maintains, and regularly reviews events and logs from networks, users, endpoint activity, and communications across the organisation. This data helps threat hunters uncover undetected threat actors and is used for remediation and forensics.
- Continuous proactive monitoring and suspicious activity detection: Tools used by the modern SOC monitor activity continuously and flag any suspicious movements. Monitoring around the clock allows emerging threats to be identified early, giving analysts the best chance to prevent or mitigate harm. Monitoring tools automate behavioural analysis, minimising the amount of triage and investigation the human threat hunters must perform.
- Indicators of compromise and attack triage, prioritisation, and correlation: Supported by automated security analytics (ML/AI), SOC analysts look at each alert and indicator of attack, discard any false positives, and determine the criticality of threats. This allows them to triage emerging threats appropriately, handling the most urgent issues first.
- Threat hunting: Threat hunting is an analyst-centric process that enables organisations to proactively uncover hidden and advanced threats missed by automated preventative and detective controls. The aim is to stop them before damage is done; where hunting logic is automated, it can surface the indicators of attack that need investigation, so the threat is detected earlier.
- Root cause investigation: In the aftermath of an incident, or while the attack is still under way, the modern SOC is responsible for working out exactly what happened – when, how, and why. During this investigation, SOC analysts use logs, events, threat intelligence, and security analytics to respond efficiently and prevent similar problems.
- Threat response: As soon as an incident is confirmed, the modern SOC can act as a first responder, performing containment actions such as isolating endpoints, terminating harmful processes, and deleting files. The goal is to respond while minimising the impact on business continuity.
- Remediation and recovery: In the aftermath of an incident, the modern SOC works to restore all affected systems. This may include wiping and rebuilding endpoints, reconfiguring systems, or, in the case of ransomware attacks, restoring from viable backups to circumvent the ransomware.
- Lessons learned: Although often overlooked, lessons-learned sessions are crucial to improving an organisation’s security posture and its readiness for future incidents. They help evaluate the organisation’s security risks and incident response performance, identify challenges, and improve incident response capabilities going forward.
- Optimisation of the security operations model: An effective defensive strategy requires an adaptive security architecture that enables organisations to run optimised security operations, increasing efficiency through integration, automation, and orchestration while improving the organisation’s security posture.
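To make the triage, prioritisation and correlation step concrete, here is an added example (not code from the original article or from Dolos). It discards alerts that match an analyst-maintained false-positive allowlist, correlates the remaining alerts per host within a time window into cases, and ranks the cases by the highest single severity plus the breadth of distinct detection rules involved. The alert records, rule names, hostnames, process names and allowlist entries are all constructed for illustration and are assumptions, not real detections.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample alerts (assumed format; not from any real environment).
# Each alert is what a monitoring tool might emit: timestamp, host, user,
# the detection rule that fired, its severity (1 low .. 5 critical), process.
SAMPLE_ALERTS = [
    {"ts": "2024-05-01T09:00:05", "host": "ws-042", "user": "alice",
     "rule": "suspicious_powershell", "severity": 3, "process": "powershell.exe"},
    {"ts": "2024-05-01T09:02:40", "host": "ws-042", "user": "alice",
     "rule": "new_scheduled_task", "severity": 2, "process": "schtasks.exe"},
    {"ts": "2024-05-01T09:03:10", "host": "ws-042", "user": "alice",
     "rule": "outbound_rare_domain", "severity": 4, "process": "powershell.exe"},
    {"ts": "2024-05-01T09:30:00", "host": "srv-db1", "user": "svc_backup",
     "rule": "mass_file_read", "severity": 3, "process": "backup_agent.exe"},
    {"ts": "2024-05-01T11:15:00", "host": "ws-017", "user": "bob",
     "rule": "new_scheduled_task", "severity": 2, "process": "schtasks.exe"},
]

# (rule, process) pairs that analysts have previously reviewed and documented
# as benign. Constructed example: the backup agent legitimately reads many files.
FALSE_POSITIVE_ALLOWLIST = {("mass_file_read", "backup_agent.exe")}


def is_false_positive(alert):
    """An alert is discarded only when its exact rule/process pair is allowlisted."""
    return (alert["rule"], alert["process"]) in FALSE_POSITIVE_ALLOWLIST


def correlate(alerts, window=timedelta(minutes=15)):
    """Group alerts on the same host into cases when each alert falls within
    `window` of the previous one on that host (simple time-window clustering)."""
    by_host = defaultdict(list)
    # ISO-8601 timestamps sort correctly as strings.
    for alert in sorted(alerts, key=lambda a: a["ts"]):
        by_host[alert["host"]].append(alert)

    cases = []
    for host_alerts in by_host.values():
        current = [host_alerts[0]]
        for alert in host_alerts[1:]:
            prev_ts = datetime.fromisoformat(current[-1]["ts"])
            if datetime.fromisoformat(alert["ts"]) - prev_ts <= window:
                current.append(alert)
            else:
                cases.append(current)
                current = [alert]
        cases.append(current)
    return cases


def score_case(case):
    """Criticality: highest single severity, plus one point for every additional
    distinct rule (several different behaviours on one host suggests a chain)."""
    distinct_rules = {a["rule"] for a in case}
    return max(a["severity"] for a in case) + (len(distinct_rules) - 1)


def triage(alerts):
    """Discard allowlisted false positives, correlate, then rank most urgent first."""
    kept = [a for a in alerts if not is_false_positive(a)]
    ranked = sorted(correlate(kept), key=score_case, reverse=True)
    return [{"host": case[0]["host"],
             "rules": sorted({a["rule"] for a in case}),
             "alerts": len(case),
             "score": score_case(case)}
            for case in ranked]


if __name__ == "__main__":
    for case in triage(SAMPLE_ALERTS):
        print(case)
```

Run as written, the three alerts on ws-042 collapse into one case that outranks the lone scheduled-task alert on ws-017, while the backup agent's file reads never reach an analyst. In practice the allowlist would be a reviewed, versioned artefact and the scoring would draw on asset criticality and threat intelligence as well, but the shape of the pipeline (filter, correlate, rank) is the same.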
Technology enables SOC functions to scale
Each of the SOC functions is critically dependent on technology. The right technological approach will significantly influence the organisational capabilities and cost when minimising the time to detect and respond to threat actors. Security operations teams tend to favour a modern and highly integrated Cloud-based platform that delivers all of the following:
- Centralised visibility and search: This involves a centralised investigation into all data from across the distributed IT infrastructure, including immediate access to security alerts and complete telemetry to accelerate threat investigation and incident response with real-time visibility.
- Holistic threat analytics: This is the application of artificial intelligence, TTP-based scenario analytics, and deep contextual analytics across the forensic data to detect advanced threats and accurately prioritise all threats across the entire attack surface.
- Incident case management: This is the application of capabilities that enable security teams to engage in collaborative and efficient workflows with a centralised and secure case management platform for managing and accelerating threat investigation and incident response efforts.
- Task automation: This is the automation of routine and time-consuming tasks to support threat investigation and incident response, including automated execution of mitigations and countermeasures for threat containment and neutralisation.
- Operational metrics: This involves the ability to easily capture metrics and effectively report on the business’s key performance indicators (KPIs) and service-level agreements (SLAs).
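As an added example of the operational-metrics capability (not code from the original article or from Dolos), the following computes two common response-time KPIs per severity from incident records and checks each against an SLA target. The incident records, timestamps and SLA thresholds are constructed for illustration and are assumptions, not values from any real SOC or standard.

```python
from datetime import datetime
from statistics import median

# Constructed incident records (assumed format). Each carries the moment the
# incident was detected, when an analyst acknowledged it, and when it was contained.
INCIDENTS = [
    {"id": "INC-1", "severity": "high", "detected": "2024-05-01T09:03:10",
     "acknowledged": "2024-05-01T09:10:00", "contained": "2024-05-01T09:45:00"},
    {"id": "INC-2", "severity": "high", "detected": "2024-05-02T14:00:00",
     "acknowledged": "2024-05-02T14:40:00", "contained": "2024-05-02T18:00:00"},
    {"id": "INC-3", "severity": "low", "detected": "2024-05-03T08:00:00",
     "acknowledged": "2024-05-03T10:00:00", "contained": "2024-05-03T16:00:00"},
]

# Assumed SLA targets in minutes, per severity and response stage (example values).
SLA_MINUTES = {
    "high": {"acknowledge": 15, "contain": 60},
    "low": {"acknowledge": 240, "contain": 1440},
}


def minutes_between(start, end):
    """Elapsed minutes between two ISO-8601 timestamps."""
    delta = datetime.fromisoformat(end) - datetime.fromisoformat(start)
    return delta.total_seconds() / 60


def incident_metrics(incident):
    """Time from detection to acknowledgement and to containment, in minutes."""
    return {
        "acknowledge": minutes_between(incident["detected"], incident["acknowledged"]),
        "contain": minutes_between(incident["detected"], incident["contained"]),
    }


def sla_report(incidents, sla=SLA_MINUTES):
    """Per severity: incident count, median minutes per stage, percentage of
    incidents that met the SLA, and the ids of those that breached it."""
    report = {}
    for severity in sorted({i["severity"] for i in incidents}):
        group = [i for i in incidents if i["severity"] == severity]
        metrics = [incident_metrics(i) for i in group]
        entry = {"count": len(group)}
        for stage in ("acknowledge", "contain"):
            target = sla[severity][stage]
            values = [m[stage] for m in metrics]
            met = sum(1 for v in values if v <= target)
            entry[stage] = {
                "median_minutes": median(values),
                "sla_met_pct": round(100 * met / len(values), 1),
                "breaches": [i["id"] for i, m in zip(group, metrics) if m[stage] > target],
            }
        report[severity] = entry
    return report


if __name__ == "__main__":
    for severity, entry in sla_report(INCIDENTS).items():
        print(severity, entry)
```

The breach list is the useful part for a lessons-learned session: a percentage alone hides which incidents were slow, whereas naming INC-2 as both the acknowledgement and the containment breach points straight at the case to review.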
Contact Dolos to learn more about how modern SOCs can automate your security operations and increase your organisation’s overall efficiency.