Posted: 4 Min Read Expert Perspectives

Five Capabilities of a Next-Generation SOC

As attackers evolve, organizations need to rethink the tactics and strategies deployed in their Security Operations Center

Cyber attacks continue to worsen, growing in volume, pace, and sophistication. To stay ahead of these ever-changing threats, the Security Operations Center (SOC) needs to evolve in some important ways:

  1. Threat visibility: Extend to include cloud and on-prem infrastructure
  2. New/unknown attacks: Go beyond logs and rules to find emerging threats
  3. Active defense strategy: Use threat intelligence to make decisions
  4. Hunting and response: Plan, practice, and hunt for unknown threats
  5. Cyber security teams: Extend your SecOps capabilities and human expertise
     

Cyber Defenses: Current Problems, Future Resolution

Why do today’s cyber attacks succeed? Attackers are constantly evolving, and most organizations are struggling in one or more of the following areas:

Cyber security talent—Industrywide, there just aren’t enough people with the required skillset. Despite efforts to retain qualified personnel, and recruit and train the next generation, this problem isn't going away.

Security infrastructure—Without suitable technology, team, and threat intelligence integration, organizations won’t be equipped to monitor threats, prevent attacks, or scale and evolve as threats grow and diversify.

Response time—The above conditions can open the door to successful attacks, which may then go undetected and/or receive a slow or tepid response. That’s when the real damage is done.

SOC Evolution Underway

SOCs are evolving all the time. They tend to start as people-driven and tech-enabled where SOC technology helps people understand what is happening so they can identify policy violations, threats, etc., and take appropriate actions. Nowadays, typical SOCs are more people-driven and tech-enhanced where technology greatly expands what people are able to do and makes them much more efficient.

The next-generation SOC is tech-driven and people-enhanced. That is, it relies more on automation and incorporates tools, like machine learning, that can flag unusual behaviors and identify things we've never seen before. People stay still critical to the process, adding essential business context and cyber defense expertise, making decisions, and providing a check on the technology.

Now, on to the specifics.

Extend Threat Visibility to the Cloud

Can you monitor and protect applications (including shadow IT) and workloads in the cloud—whether in your own data center or a hosted site—as well as across your virtual and on-premises environments? This ability is critical for identifying attacks that come from vectors beyond your traditional perimeter.

Detect the Unknown

Can you detect true zero-day exploits and emerging threats that have not been detected by your security technologies? In all the ‘noise,’ can you tell which activities or behaviors are suspicious and how to best prioritize your next steps?

SOCs need to take greater advantage of technologies like machine learning, which can detect anomalies, trends, and associations. An employee’s online activities that seem ordinary may be revealed as suspicious once they’re compared to baseline behaviors, or considered in sequence or as a group.

SOCs need to take greater advantage of technologies like machine learning, which can detect anomalies, trends, and associations.

Move from Passive to Active Defense

Can you apply countermeasures to deter and deceive an attacker?

The key to an active defense is internal and external intelligence collection, sharing, and analysis. This is what you’ll use to identify attacks; determine who is attacking and why; understand their techniques; and determine the appropriate response.

Deception technology is one of the best ways to bait attackers into showing themselves and revealing their intent and tactics. It can also delay an attacker’s reconnaissance efforts.

Prepare for a Rapid Response

Are you ready to respond to a breach? Can you hunt for attackers who may have slipped past your defenses?

It’s critical to review, test, identify gaps, and make sure everyone knows their part in your organization’s cross-functional incident response plan. Take all lessons learned from tabletop exercises and actual incidents and build those back into your plan.

Threat hunting is a key strategy for finding and rooting out threats burrowed in your network. You need to deeply inspect systems and data and use threat intelligence to hunt for signs of compromise. Then rapidly observe, contain, and eradicate the threat.

Scale Your Cyber Teams

Can your security teams keep up and the cyber threats grow? It’s a challenge for every security organization to reduce burnout and retain top talent, regardless of size.

Help your teams to do more by offloading and automating as much as you can, including threat monitoring and prioritization.  Offer staff career paths and learning opportunities to hone their craft. Train all your employees as your first line of defense; this makes your organization much safer by reducing the attack surface for new threats to enter your network. 

For a continued discussion of these challenges and solutions Symantec offers, watch this recorded webcast: 5 Capabilities of a Next-Generation SOC

About the Author

Antonio Forzieri

Global Cyber Security Practice Lead

Antonio Forzieri is the strategic and technical advisor for Symantec’s Cyber Security Services, helping customers strengthen their cyber defense with expert threat monitoring, managed intelligence and incident response services.

Want to comment on this post?

We encourage you to share your thoughts on your favorite social platform.