Security teams must coordinate and work according to standard procedures to ensure that their efforts deliver the maximum results. Learn some tips from an industry insider on how to make this possible.
A Security Operations Center (SOC) consists of a dedicated team of people who handle information security to protect the company. Although not every company has a SOC (or the means to set one up), they are often found in medium to large organizations and in companies that handle financial transactions.
I have served in two positions, as a system administrator and as a cyber security analyst, working for small organizations, but I have not had the opportunity to work in a SOC. One of the many challenges I encountered while handling security operations was processing the huge number of alerts I received and distinguishing the false positives from the real threats.
I spoke with Gaurav Banga, CEO and founder of AI cyber security company Balbix, to get his opinion about the work of SOCs and how cyber security is changing.
Scott Matteson: What are the main objectives of a SOC?
Gaurav Banga: A SOC is responsible for protecting an organization against threats 24/7. When a SOC is alerted to an ongoing vulnerability or incident, it must take action as soon as possible to minimize or eliminate the damage caused while maintaining the uptime of mission-critical activities.
Scott Matteson: What are the challenges for a typical SOC?
Gaurav Banga: Some SOCs can receive more than one million alerts per day, and most SOC analysts can only manage around 20 to 25 alerts per day. What is worse is that the number of unfilled cyber security positions is expected to be 1.8 million by 2022, a 20% increase from 2015. As a result, traditional SOCs do not have the resources and tools needed to effectively handle all of the security alerts and SIEM (security information and event management) logs they receive.
Scott Matteson: Why do organizations struggle with the amount of warnings produced by their security controls?
Gaurav Banga: Traditional SOCs struggle with the volume of daily alerts produced by their SIEM logs. Triaging these alerts takes a lot of effort, and it is essentially a reactive exercise, because an attack may already have affected some business systems. There are also many false positives among these alerts, which further aggravates the situation. Since organizations usually lag behind in patching their systems and resolving other vulnerabilities, cyber criminals can look for one of the vulnerabilities in the corporate network and gain unauthorized access.
Scott Matteson: How can organizations solve this problem?
Gaurav Banga: SOCs must be intelligent and self-learning in order to develop a proactive approach to security. To do this, SOCs must use modern tools that apply specialized AI algorithms to automatically discover all IT assets and users and to monitor them all for risk across hundreds of attack vectors. Such tools can help find, contextualize, and prioritize the threats that need to be addressed based on risk.
Scott Matteson: What influence does the adoption of GDPR and CCPA have on SOCs?
Gaurav Banga: The adoption of GDPR and CCPA should encourage SOCs to take a proactive approach to cyber defense, if they have not already done so. The consequences of a data breach speak for themselves. Companies are liable for fines of 4% of annual worldwide turnover or €20 million for non-compliance with the GDPR. CCPA enforcement takes place through a private right of action for data breaches, with the rest of the law subject to enforcement by the California Attorney General with a maximum of $2,500 per violation.
Scott Matteson: Which security tools or platforms are used by effective SOCs?
Gaurav Banga: Effective SOCs use automated security tools and AI-powered platforms that are able to discover all resources and users, continuously monitor hundreds of attack vectors, maintain real-time visibility into the inventory of devices, apps and users as well as the attack surface, and provide a continuous and comprehensive risk assessment. This allows SOCs to address vulnerabilities based on business risk, anticipate threats in order to take proactive mitigating actions, and improve the overall relevance of reports to CIOs and CISOs for governance.
Scott Matteson: What should the SOC of the future include to keep pace with evolving security threats?
Gaurav Banga: The SOC of the future will be predictive and proactive. It must have automated self-learning tools to continuously measure and manage the overall cyber security posture of the corporate network before the adversary can attack. Such SOCs have extensive, real-time situational awareness of their inventory, vulnerabilities, exposure, relevant threats, active compensating controls and the relative business criticality of their various assets.
Scott Matteson: Which career elements are useful for SOC employees?
Gaurav Banga: Finding the right staff, with the right training and experience, can be a challenge.
The best SOC analysts think like their adversaries and analyze threats and attacks using a combination of inductive and deductive reasoning, as well as good technical and business knowledge.
Most SOCs are organized into two operational groups. The first is the operations team, which continuously monitors screens for possible anomalies and for the events and risks that are detected. Good knowledge of the elements of breach risk and attack vectors, and familiarity with modern AI and automation tools, is crucial.
The second is the incident response team, which deals with active breach events. These engineers have more advanced skills and are usually responsible for forensic investigation, advanced malware analysis, and the training and guidance of more junior staff.
Scott Matteson: How do you advise SOC employees to keep the employees of the organization trained?
Gaurav Banga: CISOs and SOCs have discovered that gamification is an effective strategy for educating the employees of their organization about cyber security and reducing ownership of cyber risk management. Gamification of an enterprise's cyber security processes involves harnessing people's natural desires for competition, learning, achievement and recognition to reduce the company's risk of a breach.