A security operations center (SOC) is a command center facility for a team of information technology (IT) professionals with expertise in information security (infosec) who monitor, analyze, and protect an organization from cyber attacks.
Security teams are defending an increasingly amorphous battleground against a diverse, ever-improving set of threats and adversaries. They need a cutting-edge command center. Of the technologies and techniques listed below, none alone can completely meet the need. But together, they build a modern, more effective security operations center that’s up to taking on today’s threats.
• Zero trust: Focused on users, assets, and resources rather than a network perimeter, zero trust minimizes security risks. The model is built on three principles:
1) verify everyone and everything,
2) provide the least privileged access, and
3) assume you’ve been breached.
Focusing on data security, zero trust rigorously authenticates the end user. It’s a necessary strategy shift for a more fragmented and distributed security environment.
• Security operations process automation: It’s essential. You can’t have human analysts respond to every attack. Instead, they can write the rules so that automated solutions identify and respond to those attacks without human intervention faster than a live actor could manage. Security orchestration, automation, and response (SOAR) and user and entity behavior analytics (UEBA) are often where automation makes its mark.
• Modern SIEM: This is where the analytics investment we found in our research comes to fruition. Security information and event management (SIEM) systems offer full visibility into activity within your network, empowering you to respond to threats in real-time.
• Training and staffing: This is every organization’s struggle. All these other technologies help you do more with a leaner team, but ultimately, a growing organization facing growing threats needs to expand its security team. You can improve the effectiveness of your analysts through automation and analytics, and you can improve training by reducing the number of tools they have to use to get the job done.
That modernized SOC will include an arsenal of the best tools and customization available. But that can create its own headaches, in terms of training and the ability to understand an incident with data from multiple sources. In a complex, multi-cloud, multi-service environment, it’s essential to be able to see all that data, not just traditional security data.
This highest-level, end-to-end perspective is vital not only to security and compliance efforts but to successful development and operations as well. A consolidated view of the data creates a single source of truth for security and IT teams.
After the SolarWinds hacks, we’re all worried about enemies who might use our friends to exploit our systems and networks. The first principle, to audit your vendors, is harder than it sounds because your one “video conferencing vendor” or “payment processing vendor” is actually composed of maybe a half-dozen business systems connected through external APIs and services. You need visibility into every data component and flow. You also need to know how to respond quickest when a breach is discovered, both to shut it down and to determine which data may have been compromised.
For supply chain threats (and any other kind), you need to improve your ability to see suspicious lateral movement within your networks. Whether bad guys sneak in through a vendor’s software patch or an employee’s stolen credentials, you’ll want to be able to spot them as they slither through your network looking for the goods.
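The kind of analyst-written rule the automation and lateral-movement points above describe, as an added example that is not part of the original article or of any vendor's product: a SIEM-style detection that flags an account successfully authenticating to many distinct hosts inside a short window (a common lateral-movement signal). The log format, host names, window and threshold are assumptions constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication events (not from any real environment).
# Each line: timestamp, user, source host, destination host, outcome.
SAMPLE_LOG = """\
2024-03-01T09:00:12 alice ws-01 fs-01 success
2024-03-01T09:00:40 alice ws-01 fs-02 success
2024-03-01T09:01:05 alice ws-01 db-01 success
2024-03-01T09:01:30 alice ws-01 app-03 success
2024-03-01T09:01:55 alice ws-01 app-04 success
2024-03-01T09:30:00 bob ws-02 fs-01 success
2024-03-01T10:15:00 bob ws-02 fs-01 success
2024-03-01T11:00:00 carol ws-03 mail-01 failure
"""


def parse_events(text):
    """Parse the constructed whitespace-separated log into event dicts."""
    events = []
    for line in text.splitlines():
        ts, user, src, dst, outcome = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "src": src, "dst": dst, "outcome": outcome})
    return events


def detect_fan_out(events, window=timedelta(minutes=5), threshold=4):
    """Alert when one account reaches >= threshold distinct hosts within `window`.

    Only successful logons count: a failed logon is not movement. Events are
    bucketed per user and scanned with a sliding time window, so a user who
    touches the same file server all day never trips the rule.
    """
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["outcome"] == "success":
            by_user[e["user"]].append(e)
    alerts = []
    for user, evs in by_user.items():
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1  # drop events that fell out of the window
            hosts = {e["dst"] for e in evs[start:end + 1]}
            if len(hosts) >= threshold:
                alerts.append({"user": user,
                               "first_seen": evs[start]["ts"].isoformat(),
                               "last_seen": evs[end]["ts"].isoformat(),
                               "hosts": sorted(hosts)})
                break  # one alert per account per run is enough for triage
    return alerts
```

Tune the window and threshold against your own baseline of normal admin activity before wiring the alert into an automated response.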
But weak passwords, poor multifactor authentication methods, and not using a single sign-on solution can punch holes in this strategy. This is where organizations need a modern SOC, and a well-defined and closely monitored identity policy with strong enforcement and monitoring, to fill those gaps.
Security teams should continue to build on this shift because their job is to mitigate potential disasters. At its most fully realized, this takes an organization into DevSecOps, the melding of three interrelated disciplines that, frankly, aren’t usually as interrelated as they should be.
DevOps practices broke down the traditional silos between development and operations teams for faster software development and the high-quality delivery of software and digital experiences. The next step is DevSecOps, integrating security.
DevSecOps brings all three disciplines into one flow with shared goals and measurements, and tools and practices that reduce friction between the three traditionally siloed groups. This provides an opportunity for security automation and introduces security earlier in the development process.
Even if your organization is not ready to embrace this full philosophical shift, you can use the singular experiences of the last 2 years to advocate for the importance of integrated security thinking, at every stage of IT and the business. Musato Technologies offers SOC solutions to improve cyber security and defense capabilities for business infrastructure.