Security Operations Center
The need for a generational change
The risk posed by cyber threats is higher than ever, according to the BSI (Federal Office for Information Security) in its latest management report on the state of IT security in Germany in 2021. Nine percent of respondents said they see the very existence of their business endangered by cyber attacks. According to the industry association Bitkom, 86 percent of all companies have suffered damage from cyber attacks. Bitkom names ransomware as the main cause of failures of information and production systems and of disruption to operational processes. The resulting financial losses have risen by 358 percent since 2019.
Cyber threats have not only become more numerous. Cybercriminals are also acting more professionally, particularly in digital extortion. Ransomware has been refined into a lucrative business model, complete with convenient ransomware-as-a-service offerings.
Andreas Riepen, Head of Central & Eastern Europe (CEE) at Vectra AI explains why the classic SOC should be updated urgently.
Andreas Riepen from Vectra AI
Against the backdrop of these threats, it is becoming increasingly difficult for companies to maintain cyber security, and with it business continuity, and to stay compliant. At the same time, the state needs to drive the digital transformation strategically and steer it along controlled paths. In its “Implementation Strategy for shaping the digital transformation”, the Federal government, now acting in a caretaker capacity, has already defined the decisive fields of action for the current legislative period. Digitization is also one of the core topics of the prospective traffic light coalition in its current exploratory talks. Germany in particular, which set the urgently needed digital transformation in motion with Industry 4.0 among other initiatives, must now lead by example on cybersecurity.
There is no shortage of initiatives for the digital future, but companies still have catching up to do on security if the opportunities of digitization are not to be put at risk. Security experts are often overloaded and under-resourced. This starts in the Security Operations Center (SOC), which in too many cases still runs on an outdated model. The complexity of unmanaged or rogue devices, remote employees and multi-cloud environments makes the environment to be protected hard to keep in view. On top of these transformative changes come the advanced attack methods used in today’s ransomware and supply chain attacks. For a company that does not commit to modernizing its cybersecurity, these can end catastrophically.
Outdated detection systems open doors for new attacks
What might be called SOC 1.0 is usually the combined use of older detection tooling, typically a SIEM (Security Information and Event Management) fed by signature-based IDS (Intrusion Detection System) alerts, operated in a way that is no longer adequate against modern threats. The tools used so far generate high operating costs for limited results, miss attacks that are already in progress, and concentrate on preventing attacks rather than building resilience against them. Because today’s attack tactics have overtaken the old SOC, analysts increasingly have to dig manually through limited data sources, only to reach inaccurate conclusions. The result is a lack of insight into what is actually happening, and a security team worn down by inefficient workflows at a high price.
The time for change has come, because it has been shown again and again that prevention alone fails to catch ransomware attacks. The only remaining chance to stop such an attack is to detect and interrupt the attackers’ movements inside the environment. In addition, attackers today have many ways to bypass MFA (push-notification fatigue, phishing proxies that relay a live session, or theft of an already issued session token, to name three). Endpoint detection is important, but on its own it is no remedy against a cunning attacker who is logging in with stolen, valid credentials. That is the bad news. The good news is that defending against today’s attacks does not have to be overly complicated.
Towards a modernized SOC
While the customer experience was the priority before the pandemic, companies now have to put the employee experience first. Remote work has proven effective, which means the region’s talented IT professionals can work wherever they want. So while companies are building SOCs, they need to create ecosystems that relieve the burden on skilled staff. Otherwise they risk losing the most qualified candidates to employers abroad.
This is one more reason to modernize and to choose a future-proof approach that puts visibility and workflows in the foreground and acts as a kind of digital Labrador retriever: it sniffs out attackers despite their evasive tactics and drops them at the threat hunter’s feet. The modern SOC still relies on event logs and SIEM tactics, but supplements them with far richer endpoint and network data. The disciplines of Endpoint Detection and Response (EDR), AI-driven Network Detection and Response (NDR) and User and Entity Behaviour Analytics (UEBA) are combined. This SOC 2.0 spans on-premises, cloud and cloud-native applications and can therefore detect previously unknown suspicious processes as well as lateral movement.
Using AI in the SOC can improve the security posture right away. With the right AI platform, organizations can improve alert accuracy, streamline investigations, detect threats and raise overall performance, so that analysts know exactly which threats to prioritize. AI is very good at processing large volumes of data quickly and efficiently, while humans are exceptionally good at dealing with ambiguity and putting information in context. AI can therefore help the SOC play to the strengths of each side. No analyst is watching how an attack unfolds in the middle of the night, but the right AI can automatically catch and stop that attack and take the load off the specialists.
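The two points above, that a prevention control has nothing to block when an attacker logs in with valid credentials, and that the movement only becomes visible when endpoint, network and user-behaviour data are combined and prioritized, can be made concrete with a small behavioural detector. The following Python is an added example written for this article; it is not code from Vectra AI or from the original text. The logon events, host names, the 15-minute window, the threshold and the list of high-value hosts are all constructed assumptions.

```python
"""Added illustration of behaviour-based lateral-movement detection.

Not code from the article or from Vectra AI. Event records, host names,
the 15-minute window, the threshold and the high-value host list are all
constructed assumptions for this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events, loosely modelled on Windows logon records
# (event ID 4624, logon type 3 = network logon). Not real log data.
# Fields: timestamp, user, source host, destination host, logon type, success
BASELINE_EVENTS = [
    ("2021-10-01T08:02:00", "alice", "WS-ALICE", "FS01", 3, True),
    ("2021-10-01T08:03:00", "alice", "WS-ALICE", "WEB01", 3, True),
    ("2021-10-02T08:05:00", "alice", "WS-ALICE", "FS01", 3, True),
    ("2021-10-02T09:10:00", "bob", "WS-BOB", "FS01", 3, True),
    ("2021-10-03T08:01:00", "alice", "WS-ALICE", "WEB01", 3, True),
    ("2021-10-03T09:12:00", "bob", "WS-BOB", "FS01", 3, True),
]

RECENT_EVENTS = [
    # Normal working hours for both users.
    ("2021-10-15T08:00:00", "alice", "WS-ALICE", "FS01", 3, True),
    ("2021-10-15T09:00:00", "bob", "WS-BOB", "FS01", 3, True),
    # Valid credentials (stolen, or MFA bypassed) used from alice's own
    # workstation at night to reach hosts alice has never touched before.
    ("2021-10-15T02:14:00", "alice", "WS-ALICE", "DC01", 3, True),
    ("2021-10-15T02:15:30", "alice", "WS-ALICE", "SQL01", 3, True),
    ("2021-10-15T02:16:10", "alice", "WS-ALICE", "HR-APP01", 3, False),
    ("2021-10-15T02:17:45", "alice", "WS-ALICE", "HR-APP01", 3, True),
    ("2021-10-15T02:19:00", "alice", "WS-ALICE", "BACKUP01", 3, True),
    # One new destination for bob: below the threshold, so not an alert.
    ("2021-10-15T10:30:00", "bob", "WS-BOB", "WEB01", 3, True),
]

# Assumed high-value assets; in practice this comes from the asset inventory.
HIGH_VALUE_HOSTS = {"DC01", "BACKUP01"}


def build_baseline(events):
    """Learn, per user, the destinations reached during a known-clean period."""
    profile = defaultdict(set)
    for _ts, user, _src, dst, _ltype, ok in events:
        if ok:
            profile[user].add(dst)
    return profile


def detect_lateral_movement(events, baseline, window=timedelta(minutes=15), threshold=3):
    """Flag a user who, within `window`, successfully logs on over the network
    to at least `threshold` distinct hosts absent from that user's baseline.

    Each individual logon here is a valid credential succeeding, so a
    per-event signature rule or a prevention control has nothing to block;
    only the pattern across hosts and time reveals the movement.
    """
    unusual = defaultdict(list)
    for ts, user, src, dst, ltype, ok in events:
        if ok and ltype == 3 and dst not in baseline.get(user, set()):
            unusual[user].append((datetime.fromisoformat(ts), src, dst))

    findings = []
    for user, hits in unusual.items():
        hits.sort()  # events may arrive out of order
        for i, (t0, _src, _dst) in enumerate(hits):
            burst = [h for h in hits[i:] if h[0] - t0 <= window]
            new_hosts = {dst for _t, _s, dst in burst}
            if len(new_hosts) < threshold:
                continue
            # Simple triage score: breadth of movement, with a large bonus
            # for touching high-value assets.
            score = len(new_hosts) + 5 * len(new_hosts & HIGH_VALUE_HOSTS)
            findings.append({
                "user": user,
                "sources": sorted({src for _t, src, _d in burst}),
                "new_hosts": sorted(new_hosts),
                "first_seen": burst[0][0].isoformat(),
                "last_seen": burst[-1][0].isoformat(),
                "score": score,
            })
            break  # one finding per user is enough to open an investigation
    return sorted(findings, key=lambda f: f["score"], reverse=True)


if __name__ == "__main__":
    profile = build_baseline(BASELINE_EVENTS)
    for finding in detect_lateral_movement(RECENT_EVENTS, profile):
        print(finding)
```

Run as-is, the block reports a single finding for alice covering DC01, SQL01, HR-APP01 and BACKUP01 with a score of 14, while bob’s one new destination stays below the threshold. The failed logon to HR-APP01 is deliberately ignored: counting only successes keeps a noisy scanner from inflating the count, and the successful retry a minute later is what matters. A real UEBA or NDR product would learn the baseline continuously, add network flows and process data alongside logon records, and tune the window and threshold per environment, but the shape of the logic, learn what is normal per user and alert on a burst of never-before-seen destinations, is the same.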
A breath of fresh air for security analysts
AI and machine learning (ML)-based detection can pick out high-risk behaviours, while other AI tooling automates much of the old SOC’s manual Tier 1 workflow. The modernized SOC becomes an out-of-the-box “cyberwatcher” that trains and improves itself. As a result, the rate of false positives drops significantly and alert fatigue is greatly reduced.
SOC modernization is the way forward for any company that wants to run an efficient, sustainable security operations center. Threat investigation is far more productive when it rests on solid, precise analysis by intelligent systems and is then evaluated by trained professionals, who only need to work through a greatly reduced list of suspicious activities instead of hunting for the threatening needle in the digital haystack.
Since regulatory compliance keeps many stakeholders up at night, a modern SOC can also significantly improve governance and strengthen the trust of regulators, investors and customers. The ability to detect, evaluate and prioritize threats in real time enables a quick and effective response and prevents costly and reputation-damaging breaches. Fewer working hours, better results, lower costs and faster remediation all speak for SOC 2.0. Reliable compliance with ever stricter regulations and the ability to repel unknown and covert attacks are further pluses. Together they make an approach that is worth a closer look.