Taking a Data-Driven Approach to SOC OperationsLEON WARD
Today’s escalating threat landscape means that security operations teams face a multitude of challenges. This can make it challenging for them to keep pace with the sheer scale of threats, tactics and techniques that bad actors frequently use. When you consider recent ransomware attack statistics, it is easy to see that cybercrime has intensified, with a record-breaking number of threats of increasing severity taking place year-on-year. In fact, according to Cybersecurity Ventures, ransomware is expected to attack a business, consumer, or device every 2 seconds by 2031, up from every 11 seconds in 2021. Global ransomware costs are expected to rise from $20 billion in 2021 to $265 billion by 2031.
SOC teams are drowning in data
SOC teams are under pressure to detect security events and rapidly respond, This is hard to do when they are drowning in data. As the number of devices, elements and sources of data increase, so does the number of tasks associated with processing that data into anything useful that the teams can utilize. Add to this the introduction of many new cloud environments, especially with the ‘new normal’ hybrid and remote workforce and this also generates a staggering array of event data.
Inevitably, security analysts can find themselves becoming fatigued with the volume of alerts as they face a growing backlog of investigation tickets that need to be resolved. Consequently, it is easy for ‘real’ alerts to get missed.
Furthermore, a lack of strong technology integration tools used for detection and investigation of incidents can also impede security analysts. Many security technologies simply don’t interoperate and integrate well or easily, and sometimes they don’t have the ability to integrate at all. This can lead to SOC teams struggling to align data sets and coordinate detection and response across disparate technologies.
A lack of resources is compounding the issue
SOC teams often face a lack of resources and skilled experienced analysts capable of understanding how to detect and respond to security incidents. To this point in the 2021 SANS SOC survey, lack of skilled staff was cited as the greatest barrier to full SOC utilization. Add to this a real lack of unification in teams, whereas most SOC teams rely on a partnership with IT operations and other developer teams across the business. However, often these teams work in silos with little integration and cooperation between them which means that detection and response to incidents can be hindered or limited at best.
As a result of the key challenges outlined above i.e. a lack of resources, limited cooperation and integration with other IT teams, a lack of technology integration and the sheer data overload of alerts and other notifications, the job of the security operations and threat intelligence teams is becoming increasingly difficult.
On the one hand they need all this data to understand more clearly what to look for and how best to prioritize. On the other hand, the sheer quantity of data, many tools and processes are now ingesting and producing is overwhelming for teams already taxed with many other security operations tasks.
A more unified and centralized approach
This is where our extended detection and response (XDR) solution helps because it aggregates data between disparate security technologies to provide a more unified, centralized, and consolidated system. Our ThreatQ Platform ingests data from a wide variety of sources, normalizing all this data (including removing any duplicate data) and correlates this to inform security narratives. This then helps to facilitate and prioritize threats for investigation and focused detection, integration, and response. It translates data for both investigation and responses and also exports to other tools and services for remediation. For example, it also integrates with SIEM, NDR, EDR, SOAR and sandbox tools and many others. This enables organizations to undertake customized risk scoring and reporting so that the business can accurately highlight the areas that they are most interested in analyzing.
Once data has been ingested into ThreatQ, the platform compiles a threat library that includes a wide variety of threat details, including adversaries, indicators of compromise (IoCs), attack patterns, malware, vulnerabilities, documented incidents, campaigns and more. Additionally, a separate module – ThreatQ Investigations – can be used alongside the core platform which allows organizations to create collaborative visual models of threat data in order to explore all facets of threats and attack scenarios. Tasks can also be created for threat hunting and other investigation functions. And finally, we also have another module, our ThreatQ Data Exchange, which allows the SOC team to create dedicated threat intelligence sharing relationships with a variety of parties. What is great about this is that they can specify what data to send with a high degree of granularity and they can also obscure the source of data.
Taking a data-driven approach
In today’s escalating threat environment, security is high on the C-suite agenda where directors are demanding that SOC teams rapidly respond and neutralize threats to the business. The only way to deal with this is through automation so that the SOC team can more easily aggregate a wide variety of data into a single location for analysis and correlation. Therefore, for those businesses that want to organize security threat data and become more productive with better and more efficient insights across the SOC teams, they should look at using a solution like the ThreatQ Platform. If you are interested in understanding more about the capabilities of the platform, download the latest SANS Institute white paper: The SOC of the future is data-driven which provides an independent review of the ThreatQ Platform.
– Ends –
 “A SANS 2021 Survey: Security Operations Center (SOC),” October 2021, www.sans.org/white-papers/sans-2021-survey-security-operations-center-soc [Registration required.]