The Security Operations Centre (SOC) is the nerve centre of an organisation's security defences. In its early days, the SOC focused mainly on meeting and assessing regulatory compliance. Since SOCs first emerged in the mid-90s, however, they have evolved at break-neck speed and show no signs of slowing down.
The pandemic forced many SOC teams to rethink the way they operate. For many, the priority became making sure that employees could work effectively from home, which increased the organisation's dependence on cloud-based applications and services. That change introduced serious security risks and elevated the role of the SOC: investments in cloud-based infrastructure widened an already broad attack surface and exposed corporate networks to new vulnerabilities. As SOCs mature, they are advancing their objectives and making more concerted efforts to stop threats before they cause damage, rather than only detecting and responding to them after the fact.
While companies have started bringing workers back to the office as COVID-19 restrictions have eased, remote working is here to stay and will require many changes to ensure operational resilience. Here are the key areas that SOC teams should pay attention to as they adapt to an ever-changing threat landscape.
Harnessing the power of technology
The vast majority of organisations increased their adoption of advanced security technologies during the pandemic. In a recent study of SOC maturity, 79% of SOC teams agreed that their company had increased the deployment of these technologies in the past year. That is unsurprising, since the majority of respondents also agreed that their security budgets had increased.
Moving forward, SOC teams will need to up their game when it comes to the tools they use to manage the risks of modern cyberattacks, including attacks that themselves leverage artificial intelligence (AI). To level the playing field, SOC teams are increasingly adopting AI and machine learning (ML) to improve the detection of advanced threats. Nearly 60% of respondents placed this goal among their top three primary roles for automation, ML and cognitive security. The second and third most-selected roles were improving the detection of data loss and exfiltration, and improving the detection of insider threats.
Insider threats are a particularly interesting topic given the shift to remote work over the last year. As employees began working from home and adapting to a new way of life, their schedules, workplaces and overall behaviour became more flexible and less predictable. This has made technologies like behavioural analytics, backed by unsupervised machine learning, increasingly important as SOCs seek to maintain cyber resilience during periods of significant change. The ability to continually establish and update a baseline of normal behaviour for users and entities, and to flag deviations from it, lets security teams monitor, understand and secure their organisations and remote workforce. The caveat is that a baseline is only as good as the data it was learned from: a user whose working pattern has genuinely changed will look anomalous until the baseline catches up, and a model that re-learns from every event, including the suspicious ones, can be taught to accept an attacker's activity as normal.
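The following is an added example written for this page, not code from the original article or from any product it mentions. It shows, in miniature, what "continually establish and update the baseline behaviour of users" means in practice: a per-user rolling baseline of login hours, source countries and upload volume over constructed sample sessions, with each new session scored against it. It also handles the two caveats above, a cold start (no score until enough history exists) and baseline poisoning (flagged sessions do not train the model unless an analyst confirms them). The field names, thresholds, user names and sample events are assumptions made for the example.

```python
"""Added illustrative example (not from the original article): a toy
user-and-entity behaviour baseline. Field names, thresholds and the sample
sessions are assumptions made for this example."""
from __future__ import annotations

from collections import Counter, defaultdict, deque
from dataclasses import dataclass
from statistics import mean, pstdev

MIN_EVENTS = 10     # cold start: do not score a user until this many sessions
WINDOW = 200        # rolling window so the baseline follows gradual change
Z_THRESHOLD = 3.0   # upload volume > 3 standard deviations above the user's mean


@dataclass(frozen=True)
class Event:
    user: str
    hour: int        # local hour of day, 0-23
    country: str     # geolocated source country of the session
    bytes_out: int   # bytes uploaded during the session


class UserBaseline:
    """Per-user baseline over the last WINDOW accepted sessions."""

    def __init__(self) -> None:
        self.events: deque[Event] = deque(maxlen=WINDOW)
        self.hours: Counter[int] = Counter()
        self.countries: Counter[str] = Counter()

    def update(self, ev: Event) -> None:
        # Evict the oldest session's contribution once the window is full.
        if len(self.events) == self.events.maxlen:
            old = self.events[0]
            self.hours[old.hour] -= 1
            self.countries[old.country] -= 1
        self.events.append(ev)
        self.hours[ev.hour] += 1
        self.countries[ev.country] += 1

    def score(self, ev: Event) -> list[str]:
        """Return the reasons a session deviates from this user's baseline."""
        if len(self.events) < MIN_EVENTS:
            return ["insufficient_baseline"]
        reasons = []
        if self.hours[ev.hour] == 0:
            reasons.append("unusual_hour")
        if self.countries[ev.country] == 0:
            reasons.append("new_country")
        vols = [e.bytes_out for e in self.events]
        mu, sd = mean(vols), pstdev(vols)
        # A constant history has sd == 0; treat anything above it as a spike.
        z = (ev.bytes_out - mu) / sd if sd > 0 else (float("inf") if ev.bytes_out > mu else 0.0)
        if z > Z_THRESHOLD:
            reasons.append("volume_spike")
        return reasons


class Detector:
    def __init__(self) -> None:
        self.users: dict[str, UserBaseline] = defaultdict(UserBaseline)

    def observe(self, ev: Event) -> list[str]:
        """Score a session and, only if it looks normal, fold it into the baseline."""
        baseline = self.users[ev.user]
        reasons = baseline.score(ev)
        # Flagged sessions never train the model, so an attacker cannot
        # normalise their own activity by repeating it. Cold-start sessions do.
        if not reasons or reasons == ["insufficient_baseline"]:
            baseline.update(ev)
        return reasons

    def confirm_benign(self, ev: Event) -> None:
        """Analyst feedback: a flagged session was legitimate (for example a
        genuine shift to evening work), so teach the baseline the new pattern."""
        self.users[ev.user].update(ev)


def build_history() -> list[Event]:
    """Constructed sample data: two weeks of office-hour sessions for one user
    from one country, with upload volumes spread between 1 MB and 2 MB."""
    office_hours = [9, 10, 11, 14, 15, 16]
    return [
        Event("alice", h, "SG", 1_000_000 + 100_000 * ((day * 7 + i) % 11))
        for day in range(14)
        for i, h in enumerate(office_hours)
    ]


if __name__ == "__main__":
    det = Detector()
    for ev in build_history():
        det.observe(ev)
    for ev in (Event("alice", 10, "SG", 1_500_000), Event("alice", 3, "SG", 1_500_000),
               Event("alice", 10, "US", 1_500_000), Event("alice", 10, "SG", 40_000_000),
               Event("bob", 10, "SG", 1_000)):
        print(ev, det.observe(ev))
```

Run as a script it prints the score for each probe session: the office-hours session from the usual country is clean, the 3 a.m. login, the login from a country never seen for that user and the 40 MB upload are each flagged, and the user with no history gets `insufficient_baseline` rather than a spurious alert. A real deployment would use many more features and a proper unsupervised model, but the two design choices shown here carry over: never let a flagged event train the baseline on its own, and give analysts a way to confirm a legitimate change (such as the shift to remote working hours) so the baseline moves with the workforce.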
Putting your incident response processes to the test
Establishing mature processes for handling security operations in a consistent and intelligent way is essential: an organised playbook and effective automation can mean the difference between a significant breach and a minor security incident. Nearly 30% of respondents considered "finding time for strategy and process improvement" a top challenge for their security operations teams going forward, while 21% considered "doing too many processes manually" a top challenge.
What the past 18 months have shown is that it is extremely important to consider all plausible scenarios before a crisis occurs. To stay one step ahead of attackers, SOCs should put their IT systems through rigorous tests. One way to do that is with a digital twin, a virtual replica of the IT infrastructure on which security weaknesses can be identified and attacks rehearsed without touching production. When asked about the role of SOC digital twin technologies within security operations, more than two-thirds of companies believed such initiatives would help them drive better instrumentation and performance metrics.
Arguably, the most important security operations process is the regular evaluation of defences, both to confirm their effectiveness against current threats and to confirm that security controls continue to operate as expected. These processes include reviewing the company's threat models and running red-team exercises (dedicated teams that emulate real attacks) to evaluate defences under real-world conditions. Regular review of threat models matters because threat models, like technologies, age quickly and lose relevance as the environment changes. According to the study, most organisations improved their evaluation processes, with the majority conducting threat modelling and human-centric exercises such as red-teaming every six months.
The talent war will continue
Businesses have been facing greater staffing demands due to the year's growth in cyberattacks, the increased adoption of remote work and companies' expanding attack surface. However, the pool of qualified candidates is not growing fast enough: 72% of companies are concerned that this shortage affects their ability to detect and analyse attacks. Singapore alone faced an estimated shortage of up to 3,400 cybersecurity professionals in 2020, according to the Cyber Security Agency of Singapore (CSA).
Given the disruption caused by the ongoing talent war, most companies have considered outsourcing some of their security operations. While outsourcing gives them access to the experts they need and frees up in-house staff, many organisations continue to view it with distrust, especially for security operations. The survey found that companies generally prefer to manage their security operations in-house rather than outsource them. Given the staffing challenge, however, a hybrid model will remain a popular route, with most organisations outsourcing tasks to some degree.
Ramping up cyber defences
Attackers will continue to find new ways to exploit the new normal. Traditional cybersecurity measures no longer suffice, and future attacks will require a more comprehensive strategy.
In a world where cybercriminals don't sleep, neither can the defenders keeping them at bay. To stay ahead of the curve, SOCs should learn from the challenges of the past 18 months and keep evolving their competencies in line with those changes, and continue to modernise by building robust defence mechanisms and processes as part of a larger business resilience strategy.