The bulk of today’s security operations budget is spent on junior analyst staring at consoles trying to keep up with alerts. It’s not a cost-effective way to run a Security Operations Center (SOC), and it’s worse as an investment.
While companies with bigger budgets do see a little more success thwarting threats, it’s not feasible for most to throw more money at the problem. Outsourcing to a Managed Security Services Provider (MSSP) leads to spending even more and getting worse results.
For SOC investments to pay off, organizations need a modern detection and response strategy that’s more than just more technology and more people. It needs a connective tissue that weaves together vendor platforms with adequate depth and connects people and data in the right place so they can actively defend the organization.
Bigger budgets create a big mess
Most organizations are not getting an optimum financial return from their SOCs. Today’s Fortune 100 companies have as many as a hundred different vendors they’re working with. That means a hundred different sources of alerts that must be managed by junior analysts suffering alert fatigue. They didn’t become a cybersecurity professional to stare at glass all day, but they are the first of multiple tiers of analysts who must figure out what must be handled immediately and what must get escalated.
This makes decisions more complex and more difficult because it’s harder to discern between a potential attack and a trusted application. The more alerts that are generated, the more time is wasted weeding out false positives. If time is money, then today’s model for running an SOC is the equivalent of setting a pile of cash on fire.
Most of that cash is spent on hiring and junior analysts to sit long days in front of consoles that are fed by far too many technology platforms. In a couple of years, they’ll leaving for a better pay and a more interesting gig, further fueling a bad cycle of replacing people who burn out from chasing alerts and false positives. No amount of people and platforms are going to help those running the SOC keep up with the information overload, let alone the actual threats.
More money is not the answer; neither is more technology. We need to shift to a mindset of detection and response if investments in the SOC are to pay off.
Smarter investments support active defense
Automation is part of the solution to fixing today’s broken SOC model, but it’s not a panacea. If you have too many technology platforms in play without any best practices or workflows, just beginning to automate anything will overwhelm everyone involved. And remember, they’re already burned out and job hunting.
A key first step is paring down the amount of technology, as diversity contributes to your SOC’s poor financial performance. Many security organizations end up with multiple platforms that do the same thing as each other. Platform overload exacerbates the eyes on glass problem, generates too much data, and it means humans aren’t meeting the data in the right place. You must have clear criteria for the platforms your’re keeping, regardless of what led to their initial adoption. It should come down to the performance of the platform.
Too many platforms means lots of staff training. It’s ok to adopt a best of breed approach by selecting the optimum technology for each category—it can even be an open source solution. But key criteria for your rationale should be the capability of each platform and its ability to work together to achieve integrated reasoning—this integration is possible without having to rip and replace or get locked in by vendors with siloed solutions.
You want your SOC to be vendor agnostic and shift where people meet data so your SOC is one that actively defends, rather than merely protects. You can’t defend the organization if people are meeting exponentially growing data at the log file or alert level.
Active defense pays off through a shift in mindset
Most security leaders know they can’t just keep throwing money at a problem, and organizations are learning their CISOs need visibility at the executive level—especially those that have had high profile breaches. Their security leaders are “fixers.”
They’re fixing are processes, so they’re more efficient and support active defense. High on the agenda is reducing the number of false positives. This enables second and third-tier analysts to hunt for potential incidents based on credible alerts through collaboration and easy information sharing, which is a much better return on investment than having them stare at consoles all day.
This shift gets you the most value from your people. They share what they learn across the broader organization—the SOC retains all the intelligence and institutional knowledge they’ve accumulated, regardless of staff turnover.
Today’s CISO is leading a team who wants to learn from cyberwarfare and how large-size intelligence community agencies manage their strategies and SOCs. Active defense means thinking like hackers to anticipate what they might do next. The SOC must constantly think about its points of weakness because threat actors are using breach automation tools. If they can constantly attack an organization in the most optimal manner, you can’t assume you’re unbreachable.
An active defense mindset means the SOC is thinking about ways to improve their defenses and looking at mistakes so they can learn from them because they are situation-focused. This doesn’t happen if they’re bogged down by formal process and procedure. Gone are the days of just buying more tools endpoint detection and response (EDR). It’s time to solve for “X”. XDR includes threat intelligence, cloud services, SOAR and next-gen SIEM tools, among other services. It means equipping security and risk leaders to devise a wider range of detection and response techniques for more effective cybersecurity investigations.
Organizations need a modern detection and response strategy that's more than just more technology and more people. It needs a connective tissue. #cybersecurity #respectdata
Click to Tweet
XDR changes where humans meet data. It’s not more eyes on glass. It must change because the volume of data and alerts is growing exponentially. XDR is data science that equips an SOC with enough situational awareness, enough intelligence, and enough processing on the data so it’s meaningful to a human, and SOC investments are paying off.