How to Update Agency Security Operations Centers


Evolving IT environments require officials to plan for the next-generation SOCs.

Today’s hybrid IT environments, which combine cloud and on-premises infrastructure, demand structural changes to agency security operations centers, or SOCs, so that they can operate proactively in cyberspace rather than simply react to it.

SOCs face plenty of challenges: serving remote and teleworking employees, managing multiple cloud platforms, and dealing with the exploding number of network-connected devices on emerging 5G networks.

The structure of SOCs is already adapting and evolving to bring together defensive operations and the analysis of emerging threats with the strategic introduction of new technologies. The result is a mature, flexible, risk-based and cost-efficient approach to ensuring the crown jewels of an enterprise remain secure.

One key to succeeding in this environment is to apply both automation and orchestration. Automation applies to both defensive operations and threat hunting, using a combination of artificial intelligence and machine learning to carry out individual tasks without an analyst in the loop. Orchestration manages how multiple sets of tools and platforms interact and in what sequence they run within an incident response action set.

Artificial Intelligence and Machine Learning

AI includes capabilities such as natural language processing, object recognition in images, and pattern recognition through neural network models that attempt to mimic cognitive functions of the brain. The term machine learning is frequently used interchangeably with AI, although there are distinct differences: ML algorithms learn patterns from a given dataset rather than following hand-written rules. Deep learning, a subset of ML built on multi-layer neural networks, has shown a lot of promise in the cybersecurity realm.

AI and ML are used in a next-generation SOC not only to enhance detection and prevention, but also, increasingly, to augment incident response: containment, ticket creation, and engaging the affected user to triage or validate a suspicious action. Applying AI and ML reduces the time spent on each alert and improves Mean Time to Detect (MTTD) as well as Mean Time to Repair (MTTR).

Automation and Orchestration

Automation and orchestration are basic components of the NextGen SOC. By combining high-speed machine search with advanced control of tools and platforms, more context is available to the analyst, enabling them to work more efficiently and to deliver more contextually aware remediation outcomes. This reduces the backlog of open alerts and speeds up the analyst’s ability to assess and respond. Behavior-based controls can also detect activity associated with zero-day threats, for which no signature yet exists, and provide much higher-fidelity data about them. These outcomes have two key benefits: better security and higher value for the same cost as compared with traditional managed security services.
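The following is an added illustration, not code from the article or from Criterion Systems, of the automation/orchestration split described above: each step (enrichment, scoring, containment, ticketing) is an automated task that runs on its own, and the playbook is the orchestration that fixes the order in which they run. The alert, the threat-intelligence lookup and the asset database are constructed sample data; the score thresholds and the action names are assumptions chosen for the example.

```python
from dataclasses import dataclass, field

# Constructed sample alert, not taken from any real SIEM.
SAMPLE_ALERT = {
    "id": "ALERT-1001",
    "host": "wks-042",
    "user": "jdoe",
    "src_ip": "10.20.30.40",
    "dst_ip": "198.51.100.23",
    "rule": "suspicious_powershell_download",
}

# Hypothetical enrichment sources a playbook would consult (constructed).
THREAT_INTEL = {"198.51.100.23": {"malicious": True, "family": "loader"}}
ASSET_DB = {"wks-042": {"criticality": "high", "owner": "finance"}}

AUTO_CONTAIN_THRESHOLD = 80  # assumed cut-off for hands-off containment


@dataclass
class PlaybookRun:
    alert: dict
    context: dict = field(default_factory=dict)
    actions: list = field(default_factory=list)  # ordered record of what ran
    score: int = 0


# --- automation: each step is a self-contained, repeatable task ---

def enrich(run: PlaybookRun) -> PlaybookRun:
    """Attach threat-intel and asset context to the alert."""
    run.context["intel"] = THREAT_INTEL.get(run.alert["dst_ip"], {"malicious": False})
    run.context["asset"] = ASSET_DB.get(run.alert["host"], {"criticality": "low"})
    run.actions.append("enrich")
    return run


def score(run: PlaybookRun) -> PlaybookRun:
    """Simple additive risk score; a model could replace this function."""
    s = 10
    if run.context["intel"]["malicious"]:
        s += 50
    if run.context["asset"]["criticality"] == "high":
        s += 30
    if run.alert["rule"].startswith("suspicious_"):
        s += 10
    run.score = s
    run.actions.append("score")
    return run


def contain(run: PlaybookRun) -> PlaybookRun:
    """Auto-isolate only above the threshold; otherwise hand to an analyst."""
    if run.score >= AUTO_CONTAIN_THRESHOLD:
        run.context["containment"] = f"isolate host {run.alert['host']}"
        run.actions.append("contain")
    else:
        run.context["containment"] = "analyst review"
        run.actions.append("escalate")
    return run


def open_ticket(run: PlaybookRun) -> PlaybookRun:
    """Create the tracking ticket with a severity derived from the score."""
    sev = "P1" if run.score >= AUTO_CONTAIN_THRESHOLD else "P3"
    run.context["ticket"] = {"severity": sev, "alert": run.alert["id"]}
    run.actions.append("ticket")
    return run


# --- orchestration: the fixed order in which the automated steps run ---

PLAYBOOK = [enrich, score, contain, open_ticket]


def run_playbook(alert: dict, steps=PLAYBOOK) -> PlaybookRun:
    run = PlaybookRun(alert=dict(alert))
    for step in steps:
        run = step(run)  # each step only sees the run state, not the others
    return run


if __name__ == "__main__":
    result = run_playbook(SAMPLE_ALERT)
    print(result.score, result.actions, result.context["containment"])
```

Swapping the order of `contain` and `open_ticket` in `PLAYBOOK`, or replacing `score` with a model call, changes the orchestration or one automated step without touching the rest, which is the property the section is describing.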

Automation and Threat Hunting

A NextGen SOC leverages manual and machine-assisted analysis in a proactive effort to accelerate detection where traditional measures such as SIEM correlation rules, firewalls, anti-malware products, and other signature-based controls can only solve part of the puzzle. Detecting and responding to advanced threats requires going beyond common detection techniques. Successful hunting is a preemptive, repetitive process of searching through large datasets, with the help of AI and ML, to identify threats that likely will, or already have, evaded the organization’s current detection capabilities. Applying automation to threat hunting enables faster response and more agile, better-grounded response recommendations. It helps close attack vectors, reduces the number and impact of breaches, and lets organizations move from a purely reactive posture to operating ahead of threats.
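As an added example of the kind of hunt this paragraph describes (it is not code from the article or from the author), the block below searches proxy logs for beaconing: hosts that contact the same destination at near-constant intervals, a pattern that signature-based controls do not match because no individual request looks malicious. It groups events by source and destination, measures the inter-request intervals, and flags pairs whose interval is both frequent and regular (low coefficient of variation). The log lines are constructed, and the `min_events` and `max_cv` thresholds are assumptions to be tuned against real traffic.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed proxy log lines: "timestamp src_ip dst_ip". Not real traffic.
SAMPLE_LOG = """\
2024-03-01T10:00:00 10.1.1.5 203.0.113.7
2024-03-01T10:00:04 10.1.1.5 93.184.216.34
2024-03-01T10:05:01 10.1.1.5 203.0.113.7
2024-03-01T10:10:00 10.1.1.5 203.0.113.7
2024-03-01T10:11:37 10.1.1.5 93.184.216.34
2024-03-01T10:15:02 10.1.1.5 203.0.113.7
2024-03-01T10:19:59 10.1.1.5 203.0.113.7
2024-03-01T10:25:00 10.1.1.5 203.0.113.7
2024-03-01T10:31:12 10.1.1.5 93.184.216.34
2024-03-01T10:33:45 10.1.1.5 93.184.216.34
"""


def parse_log(text: str):
    """Yield (timestamp, src, dst) tuples, skipping blank or malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        ts, src, dst = parts
        yield datetime.fromisoformat(ts), src, dst


def hunt_beacons(log_text: str, min_events: int = 4, max_cv: float = 0.1):
    """Return (src, dst) pairs whose contact intervals are suspiciously regular.

    min_events: ignore pairs with too few events to judge regularity (assumed).
    max_cv:     stdev/mean of the intervals; near 0 means clockwork timing (assumed).
    """
    by_pair = defaultdict(list)
    for ts, src, dst in parse_log(log_text):
        by_pair[(src, dst)].append(ts)

    findings = []
    for (src, dst), stamps in by_pair.items():
        if len(stamps) < min_events:
            continue
        stamps.sort()
        intervals = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(intervals)
        if mean <= 0:
            continue
        cv = statistics.stdev(intervals) / mean  # coefficient of variation
        if cv <= max_cv:
            findings.append({
                "src": src,
                "dst": dst,
                "events": len(stamps),
                "mean_interval_s": mean,
                "cv": cv,
            })
    # Most regular first: these are the ones worth an analyst's time.
    findings.sort(key=lambda f: f["cv"])
    return findings


if __name__ == "__main__":
    for f in hunt_beacons(SAMPLE_LOG):
        print(f"{f['src']} -> {f['dst']}: {f['events']} events, "
              f"every {f['mean_interval_s']:.0f}s, cv={f['cv']:.3f}")
```

In the sample, 203.0.113.7 is contacted every 300 seconds with only a few seconds of drift and is flagged; 93.184.216.34 is contacted irregularly and is not. Real command-and-control implants often add deliberate jitter, so in practice the hunt is run repeatedly with a range of `max_cv` values and combined with other signals (rare destination, odd user agent, off-hours activity) rather than relying on one threshold.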

NextGen SOCs Represent a Fusion Center

NextGen SOCs perform comprehensive defensive operations built on proactive monitoring. As incidents are identified, they provide rapid incident response and remediation support. All of this must be done within a risk management framework that requires an in-depth understanding of organizational risks and vulnerabilities, of current threats, and of the most effective policies and technologies for addressing them. Finally, new technologies must be introduced strategically in order to mature and enhance SOC capabilities while reducing risk and lowering total cost of ownership.

When all these pieces come together, it represents a fusion of information sources, advanced analytics, and centralized coordination to answer questions quickly and to protect, detect, and respond to security events so a compromise doesn’t become a full-scale breach. 

John Harrison is director of Criterion Systems’ Cybersecurity Center of Excellence.