InfoSec Insider

A Hybrid Solution to Taming SOC Alert Overload

Technology can free analysts from the burden of manual and tedious tasks so they can operate at the highest level of their abilities.

The moving assembly line was one of the greatest innovations of the Industrial Revolution. Prior to 1913, when Henry Ford installed the first moving assembly line in his factory, cars were built by humans performing manual, mundane tasks. Imagine humans hand painting cars on the factory floor – that was the reality. I would argue that today’s security operations center (SOC) teams are stuck in the 21st century digital equivalent of hand painting cars.

Greg Martin InfoSec Insider author

To put it simply, enterprise SOC teams are burnt out from alert overload. The manual and mechanical processes that still exist in many SOCs today are inefficient and error-prone. On a daily basis, SOC analysts are battling against increasingly sophisticated and highly-organized attackers. Yet they’re not able to perform to their true potential since they’re mired in alert triage, false neg/pos decision trees, swivel chair tool correlation, RSS and email list intelligence. Teams spend more time on routine threats and keeping their SIEM up and running than on protecting their organizations from the most dangerous, targeted attacks.

It’s time for a SOC revolution. I’ve found that we as an industry have largely avoided the debate of modernizing the security operations process. Maybe the first step is just acceptance. “Yes, it is broken but how do we fix this going forward?” I have a few thoughts.

  • People are not the problem. We should avoid simply pointing the blame on security professionals every time there is a breach. This doesn’t help us improve.
  • Technology is not the problem. We have great technologies in security and, with the move to data-driven analysis and AI-based defenses, the tools are only getting better.
  • Process has some clear flaws. Few want to address this – perhaps because change is too hard. It’s easier to hire additional smart people or adopt a shiny new product to feel like we are moving the needle. For example, how much did Equifax spend on security a year prior to its massive data breach? A report says $250 million – that should be enough to get this right.

Humans are and will likely always be the best defense we have against cyber threats – particularly when they have the right technology to support them. The emphasis, again, on the technologies to support them.

We have finally reached the perfect storm of technology, policy and opportunity to completely re-factor security operations with the major advances in open-source big data, AI software and the general adoption of cloud-native services throughout the enterprise. It’s time for us to evolve the process of security operations so that we’re leveraging technology and our best humans to make real progress. We can do this by focusing on three important areas.

  • Detecting modern attacks. Modern attacks are multipart and multistage, and can last for days or weeks. Adversaries’ patterns—permutation and combination of attack vectors—are large, but modern compute clusters can detect “Hacker Behavior Analytics.”
  • Using AI to automate security analysis. Today’s AI technology is capable of determining which alerts represent real hacker activity. Using deep learning/neural network-based learning, AI systems learn and adapt so they can identify the signals of a multipart and multistage attack. This helps security analysts to focus on true threats, not noise.
  • Evolving the “predictive SOC.” Imagine a global SOC that can learn from attacks across each organization and deploy AI models to detect the latest threats. Hackers often use the same techniques and tools across attack campaigns. As an industry, we need to get to a place where we are sharing analytics and data (in real time, or near real time) for AI models to predict tomorrow’s attacks today.

It’s time to reimagine security operations. We’re at a time in history when we have the technology to free our analysts from the burden of manual and tedious tasks so they can operate at the highest level of their abilities. Let’s make that happen.

Greg Martin is the CEO and co-founder of JASK. He is a renowned cybersecurity expert with experience as a cybersecurity advisor to the FBI, Secret Service and NASA. Prior to JASK, Martin founded Anomali (formerly ThreatStream) the leading Threat Intelligence Platform company.

Suggested articles