InfoSec Insider

It’s Time for Your SOC to Level Up

Artificial intelligence can provide manpower, context and risk assessment.

Given an ever-increasing cyberattack surface, a global security workforce shortage, as well as an increased frequency and sophistication of attacks, security operations centers (SOCs) need to leverage better tools – namely artificial intelligence (AI) – in order to manage threats.

An organization’s SOC is responsible for keeping the enterprise safe from cyber-threats. A typical SOC and its security analysts operate in shifts around the clock in order to respond to all alerts and incidents. Setting up an effective SOC has long been recognized as Job 1 when building an enterprise security program, whether with in-house staff or a managed security service provider (MSSP).

However, the traditional strategy of treating alert-handling as the primary and most important function of the SOC is not working. The rate at which alerts are generated by security information and event management systems (SIEMs) is far above what humans can handle. In fact, 27 percent of SOCs are alerted more than 1 million times per day. On average, SOC analysts can only investigate between 20 and 25 incidents every day, which means SOCs cannot come close to keeping up, even when well staffed.

Furthermore, by the time an alert fires, the attack is already in play and some damage might already be done. An alert-handling strategy keeps the SOC operating on the back foot, merely reacting to the adversary’s moves. To make matters worse, the attack surface is growing exponentially with the adoption of new and greater amounts of technology.

Therefore, SOCs must implement proactive cybersecurity strategies that identify and remediate security gaps before threat actors can exploit them, keeping the organization and its data safe.

The stakes are high: Companies that are victims of data breaches can suffer significant hits to their bottom line, and they can also be penalized under data privacy regulations (including GDPR, CCPA, HIPAA as they gain more teeth). The American Medical Collection Agency (AMCA) was forced to file for Chapter 11 bankruptcy this year as it was unable to pay off the enormous expenses that accrued after its breach of more than 20 million American citizens’ data. Data security and privacy compliance standards have an implicit requirement of strong cybersecurity posture, in addition to all the usual checklist items about policies and controls.

Security incidents can also negatively impact trust relationships with consumers, and when customers don’t trust a business to handle their data properly, they will take their business elsewhere.

To accomplish their mission of keeping enterprises safe from cyber-threats, SOCs must rethink traditional security methods and level up by adopting a more proactive cyber-defense strategy. This can be done by leveraging AI-powered security platforms to continuously identify and remediate the riskiest hotspots in an organization’s cybersecurity posture.

AI-powered cybersecurity posture management platforms take the practice of vulnerability assessment and management to the next level, making it the first line of defense of your cybersecurity program. These platforms provide continuous discovery and analysis of all enterprise assets for risk across 100+ attack vectors, provide risk insights about likely breach scenarios, and prioritize the remediation steps you need to take in order to improve cybersecurity posture and decrease breach risk.

Adopting a proactive security approach allows SOCs to discover and fix vulnerabilities and other risk items, such as unpatched systems, password issues, misconfiguration, users highly susceptible to phishing, etc. – before attackers get a chance to leverage these to attack your enterprise. This risk-based approach to cybersecurity posture transformation also enables your security team to understand if they are working on the right projects, addressing the riskiest areas of the organization’s attack surface and quantifying the progress they are making.

AI can assist SOCs in their efforts to be proactive by providing an accurate inventory of all assets, including internet of things (IoT), cloud, mobile and bring-your-own-device (BYOD) assets, as well as traditional ones. Each asset has a number of attributes, and AI can analyze them continuously to produce risk context about your devices, users and applications. So, when your SOC analysts want to know “where will attacks start?” or “what are our critical assets?”, they can get accurate answers instantaneously, in much the same way that you rely on Google to answer “Italian restaurants near me.”

AI can also help the SOC understand the risk of a particular indicator of compromise (IOC) by leveraging context that comes from patch state or the configuration of the systems in question, their level of exposure based on how the system is used and where it is located, the presence or absence of relevant compensating controls (like an endpoint detection and response tool or a firewall rule that you may have deployed) and the relative business criticality of the asset. In essence, AI is helping your people do this complex calculation using specialized algorithms and huge computational power.

This risk context can help reduce the total volume of alerts by removing false positives, and then prioritize the rest based on risk. SOC analysts can also triage alerts faster with this additional context.
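The following is an added illustration of the triage logic described above; it is not code from Balbix or from this article. It combines a SIEM alert’s raw severity with asset context (patch state, internet exposure, compensating controls such as EDR or a firewall rule, and business criticality), suppresses alerts that cannot succeed against the target, and ranks the rest by risk. The asset attributes, weighting factors, inventory records and alerts are all constructed for this example; a real platform would derive them from discovery data.

```python
"""Risk-context alert triage (added illustration, not vendor code)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Asset:
    """Inventory record; attribute names and scales are assumptions for this example."""
    name: str
    criticality: int                               # 1 (low) .. 5 (business-critical)
    internet_facing: bool
    patched_against: frozenset = frozenset()       # vulnerability ids already remediated
    edr_installed: bool = False                    # endpoint detection and response present
    blocked_ports: frozenset = frozenset()         # inbound ports a firewall rule drops


@dataclass
class Alert:
    alert_id: str
    asset: str
    ioc: str                                       # short description of the detection
    siem_severity: int                             # 1..10 as emitted by the SIEM
    vuln_id: Optional[str] = None                  # weakness the observed activity exploits
    port: Optional[int] = None                     # destination port of the observed traffic


@dataclass
class Triaged:
    alert_id: str
    score: float                                   # 0.0 means suppressed
    note: str


def score_alert(alert: Alert, asset: Asset) -> Triaged:
    """Return a risk-adjusted score, or 0.0 plus the reason the alert was suppressed."""
    # Compensating control 1: the exploited weakness is already patched on this host.
    if alert.vuln_id and alert.vuln_id in asset.patched_against:
        return Triaged(alert.alert_id, 0.0,
                       f"suppressed: {asset.name} is patched against {alert.vuln_id}")
    # Compensating control 2: a firewall rule drops the traffic before it reaches the service.
    if alert.port is not None and alert.port in asset.blocked_ports:
        return Triaged(alert.alert_id, 0.0,
                       f"suppressed: port {alert.port} is blocked on {asset.name}")
    exposure = 1.5 if asset.internet_facing else 1.0   # reachable from the internet
    control = 0.5 if asset.edr_installed else 1.0      # EDR gives containment options
    score = alert.siem_severity * asset.criticality * exposure * control
    return Triaged(alert.alert_id, score, f"prioritized: {alert.ioc} on {asset.name}")


def triage(alerts: List[Alert], inventory: Dict[str, Asset]) -> Tuple[List[Triaged], List[Triaged]]:
    """Split alerts into a risk-ordered work queue and a list of suppressed alerts."""
    queue: List[Triaged] = []
    suppressed: List[Triaged] = []
    for alert in alerts:
        asset = inventory.get(alert.asset)
        if asset is None:
            # Unknown asset: no context to de-prioritize, so assume exposed and critical.
            asset = Asset(alert.asset, criticality=5, internet_facing=True)
        result = score_alert(alert, asset)
        (suppressed if result.score == 0.0 else queue).append(result)
    queue.sort(key=lambda t: t.score, reverse=True)
    return queue, suppressed


# Constructed sample inventory and alerts (not real systems or detections).
INVENTORY: Dict[str, Asset] = {
    "web-01": Asset("web-01", 4, True, patched_against=frozenset({"VULN-A"}), edr_installed=True),
    "db-01": Asset("db-01", 5, False, blocked_ports=frozenset({445})),
    "laptop-17": Asset("laptop-17", 2, False, edr_installed=True),
}

ALERTS: List[Alert] = [
    Alert("A1", "web-01", "exploit attempt", 9, vuln_id="VULN-A"),
    Alert("A2", "db-01", "SMB scan", 6, port=445),
    Alert("A3", "db-01", "suspicious login", 7),
    Alert("A4", "laptop-17", "macro execution", 8),
    Alert("A5", "shadow-it-box", "beacon to known C2", 5),   # asset missing from inventory
]

if __name__ == "__main__":
    work_queue, dropped = triage(ALERTS, INVENTORY)
    for item in work_queue:
        print(f"{item.score:6.1f}  {item.note}")
    for item in dropped:
        print(f"  drop  {item.note}")
```

Two of the five constructed alerts are suppressed because the target is already patched or the traffic is firewalled, and the remaining three are ordered by the context-weighted score. Note the deliberate choice that an alert on an asset absent from the inventory floats to the top: a gap in asset discovery is itself a risk signal, not a reason to discard the alert.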

Cybercriminals continue to launch increasingly sophisticated attacks in order to steal sensitive data and even infiltrate business-critical applications. The massive shortage of cybersecurity workers around the world, coupled with an overwhelming (and ever-increasing) number of vulnerabilities and alerts that SOCs need to manage, makes the job of keeping an organization safe from cyber-threats nearly impossible.

With AI, you can leverage the power of self-learning to address both of these challenges. Your limited team can keep tabs on all parts of the attack surface and gain visibility into the risk context that enables the highest-quality cybersecurity decisions, all while remaining highly efficient and effective contributors. You are also likely to attract the best talent for your SOC, since everyone likes to have access to the best tools for their job.

Gaurav Banga is CEO and founder at Balbix. 
