Engineers tasked with maintaining, updating and recommending new tools for security operations centers (SOCs) have a tough job keeping an ever-growing set of tools humming. According to a 2017 ESG survey, 40% of more than 400 respondents had between 10 and 25 tools in their SOC. These SOC and security engineers' jobs are only getting harder as they contend with new data sources and increasing data volumes while monitoring, detecting and responding across a rapidly changing attack surface. For instance, 6 months ago Zoom logs weren't important to most SOCs, but today's distributed work environment has surfaced new attack vectors, making it a top priority to monitor logs from productivity and video conferencing tools. SOCs need an architecture strategy to handle a constantly changing set of applications, solutions, technologies and processes that all have to work together to deliver critical security outcomes.
In a previous blog post I discussed how data lakes are foundational for SOCs to generate insights for rapidly evolving use cases and put those insights to work in detection, prevention and investigative workflows. In this article I will discuss why it's imperative for SOCs to embrace a platform-centric approach to integrate and enable rapidly changing use cases, technologies and processes.
Reports on cybersecurity trends (IBM's Cyber Resilient Organization, the SANS 2019 SOC Survey, Verizon's DBIR) have surfaced several top-of-mind topics for SOCs, including: (a) the volume of attacks and the variety of attack vectors are constantly growing; (b) automation, analytics and orchestration are seen as key enablers for improving incident response but fall short of expectations; (c) the enterprise SOC toolchain is becoming more complex and can include upwards of a dozen different products that don't integrate well. According to a MuleSoft whitepaper, the average business transaction now crosses 35 systems. Those familiar with cybersecurity trends will not see anything new in these findings, and SOCs have tried to get ahead of them by stitching together a collection of point solutions and supporting them with ad hoc manual processes. This in turn has surfaced new challenges:
Tool Toggle Getting More Acute. Rapidly evolving SOC requirements have spawned a number of specialized tools for detecting, analyzing, responding to and preventing cyber attacks, leading to an increase in the number of tools and technologies security analysts interact with. It's not uncommon for SOCs to have upwards of a dozen tools, and they should expect this number to keep increasing. Often each tool is trying to establish itself as the single pane of glass, with minimal support for integrations, leaving analysts to figure out how to interface with these point solutions and creating the dreaded "tool toggle". As threat actors employ new attack vectors and TTPs, we should expect tool toggle to get worse if the status quo continues.
Data-Centric Technologies No Longer a Luxury. The volume of telemetry, and the sources that produce it, have moved beyond the traditional IT infrastructure. Even medium-sized teams now demand EPS (events per second) capacities that would have been unheard of a few years ago. The volume and variety of log and alert data that needs to be processed to draw insights is growing year over year. Productivity and video conferencing tools have added new wrinkles to an increasingly complex attack surface. SOCs have realized they need to invest in technologies to store, process and transform large volumes of data, and they will need their existing cybersecurity investments to play nicely with these cutting-edge technologies.
Adopting Innovative Technology Takes Too Long. Innovation in the detection, response and mitigation space is increasingly driven by smaller, niche companies. SOCs need to be ready to evaluate, deploy and scale these technologies across their business without ripping and replacing existing systems. The rate at which SOCs can incorporate and scale new breakthroughs through standardized integrations will have a direct impact on their overall security posture. According to an Accenture survey, security leaders who demonstrated proficiency in scaling new technologies perform four times better at detection and response than their counterparts.
Demonstrating Value Is Still a Challenge. According to a SANS 2019 survey, most SOCs demonstrate their value by measuring the number of incidents handled. While the "quantity of work done" metric is somewhat useful, SOCs recognize they need to measure workflow efficiency metrics like mean time to detection and mean time to remediation, as these show a direct impact on risk reduction. Calculating these efficiency and business value metrics requires collecting accurate data from a number of different systems, but that is difficult to do in practice because of silos and the lack of interconnectivity between these tools.
Operational Efficiency Is Difficult to Deploy. Getting faster at detecting malicious events, to reduce the attacker's window of opportunity, is a top priority for SOCs. SOAR technologies are seen as instrumental in achieving this goal, based on Gartner's 2019 Market Guide for SOAR. Unrelenting cyber attacks, accompanied by increasing pressure to find and retain skilled analysts, have made intelligent automation and orchestration a priority for SOCs that want to scale and speed up their operations effectively. But automation and orchestration require integrated workflows and tools; otherwise SOCs are left to build custom glue code to deploy this operational efficiency.
A Platform Centric Approach
CISOs need to embrace a modular, flexible and integration-centric architecture for building detection and response capabilities that enable their company's business priorities. The modern enterprise SOC has to go from simply trying to extract utility from point products to enabling interactions in a complex ecosystem comprising analysts, commercial and open source products and multiple business units. Architecture patterns capable of supporting complex underlying systems while adapting to changing user requirements are needed in our new normal. To thrive in this new reality, a platform-centric approach that allows for tightly aligned but loosely coupled layers of data workflows, process workflows, analytics and integration services will be necessary. To be successful, a SOC's platform-centric approach needs to be underpinned by the following principles:
- Platforms are characterized by open architecture and standards, where multiple vendor products can be jointly responsible for overall success. SOCs need a platform-centric approach that reduces the friction of replacing old products and integrating new ones into the analyst workflow. It should be easy for third parties to participate in accelerating and automating existing workflows and in introducing new and innovative workflows.
- Scalable platforms are built on microservices. Core SOC capabilities should be thought of conceptually as a set of microservices, i.e. capabilities that are loosely coupled from each other and highly specialized in their individual focus, yet work together to enable a number of different workflow outcomes. They should work as independently as possible, and updates to one capability should have minimal impact on the others.
- Platforms foster innovation by eschewing vendor lock-in. The pace of innovation, and the places where innovation happens, are drastically different from 10 years ago. Harnessing innovation shouldn't require you to re-architect your SOC; likewise, a collection of commercial and open source technologies should be able to work together to shape a collective outcome.
- Platforms are built on principles of reusability and embody a stable set of architectural constraints. Certain components of a platform should stay fixed over its lifetime, while others are allowed to change to address evolving needs. SOCs need to invest effort upfront to determine which components will be deemed reusable. For example, the data schemas powering the platform architecture should remain constant even when detection requirements and technologies change. The goal is to avoid rewiring the whole system when a new cybersecurity outcome needs to be supported.
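As an added illustration of two points above (efficiency metrics that need data from several tools, and a data schema that stays fixed while the tools change), here is example code that is not from the original post: it maps two constructed tool exports, a hypothetical EDR and a hypothetical SIEM with their own field names and timestamp formats, onto one stable schema and computes mean time to detection and mean time to remediation over the combined set. All tool formats, field names and sample records are assumptions made for the example.

```python
"""Normalize (constructed) exports from two differently formatted tools into one
stable schema and compute MTTD/MTTR. Tool formats, fields and samples are assumed."""
from datetime import datetime, timezone
from statistics import mean

# Stable platform schema: field names stay fixed even when the tools feeding them
# change. remediated_at is None while an incident is still open.
SCHEMA = ("incident_id", "source_tool", "first_activity", "detected_at", "remediated_at")

def _iso(value):
    """Parse an ISO-8601 string (trailing 'Z' allowed) into an aware datetime, or None."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")) if value else None

def _epoch(value):
    """Parse epoch seconds into an aware UTC datetime, or None."""
    return datetime.fromtimestamp(value, tz=timezone.utc) if value is not None else None

def from_edr(rec):
    """Adapter for a hypothetical EDR export that uses ISO timestamps and camelCase."""
    return {"incident_id": rec["caseId"], "source_tool": "edr",
            "first_activity": _iso(rec["firstSeen"]), "detected_at": _iso(rec["alertTime"]),
            "remediated_at": _iso(rec.get("closedTime"))}

def from_siem(rec):
    """Adapter for a hypothetical SIEM export that uses epoch seconds and snake_case."""
    return {"incident_id": str(rec["id"]), "source_tool": "siem",
            "first_activity": _epoch(rec["event_start"]), "detected_at": _epoch(rec["detection_ts"]),
            "remediated_at": _epoch(rec.get("resolved_ts"))}

def workflow_metrics(incidents):
    """MTTD over all incidents and MTTR over closed ones, both in minutes."""
    assert all(tuple(i) == SCHEMA for i in incidents), "adapter violated the stable schema"
    minutes = lambda start, end: (end - start).total_seconds() / 60
    detect = [minutes(i["first_activity"], i["detected_at"]) for i in incidents]
    closed = [i for i in incidents if i["remediated_at"] is not None]
    remediate = [minutes(i["detected_at"], i["remediated_at"]) for i in closed]
    return {"incidents": len(incidents), "closed": len(closed),
            "mttd_minutes": mean(detect), "mttr_minutes": mean(remediate) if remediate else None}

# Constructed sample exports; E-2 is still open and so counts toward MTTD only.
EDR_EXPORT = [
    {"caseId": "E-1", "firstSeen": "2020-06-01T10:00:00Z", "alertTime": "2020-06-01T10:30:00Z", "closedTime": "2020-06-01T12:30:00Z"},
    {"caseId": "E-2", "firstSeen": "2020-06-02T09:00:00Z", "alertTime": "2020-06-02T09:30:00Z"},
]
SIEM_EXPORT = [{"id": 7, "event_start": 1591009200, "detection_ts": 1591014600, "resolved_ts": 1591018200}]

def sample_metrics():
    """Run both adapters over the constructed exports and compute the metrics."""
    incidents = [from_edr(r) for r in EDR_EXPORT] + [from_siem(r) for r in SIEM_EXPORT]
    return workflow_metrics(incidents)
```

Adding a third tool means writing one more adapter; the metrics code and the schema it depends on stay untouched.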
As CISOs and cybersecurity leaders rethink their detection, response and security analytics strategy to better address business initiatives, they need to take a hard look at the existing architecture powering their SOCs. There is no one-size-fits-all approach to this challenge, but starting to bring platform-centric thinking to SOCs can reduce the friction of bringing together changing requirements, innovative technologies and process improvements. SOCs need to resist the traditional approach of deploying point solutions that create tool toggle and scale primarily through sheer human effort. Given the operational priorities and business imperatives, SOCs must embrace a platform-centric view as critical to their evolution.