Let's face it: The old security models are broken. Cyberattackers are breaching organizations in record numbers, and each year it seems the damages become more pronounced.
Point solutions certainly aren't the answer. Hackers are increasingly getting in between lines of code buried deep within applications and via manipulative phishing scams that cajole unsuspecting employees into holding the door wide open for the adversary.
Then there's the trusty security operations center (SOC). It brings continuous monitoring, real-time incident response, advanced threat intelligence research and a whole host of other invaluable amenities to the table – assuming of course, the resident security analysts have time for all that. And increasingly it is clear that they do not.
In fact, few if any security analysts can rightly say they're able to investigate 100 percent of security alerts. The numbers vary depending on which survey you look at, (one says that 79 percent of cybersecurity pros are overwhelmed with the number of alerts; another says 93 percent are unable to triage all threats). But the writing is on the wall, and it says, "this isn't working."
Unfortunately, fixing the SOC isn't as simple as just hiring more security analysts for the exceedingly obvious reason: the cybersecurity talent gap. It's more like a canyon at this point, and it's widening yet. By 2021, Cybersecurity Ventures predicts 3.5 million unfilled security roles. That's a small nation.
But take heart, all hope is not lost. The SOC is still the best horse we have in this race, but not in its current shape. It needs some upgrading before it will be ready to take on the seemingly endless barrage of ever more elusive cyber threats.
Enter Security Orchestration, Automation, and Response (SOAR). Through a combination of supervised and unsupervised machine learning (ML), the analyst can begin to train a security automation platform that actually gets better over time at contextualizing security events. This significantly reduces the amount of manual triage and frees up analysts to focus on the truly pernicious threats.
So what exactly would this new SOC look like? A lot like the old one, only it's operationally superior:
The security analyst is and always will be the hero of this story. Their role in the AI-enhanced SOC is to detect and perform incident response to the most suspicious activities. We need them to uncover potential false negatives that would otherwise be drowned out in a sea of false positives.
Security analysts will also act as mentors. How they rate and respond to the events that filter up to the top after automated analysis ultimately cycles back into the automation platform to inform future threat rankings.
Finally, they're the sages of the SOC. They bring finely tuned human instinct and years of expertise, critical thinking and training to your security posture.
It works like this: Your SOAR platform works with your SIEM, integrating with your core applications and the various sources of log data from your arsenal of security tools (firewalls, intrusion detection systems, etc.).
If you’re already getting alerts from a SIEM, security automation helps with the investigation and triage of alerts, which typically number in the thousand. These are further culled down if automated analysis identifies them as false positives. The handfuls of remaining threats are then ranked so the highest risk alerts can be prioritized.
An advanced SOAR platform should also be able to go beyond alert triage and incident response processes, to help with threat hunting. Here the platform parses a massive quantity of events (in the billions), and ranks them based on context, existing threat intelligence, and also on any feedback it's already received from security analysts. At this point, the security analyst takes the reins on the investigation and makes an incident response decision and updates the SOC playbook to inform future threat detection and response efforts.
Finally, we arrive at the technology: the cognitive automation platform that's at the center of this new approach to threat detection and response.
In the past, ML was relatively unwieldy in the sense that it was difficult to use effectively. However, the concept of "self-service machine learning" is taking off, making it possible to develop relatively intuitive process flow builders. In other words, you don't need an ML expert in your SOC to use maximize its impact.
Essentially then, what you're left with are the fundamental ingredients of a modern-age SOC that can handle both the volume and the complexity of today's threats.
To be fair, this is a watered-down version of how SOAR transforms the SOC. But for the unabridged version of the story, download the eBook below.