An ineffective Security Operations Center (SOC) puts the security of your entire organization in jeopardy. Your SOC is under attack, facing a constant barrage of data that makes it nearly impossible to keep up with alerts or respond to them appropriately. One thing we at Capsule8 saw consistently through customer interviews is that there is a clear hierarchy of needs for dealing with attacks. We thought the insight was worth sharing: introducing the SOC Hierarchy of Needs. It’s a journey with a series of steps that start by focusing on five key areas within the SOC that can be addressed and improved to best protect your organization. We’ll be digging in a bit deeper on our webcast with guest speaker Amy DeMartine of Forrester, as well as in a future white paper, but here’s a quick overview of the hierarchy:
Discovery – The first level is discovery. For many organizations, inventory is a complete blind spot and people can’t protect what they don’t know exists. It is impossible to get a true read on your security posture without an accurate layout of your production infrastructure.
Visibility – Traditionally, visibility happens at the network level. The cloud, containerization, and even end-to-end encryption remove a lot of that visibility. Yet the better the visibility, the better the detection and investigation you can do. Without it, common network-centric approaches, and your SOC along with them, are far less effective at detecting attacks in modern production environments.
Detection – The SOC steps in when prevention fails. Ideally, the SOC detects attacks as efficiently as possible and does not waste its time on things that aren’t attacks. More importantly, the SOC should try not to miss attacks at all. The closer it gets to detecting attacks in real time, the lower the business impact to the company. In a traditional enterprise, people try to improve detection by adding a layer of algorithms on top of the data they already collect, and largely ignore improving the quality of that data; both are valuable.
As we’ve said before, “The answer to more efficiently finding the needle in the haystack isn’t collecting more hay.” According to our recent research, “The State of Cloud-Native Security,” 46 percent of the IT leaders we surveyed said that more than half of their production environment security alerts were false positives. It’s crucial to focus on telemetry that provides meaningful signal rather than noise; that is what lets you home in on the alerts that matter and push aside the false positives that divert your SOC’s attention.
Investigation – Most of the time, the initial goal of investigating an alert is to determine whether it likely represents a compromise or, at the very least, something that requires further action. But once an incident is confirmed, a much deeper forensic investigation is often necessary to help understand the attack and help make sure it doesn’t happen again.
Automation of Response – Rarely does the Security Operations team itself do clean-up. But in many organizations (especially those going cloud native), SecOps is moving to automate as much of security response as possible. Automation and, more specifically, automated response, are basically the holy grail of the SOC.
Google, in particular, already does this with its SecOps team. Instead of a traditional security operations center with many low-skill people doing triage on alerts, they have a development team that investigates any new incident, then automates detection and response for similar incidents in the future.
These steps, even broken down this simply, can still seem overwhelming. But the drive toward a SOC-less enterprise is happening, and as we discussed in our post, “Time to Blow Up the SOC?” the time for change is now. Many teams re-examining their organizations’ security programs are coming to the realization that their SOC may be burdening their efforts instead of helping them. We’ll continue to break down each level over the coming weeks and will be bringing advice from security practitioners on the front lines as to how to address each challenge.
Capsule8 is developing the industry’s first real-time, zero-day exploit detection platform purpose-built for Linux production environments – whether containerized, virtualized or bare metal.