Five Ingredients Of An Intelligence-Driven Security Operations Center: Part 3 In A Series

As enterprises adopt new ways of thinking about security, they also must make changes in their operations centers to support the new mindset. Here’s what’s needed.

Brett Kelsey, VP & Chief Technology Officer, Americas, Intel Security

July 21, 2016


The second blog post of our series dealt with the shifts in mindset that are necessary for the adoption of an adaptive approach to security, as Gartner puts forth in the report, Designing an Adaptive Security Architecture for Protection From Advanced Attacks. In the third and final post of this series, we’ll talk about transformations that are required in your security operations center (SOC) in order to support this shift.

Continuous Detection And Response

I’m a bit of a car guy, and I enjoy driving as much as getting to the destination, particularly when it comes to the ski resorts in the Lake Tahoe area of California. When I’m behind the wheel there, I’m continually on high alert, scanning the road for potential issues — especially in the winter. It could be something as simple as merging traffic or something hidden, like black ice, or something completely unexpected like a bear lumbering across the road. Similar to a driver on a long journey, an intelligence-driven SOC needs to move away from the traditional incident response model to what Gartner calls “continuous, pervasive monitoring and visibility that are constantly analyzed for indications of compromise.” And this ongoing cycle of monitoring and analytics must be implemented across all technology layers—the network, endpoints, the application front-end and backend, information/data, and yes, even users.

How can you enable continuous detection and response? The key elements include ingesting both internal and external threat intelligence and deriving contextual information from the data that’s relevant for your business. Next, you must correlate that information so that your solution sets can share the data and act in concert in order to respond more quickly and effectively. By incorporating technologies that unify and facilitate the protection, detection, and correction processes of the threat defense life cycle across your security infrastructure, a best-of-breed approach can be made to work.

Pervasive Visibility

Getting back behind the wheel for a moment, did you ever consider that manufacturers put brakes on a car so that you can go faster? Because of the improvements in safety features in cars, speed limits have actually increased over the years on some roads. Airbags, blind spot and lane detection, and other collision mitigation technologies all work together as a single, coordinated system so that we can drive safely at higher speeds and under challenging conditions. In the same way, pervasive visibility, where all your security components are collaborating, allows a business to operate at a faster pace. Now you can catch things that are coming at you more quickly and efficiently.

In a traditional multivendor, siloed SOC, individual security technologies are controlled by unintegrated, incompatible management consoles that can’t communicate with one another and don’t easily share intelligence. At the heart and center of an adaptive SOC is the ability to see everything — across systems, users, and networks that work together. Once you have end-to-end visibility, you can start mining all that rich internal threat intelligence for indicators of attack or indicators of compromise. If you want to take it up a notch, add external threat intelligence from third-party feeds or other trusted organizations. This type of data can provide you with valuable insights about threat characteristics and behaviors that enable you to look for similar patterns in your own environment.

Churning Through Massive Amounts Of Threat Data With Analytics

A consequence of pervasive visibility and threat intelligence is copious amounts of data. It’s much like driving through a blizzard in the mountains. You take in a great deal of data as you navigate this hazardous situation — snow, ice, wind, skidding cars, and pile-ups. Ultimately, you have to ingest this information, analyze it, and determine what matters most. This is where automation comes in — things like the information from apps such as Waze that alert you to traffic conditions ahead, built-in infrared night vision that helps you see farther, and adaptive braking systems that stop the car in an emergency.

In security, a similar issue arises. How do you corral and make use of this resource? The more data you have coming at you, the more you have to rely on machine automation to help you move swiftly and accurately when security incidents come up. Strong analytics technology, for example, helps identify characteristics associated with suspicious incidents and make correlations. You’ll need to establish baselines so that you know how to separate what may look normal for a particular user at a particular time of day in a particular area of the world and what deviates from that pattern. Analytics can help determine whether anomalous activity is real or not. It looks at contextual data and reduces noise and false positives so that you can apply your resources to events that appear to be real and then achieve the greatest impact.
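The baseline-then-deviation idea in the paragraph above, shown as an added worked example (this is not code from the original post or from Intel Security). It builds a per-user profile of login hours and countries from a constructed history, scores each new login against that profile, and surfaces only the events whose score clears a threshold. All records, usernames, hours and countries are made up for illustration; the scoring weights and the one-hour tolerance are assumptions a real SOC would tune.

```python
"""Added example: per-user baselines from constructed authentication records,
then scoring new logins so that only genuine deviations reach an analyst."""
from collections import defaultdict
from datetime import datetime

# Constructed sample of historical logins: (user, ISO timestamp, country).
# Made-up values for illustration, not real telemetry.
HISTORY = [
    ("alice", "2016-06-01T09:05:00", "US"),
    ("alice", "2016-06-02T08:55:00", "US"),
    ("alice", "2016-06-03T09:20:00", "US"),
    ("alice", "2016-06-06T10:02:00", "US"),
    ("bob", "2016-06-01T22:10:00", "DE"),
    ("bob", "2016-06-02T23:40:00", "DE"),
    ("bob", "2016-06-03T21:30:00", "DE"),
    ("bob", "2016-06-04T22:45:00", "DE"),
]


def build_baselines(records):
    """Return {user: {"hours": set of observed login hours, "countries": set}}."""
    base = defaultdict(lambda: {"hours": set(), "countries": set()})
    for user, ts, country in records:
        hour = datetime.fromisoformat(ts).hour
        base[user]["hours"].add(hour)
        base[user]["countries"].add(country)
    return dict(base)


def score_login(baselines, user, ts, country, tolerance=1):
    """Score one login: 0 = consistent with the baseline, higher = more anomalous.
    A user with no history gets a neutral score and an explanatory reason so
    that brand-new accounts are not reported as attacks."""
    profile = baselines.get(user)
    if profile is None:
        return 0, ["no baseline for user"]
    reasons, score = [], 0
    hour = datetime.fromisoformat(ts).hour
    # Accept logins within +/- tolerance hours of any previously seen hour,
    # including wrap-around at midnight (23:00 and 00:00 are neighbours).
    near = any(abs(hour - h) <= tolerance or abs(hour - h) >= 24 - tolerance
               for h in profile["hours"])
    if not near:
        score += 1
        reasons.append(f"unusual hour {hour:02d}")
    if country not in profile["countries"]:
        score += 2  # assumed weight: a new country matters more than an odd hour
        reasons.append(f"new country {country}")
    return score, reasons


def triage(baselines, events, threshold=2):
    """Return only the events whose score meets the threshold,
    i.e. the ones worth an analyst's time."""
    flagged = []
    for user, ts, country in events:
        score, reasons = score_login(baselines, user, ts, country)
        if score >= threshold:
            flagged.append((user, ts, score, reasons))
    return flagged


if __name__ == "__main__":
    baselines = build_baselines(HISTORY)
    new_events = [  # constructed test logins
        ("alice", "2016-06-07T09:10:00", "US"),  # normal
        ("alice", "2016-06-07T03:15:00", "US"),  # off-hours, same country: score 1
        ("alice", "2016-06-07T09:30:00", "RU"),  # new country: score 2, flagged
        ("bob", "2016-06-07T22:00:00", "DE"),    # normal for bob
        ("carol", "2016-06-07T12:00:00", "BR"),  # no baseline yet
    ]
    for item in triage(baselines, new_events):
        print(item)
```

The off-hours login by itself scores below the threshold and is suppressed, which is the noise reduction the paragraph describes; the same login from a country the user has never used is escalated. In a production SOC the profile would carry far more context (device, ASN, application) and the weights would be learned rather than hard-coded.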

Automation Of Routine Processes

One of the hallmarks of an intelligence-driven SOC is thoughtfully implemented automation, similar to the automation in today’s automobiles. As I’ve mentioned in a previous blog post, there’s a growing scarcity of qualified security professionals. We need to automate routine processes so that these talented individuals can be freed up to do the critical work of analysis. But we need to proceed with caution. For example, it would be counterproductive for automated response systems to completely shut down a CEO’s computer because they see a suspicious file.

So, rather than get too attached to the concept of “automation,” I prefer to think in terms of “automatability,” which both makes use of machine automation and introduces human analysis into the process before you take drastic measures, like shutting down an executive’s computer. Above all, you want to make certain that you create a process and workflow that suits your operation and that you can trust and continually improve.
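The "automatability" workflow described above, as an added example that is not part of the original post and not Intel Security's code: containment steps that are low impact run unattended, while drastic steps against high-value assets (an executive's workstation, a database server) are queued for analyst approval rather than executed. The asset tiers, hostnames, action names and the confidence threshold are all assumed values for illustration.

```python
"""Added example: a response playbook with a human-approval gate for
drastic actions on high-value assets."""
from dataclasses import dataclass, field

# Constructed asset inventory: hostname -> criticality tier (hypothetical).
ASSET_TIERS = {
    "ws-exec-01": "executive",
    "ws-dev-17": "standard",
    "srv-db-02": "critical",
}

# Which actions may run without a human per tier (assumed policy).
# Blocking a file hash is low impact everywhere; isolating a host from the
# network is automatic only for standard workstations.
AUTO_ALLOWED = {
    "standard": {"block_hash", "quarantine_file", "isolate_host"},
    "executive": {"block_hash", "quarantine_file"},
    "critical": {"block_hash"},
}


@dataclass
class Alert:
    host: str
    sha256: str
    confidence: float  # detection confidence in [0, 1]


@dataclass
class Outcome:
    executed: list = field(default_factory=list)
    pending_approval: list = field(default_factory=list)


def plan_actions(alert, isolate_threshold=0.9):
    """Decide which containment steps an alert calls for.
    Host isolation is only proposed for high-confidence detections."""
    actions = ["block_hash", "quarantine_file"]
    if alert.confidence >= isolate_threshold:
        actions.append("isolate_host")
    return actions


def run_playbook(alert, tiers=ASSET_TIERS, policy=AUTO_ALLOWED):
    """Execute what policy permits for the asset's tier; queue the rest
    for an analyst. Unknown hosts get the strictest tier by default."""
    tier = tiers.get(alert.host, "critical")
    outcome = Outcome()
    for action in plan_actions(alert):
        if action in policy[tier]:
            # In a real SOC this is where the EDR/firewall API would be called.
            outcome.executed.append(action)
        else:
            outcome.pending_approval.append(action)
    return outcome


if __name__ == "__main__":
    for a in (Alert("ws-exec-01", "deadbeef", 0.95),
              Alert("ws-dev-17", "deadbeef", 0.95),
              Alert("srv-db-02", "deadbeef", 0.50)):
        print(a.host, run_playbook(a))
```

The point of the gate is that the same detection produces different automatic behaviour depending on what the asset is: the developer workstation is isolated immediately, the executive's machine gets the file blocked and quarantined but stays on the network until a person confirms. Keeping the policy table separate from the playbook logic is what lets the workflow be tuned and audited over time.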

Analyzing Patterns And Root Causes

With automation for mundane tasks in place, your security professionals’ time is best spent on proactively hunting and mining threat data, and then digging deeper to unravel patterns and root causes. When an attack occurs, they need to look at how bad actors infiltrated the infrastructure, identify patient zero, determine which systems or networks were affected, and find out what type of data was exfiltrated. Whenever malware shows up, your analysts need to investigate the trajectory of the threat and learn as much as possible about how it got in. By gathering this type of data, your organization will get better at spotting and responding to threats with similar characteristics and behaviors that may emerge in the future.
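An added example covering two of the points above: matching an external indicator feed against internal endpoint telemetry (the "Pervasive Visibility" section) and then walking the matches back in time to identify patient zero and the order in which the threat spread. This is illustrative code, not from the original post or from Intel Security; the indicator hashes, hostnames, event types and timestamps are all constructed, and the event schema is an assumption.

```python
"""Added example: correlate an external IoC feed with internal endpoint
events, then reconstruct patient zero and the propagation trajectory."""
from datetime import datetime

# Constructed external feed: sha256 -> threat name. Made-up hashes.
EXTERNAL_IOCS = {
    "aaaa1111": "Dropper.Example",
    "bbbb2222": "Dropper.Example",
}

# Constructed internal telemetry: (timestamp, host, event kind, detail).
# For file_write the detail is a file hash; for net_conn it is the peer host.
INTERNAL_EVENTS = [
    ("2016-07-01T08:02:00", "ws-dev-17", "file_write", "aaaa1111"),
    ("2016-07-01T08:10:00", "ws-dev-17", "net_conn", "srv-file-01"),
    ("2016-07-01T08:15:00", "srv-file-01", "file_write", "aaaa1111"),
    ("2016-07-01T09:00:00", "ws-exec-01", "file_write", "bbbb2222"),
    ("2016-07-01T09:30:00", "ws-hr-03", "file_write", "cccc3333"),  # not in feed
]


def match_iocs(events, iocs):
    """Return (timestamp, host, threat) for every file event whose hash is
    in the external feed, sorted chronologically."""
    hits = [(ts, host, iocs[detail]) for ts, host, kind, detail in events
            if kind == "file_write" and detail in iocs]
    return sorted(hits, key=lambda h: datetime.fromisoformat(h[0]))


def patient_zero(hits):
    """The earliest host on which an indicator appeared, or None."""
    return hits[0][1] if hits else None


def propagation_order(hits):
    """Affected hosts in the order they were first hit (deduplicated)."""
    seen = []
    for _, host, _ in hits:
        if host not in seen:
            seen.append(host)
    return seen


def lateral_links(events, affected):
    """Network connections between two affected hosts: the first place an
    analyst would look when reconstructing how the threat moved."""
    aff = set(affected)
    return [(ts, src, dst) for ts, src, kind, dst in events
            if kind == "net_conn" and src in aff and dst in aff]


if __name__ == "__main__":
    hits = match_iocs(INTERNAL_EVENTS, EXTERNAL_IOCS)
    order = propagation_order(hits)
    print("patient zero:", patient_zero(hits))
    print("propagation order:", order)
    print("lateral links:", lateral_links(INTERNAL_EVENTS, order))
```

On the constructed data the feed turns three otherwise unrelated file events into one incident, the earliest match names the developer workstation as patient zero, and the single network connection between affected hosts shows the path to the file server. Real investigations add process lineage and authentication events to the same timeline; the structure (match, order, link) stays the same.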

You’re On Your Way

We hope that you have derived some benefit from our blog series and that it will help you formulate a workable and successful adaptive security strategy for your organization. To learn more about Gartner’s research in this space and approaches for implementing adaptive security, view this webinar featuring Gartner’s Neil Macdonald and me as we talk about the Adaptive Security Architecture concept. And remember — drive safely!

About the Author

Brett Kelsey

VP & Chief Technology Officer, Americas, Intel Security

Brett Kelsey is the VP and Chief Technology Officer for the Americas for Intel Security. In this role, he has leveraged his business and practice development, technical expertise, and innovative thought leadership to evangelize Intel Security's go-to-market strategy across key customer segments in the Americas; drive strategic customer engagements; and provide customer feedback to product engineering to help shape the direction of our technology.

Mr. Kelsey is a well-respected executive in the information technology field with a successful career spanning more than 25 years. An internationally recognized expert, he is renowned for his exceptional ability to conceptualize, develop, and implement technology strategies for government and private-sector clients across the healthcare, financial, education, telecommunications, and power industries. He offers in-depth knowledge of information security practices, including complying with state, federal, and industry regulations, standards, and laws such as HIPAA, ISO, NIST, ITIL, CoBIT, Sarbanes Oxley, and GLBA. Additionally, he has served as Chief Security Officer in several government departments and financial organizations.

While serving as CSO, he led the corporate security program, which is focused on ensuring the integrity, confidentiality, and availability of critical information and computing assets, as well as managing risk to enable positive growth for the company's business. Brett also oversaw security in development practices, research in critical infrastructure assurance, electronic discovery, physical security, and internet security research.

Prior to joining McAfee Inc., Mr. Kelsey was the VP of service delivery for NWN Corp. by way of the acquisition of Western Blue Corp. At NWN, he led a team of over 75 technical consultants focused on delivering complex IT solutions in information security, cloud & data center computing, virtualization, end-point management, network infrastructure, and IT application modernization.

In addition, Brett was a founding partner and principal security consultant with S3 Group and managing principal at Lucent Professional Services (formerly International Network Services) where he led numerous Fortune 500 client engagements providing comprehensive security solutions encompassing risk and vulnerability identification, risk assessment and mitigation, and security program development incorporating infrastructure recommendations, policies, procedures, and processes to protect critical information, systems, and assets.

Mr. Kelsey has been called upon as an expert high-tech crime witness and certified computer forensics investigator examiner in numerous high-profile computer hacker arrests and convictions. He has served as a member of the Cisco Systems Technical Leadership Council, the McAfee Partner Advisory Council, the Microsoft Security Advisory Council, the Computer Security Institute (CSI), the Information Systems Security Association, InfraGard, the Information Systems Audit & Control Association, and the Project Management Institute.

In addition to extensive professional development and technical training, Mr. Kelsey holds certifications as both a certified Information Security Systems Professional and Certified Information Security Auditor.
