SOCs Use Automation to Compensate for Training, Technology Issues

Executives and front-line SOC teams see human and technology issues in much different ways, according to two new reports.

Dark Reading logo in a gray background | Dark Reading

A Security Operations Center is an expensive resource for protecting enterprise computing and network resources. A handful of factors can keep an organization from getting the most from the resources — and a recent study shows that those factors are more common than some would think.

A recent study by Exabeam resulted in the 2018 State of the SOC Report which has sections on how SOCs are built and staffed, and how employees at various levels of the organization see the SOC. In key areas, people at different organizational levels have very different views of the issues that exist.

"In terms of importance, upwards of 62% of people who work in the SOC see inexperienced staff as a key pain point," says Stephen Moore, vice president & chief security strategist at Exabeam. "Only 21% of those at the C-level think that this could be an issue." 

The divide is important, as indicated in another report, the 2018 State of Security Operations report, published by Micro Focus. According to the report, among the factors credited with improving SOC operations are the continuity and retention of key security personnel, and insight into the applications, data, systems, and users most likely to impact customers. That insight may be compromised when executives and front-line personnel have radically different views of the security landscape.

Experience level isn't the only area where there is divergence of opinion. Moore says. "Technology is twice the pain point for line people as for the C-suite." The Micro Focus report is quite specific on the nature of the pain. "Most security operations centers continue to be over-invested in technologies that inform them of a problem, yet truly struggle to protect, detect, respond, and recover from the cyber security attacks they fail to discover."

A growing number of organizations are looking to continuous security, or DevSecOps, to optimize the effect of the people and technology they do have in place. The State of Security Operations report points out that, "20% of cyber defense organizations that were assessed over the past 5 years … continue to operate in an ad-hoc manner with undocumented processes and significant gaps in security and risk management." While still high, those numbers represent improvement over time.

Moore says that improvement has to come through automation and continuous response. "It's not enough to find something bad; you have to use your [organization] to respond," he says, adding, "You're seeing orchestration happen, which is sort of the SOC's version of DevSecOps. It's bringing all the pieces in together to help win the security fight."

One of the most important results of using the assets of the organization to be proactive is that the SOC has to become more friendly to the rest of the organization, Moore says. "It's meeting before a crisis and agreeing to a response," he explains. "It's a low-friction/high-trust response. That's really cool, and that's the promise — more communications at a human level."

The planned and automated response can help reduce the impact of both reduced staff training and outdated technology. And in security, making the most of what the organization has is critical. "It's important to be able to run a playbook," Moore says, noting that doing so, "…takes a lot of the pain, a lot of the sting, out of the SOC." In the end, he says "the SOC is a pain center, and this is a soothing agent. As a security executive it's your job to remove pain."

Related content:

 

 

 

Black Hat USA returns to Las Vegas with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions and service providers in the Business Hall. Click for information on the conference and to register.

About the Author

Curtis Franklin, Principal Analyst, Omdia

Curtis Franklin Jr. is Principal Analyst at Omdia, focusing on enterprise security management. Previously, he was senior editor of Dark Reading, editor of Light Reading's Security Now, and executive editor, technology, at InformationWeek, where he was also executive producer of InformationWeek's online radio and podcast episodes

Curtis has been writing about technologies and products in computing and networking since the early 1980s. He has been on staff and contributed to technology-industry publications including BYTE, ComputerWorld, CEO, Enterprise Efficiency, ChannelWeb, Network Computing, InfoWorld, PCWorld, Dark Reading, and ITWorld.com on subjects ranging from mobile enterprise computing to enterprise security and wireless networking.

Curtis is the author of thousands of articles, the co-author of five books, and has been a frequent speaker at computer and networking industry conferences across North America and Europe. His most recent books, Cloud Computing: Technologies and Strategies of the Ubiquitous Data Center, and Securing the Cloud: Security Strategies for the Ubiquitous Data Center, with co-author Brian Chee, are published by Taylor and Francis.

When he's not writing, Curtis is a painter, photographer, cook, and multi-instrumentalist musician. He is active in running, amateur radio (KG4GWA), the MakerFX maker space in Orlando, FL, and is a certified Florida Master Naturalist.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights