The year 2017 has been dominated by some of the worst cyber-attacks and high-profile data breaches to date. To give just one example:
Consumer credit scoring company Equifax has revealed that hackers accessed up to 143 million customer account details earlier this year. The breach happened on July 29, and the details taken include names, social security numbers, drivers' licences and credit card numbers of around 200,000 people.
This breach may cost Equifax millions of dollars in penalties, but the greater cost is to the most important element of any business: client trust and reputation, built up over many years.
Incidents like this have made organizations realize that the threat landscape is changing ever faster and that new challenges are emerging every day. Organizations have to move their defense strategy from basic measures and ad hoc response to more sophisticated and robust processes.
To identify a data compromise, organizations need to know their potential vulnerabilities and threats, and also be able to detect incidents at an early stage for faster reaction and recovery. There is no doubt that a Security Operations Center (SOC) is the effective way to centrally coordinate, monitor and manage an organization's security defenses.
Evolution of the SOC
As technology evolved, so did cybersecurity threats and attack vectors. Malicious users started using sophisticated tools and technologies for targeted attacks that can be executed faster, capture vast amounts of data and/or cause more damage. To defend against these attacks, security tools and technologies have been evolving too.
By adopting these evolving technologies, Security Operations Centers (SOCs) have themselves evolved over time. Hewlett Packard has published a most informative paper on the evolution of the SOC.
The first-generation SOCs, around 1975, were mainly built for defense organizations and government agencies. Their objective was to defend against low-impact malicious code. As the internet and technology evolved, virus outbreaks grew and the need for intrusion detection increased.
The second generation accommodated this need around 1996. Hackers kept improving their attack methodologies and started launching Denial of Service attacks using armies of bots; that is when the SOC evolved to include intrusion prevention capability.
Attackers then changed their strategies and started slow-moving attacks that would not be detected by an organization's security infrastructure. To detect these persistent attacks, the SOC was updated with Advanced Persistent Threat (APT) detection technologies by around 2007, and as regulators started imposing cybersecurity requirements, SOCs braced themselves to take care of those regulatory requirements as well.
In this third-generation SOC, Security Information and Event Management (SIEM) was the core technology: it collected log feeds from the log sources integrated with it and generated alerts according to defined rules.
Around 2013, security professionals realized that adding external threat intelligence feeds and applying heuristic analysis within the SIEM solution would give an earlier warning of compromise.
Need for Next Generation SOC
With the growth of digitization and disruptive technologies like IoT, the attack surface has increased, and the volume and variety of data that needs to be captured and analyzed has grown many fold. Attackers are using state-of-the-art technologies to snoop around the corporate network unnoticed, taking advantage not only of technology vulnerabilities but also of process flaws to steal information.
“It takes constant monitoring and maximum use of data to find attacks and abnormal behavior before damage is done. But the world produces over 2.5 quintillion bytes of data every day, and 80 per cent of it is unstructured. This means it’s expressed in natural language – spoken, written or visual – that a human can easily understand but traditional security systems can’t.” – IBM Cognitive Security
It is accepted by the cybersecurity industry that reactive defense techniques are not going to help in protecting against a breach or reducing its impact, so the Next Generation SOC (NG-SOC) is evolving to provide predictive cybersecurity analysis.
Next Generation SOC (NG-SOC)
There are two main things that need to be addressed by the next generation SOC: processing huge amounts of structured and unstructured log data, and providing predictive alerts based on continuous learning from the dynamic IT infrastructure.
Machine Learning & Deep Learning based SIEM tool
For many professionals, SOC still means a SIEM tool and security monitoring. To some extent that is correct, as the SIEM tool acts as the core engine of the SOC: it collects logs from the integrated log sources, processes them according to predefined rules and raises alerts.
Since the inception of the SIEM tool, security engineers and analysts have been writing many different rules to monitor and correlate the log data pumped into it. These rules are added one by one as the environment requires. Given the amount of log data the SIEM tool has to process, it is impossible to write rules that can identify the anomalies.
Next generation SIEM tools will use machine learning, which essentially marries rules or algorithms with statistics, enabling knowledge-based, intelligent analysis that produces predictive, actionable results.
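As an added illustration (not code from the original article or from any SIEM product), the script below puts a typical hand-written SIEM threshold rule beside a simple per-account statistical baseline of the kind a learning SIEM would maintain. The account names and daily failed-login counts are constructed; the static rule fires on the account that is noisy every day and misses the account whose failures are quietly climbing.

```python
"""Static SIEM threshold rule versus a per-account statistical baseline."""
from statistics import mean, pstdev

BASELINE_DAYS = range(1, 8)   # seven days of history used to learn "normal"
REVIEW_DAY = 8                # the day the analyst is looking at

# Constructed daily failed-login counts per account, as a SIEM would aggregate
# them from authentication logs. A missing day means zero failures that day.
FAILED_LOGINS = {
    "alice": {1: 1, 2: 2, 3: 3, 4: 2, 5: 1, 6: 2, 7: 3, 8: 5},       # slow climb
    "bob":   {1: 5, 2: 14, 3: 9, 4: 12, 5: 7, 6: 13, 7: 10, 8: 12},  # always noisy
    "carol": {8: 3},                                                 # no history
}

FAILED_LOGIN_THRESHOLD = 10   # a typical static correlation rule


def rule_alerts(counts, day=REVIEW_DAY, threshold=FAILED_LOGIN_THRESHOLD):
    """Classic SIEM rule: fire when an account has >= threshold failures in a day."""
    return sorted(user for user, per_day in counts.items()
                  if per_day.get(day, 0) >= threshold)


def baseline_alerts(counts, day=REVIEW_DAY, history=BASELINE_DAYS, zmax=2.0):
    """Per-account baseline: fire when today's count lies more than zmax standard
    deviations above that account's own history. Returns {user: z_score}."""
    alerts = {}
    for user, per_day in counts.items():
        samples = [per_day.get(d, 0) for d in history]   # zero days are data too
        mu = mean(samples)
        # Floor sigma at one event so a flat or empty history cannot make every
        # small change look infinitely anomalous (and avoids division by zero).
        sigma = max(pstdev(samples), 1.0)
        z = (per_day.get(day, 0) - mu) / sigma
        if z > zmax:
            alerts[user] = round(z, 2)
    return alerts


if __name__ == "__main__":
    print("static rule fires on:      ", rule_alerts(FAILED_LOGINS))      # ['bob']
    print("statistical baseline fires:", baseline_alerts(FAILED_LOGINS))  # {'alice': 3.0, 'carol': 3.0}
```

Bob's twelve failures are normal for that account and the baseline stays quiet, while Alice's five failures never reach the static threshold yet are three standard deviations above her history; Carol, with no history at all, is flagged because any activity is new for her.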
Wearing the Hacker's Hat – AI-based Sandbox
Hackers are always a step ahead of security defense teams, using technology to analyze a targeted client's environment, identify vulnerabilities and predict exploitability. Security analysts can use the same technique by employing AI- and ML-based sandboxing tools, which is both a proactive and a defensive approach. It provides knowledge-based inputs that help the analyst counter probable attacks and protect systems from potential security risks.
Human Factor of the Next Generation SOC
All these technological advances do not eliminate the need for intuitive, informed decisions by the human brain. We still need security analysts to look into incidents and finalize the action plan. Their lives will be made easier by freeing them from repetitive, mundane tasks, so that they can use their time and intelligence on defining and executing the incident response plan to reduce the impact.
“If you continue doing what you have always done without embracing automation, you will be obsolete in three to four years,” Nick Coleman, global head, cybersecurity intelligence at IBM, told the ISACA CSX Europe 2017 conference in London.
To Sum Up
The question is: are we thinking like hackers, identifying the exploitable loopholes in technology, process and people, or are we too busy dealing with the trillions of logs being pumped into the SOC?
This is the right time to start upgrading your SOC tools with Artificial Intelligence and Machine Learning based security technologies to automate and improve the security posture of your organization.