
Security Operations Center (SOC) Stress? AI to the Rescue!

Written by Kiersten Putnam | July 4, 2024

By Kiersten Putnam | Trace3 Senior Innovation Researcher

Security is a Data Problem

Data is central to security - this probably comes as no surprise, since it is the data itself that makes up the security telemetry organizations need to understand the posture of their security stack. Without reliable access to this telemetry, can you imagine how organizations would be able to correctly detect and respond to threats? It would be very difficult to nearly impossible! Fortunately, this blog is not about a shortage of security data - many organizations have a diverse set of security tooling producing many different alerts. This blog is about the challenge that comes from the sheer amount of data these security tools produce. So much data is collected that it exceeds the human capacity for processing it, which creates challenges with accurate visibility and timely detection of security alerts.


As security operations teams monitor, detect, and respond to cybersecurity threats, they analyze a great deal of security data. Given how much telemetry they sift through to do their daily jobs, there are some common data challenges these organizations report: poor visibility into threats and too many alerts. From a process perspective, there are also common challenges: teams typically report being understaffed, having high turnover, and spending too much time on manual processes. Regardless of the type of challenge, all of these pain points are real and should be evaluated for how they can be addressed.


From Overload to Order: Paving the Path Forward


Challenging problems call for unique and innovative solutions.


While the core mission of a security operations team remains unchanged, there is an opportunity to optimize the current processes that are causing operational and security challenges. From the leading edge of innovation comes the practice of Autonomic Security Operations. While the name sounds fancy, it is fundamentally about looking for opportunities to break out of the rigid, siloed operations center and to drive automation to the point that processes become autonomous. If the fundamental pain these teams face is having too much data and not enough resources or processes to keep up with it, then there must be opportunities to ask yourself where automation can be leveraged.


To simplify this even further, there is a path the security organization will need to take. By evaluating your processes, your technology stack, and your organizational structure, you can decide whether to take an optimization approach or a transformation approach. Let’s break it down visually.


On the one hand (optimization), you are improving and operationalizing specific processes within your existing SOC. On the other hand (transformation), there is the cultural shift of embracing Autonomic Security Operations to completely evolve your current processes, culture, and organization into a new SOC.

The choice is yours and luckily, it doesn’t need to be made today.


The Market’s Path: From Manual Efforts to Autonomic Advances

Along with the Autonomic Security Operations practice, emerging technology is evolving to enable both the operational and transformational paths.

Candidly, it’s difficult to classify use cases as strictly operational or strictly transformative because these use cases are rapidly evolving to handle more and more functions within a SOC. While the choice of whether to optimize or transform processes will be the SOC's to make, the technical decision will fall somewhere on the spectrum from manual to autonomous capabilities. As the innovation team, we are focused on technologies that fall on the right of this spectrum (autonomous). Below is a peek at the technologies we have been tracking:

While the above is a snapshot of how we currently see the market, it’s important to recognize that the market has been evolving rapidly, with a variety of different solutions providing support for operationalizing security risks. As it evolves, we are seeing these solutions continuously leverage new AI techniques to create their offerings. This ranges from merely adding automation into the process to creating copilot security analysts that kickstart an investigation. While some of these use cases have many solutions within them, our perspective is that as time goes on, solutions will continue to differentiate themselves by the capabilities to which they can bring AI-driven automation and assistance. Given that the key problem statement in this space is the excessive amount of data and security tools, it is likely that these solutions will continue building out into more comprehensive platforms. In fact, we are already starting to see acquisitions that point to this. Examples include Silk Security being acquired by Armis and Avalor by Zscaler.


Charting the Future: Navigating SOC Advancements and Next Steps

While you may not have to make an immediate decision, the question for you will be how to determine what is best for your organization.

It will likely involve a series of steps: first, critically evaluate your current organization. Next, determine which use cases are important to your organization and how much automation you are looking for. Finally, when it comes to narrowing down the technology you will leverage, this is where our Innovation team will shine. As the market continues to change, we would love to keep you informed and provide our guidance on enhancing your SOC. You can reach us at innovation@trace3.com.


Kiersten Putnam is a Senior Innovation Researcher at Trace3. She is passionate about new innovative approaches that challenge traditional processes across the enterprise. As a member of the Innovation Team, she delivers research content on emerging trends and solutions across enterprise cloud, security, data, and infrastructure. When she's not researching, she is either exploring the surrounding areas of Denver, Colorado, where she lives, or planning her next trip abroad.