By Kiersten Putnam | Trace3 Senior Innovation Researcher
Data is central to a security posture. This probably comes as no surprise, since it is the data itself that makes up the security telemetry organizations need to understand the posture of their security stack.
Without reliable access to this telemetry, can you imagine how organizations would be able to correctly detect and respond to threats? It would be very difficult, if not almost impossible. Fortunately, this article is not about a shortage of security data: many organizations have a diverse set of security tools producing many different alerts. Instead, this article is about the challenge that comes from the sheer amount of data these security tools produce.
There is so much automated monitoring and data collected that it exceeds the human capacity for processing and, thus, creates challenges with accurate visibility and timely detection of security alerts.
The challenges faced in SOC management
As security operations teams monitor, detect, and respond to cybersecurity threats, they analyze a great deal of security threat data. Given the vast amount of telemetry these security professionals sift through to do their daily jobs, there are some common data challenges these organizations report. These data challenges include poor visibility into threats and too many alerts.
From a process perspective, there are also common challenges that are felt in security operation center management. Typically, these are reported as being understaffed, having high turnover, and spending too much time on manual processes. Regardless of the type of challenge faced by a security team, all pain points are real and should be evaluated for how they can be addressed.
SOC operations problems call for unique and innovative solutions.
While the core mission of a security team and a managed SOC service more generally remains unchanged, there is an opportunity to optimize the current processes causing operational and cybersecurity threat challenges.
From the leading edge of innovation comes the practice of Autonomic Security Operations. While the name sounds fancy, it is fundamentally about looking for opportunities to break out of the rigid, siloed operations center and to drive automation to the point that vulnerability management processes become autonomous.
If the fundamental pain these vulnerability management teams face is having too much data and not enough resources or processes to keep up with it, then you should ask yourself where automation can be leveraged to better assess threat intelligence and mitigation.
To simplify this even more, there is a path the security organization will need to take. By evaluating your security posture processes, your technology stack, and your organization structure, you can decide whether to take an optimization approach or a transformation approach.
Let’s break it down visually.
On the one hand (optimization), you are improving and operationalizing certain existing processes in your SOC. On the other hand (transformation), there is the cultural shift of embracing Autonomic Security Operations to completely evolve your current processes, culture, and organization into a new SOC.
The choice is yours, and, luckily, it doesn’t need to be made today.
Along with the Autonomic Security Operations practice, emerging technology is evolving to enable both the operational and transformational paths.
Candidly, it’s difficult to classify use cases as strictly operational or strictly transformative, because these use cases are rapidly evolving to handle more and more functions within a SOC. While the choice to optimize or transform processes belongs to the SOC, the technical decision will fall somewhere on the spectrum from manual to autonomous capabilities.
As the innovation team, we are focused on technologies that fall on the right side of this spectrum (autonomous). Below is a peek at the technologies we have been tracking:
Security hygiene establishes a baseline for your security controls and threat responses. By conducting health checks and comparing the results against industry frameworks like MITRE, it helps ensure a robust defense against emerging threats.
Next-gen SIEM addresses challenges with traditional SIEMs by focusing on centralizing large volumes of data, analyzing data at scale, and creating cost-effective approaches.
Alert hygiene keeps the incident backlog clean by consolidating security findings and prioritizing incidents.
Next-gen SOAR enhances SOAR processes by providing workflow automation for not just security incidents but operations in general.
AI SOC analyst lightens the load of a SOC analyst by leveraging security LLMs to kick-start the alert investigation process.
While this is a snapshot of how we currently see the market, it’s important to recognize that the market has been evolving rapidly, with a variety of different solutions supporting the operationalization of security threat risks.
As it evolves, we are seeing these solutions continuously leverage new AI techniques to create their offerings. This ranges from merely adding automation into the process to creating copilot security analysts that kick-start an investigation. Although some of these use cases have many solutions within them, our perspective is that, as time goes on, solutions will continue to differentiate themselves by the capabilities for which they can provide automation and assistance with the help of AI.
Given that the key problem statement in this space is the excessive amount of data and security tools, it’s likely that these automated threat intelligence and mitigation solutions will continue building out into more comprehensive platforms. In fact, we are already starting to see acquisitions that point to this. Examples include Silk Security being acquired by Armis and Avalor by Zscaler.
You may not have to make an immediate decision, but the question for you will be how to determine what is best for your organization.
It will likely involve a series of steps to first critically evaluate your current organization. Next, it will be time to determine what use cases are important to your organization, and the amount of automation you are looking for. Finally, when it comes to narrowing down on the tech you will leverage, this is where our Innovation team will shine.
As the market continues to change, we would love to keep you informed and provide our guidance on enhancing your SOC. You can reach us at innovation@trace3.com, or through our contact page.
Kiersten Putnam is a Senior Innovation Researcher at Trace3. She is passionate about new innovative approaches that challenge traditional processes across the enterprise. As a member of the Innovation Team, she delivers research content on emerging trends and solutions across enterprise cloud, security, data, and infrastructure. When she's not researching, she is either exploring the surrounding areas of Denver, Colorado where she lives, or planning her next trip abroad.