Today’s enterprises face a continuous stream of cyberattacks, and security operations centers (SOCs) need to prepare for what’s to come. Exabeam Chief Security Strategist Stephen Moore and Exabeam Director of Threat Research Barry Shteiman discussed the current state of play and the future of cybersecurity in a recent webinar.
Current State of the SOC
Organizations fall into one of two categories: they have a SOC, or they don’t. Unfortunately, the many organizations that do have a SOC are not getting the value they should.
Underperforming SOCs typically follow an assembly-line mentality instead of operating as a strategic thinking machine. These organizations produce the largest volume of output, which is itself a sign of a lower-value operation.
Indicators of underperforming SOCs:
- Report statistics that give a wow factor instead of a true measure of risk
- Heavily burdened by requests from other organizations that are not core to the investigation or response of a breach
- Staffed with a response team of IT professionals that are not qualified to handle security incidents without training
- Fail to answer questions effectively; for example, “Is this account compromised?” should not be disregarded or treated lightly
The CISO is the most at-risk job in an organization: CISOs are treated as a disposable insurance policy for a severe breach. SOCs should look to invest in solving problems and in better tools, rather than in expensive CISOs.
Adversaries and Their Current Methods
When looking for insider threats, SOCs should focus on what they can see now with advanced correlation technologies and modern investigation tools. These technologies help find the threats that are known to exist but can’t yet be caught. Flashy new attacks are interesting, but they are typically not representative of the most common issues. Identifying common failure points and the true root cause of breaches will save time and money and prevent future issues.
- Conduct complete investigations
- Focus on root causes
- Evaluate current investments and gaps in technology
Why Do Attackers Continue to Succeed?
To prevent attackers from succeeding, SOCs need to focus on finding attacks, fixing them, providing excellent customer service and getting credit for it. Team leads need to audit what their team is focused on. SOCs often get bogged down by distractions and fail to prioritize; if analysts are pulled away by other requests, they cannot perform effectively. This is compounded by how drastically understaffed the cybersecurity field is. Individuals who fill cybersecurity roles are often not trained properly or lack the experience needed to perform the role effectively.
Advanced SOCs prioritize:
- Early training with a focus on impact
- Consistent fire drills
- Tiered cybersecurity response plans that train new staff on the early tiers and involve them on the later tiers with friendly mentors
The State of Security Analytics and Response Programs
To become more strategic, SOCs need to be approachable and take part in conversations with functions like HR, legal and sales before a breach occurs. All core functions need to feel prepared and be comfortable communicating with the rest of the team in the event of a breach.
- Use recent breaches in the news and walk through potential scenarios
- Evaluate if the organization is equipped to handle a similar situation
- Devise an internal and external communication plan
- Automate part of a security threat response to improve response time
The Role of SIEM vs UEBA in the SOC
A SIEM is the first, simple piece of a security platform. User and Entity Behavior Analytics (UEBA) sits on top of it and adds machine learning and behavioral modeling to detection. UEBA can be used in conjunction with your current SIEM, or with the Exabeam Security Intelligence Platform.
Listen to the full webinar, “2017 Cybersecurity State of Play and Where We’re Headed.”