[BreachExchange] Why Your Business Needs A Security Operations Center

Audrey McNeil audrey at riskbasedsecurity.com
Thu May 11 20:12:56 EDT 2017


To survive attacks, organizations must be aware of potential threats,
detect incidents early and react quickly. The most effective way to
coordinate your defenses, security professionals say, is with a Security
Operations Center (SOC). A SOC is a cyber clearinghouse run by security
professionals who leverage technology to monitor an organization’s entire
information domain to help prevent, detect and respond to attacks.

Yet, 44 percent of companies participating in EY’s 19th Global Information
Security Survey 2016-17 reported they did not have a SOC (and only half
said they could predict or detect a sophisticated cyberattack). Instead,
cybersecurity is often handled piecemeal by IT and security workers who
don’t always cooperate. Worse, companies without a SOC lack the ability to
examine the big picture and strengthen security for valuable assets in a
holistic manner.

Setting up a SOC doesn’t have to be too expensive or difficult, according
to Jason Finlayson, a cyberthreat management lead at EY. It is simply a
coordinated, effective approach to managing threats and incidents.


At the heart of the SOC is an automated system that collects information
from PCs, laptops and other devices. This Security Information and Event
Management system (SIEM) analyzes millions of login attempts, data
transfers and other information, and warns security officers of potential

In the past, SIEMs drove businesses crazy with false positives. But over
the past few years, they’ve become more accurate by allowing
ever-increasing customization of the reporting rule-sets, pre-defined
automated response actions in tandem with other technologies, and the
incorporation of behavioral analytics.

“We can baseline the environment and say, ‘This is what’s normal,’”
Finlayson said. For example, a computer that communicates with a new server
and sends data to an unknown IP address would be flagged for human

If the incident is innocent, a security officer may instruct the SIEM to
ignore such cases in the future. But if it looks like a real threat, the
security officer would initiate mitigation actions, such as cutting off
network access to the suspected intruder and preventing networked computers
from interacting with it. Machines proven to be compromised with
unauthorized software or in contact with the suspect site might be isolated
from the network and “re-imaged,” while investigations are carried out to
identify how they were compromised and prevent it from happening again.

With the advent of increasingly intelligent systems, the SIEM becomes
increasingly automated. In the future, Finlayson predicted, SIEMs may
become so autonomous that security workers will simply ask, “What’s
happened today? What IT network devices have you quarantined, shut down and
re-imaged and put back on the network without me even knowing about it?”


An automated SIEM, while invaluable to the SOC, can’t do everything. People
must first determine the critical assets based on the organization’s
strategy, assess the most significant threats to them, create likely attack
scenarios and “tune” the monitoring process to track them.

For example, if a CEO begins negotiating a controversial merger, the SOC
might boost monitoring of the company’s financial systems and social media
pages. “We go hunting for the incoming attacks, as opposed to waiting,”
Finlayson said.

Threat intelligence is an important component of a SOC. In EY’s survey, 64
percent of companies reported having only an informal threat intelligence
program — or none at all. A SIEM can provide or ingest threat analysis and
subscribed data feeds about the latest threats. Through continual
adjustment and updating, the SIEM assists in managing the threat detection
capabilities the company needs, Finlayson said.
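The baselining, flagging and analyst feedback described above, the tuning for critical assets, and the ingestion of a threat feed can be seen together in a small detector. This is an added example written for this post; it is not code from the article, from EY or from any SIEM product. The log format, host names, IP addresses, the threat feed contents, the critical-asset list and the earlier analyst decision are all constructed for illustration, and the "ten times the baseline maximum" threshold is an assumed tuning value.

```python
"""Toy SIEM-style baseline detector with analyst feedback.

Added example, not code from the article or from EY. Everything below is
constructed for illustration: the log format, host names, IP addresses,
the threat feed and the list of critical assets.
Assumed log line format: "<timestamp> <host> -> <dest_ip>:<port> <bytes_sent>"
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed historical connection log used to learn "what's normal".
BASELINE_LOG = [
    "2017-05-01T09:00:01 ws-finance-01 -> 10.0.0.5:443 1200",
    "2017-05-01T09:05:10 ws-finance-01 -> 10.0.0.7:445 8000",
    "2017-05-01T09:06:00 ws-hr-02 -> 10.0.0.5:443 900",
    "2017-05-02T10:00:00 ws-finance-01 -> 10.0.0.5:443 1500",
    "2017-05-02T11:00:00 ws-hr-02 -> 10.0.0.9:80 300",
]
# Constructed log for the day under review.
TODAY_LOG = [
    "2017-05-11T08:00:00 ws-finance-01 -> 10.0.0.5:443 1100",
    "2017-05-11T08:10:00 ws-finance-01 -> 203.0.113.77:443 5000000",
    "2017-05-11T08:12:00 ws-hr-02 -> 10.0.0.9:80 250",
    "2017-05-11T08:15:00 ws-hr-02 -> 198.51.100.23:8443 40000",
    "2017-05-11T08:20:00 ws-hr-02 -> 10.0.0.12:443 700",
]
THREAT_FEED = {"198.51.100.23"}      # constructed "subscribed feed" of bad IPs
CRITICAL_ASSETS = {"ws-finance-01"}  # assets the strategy says matter most
LARGE_TRANSFER_FACTOR = 10           # assumed tuning: flag sends this many times the baseline max


@dataclass
class Conn:
    ts: str
    host: str
    dest_ip: str
    port: int
    nbytes: int


@dataclass
class Baseline:
    dests: dict = field(default_factory=lambda: defaultdict(set))      # host -> known dest IPs
    max_bytes: dict = field(default_factory=lambda: defaultdict(int))  # host -> largest send seen


@dataclass
class Alert:
    host: str
    dest_ip: str
    severity: str
    reasons: list


def parse_line(line: str) -> Conn:
    ts, host, _arrow, dest, nbytes = line.split()
    ip, port = dest.rsplit(":", 1)
    return Conn(ts, host, ip, int(port), int(nbytes))


def build_baseline(lines) -> Baseline:
    """Learn each host's normal destinations and its largest transfer."""
    b = Baseline()
    for c in map(parse_line, lines):
        b.dests[c.host].add(c.dest_ip)
        b.max_bytes[c.host] = max(b.max_bytes[c.host], c.nbytes)
    return b


def detect(lines, baseline, threat_feed, critical_assets, allowlist) -> list:
    """Flag connections that deviate from the baseline; skip analyst-cleared pairs."""
    alerts = []
    for c in map(parse_line, lines):
        if (c.host, c.dest_ip) in allowlist:
            continue  # reviewed earlier and judged innocent
        reasons = []
        if c.dest_ip not in baseline.dests[c.host]:
            reasons.append("new destination for this host")
        if c.nbytes > LARGE_TRANSFER_FACTOR * baseline.max_bytes[c.host]:
            reasons.append("transfer far above baseline maximum")
        if c.dest_ip in threat_feed:
            reasons.append("destination on threat-intel feed")
        if not reasons:
            continue
        # Tuning: critical assets and known-bad destinations get top priority.
        severity = "high" if (c.host in critical_assets or c.dest_ip in threat_feed) else "medium"
        alerts.append(Alert(c.host, c.dest_ip, severity, reasons))
    return alerts


def analyst_clears(allowlist: set, alert: Alert) -> set:
    """Feedback loop: an analyst marks an alert innocent so it is not raised again."""
    allowlist.add((alert.host, alert.dest_ip))
    return allowlist


if __name__ == "__main__":
    base = build_baseline(BASELINE_LOG)
    cleared = {("ws-hr-02", "10.0.0.12")}  # constructed earlier analyst decision
    for a in detect(TODAY_LOG, base, THREAT_FEED, CRITICAL_ASSETS, cleared):
        print(a.severity.upper(), a.host, "->", a.dest_ip, "|", "; ".join(a.reasons))
```

Run as a script it prints two alerts for the constructed day: a high-severity one for the finance workstation sending a large volume to a never-seen address, and a high-severity one for the HR workstation reaching an address on the feed; the third new destination is suppressed because an analyst had already cleared it. Calling analyst_clears on an alert and re-running detect shows the "ignore such cases in the future" step the article describes.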

A SOC also identifies a company’s vulnerabilities and deploys technology to
regularly scan devices and coordinate the update and patching of
weaknesses. Many companies patch piecemeal — 55 percent of respondents to
the EY survey said they lacked a formal vulnerability identification

Plugging holes sounds simple, but it’s a vital part of security.
Cybercriminals know which programs have flaws and search for companies that
haven’t patched them, Finlayson said.

Though they may seem complicated, SOCs streamline cybersecurity for
organizations, helping to spot dangerous trends early and directing teams
to act before it’s too late. Investing in a SOC is likely to save money and
increase efficiency over time.