Burning down the legacy SOC

In less than a decade, cyberattackers have grown from a collection of talented mischief-makers into an aggregated, hyper-competitive, multibillion-dollar industry. Players range from global crime syndicates to nation states, and they can adopt roles that bend and shift depending on the outcome each player hopes to achieve -- be it social change, financial gain or good old-fashioned espionage.

But whatever the endgame, no organization has enough money, people or security intelligence to sift through all the data feeds that security information and event management (SIEM) tools and other enterprisewide systems provide fast enough to keep organizations secure.

To defend against sophisticated security breaches, companies deploy multilayered systems: heuristic-based protection, next-generation firewalls, intrusion-prevention systems, antivirus software and other common tools of the trade. Those systems do the grunt work of detection and protection by identifying easily recognizable inbound attacks.

But when attacks look like legitimate traffic, how can common tools identify patterns? How do they know what to defend against when the code behind the attack can change its approach at will -- and at machine speed -- to escape detection?

Modern threats can substantially increase the signal-to-noise ratio between what defensive systems see as threats and what actually constitutes an attack. Offensive scanning slows down as SIEM tools contend with inflated security-event logs flooded with terabytes of complex intersystem chatter. For some organizations, there can be more attacks in one hour than a well-staffed security team can address in an entire day.

The old-school security operations center (SOC) was a physical command center built around a SIEM tool. The arrangement had its advantages: Housing security operations in a single physical location promoted convenient security and control measures. The environment was more or less finite and hard to get into -- but hard to get out of, too. Neither flexibility nor scale came into the equation, but then, neither did extended risk parameters.

Today's SOC must contend with social, mobile and cloud-based solutions. It must blend myriad tools from third-party providers at multiple points in the security chain. Everything from antivirus software to data collection and analytics must be integrated into the SOC and into the security protocols the SOC supports. To be successful, the SOC must also automate threat intelligence and attack responses in real time. Destroying security silos and unifying technologies can put an SOC on the fast track to success.

Today's SOC must also support the ability to act automatically at machine speed -- a necessary but elusive requirement that is nearly impossible for a legacy SOC to meet. Automation can be scary for organizations charged with protecting personal and proprietary data, but orchestrating the many technologies and processes already in place allows organizations to act quickly and decisively. Orchestration keeps complex decisions in the hands of the professionals trained to make them, while automating predefined repeatable actions that voraciously consume analyst time.

Importantly, today's SOC isn't even a "center" in the strictest sense of the word. The enterprisewide use of orchestration and automation solutions means security administrators need not be physically present to respond to threats. Smart automation deployment requires fewer hands to accomplish everyday tasks and maximizes the effectiveness of security team members.

Coordinated, automated, human-in-the-loop strategies create speed. Speed to respond to an attack. Speed to remediate the effects of the attack. Speed to return to day-to-day operations.

Speed effectively creates time. And time, after all, is an agency's most valuable asset in the event of a breach. It's also the one thing neither money nor people can buy.