AHEAD Next Gen SOC Whitepaper
Traditional security processes and tooling have proven unable to keep pace, creating gaps in visibility and protection, decreasing the ability to detect and respond to threats, and ultimately increasing overall risk. To overcome these challenges, organizations should build a Security Operations Center capable of supporting their diverse, dynamic, and ever-growing environment, detecting and responding to emerging threats via modular, scalable, and automated processes.
Table of Contents
04 Security Operations Centers are a Business Imperative
05 An SOC Needs Transformation Too
06 Every(log), Everywhere, All at Once
07 A Stack of Needles
08 Investigating The Known Unknowns
10 Playing By Different Rules
12 Milestones Along the SOC Journey
[Figure: Managed SOC: Architecture. Components labelled in the diagram: Secure API, SIEM, Encrypted Log Forwarding]
04 Next-Gen Security Operations: Delivering a Modern SOC in Today’s Evolving Security Landscape
As if all this wasn't bad enough, organizations aren't doing themselves any favors with how rapidly their technology landscape is shifting and growing to keep up with the demands of their own business. In the rush to embrace cutting-edge technologies, more often than not, security operations is unable to keep up. Tools and processes built for a static, on-prem environment can't support the dynamic and elastic nature of modern infrastructure and cloud-hosted services, and the team often lacks the knowledge and skillsets to understand how those services work. All of this equates to a field day for threat actors, who look to exploit this perfect storm for an easy payday that the organization can't see or react to before it's too late.
In order to mount the level of defense necessary to protect their organizations, Security Operations Centers must evolve with the business to become the next generation SOC, both in the tools they leverage and the processes that drive them.
[Figure: the next-generation SOC feedback loop, four principles connected in a cycle]
Ingestion & Correlation -> Rapid & Enriched Analysis: centralized, normalized data enables quicker time to detect.
Rapid & Enriched Analysis -> Structured, Yet Dynamic Processes: efficient and advanced detection capability transitions into robust investigative processes.
Structured, Yet Dynamic Processes -> Modular Automation: effective processes become natural candidates for automation.
Modular Automation -> Ingestion & Correlation: the automation maturity lifecycle creates a feedback loop to identify new automation opportunities as new data sources are identified and ingested.
In order to run an effective and efficient Security Operations Center, an organization must:
2. Analyze that data at speed and scale to surface the potential threats that deserve attention
Every(log), Everywhere, All at Once
The production and continuous use of new data is a trend that will only increase – and with the proliferation of connected devices – will do so at an exponential rate. Every time that data is used, or even viewed, there is also a log of that event (oftentimes multiple logs from the various data sources in line between the user and that data). Now multiply that for every user and every piece of data being accessed across every instance of that data to understand the scale of the problem that Security Operations Centers face on a day-to-day basis.
pace at which threat actors can move throughout an environment. Thus, a log-source-agnostic common schema capable of ingesting logs from any source, via any method, and in as close to real time as possible is a critical foundation of a next generation SOC.
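What a log-source-agnostic common schema looks like in practice, as an added example that is not part of the AHEAD whitepaper: three constructed records (a Linux sshd syslog line, a cloud audit event in JSON, and a CEF line from a VPN appliance) are mapped into one set of fields so that search and detection downstream never need to know which vendor produced the event. The dotted ECS-style field names, the sample hosts, users and addresses, and the assumed year for the BSD syslog timestamp are all assumptions of this example.

```python
"""Log-source-agnostic normalizer (added example; not AHEAD's code).

Three constructed records, a Linux sshd syslog line, a cloud audit event in
JSON and a CEF line from a VPN appliance, are mapped into one common schema
so that search and detection never need to know which vendor produced the
event.  The dotted field names are ECS-style but the schema is an
assumption of this example.
"""
import json
import re
from datetime import datetime, timezone

# Constructed sample input: hosts, users and addresses are fictitious
# (documentation ranges 198.51.100.0/24 and 203.0.113.0/24).
RAW_LOGS = [
    "Mar 11 08:14:02 bastion01 sshd[2211]: Failed password for invalid user "
    "admin from 198.51.100.23 port 51022 ssh2",
    '{"eventTime":"2024-03-11T08:14:05Z","eventName":"ConsoleLogin",'
    '"userIdentity":{"userName":"j.doe"},"sourceIPAddress":"203.0.113.9",'
    '"responseElements":{"ConsoleLogin":"Failure"}}',
    "CEF:0|ExampleVendor|VPN|3.1|100|User login|5|rt=Mar 11 2024 08:14:09 "
    "suser=j.doe src=203.0.113.9 outcome=success",
    "this line matches no known source and must not be silently dropped",
]

SYSLOG_RE = re.compile(r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
                       r"(?P<proc>[\w.-]+)\[\d+\]: (?P<msg>.*)$")
SSHD_RE = re.compile(r"(?P<result>Accepted|Failed) \w+ for (?:invalid user )?"
                     r"(?P<user>\S+) from (?P<ip>\S+)")
CEF_EXT_RE = re.compile(r"(\w+)=(.*?)(?= \w+=|$)")


def _utc(dt):
    """All timestamps leave the normalizer as ISO 8601 strings in UTC."""
    return dt.replace(tzinfo=timezone.utc).isoformat()


def parse_syslog(line, year=2024):
    """BSD syslog carries no year, so the caller supplies one (assumed 2024)."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    ev = {"@timestamp": _utc(ts), "observer.vendor": "linux", "host.name": m["host"],
          "event.category": "other", "event.outcome": "unknown", "event.original": line}
    s = SSHD_RE.search(m["msg"])
    if m["proc"] == "sshd" and s:
        ev.update({"event.category": "authentication", "user.name": s["user"],
                   "source.ip": s["ip"],
                   "event.outcome": "success" if s["result"] == "Accepted" else "failure"})
    return ev


def parse_cloud_json(line):
    """Cloud audit events arrive as JSON with the provider's own key names."""
    try:
        rec = json.loads(line)
    except ValueError:
        return None
    if not isinstance(rec, dict) or "eventTime" not in rec:
        return None
    ts = datetime.strptime(rec["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
    outcome = rec.get("responseElements", {}).get(rec["eventName"], "unknown")
    return {"@timestamp": _utc(ts), "observer.vendor": "cloud",
            "event.category": "authentication" if rec["eventName"] == "ConsoleLogin" else "other",
            "user.name": rec.get("userIdentity", {}).get("userName"),
            "source.ip": rec.get("sourceIPAddress"),
            "event.outcome": outcome.lower(), "event.original": line}


def parse_cef(line):
    """CEF: seven pipe-delimited header fields followed by key=value extensions."""
    if not line.startswith("CEF:"):
        return None
    parts = line.split("|", 7)
    ext = dict(CEF_EXT_RE.findall(parts[7]))
    ts = datetime.strptime(ext["rt"], "%b %d %Y %H:%M:%S")
    return {"@timestamp": _utc(ts), "observer.vendor": parts[1],
            "event.category": "authentication" if "login" in parts[5].lower() else "other",
            "user.name": ext.get("suser"), "source.ip": ext.get("src"),
            "event.outcome": ext.get("outcome", "unknown"), "event.original": line}


PARSERS = (parse_syslog, parse_cloud_json, parse_cef)


def normalize(line):
    """Return the first parser's result, or None when no parser claims the line."""
    for parser in PARSERS:
        ev = parser(line)
        if ev is not None:
            return ev
    return None


def normalize_all(lines):
    """Normalize a batch.  Unparsed lines are returned rather than dropped, so a
    new or changed source shows up as a parsing gap instead of a blind spot."""
    events, unparsed = [], []
    for line in lines:
        ev = normalize(line)
        (events if ev else unparsed).append(ev or line)
    events.sort(key=lambda e: e["@timestamp"])
    return events, unparsed


if __name__ == "__main__":
    evs, gaps = normalize_all(RAW_LOGS)
    for ev in evs:
        print(ev["@timestamp"], ev["observer.vendor"], ev.get("user.name"),
              ev.get("source.ip"), ev["event.outcome"])
    print("unparsed:", len(gaps))
```

The point of returning the unparsed lines is the caveat the section implies: a source whose format changes must surface as a gap to fix, not vanish from the SIEM.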
A Stack of Needles
With all the logs in one place, 'search' becomes an invaluable function to security teams. When organizations are generating and ingesting logs on the scale of multiple terabytes per day, it is all too easy to get lost in a torrent of data whose relevance is yet undefined. Turning this log data into actionable and operational intelligence becomes a data analysis problem – one that is only solvable if the data arrives in a timely and consistent format. Once that data exists, is parsed, normalized, indexed, and ultimately quickly and easily searchable, what remains is a mountain of data from which teams must locate relevant, prioritized, and contextualized security information.
a timely fashion is a necessity of a next-generation SOC. The limited resources available must be spent responding to the right threat at the right time. This modern threat detection platform becomes the key to transforming the sheer volume of incoming log data to the 'who, what, when, where, and how' needed to properly investigate—and make sense of—a security threat.
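One way the 'who, what, when, where, and how' gets pulled out of normalized data, as an added example rather than anything from the AHEAD whitepaper: a vendor-agnostic correlation over a constructed batch of already-normalized authentication events (ECS-style field names are an assumption) that fires once per source address when a burst of failures is followed by a success inside a time window, and emits a single contextualized, prioritized alert instead of the raw lines.

```python
"""Who/what/when/where/how from normalized events (added example; not
AHEAD's code).

EVENTS is a constructed batch in the common schema.  The detection keys on
source.ip regardless of which vendor logged the attempt, ages failures out
of a sliding window, and raises one alert per burst that ends in a success.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)        # failures older than this no longer count
THRESHOLD = 3                         # failures before a success is suspicious
PRIVILEGED = {"svc-backup", "admin"}  # constructed list of high-value accounts


def _ev(ts, vendor, user, ip, outcome):
    return {"@timestamp": ts, "observer.vendor": vendor, "event.category": "authentication",
            "user.name": user, "source.ip": ip, "event.outcome": outcome}


# Constructed sample: a spray from 198.51.100.23 across a Linux host, the
# cloud console and the VPN that finally lands on svc-backup; a second address
# with two failures then a success (below threshold); a stale failure that
# must age out; and a non-authentication event that must be ignored.
EVENTS = [
    _ev("2024-03-11T08:14:02+00:00", "linux", "admin",      "198.51.100.23", "failure"),
    _ev("2024-03-11T08:14:05+00:00", "cloud", "j.doe",      "198.51.100.23", "failure"),
    _ev("2024-03-11T08:14:09+00:00", "vpn",   "m.roe",      "198.51.100.23", "failure"),
    _ev("2024-03-11T08:15:40+00:00", "vpn",   "svc-backup", "198.51.100.23", "success"),
    _ev("2024-03-11T08:16:00+00:00", "vpn",   "j.doe",      "203.0.113.9",   "failure"),
    _ev("2024-03-11T08:16:30+00:00", "vpn",   "j.doe",      "203.0.113.9",   "failure"),
    _ev("2024-03-11T08:16:45+00:00", "vpn",   "j.doe",      "203.0.113.9",   "success"),
    _ev("2024-03-11T06:00:00+00:00", "linux", "root",       "192.0.2.77",    "failure"),
    _ev("2024-03-11T08:30:00+00:00", "linux", "root",       "192.0.2.77",    "success"),
    {"@timestamp": "2024-03-11T08:16:50+00:00", "observer.vendor": "cloud",
     "event.category": "file", "user.name": "j.doe", "source.ip": "203.0.113.9",
     "event.outcome": "success"},
]


def detect_spray_then_success(events, window=WINDOW, threshold=THRESHOLD):
    """Sliding-window correlation keyed on source.ip, across all vendors.

    Returns a list of alerts, each carrying the context an analyst needs to
    start an investigation rather than the matching raw lines.
    """
    recent = defaultdict(deque)   # source.ip -> deque of (ts, user, vendor) failures
    alerts = []
    for ev in sorted(events, key=lambda e: e["@timestamp"]):
        if ev.get("event.category") != "authentication":
            continue
        ts = datetime.fromisoformat(ev["@timestamp"])
        ip = ev["source.ip"]
        q = recent[ip]
        while q and ts - q[0][0] > window:      # age out failures outside the window
            q.popleft()
        if ev["event.outcome"] == "failure":
            q.append((ts, ev["user.name"], ev["observer.vendor"]))
        elif ev["event.outcome"] == "success" and len(q) >= threshold:
            who = ev["user.name"]
            alerts.append({
                "who": who,
                "what": "password spray followed by successful login",
                "when": {"first_failure": q[0][0].isoformat(), "success": ts.isoformat()},
                "where": {"source.ip": ip,
                          "vendors": sorted({v for _, _, v in q} | {ev["observer.vendor"]})},
                "how": {"failures": len(q), "users_tried": sorted({u for _, u, _ in q})},
                # prioritization: a privileged account landing is escalated first
                "severity": "high" if who in PRIVILEGED else "medium",
            })
            q.clear()   # one alert per burst; do not re-fire on the next success
    return alerts


if __name__ == "__main__":
    for alert in detect_spray_then_success(EVENTS):
        print(alert)
```

The window and threshold are the knobs a detection engineer tunes against the organization's own baseline; the example keeps them as parameters so the same logic can be re-run with different values during that tuning.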
Investigating The Known Unknowns
A continued trend in breach reports is the not insignificant number of security incidents that occur as a direct result of misconfigurations or human error. As organizations continue to transform and embrace new technology to drive efficiencies and competitive advantages, that same technology can sometimes represent a radical shift in skillsets and knowledge to manage and operate – and the consequences of getting it wrong can mean showing up as a statistic in the next breach report. However, there is at least some encouraging data coming from those reports. Errors and misconfigurations have shown a downward and levelling-off trend as the cause of major breaches, so we know that we're doing something right. This can likely be attributed to the rapid training and knowledge development that has gone into these new technologies, both on the IT and security operations sides of the business.
For security, however, the work doesn't stop there. While properly securing the environment is the first step, security operations teams also have the added work of knowing how to detect, investigate, and respond to potential security concerns in lockstep with new technologies and organizational changes. In addition to (and possibly more important than) the training aspect is establishing mature and flexible investigative processes—capable of integrating with any source of data—that can abstract as much as possible for analysts so that they can focus on a defined process. Technology will always be changing. It's impossible to think that any one security analyst will know every intricate detail of how Tool A versus Tool B functions, or the level of log verbosity between Vendor Y and Vendor Z. But they can be trained and guided to the point where the end goal of an investigation remains the same – to provide any and all relevant context about a security alert so that someone more familiar with the technology or business process can answer the question: "Is this malicious behavior?" These processes and communication flows must have provisions to identify who that person or group is as well as the ability to request, collect, and action feedback to effectively close the loop on any security investigation.
Playing By Different Rules
When working with security incidents, there is a direct (and unfortunate)
correlation between the time it takes to respond and the direct and indirect
costs that can be attributed to said incident. The longer a threat actor
is in the environment, the more difficult, time-consuming, and resource-
intensive it becomes to properly eradicate them, which ultimately leads
to more damage caused by the threat actor. Security operations as a
whole can be boiled down to a race between the operations team and the
threat actor, but these races aren’t held on a level playing field. The threat
actor actively hides their activity to prevent being detected for as long
as possible and throws as many obstacles as possible in the path of the
security operations team to slow them down. If there is any hope in keeping
up, an SOC must start finding and leveraging shortcuts of their own. In this
case, that means orchestration and automation anywhere and everywhere
possible. This requires solid processes in order for the automation to be
effective (automating a bad process just gives you a bad outcome faster),
but when those processes do exist, detection, identification, response,
feedback, and closure of security alerts can start being measured in
seconds and minutes.
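The two preceding sections describe one process from different angles: an investigation must identify who can answer "Is this malicious behavior?", request and collect that answer, and action it; and that process, once solid, is what automation turns into minutes. The playbook below is an added example, not AHEAD's code or a description of their managed SOC. The asset inventory, identity directory, alert, owner replies and the fixed-step clock are all constructed so the timings are reproducible; a real deployment would back the lookups with a CMDB, an identity provider and a ticketing or chat integration.

```python
"""Investigation playbook with closed-loop feedback (added example; not
AHEAD's code).

Enrich an alert, identify the owner who can judge it, request their
feedback, act on the answer, and feed a benign verdict back into detection
as a narrowly scoped suppression.  When the process cannot find an owner
or gets no answer it escalates to a human rather than auto-closing, since
automating a broken step only produces a wrong outcome faster.
"""
from datetime import datetime, timedelta

# Constructed enrichment sources (fictitious hosts, accounts and teams).
ASSETS = {"198.51.100.23": {"host": "scanner02", "owner": "vuln-mgmt"}}
DIRECTORY = {"svc-backup": {"owner": "platform-ops", "privileged": True}}

# Constructed answers an owner might return through a chat bot or ticket.
OWNER_REPLIES = {
    "platform-ops": {"benign": True, "reason": "scheduled credential rotation test"},
}

# Constructed alerts in the shape a correlation rule would emit.
ALERTS = [
    {"who": "svc-backup", "what": "password spray followed by successful login",
     "where": {"source.ip": "198.51.100.23"}},
    {"who": "ghost", "what": "password spray followed by successful login",
     "where": {"source.ip": "203.0.113.9"}},
    {"who": "unknown-user", "what": "password spray followed by successful login",
     "where": {"source.ip": "198.51.100.23"}},
]


class Clock:
    """Deterministic clock: every playbook step takes step_seconds."""
    def __init__(self, start, step_seconds=90):
        self.now, self.step = start, timedelta(seconds=step_seconds)

    def tick(self):
        self.now += self.step
        return self.now


def identify_owner(alert):
    """Prefer the account owner over the asset owner; return None when neither
    is known so the playbook cannot silently ask the wrong team."""
    user = DIRECTORY.get(alert["who"])
    if user:
        return user["owner"]
    asset = ASSETS.get(alert["where"]["source.ip"])
    return asset["owner"] if asset else None


def run_playbook(alert, clock, replies=OWNER_REPLIES):
    """Enrich, route, collect feedback, act, and record when each step happened."""
    timeline = {"detected": clock.now}
    owner = identify_owner(alert)
    timeline["owner_identified"] = clock.tick()
    if owner is None:
        timeline["closed"] = clock.tick()
        return {"status": "escalated", "reason": "no owner found",
                "timeline": timeline, "tuning": None}
    reply = replies.get(owner)
    timeline["feedback_received"] = clock.tick()
    if reply is None:
        # No answer inside the step: escalate rather than assume benign.
        timeline["closed"] = clock.tick()
        return {"status": "escalated", "reason": f"{owner} did not respond",
                "timeline": timeline, "tuning": None}
    tuning = None
    if reply["benign"]:
        status = "closed-benign"
        # Close the loop: suppress only this exact who/where pair for a bounded
        # time, never the whole rule.
        tuning = {"suppress": {"who": alert["who"], "source.ip": alert["where"]["source.ip"]},
                  "reason": reply["reason"], "expires_days": 30}
    else:
        status = "confirmed-incident"
    timeline["closed"] = clock.tick()
    return {"status": status, "owner": owner, "reason": reply["reason"],
            "timeline": timeline, "tuning": tuning}


def minutes_to_close(result):
    """Detection-to-closure time, the metric the section says should be minutes."""
    t = result["timeline"]
    return (t["closed"] - t["detected"]).total_seconds() / 60


if __name__ == "__main__":
    clock = Clock(datetime(2024, 3, 11, 8, 15, 40))
    for alert in ALERTS:
        result = run_playbook(alert, clock)
        print(result["status"], result["reason"], f"{minutes_to_close(result):.1f} min")
```

The suppression the playbook emits is deliberately narrow and time-boxed: a benign verdict for one account from one address is not evidence that the detection itself is wrong, and an expiry forces the question to be asked again if the behavior persists.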
Milestones Along the SOC Journey
The task of an SOC is one that will never be simple or easy – even when embracing
these tenets, security operations remain at a disadvantage given what they are up
against. Fortunately, the principles outlined above function in a feedback loop of
sorts, with each representing a milestone in the journey and reinforcing one another.
The processes and technologies needed to support the identification and ingestion
of data sources within an environment naturally enable teams to analyze that data
and effectively detect security threats at scale. From there, the need to establish
investigative processes capable of supporting both data source flexibility and
guardrails for analysis paves the way for relentless automation. While there will always
be novel attacks and new vulnerabilities identified, these tenets will put a security
operations center in the best possible position to successfully keep pace with both
threat actors and their own business as they continuously transform.
Contributing Author:
National Hubs
ATLANTA: 1117 Perimeter Center W406, Atlanta, GA 30338
CHICAGO: 401 Michigan Ave. #3400, Chicago, IL 60611
SAN FRANCISCO: 2000 Crow Canyon Place Suite 250, San Ramon, CA 94583