
How could your security operations center (SOC) reach its true potential?

You may not have control over when security incidents occur, but an effective and mature SOC can stop threats before actual damage occurs.


In brief

  • As the threat landscape evolves and attackers adopt new strategies, you need to know whether your defences are strong enough to stop them getting through.
  • The security operations center (SOC) at the core of your cyber defence should be mature and advanced enough to keep up with whatever comes its way.
  • Cybersecurity leaders should critically review their SOC setup to realize its full potential and move towards the next generation of SOC.

Disruptive technologies such as the Internet of Things (IoT), AI, 5G, the metaverse and quantum computing widen the attack surface and make hacktivism, ransomware and other cyber attacks a very real threat. Securing your organization has never been more complex, or more important to leading transformational change and innovating at speed.

Although organizations cannot control when and where security incidents occur, they can position themselves to address threats and opportunities effectively. Whether you run a small team or a 24x7 operations center, maturing your SOC will improve your organization's detection and response metrics in the fight against evolving cyber threats.



The EY Global Information Security Survey 2021 (GISS) revealed that less than half (47%) of cybersecurity leaders say their organization understands and can anticipate the strategies attackers use. An organization cannot tune its security operations to the attacker's tactics and techniques if it cannot anticipate them. This finding reflects what we see in practice: many organizations are prevention-oriented, with compliance-driven investment in monitoring and response capabilities. In this article, we reflect on the significant potential for improvement in how SOCs are designed and delivered.

SOC Maturity

Starting with the status quo, we can say that financial institutions often invest heavily in tools and technology for the SOC, but spend less time, money and effort defining how to use them efficiently. A SOC's maturity can be assessed across five domains: Business, People, Process, Technology and Services.

EY's SOC maturity assessment

In general we see higher maturity levels in Process and Technology than in People, Business and Services. Low maturity in one sub-domain usually has a cause-and-effect relationship with low maturity in another. Here are some examples of the pitfalls we see most often.

Correlation rules

An organization may have a maturity level of "defined" for its use case management process. What often happens in practice is that the rules it builds simply fire on generic signatures from antivirus, endpoint detection and response (EDR) and intrusion detection systems, rather than correlating events into the specific attack patterns that are used against the organization. This is often linked to a lower maturity level in Services sub-domains such as the integration of threat intelligence into SOC processes. We note that most companies copy their SOC use cases from best-practice material. While this is a good start and offers a useful baseline, best-practice material is hardly confidential. When everyone, including attackers, knows your defenses inside out, those defenses are no longer suitable for serious cyber protection. Cross-organizational collaboration and automation in case management are still lacking even in well-established SOCs.

Automation

As important as it is to have sound detection rules, the activities that follow a triggered alert are often manually intensive, and sorting and validating whether an incident is real takes a lot of time. With a high proportion of false positives, this triage takes up the majority of a SOC analyst's time. It means team resources are not used effectively: highly qualified security analysts end up responding to potential incidents through repetitive, checklist-based tasks.



Clearing the SOC dashboard to focus only on real threats is beneficial for the organization and team alike.



Automation of the investigation and mitigation workflow is a keystone of maturing SOC capabilities. What we often see is that, in a less mature SOC, talk of automation makes SOC engineers and managers quite nervous. The fear that a mistake in an automated action will cause business disruption, or damage their reputation, often blocks progress in this area. Automation in threat response, however, is not a standalone task: it should be carefully constructed in collaboration with other corporate functions, typically starting with enrichment and triage steps that cannot disrupt the business, and keeping a human approval step in front of containment actions until the playbooks have proven themselves.

With more time and resources available, the SOC team can also turn its attention to proactive threat hunting. All too often, this important endeavor exists essentially in name only. At the same time, team turnover falls dramatically when people have more rewarding work to do than the mundane tasks of the daily workload, which benefits the organization not only through costs saved in recruitment and onboarding, but also through the knowledge and experience retained in this key function.

Automation therefore raises the maturity level in several respects across the People, Process, Technology and Services domains.
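The two pitfalls described above (generic signatures instead of attack-pattern correlation, and manual triage of a noisy alert queue) are easier to see in code. The following Python script is an added example, not the page's own material and not EY's tooling: it runs a pattern-specific correlation rule (five failed logons from one source and user within two minutes, followed by a success, with any process launched on that host shortly afterwards attached to the alert) over a handful of constructed log events, then performs an automated first-pass triage that enriches each alert with a threat-intelligence indicator list and a scanner allowlist, auto-closing the known-benign case and scoring the rest for the analyst. The event fields, thresholds, IP addresses, indicator list and allowlist are all assumptions chosen for illustration.

```python
"""Pattern-specific correlation rule with automated triage (added example).
Constructed sample events, thresholds, indicator list and scanner allowlist
are assumptions for illustration; this is not the page's or EY's code."""
from collections import defaultdict
from datetime import datetime, timedelta

FAIL_THRESHOLD = 5                      # assumed: failures before we care
FAIL_WINDOW = timedelta(minutes=2)      # assumed: window for those failures
FOLLOWUP_WINDOW = timedelta(minutes=5)  # assumed: post-logon activity window

# Constructed threat-intel feed and known-benign context (TEST-NET / RFC1918).
IOC_IPS = {"203.0.113.5"}               # IP reported as a brute-force source
SCANNER_ALLOWLIST = {"10.0.0.9"}        # authorised internal vulnerability scanner


def _t(event):
    return datetime.fromisoformat(event["ts"])


def _burst(start, n, src, user, host, step=2):
    """Constructed helper: n auth_fail events, `step` seconds apart."""
    t0 = datetime.fromisoformat(start)
    return [{"ts": (t0 + timedelta(seconds=i * step)).isoformat(),
             "type": "auth_fail", "src": src, "user": user, "host": host}
            for i in range(n)]


# Constructed sample log events, not real data.
SAMPLE_EVENTS = (
    _burst("2024-01-10T09:00:01", 5, "203.0.113.5", "svc-backup", "srv01")
    + [{"ts": "2024-01-10T09:00:20", "type": "auth_ok", "src": "203.0.113.5",
        "user": "svc-backup", "host": "srv01"},
       {"ts": "2024-01-10T09:01:00", "type": "process", "user": "svc-backup",
        "host": "srv01", "cmd": "powershell -enc SQBFAFgA"}]
    # Same failure/success shape from the scanner: noise the rule also hits
    + _burst("2024-01-10T10:00:00", 5, "10.0.0.9", "admin", "srv02")
    + [{"ts": "2024-01-10T10:00:15", "type": "auth_ok", "src": "10.0.0.9",
        "user": "admin", "host": "srv02"}]
    # One mistyped password then success: below threshold, must not alert
    + [{"ts": "2024-01-10T11:00:00", "type": "auth_fail", "src": "10.0.5.3",
        "user": "alice", "host": "wks07"},
       {"ts": "2024-01-10T11:00:04", "type": "auth_ok", "src": "10.0.5.3",
        "user": "alice", "host": "wks07"}]
)


def correlate(events):
    """Rule: FAIL_THRESHOLD+ failed logons for one (source, user) pair inside
    FAIL_WINDOW, then a successful logon for the same pair. Process launches on
    that host within FOLLOWUP_WINDOW are attached as the post-compromise step."""
    events = sorted(events, key=_t)
    fails = defaultdict(list)           # (src, user) -> recent failure times
    alerts = []
    for e in events:
        if e["type"] == "auth_fail":
            key, now = (e["src"], e["user"]), _t(e)
            fails[key] = [t for t in fails[key] if now - t <= FAIL_WINDOW]
            fails[key].append(now)
        elif e["type"] == "auth_ok":
            key, now = (e["src"], e["user"]), _t(e)
            if len(fails[key]) >= FAIL_THRESHOLD:
                post = [p["cmd"] for p in events
                        if p["type"] == "process" and p["host"] == e["host"]
                        and p["user"] == e["user"]
                        and now <= _t(p) <= now + FOLLOWUP_WINDOW]
                alerts.append({"rule": "bruteforce_then_success", "ts": e["ts"],
                               "src": e["src"], "user": e["user"],
                               "host": e["host"], "failures": len(fails[key]),
                               "post_auth_cmds": post})
            fails[key].clear()          # a successful logon resets the counter
    return alerts


def triage(alert):
    """Automated first-pass triage: enrich with threat intel and known-benign
    context, auto-close the noise, and score what remains for the analyst."""
    result = dict(alert)
    if alert["src"] in SCANNER_ALLOWLIST:
        result.update(disposition="auto_closed", severity="info",
                      reason="source is an authorised vulnerability scanner")
        return result
    score, reasons = 1, ["credential brute force followed by success"]
    if alert["src"] in IOC_IPS:
        score, reasons = score + 2, reasons + ["source IP matches threat-intel indicator"]
    if any("-enc" in cmd.lower() for cmd in alert["post_auth_cmds"]):
        score, reasons = score + 2, reasons + ["encoded PowerShell launched after logon"]
    result.update(disposition="escalate", severity="high" if score >= 4 else "medium",
                  reason="; ".join(reasons))
    return result


def run(events=SAMPLE_EVENTS):
    return [triage(a) for a in correlate(events)]   # triaged alerts, in time order


if __name__ == "__main__":
    for r in run():
        print(f"{r['severity']:6} {r['disposition']:12} {r['src']:12} {r['user']:11} {r['reason']}")
```

Run it directly to print the triaged alerts: the attacker's burst is escalated as high with the encoded PowerShell attached, the scanner's identical-looking burst is auto-closed, and the single mistyped password produces nothing. In a real SOC the same logic would sit in the SIEM or SOAR rule engine, with the indicator list fed by the threat-intelligence process and the allowlist owned by the team that operates the scanner, which is exactly the cross-functional collaboration the paragraph above calls for.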


Next Generation SOC

We believe the future of SOC is one that leverages the full potential of people, technology and processes, and considers all business drivers to deliver a suite of services that truly protect the organization. The next generation of SOC will be about using technological advances at scale to support seamless connections between these different touchpoints.

To continue meeting security needs, we believe next generation SOCs should also incorporate:

  • Big data platforms, machine learning and advanced behavioral analytics
  • Threat hunting, integrated incident response and SOC automation
  • Network traffic analysis and application performance monitoring tools
  • Endpoint detection and response (EDR), which helps detect and mitigate suspicious activity on hosts and user devices
  • User and entity behavior analytics (UEBA), which uses machine learning to identify suspicious behavior patterns

Moving away from traditional SOC image

Summary

The SOC is a vital player in protecting your organization from a growing range of cyber threats. As technology advances and companies struggle to recruit qualified staff, a sophisticated, tech-enabled SOC will help you remain agile and robust in hunting and responding to threats. Key to this is reducing the noise of false positives, empowering the team to focus on strategic work and using tools and technology intelligently to realize the true potential of the SOC.
