Adapt to survive: improving SOC maturity with adaptive security

Enterprises are under relentless cyber-siege:  a recent survey found that nearly 80% of US-based organizations had experienced a cyberattack in the previous 12 months.  Most mid-size and larger organizations run security operations centers (SOCs) and part of their mandate is to quickly identify and investigate signs of attacks, and mitigate them.  

Obviously these SOCs need to be able to react quickly to mitigate security incidents.  Yet, a 2016 SANS Institute study found that nearly half (45.9%) of organizations rated their SOC’s ‘maturity in being able to respond to events’ as immature, or unknown. Just 15% rated theirs as ‘mature’.  While a recent Hewlett Packard Enterprise (HPE) report on security operations showed that 82% of SOCs are operating below the recommended maturity levels to help limit risk and protect business operations.  And 27% overall failed to achieve minimum security monitoring capabilities because they “operate in an ad-hoc manner, with undocumented processes and significant gaps in security and risk management.”

So how can SOCs enhance their maturity in terms of their ability to detect, respond and mitigate incidents?  The HPE report states:  “Organizations that achieve the highest levels of capability are fulfilling advanced use cases for security monitoring and analysis by leveraging SIEM technology. This includes customizing a SIEM with business context, asset details, identity information and intelligent correlation”.

The reference to business context is particularly important, as it echoes Gartner’s adaptive security concept which requires organizations to have ‘context-aware network, endpoint and application security protection platforms’ – enabling their SOCs to understand exactly which business processes an attack might impact upon, and to base its responses on the attack’s implications and level of threat to the business.

Let’s examine why business context-aware incident response is critical, by considering what actually happens in a SOC as a security event progresses.

Putting incidents in context

The first step with any incident is detection:  this is usually done using a SIEM system, which uses business logic and analytics to sift through the huge volumes of logs produced by security tools, remove false alarms, and flag events that merit extra investigation by the SOC’s security analysts.  These events are then reported, their impact analyzed, and the attack can be stopped or contained – in theory, at least.

But in practice, many organizations’ response processes are unstructured. Once an attack has been identified using the SIEM, security analysts may spend hours simply trying to figure out which systems to isolate and when, because they cannot easily tie the attack directly to the business processes that are being affected.  And during this time, the attack is often able to continue its spread laterally across the organization’s network.

In contrast, with business context-aware incident response capabilities in place, the SOC team can quickly triage the event, and answer critical questions such as:

• Which business applications rely on systems impacted by the attack?
• How business-critical are those applications, and who is responsible for them?
• Do the impacted applications handle sensitive data, and can that data be exfiltrated?

The answers to these will in turn dictate the urgency of the response, and the level of remediation needed.  AlgoSec plays a key role in bringing business context to incident response processes and enabling adaptive security, through its seamless integration with leading SIEM solutions.

This integration ties security incidents directly to the business processes that may be impacted, including applications, servers, network and traffic flows and security products.  The SOC team can then decide on the best course of action, and when it’s best to take it, balancing the security risks to the organization from the attack, against the operational risks of potential downtime – as AlgoSec’s CTO, Prof. Avishai Wool, discussed in this blog.

For most enterprises, the SOC is the nerve center of their cyber defenses, but it is still developing its capabilities.  To better protect the enterprise, the SOC needs to mature and align itself more closely with the overall business strategy and operations.  This will make incident responses faster and more accurate, enabling the organization to adapt and survive in the face of attacks.