Q&A: Preparing security operations for the next generation

By Tim Sandle     Oct 26, 2019 in Business
With enterprise attacks increasing, how can a Security Operations Center deal with a myriad of threats? It comes down to having the right tools and strategy in place, explains Vinay Sridhara, the CTO of Balbix.
The role of a Security Operations Center (SOC) is to keep an enterprise safe from cyber-threats; its mission is to continually monitor for and respond to alerts and incidents. However, 27 percent of SOCs receive over 1 million alerts every day, and the average SOC analyst can only handle 20 to 25 in the same span.
The enterprise attack surface is constantly growing as new and more technologies are adopted, making it close to impossible for SOCs to manage all security alerts on their own and avoid data exposure on a monumental scale. However, with the right tools in place, SOCs can be proactive in their cyber-defense strategies and stay on top of threats to avoid security incidents.
To learn about the correct approach to take, Digital Journal spoke with Vinay Sridhara, the CTO of Balbix.
Digital Journal: What are some of the security threats facing businesses that SOCs need to monitor for?
Vinay Sridhara: There are over 100 different attack vectors that threat actors can leverage in order to obtain unauthorized access to a business and gain access to customer, partner, or company data, access business critical applications and more. Just a handful of the security threats facing businesses that SOCs need to constantly monitor and identify for each IT asset include shadow IT, misconfigured cloud servers, unpatched software, insecure connected devices, certificate issues, encryption issues, weak passwords and more.
DJ: Why do businesses need a SOC?
Sridhara: As hackers and cybercriminals launch increasingly sophisticated attempts to steal sensitive data and worm their way into business-critical applications, security operations centers (SOCs) are the dedicated teams on the front line working to stop them. They stay up-to-date on the latest threats and mitigation techniques so they can act as an early warning system. When a security alarm goes off in a SOC, its personnel try to handle the incident as quickly as possible so that damage is minimized or a potential breach is avoided altogether.
It is imperative that SOCs are successful in their duties. For example, the failure to secure an enterprise's customers' data can make those users vulnerable to a wide variety of attacks, and it can result in a fine under different data privacy regulations, including GDPR and CCPA, which will be enacted in January 2020. Data privacy watchdogs, including the FTC in the US, can also fine a corporation for failing to ensure the integrity of customers' data and/or privacy. In fact, the FTC fined Equifax an amount that could total $700 million for the credit reporting agency's 2017 data breach of 147 consumers' Social Security numbers, payment card information, dates of birth and more.
DJ: Why are SOC analysts overloaded with vulnerabilities?
Sridhara: Organizations of all sizes struggle with the daily volume of alerts produced by their security controls, which often exceeds the capacity of their security teams. In fact, over a quarter of all SOCs receive more than 1 million security alerts every day, and the average SOC analyst can only properly handle around 20 to 25 alerts within that same span of time using the legacy security tools traditional SOCs typically rely on.
The enterprise attack surface is massive and increasing exponentially. There are a myriad of ways by which networks can be breached. To get an accurate idea of breach risk, security teams need to analyze a lot of data, up to several hundred billion time-varying signals from the extended network of devices, apps and users. Analyzing and improving cybersecurity posture is not a human-scale problem anymore.
The problem does not stop there. Juniper Research estimates that there will be over 50 billion connected things in 2022, an increase of 138% from the estimated 21 billion devices in 2018. As companies continue to adopt new and greater amounts of technology, their attack surface expands in unison.
To make matters worse, SOCs are facing a talent crisis; 66% of cybersecurity professionals believe there are too few qualified analysts to handle alert volume in the SOC.
DJ: How can SOCs develop a proactive strategy to combat the growing attack surface? What support do SOCs need?
Sridhara: To develop a proactive security strategy, SOCs need to be increasingly intelligent and self-learning. This can be achieved by applying the power of AI to be proactive in cyber-defense, rather than reacting to alerts and events like traditional SOCs.
SOCs must also be able to automatically discover all IT assets and users, continuously monitor for hundreds of breach risk factors, maintain real-time visibility across device, app and user inventory as well as attack surfaces, and provide comprehensive risk assessment using deep learning and advanced AI algorithms to reveal breach risk insights. As a result, SOCs will enable security personnel to prioritize vulnerabilities that need to be remediated based on business criticality, conceptualize threats in order to take proactive mitigating steps, and improve the relevance of reporting for CISOs and CIOs to business leaders, the board of directors, auditors and regulators.