Why organizations must arm their SOCs for the future
Security Operations Centers (SOCs) around the globe represent the first line of defense between enterprises and cyber-threats. This mission requires that SOCs respond to security alerts around the clock and jump into action as quickly as possible to minimize the damage from events that are in progress, while keeping critical operations running in accordance with their SLAs.
The importance of SOCs is highlighted by the fact that 30% of CEOs rate cyber-threats as one of the top five threats to their organizations, behind policy uncertainty (35%) and the availability of key skills (34%), according to PwC’s 22nd annual global CEO survey of 1,378 executives.
Unfortunately, a massive enterprise attack surface that continues to grow due to the adoption of new and more technologies can make organizations vulnerable to cyber-attacks and result in massive breaches of consumer data as well as fines and lawsuits under different data privacy regulations. SOCs must adopt a proactive cybersecurity strategy in order to stay on top of all threats.
Over a quarter of all SOCs receive well over 1 million security alerts from SIEM logs every single day, yet the average SOC analyst can only properly handle approximately 20 to 25 alerts in that same span of time. Because alerts compound at an alarming rate, any SOC analyst’s job can seem impossible: there is no way that humans alone can properly manage every vulnerability in a timely fashion. Most SOC teams respond by setting a high threshold on alert notifications so that the volume becomes artificially manageable.
On top of this, the International Data Corporation (IDC) projects there to be 41.6 billion IoT devices in use by 2025, and each new connected thing will add to a SOC’s responsibility of managing new cybersecurity vulnerabilities.
Breaches of consumer data can expose individuals to a variety of different attacks and consequences. For example, the personally identifiable information (PII) that most users entrust to organizations can allow a malicious user to hijack additional consumer accounts and access sensitive banking, financial and healthcare data, open up users to highly targeted phishing attacks, and even expose users’ employers to additional data breaches.
To make matters worse for SOCs, there is a surplus of unfilled cybersecurity jobs. The Center for Cyber Safety and Education found that the number of vacant jobs will amount to 1.8 million by 2022, an increase of 20% from 1.5 million open positions in 2015. If we recall that 34% of global CEOs are concerned about the availability of key skills, this raises the question of how effectively SOCs have been able to stay on top of managing all cyber-threats in order to keep their organizations, and their organizations’ customers, safe from the hazards posed by malicious actors.
The severity of the consequences that can result from data breaches should speak for itself: additional stakeholders such as partners and customers can also be affected, and a business can even be forced to declare bankruptcy due to the costs it may incur from reparations, fines, lawsuits and more. For example, it was discovered this year that the American Medical Collection Agency (AMCA) suffered an eight-month-long breach that affected the financial data, protected health information (PHI) and other PII of 24.4 million individuals who were customers of AMCA’s own clients, including Quest Diagnostics, LabCorp, Inform Diagnostics, American Esoteric Laboratories and several other healthcare providers. AMCA then proceeded to file for Chapter 11 bankruptcy after it had to take out a $2.5 million loan just to help cover expenses related to the breach.
SOC operations today are primarily reactive in nature, and the most that organizations do proactively is patch their systems at some cadence. As a result of this reactive strategy, adversaries are left with a swathe of vulnerabilities that they may use to get a hook into the enterprise. In fact, most attacks that we have seen within the past few years have primarily used attack vectors such as weak passwords, open systems that lack passwords, phishing, stolen or spoofed certificates, or a combination of these.
Regardless of the type of SOC an enterprise leverages, it needs to become increasingly intelligent and self-learning so that it can support a proactive cyber-defense strategy. To stay ahead of the curve, SOCs of the future must leverage sophisticated tools, including specialized AI, in order to:
- Automatically discover all IT assets and users, a task that is imperative as more devices will continue to be integrated into corporate IT infrastructure.
- Continuously monitor all assets across hundreds of breach risk factors.
- Contextualize and prioritize threats so that SOCs can take proactive steps to mitigate vulnerabilities based on the threats that are most pertinent, and even specific, to the enterprise or its kind of enterprise, rather than simply raising thresholds to artificially bring the alert count down.
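The difference between the threshold approach criticized above and contextual prioritization is easiest to see in code. The following is an added example, not code from the original article or from any product; the asset inventory, alerts, breach risk factors and scoring weights are all constructed for illustration, and the extra weight on weak-password alerts is an assumption based on the attack vectors the article names.

```python
from dataclasses import dataclass

@dataclass
class Asset:
    name: str
    criticality: int        # 1 (low) .. 5 (business-critical), from the asset inventory
    internet_exposed: bool  # one constructed "breach risk factor"

@dataclass
class Alert:
    id: str
    asset: str
    severity: int           # 1..10 as emitted by the SIEM rule, with no business context
    category: str           # e.g. "weak_password", "phishing", "scan"

# Constructed inventory of discovered assets. "printer-7" (below) was never discovered.
ASSETS = {
    "db-prod-01": Asset("db-prod-01", 5, False),
    "web-dmz-03": Asset("web-dmz-03", 4, True),
    "laptop-219": Asset("laptop-219", 2, False),
}

# Constructed sample alerts from one shift.
ALERTS = [
    Alert("A1", "laptop-219", 9, "scan"),
    Alert("A2", "db-prod-01", 4, "weak_password"),
    Alert("A3", "web-dmz-03", 5, "weak_password"),
    Alert("A4", "printer-7", 3, "scan"),
]

# Assumed weighting: the vectors the article says dominate recent attacks count double.
VECTOR_WEIGHT = {"weak_password": 2.0, "phishing": 2.0, "spoofed_cert": 2.0}

def threshold_triage(alerts, min_severity):
    # The criticized approach: keep only alerts at or above a raw severity cut-off.
    return [a.id for a in alerts if a.severity >= min_severity]

def contextual_score(alert):
    # Combine raw severity with asset criticality, exposure and attack-vector relevance.
    asset = ASSETS.get(alert.asset)
    if asset is None:
        return alert.severity * 3.0   # undiscovered asset: inventory gap, treat as high risk
    score = alert.severity * asset.criticality * VECTOR_WEIGHT.get(alert.category, 1.0)
    if asset.internet_exposed:
        score *= 1.5
    return score

def contextual_triage(alerts, capacity):
    # Rank by contextual risk and hand the analyst only as many alerts as they can handle.
    ranked = sorted(alerts, key=contextual_score, reverse=True)
    return [a.id for a in ranked[:capacity]]
```

With a severity cut-off of 8, only the port scan against a low-value laptop survives, while the weak-password alerts on the production database and the internet-facing web server are dropped; ranking by contextual score surfaces those two first.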
As malicious actors continue to launch increasingly sophisticated attacks to steal sensitive information and infiltrate business-critical apps, it is imperative that SOCs employ the best strategies to protect their organizations. With specialized AI and sophisticated tools assisting its already valuable security personnel, the SOC of the future will be contextually aware enough to prioritize all vulnerabilities, which in turn increases both the efficiency and the effectiveness of the entire process and the team.