The security operations centre (SOC) has come a long way since the early 2000s. It wasn't even called a SOC in those days.
It was more like a combination of people with different roles trying to figure it out when a security incident hit and hoping they could get the network back to a running state without any disruption to business or loss of sensitive data.
It was the culmination of teams coming together between that two-person team managing antivirus and firewalls, the network operations centre (NOC), desktop support, and the LAN admin with ‘God' rights to the domain controllers.
Fast forward to today, we have SOC tier 1, 2, and 3 analysts, incident responders, threat hunters, threat intelligence analysts, Red Teams, Blue Teams, and it keeps going. What does this all mean? This is ‘fusion' as some organisations like to call it. In laymen's terms, it's coming together as good guys to defend against the bad guys.
Yet why is it still so challenging as a defender, even with so much support in cyber security? It comes down to a few key needs. There is still a need for extended visibility, a need for experienced professionals, and a need for collaboration amongst these teams.
Some of us have experienced investigations where we couldn't retrieve essential data because it happened a long time ago, or maybe we didn't have the infrastructure, hardware, or expenses to support the data needed.
What if none of this mattered, and everyone always had 365 days of visibility at their fingertips, and in a matter of minutes were ready to answer any difficult questions they needed to resolve in an investigation?
Certain vendors deliver exactly that. They give security teams the historical visibility to carry out thorough investigations and to hunt for threats that may have been loitering for nearly a year.
Experienced security professionals are hard to come by. Regardless of an organisation's size or maturity, security experience is always needed. No matter how good a tech team is, there will always be moments where they get stuck or wish they had experience with a specific problem at hand.
What if you had the brains and experience of incident responders by your side, helping with playbooks and guiding a team towards what to do next? In addition, what if you had an idea of what to do next but didn't quite know how to execute?
At least one security vendor offers technical success managers to come in and help. They can ensure that a security team can use their technology quickly and effectively. In addition, they work together to provide guidance and best practices, enabling the home team to focus on threats rather than tool and vendor management.
There's definitely something to be said when an organisation's techs don't have to ‘figure it out' and learn yet another query language. Today's SOC has to learn how to write and create playbooks in their EDR, SIEM, SOAR, and possibly many other tools. One less thing to learn and figure out is always a good thing.
Too many vendors view security analysis as a solitary endeavour, but that's not the case. Defending against the adversaries together is the essence of collaboration. An organisation can have the industry's best security professionals, with strategic security partners by their side.
Security teams don't work in a vacuum, and they need tools that let them coordinate their efforts. Parallel hunting does just that. It lets analysts search for multiple events at once while allowing them to coordinate their investigatory efforts across their teams.
Incident responders and security analysts need tools that work right ‘out-of-the-box', especially during high-pressure security incidents. Guided playbooks give security teams the tools to identify attackers – all within a few mouse clicks.
Article by Gigamon ANZ manager, George Tsoukas.