Make your SOC work smarter, not harder

Read time 2min 40sec

A study by Imperva from 2018 estimates that just under a third of enterprises receive more than a million cyber alerts every day, yet an analyst will only be able to process about 10. This leaves them vulnerable to ‘alert fatigue’, according to Dimitris Vergos, sales engineering director for emerging markets at Splunk.

Vergos suggests that organisations should find a balance between the traditional model of a SOC (having Tier One security professionals monitor and analyse alerts before passing them onto Tier Two analysts), and a modern approach that uses SIEM and SOAR (security orchestration, automation and response) tools.

Striking this balance implies a shift in the focus and role of the security operations centre, he told delegates at this year’s ITWeb Security Summit.

“If we look at the legacy components of the SOC, operations were centred around human monitoring and situational awareness. Today’s SOC is more analytical and depends on creating a nerve centre where everything security-related is under one roof.”

Splunk envisions the SOC of the future as one where 90% of Tier One security professionals’ work will be automated, but, Vergos says, the human component can never be removed.

“Humans and machines need to work hand-in-hand so there can be hand-offs. While we’re busy investigating, threats don’t stop coming in. The time analysts save by automating certain tasks means they can free up more than half their time to optimise detection and response.”

Vergos says the repetitive nature of threat detection is the best scenario for SOAR tools as the redundant activities and actions can be put into a playbook. He also suggests using a scoring mechanism to determine what threats can be handled by machines and what threats should be escalated to a human. Historical data can also be used to teach the machine to automate certain tasks.

“For SIEM, any type of data is security data; a nerve centre is crucial to creating an ecosystem around all your solutions and products,” he says.

What’s normal?

“SIEMs today work by also leveraging behaviour analytics and not just alerts; so they’re not just relying on ‘if x happens, an alert must be triggered’.”

“Create baselines for specific situations, to filter what’s normal and what isn’t. Then correlate sequences of events so that when the events happen, an alert can be triggered.” He adds that while remote work may have altered employee behaviour patterns, it’s not only important to create a baseline for anomalies but to also correlate the data with historical data.

“The sky’s the limit with automated incidence response tools such as SIEM and SOAR, but we’re not all at the same stage of the maturity curve, so it’s important to understand your part of the journey for a successful security operations centre.”

See also