Security operations centers (SOCs) tend to be forward-looking out of necessity: there are always going to be new attacks, vulnerabilities or complications resulting from the use of new technologies.
But as organizations make remote work a permanent part of their operations, many SOC teams will need to make adjustments of a different order from the adaptations they are used to. Those adjustments will include rethinking some pretty basic fundamentals, including where the SOC should be, what tools it should prioritize, and which emerging challenges it should start preparing for now.
Here are some immediate recommendations for how SOCs should adjust, and some longer-term ideas for how to future-proof them:
Dialing down the network noise
One immediate step that SOCs should push for is reducing all-day access to the corporate network and VPNs. It sounds somewhat counter-intuitive, but taking this step actually makes a lot of sense in the context of reducing the attack surface.
By reducing the need for all-day corporate VPN use, SOCs can prioritize the incidents and anomalies that require their attention. Instead of asking employees to sit on the VPN all day so they can access a server for the two or three things they need, SOC teams should consider sending employees to internet-based portals to verify their identities, granting access, and then removing that access straight after. By using a simple smartphone push or OTP only when needed, instead of relying on the VPN ‘perimeter,’ the SOC team shifts its network access closer to a zero trust posture – improving security without being too invasive.
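The portal flow described above, as an added illustration that is not part of the original article: a small just-in-time access broker in Python. A user presents a one-time code, the broker verifies it as an RFC 6238 TOTP (implemented here with the standard library, using the RFC 4226 test secret as a constructed example), grants access to one resource for a short TTL, and drops the grant when the TTL lapses. The JitAccessBroker class, the injected clock and the in-memory audit trail are assumptions for the example, not a real product's API.

```python
import hashlib
import hmac
import struct
import time
from dataclasses import dataclass


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_totp(secret: bytes, code: str, at: float, step: int = 30, window: int = 1) -> bool:
    """RFC 6238 TOTP check, accepting +/- `window` time steps for clock drift.
    compare_digest keeps the comparison constant-time."""
    counter = int(at) // step
    return any(
        hmac.compare_digest(hotp(secret, counter + drift), code)
        for drift in range(-window, window + 1)
    )


@dataclass
class Grant:
    user: str
    resource: str
    expires_at: float


class JitAccessBroker:
    """Issues short-lived, per-resource grants only after a fresh OTP proof (assumed design)."""

    def __init__(self, totp_secrets: dict, ttl_seconds: int = 900, clock=time.time):
        self._secrets = totp_secrets      # user -> TOTP secret bytes (constructed for the demo)
        self._ttl = ttl_seconds
        self._clock = clock               # injectable so expiry can be tested deterministically
        self._grants: dict = {}
        self.audit: list = []             # (event, user, resource, timestamp) for the SOC

    def request_access(self, user: str, resource: str, code: str) -> bool:
        now = self._clock()
        secret = self._secrets.get(user)
        if secret is None or not verify_totp(secret, code, now):
            self.audit.append(("denied", user, resource, now))
            return False
        self._grants[(user, resource)] = Grant(user, resource, now + self._ttl)
        self.audit.append(("granted", user, resource, now))
        return True

    def is_allowed(self, user: str, resource: str) -> bool:
        grant = self._grants.get((user, resource))
        if grant is None:
            return False
        now = self._clock()
        if now >= grant.expires_at:
            # Grant lapsed: remove it so "all-day" access never accumulates.
            del self._grants[(user, resource)]
            self.audit.append(("expired", user, resource, now))
            return False
        return True

    def revoke(self, user: str, resource: str) -> None:
        if self._grants.pop((user, resource), None) is not None:
            self.audit.append(("revoked", user, resource, self._clock()))


class FakeClock:
    """Deterministic clock for the worked scenario."""

    def __init__(self, now: float):
        self.now = now

    def __call__(self) -> float:
        return self.now


if __name__ == "__main__":
    # Constructed demo: RFC 4226 test secret, time 59 s -> TOTP "287082".
    clock = FakeClock(59.0)
    broker = JitAccessBroker({"alice": b"12345678901234567890"}, ttl_seconds=900, clock=clock)
    print(broker.request_access("alice", "fileserver", "000000"))  # wrong code -> False
    print(broker.request_access("alice", "fileserver", "287082"))  # fresh OTP -> True
    print(broker.is_allowed("alice", "fileserver"))                # inside TTL -> True
    clock.now += 900
    print(broker.is_allowed("alice", "fileserver"))                # TTL elapsed -> False
    for entry in broker.audit:
        print(entry)
```

The point for the SOC is the audit list: every grant, denial and expiry is a discrete, attributable event, which is far easier to reason about than a flat VPN session that stays up all day.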
Pushing certain corporate assets onto the internet and giving them dedicated security controls reduces the overall 'noise' on the corporate network. Doing so allows analysts to spot abnormal behaviors that indicate compromise because there’s less activity for cybercriminals to hide in.
This should be an easy sell, as rethinking access to the corporate network can improve security and lower costs by reducing resource usage.
Achieving 20/20 cloud vision
Longer-term future-proofing demands that SOCs start to think through how cloud services will change an organization’s security posture. The coronavirus pandemic accelerated cloud transformation, and there’s no sign that that trend will slow down any time soon – Gartner predicts that the SaaS market will grow to $120.9 billion this year, up from $104.7 billion in 2020. These new apps and infrastructure can be problematic from a security operations perspective, but they don't have to be. The key is visibility, or rather the right visibility.
Simply put, that means getting the right data out of your 'as-a-service' applications. If thousands of users have adopted Zoom, for example, are you getting as much data back from Zoom as possible? Is that data coming into a central location within the SOC, where it can be synthesized with your own on-premises data and used to paint a clear picture of what is happening? A granular understanding of everything is essential: be that on your traditional network, or newer cloud resources.
Plan for global SOCs
We’re not all going back into the office anytime soon: from how businesses budget for office space to how they hire new employees, it’s clear that some degree of remote work is being baked into the future of the office now. That’s true for SOCs as well: remote SOCs are effective, allow organizations to tap global talent, reduce costs and can help ensure wider coverage in case an attack begins in the middle of the night.
If remote SOCs are going to be a permanent part of a business’ operations, then security leaders need to plan accordingly and provide them with the communications tools they need to collaborate effectively. Analysts need resources that plug into internal messaging tools like Slack or Teams; ideally, their tools would automatically push out alerts and updates noting when Analyst X is working on Problem Y, how far she got, and when Analyst Z should take over.
SOCs also need to ensure that multiple people can look at the same incident at the same time: some tool kits aren’t designed to allow multiple users to remotely review an incident together simultaneously. Building that function becomes critical when we’re all working in separate locations.
Another area that SOCs should start thinking through in order to plan their longer-term strategies is endpoints, which are going to become a huge piece of the puzzle when it comes to building next-normal levels of visibility. Remote employees may be switching between multiple personal and professional devices and mixing the types of activities they perform on both. They may also be using unsecured networks alongside their family members, who will also be mixing their personal and professional lives. On top of that, remote workers could be distracted from their normal ‘good’ security practices.
To deal with this scenario, security operations teams need to ensure that the incident detection and response on these endpoints is up to scratch and should establish measures to control access from non-corporate devices. They should also look at ways to understand what sensitive data is coming from personal devices such as smartphones or tablets.
Alongside ingesting data from all these new endpoints, different data types should be combined to improve the overall picture of threats; this might involve, for example, merging behavioral analysis with other threat-related data, such as vetted threat intelligence and intel from threat hunters.
By embracing automation, skilled security analysts can become more efficient in hybrid working environments. Machine Learning (ML) is already perfectly capable of understanding data it is fed and can report anomalies without any human intervention. So, for example, an automated ML approach could spot that a user who hasn't worked in the early hours of the morning during the previous 60 days is now doing so – and understand that that’s an anomaly worth flagging.
This is the kind of valuable insight that ML can provide to the security team without them having to do anything but feed it data. Along similar lines, automated workflow processes should be embraced to help handle some of the day-to-day SOC tasks, such as incident reporting.
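The "first early-morning login in 60 days" anomaly described above, as an added example that is not from the original article: a baseline-versus-observation detector in Python run over constructed login log lines. It generalizes the single case in the text to any hour of the day: for each login it compares the hour against the set of hours that user was active in during the preceding 60 days, and raises an alert only when the baseline holds enough events to be meaningful (so a new account does not trip it). The log format, the 20-event minimum and the sample users are assumptions for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

BASELINE_DAYS = 60          # look-back window, as in the text
MIN_BASELINE_EVENTS = 20    # assumed: too little history means no reliable baseline


def parse_event(line: str):
    """Parse one constructed log line, e.g.
    '2021-01-01T09:00:00Z user=alice action=login src=10.0.0.5' -> (datetime, user)."""
    ts_str, *kvs = line.split()
    fields = dict(kv.split("=", 1) for kv in kvs)
    ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts, fields["user"]


def detect_anomalies(lines):
    """Stream events in time order; keep a per-user sliding window of timestamps and flag a
    login whose hour-of-day never appeared in that user's window."""
    events = sorted(parse_event(line) for line in lines)
    history = defaultdict(deque)   # user -> timestamps inside the baseline window
    alerts = []
    for ts, user in events:
        window = history[user]
        cutoff = ts - timedelta(days=BASELINE_DAYS)
        while window and window[0] < cutoff:      # drop events older than the window
            window.popleft()
        seen_hours = {t.hour for t in window}
        if len(window) >= MIN_BASELINE_EVENTS and ts.hour not in seen_hours:
            alerts.append((
                user,
                ts.isoformat(),
                f"no activity at hour {ts.hour:02d} UTC in prior {BASELINE_DAYS} days "
                f"({len(window)} baseline events, usual hours {sorted(seen_hours)})",
            ))
        window.append(ts)   # the observation joins the baseline for later events
    return alerts


def build_sample_log():
    """Constructed sample: alice logs in at 09:00 and 14:00 UTC every day for 60 days, then at
    03:00 on day 61 (and again at 09:00); bob is a new account with three logins, one at 03:00."""
    base = datetime(2021, 1, 1, tzinfo=timezone.utc)
    fmt = "{:%Y-%m-%dT%H:%M:%SZ} user={} action=login src={}"
    lines = []
    for day in range(60):
        for hour in (9, 14):
            lines.append(fmt.format(base + timedelta(days=day, hours=hour), "alice", "10.0.0.5"))
    lines.append(fmt.format(base + timedelta(days=60, hours=3), "alice", "203.0.113.9"))
    lines.append(fmt.format(base + timedelta(days=60, hours=9), "alice", "10.0.0.5"))
    for day, hour in ((58, 10), (59, 10), (60, 3)):
        lines.append(fmt.format(base + timedelta(days=day, hours=hour), "bob", "10.0.0.7"))
    return lines


if __name__ == "__main__":
    for alert in detect_anomalies(build_sample_log()):
        print(alert)
```

Only alice's 03:00 login is reported; bob's 03:00 login is not, because two prior events are no baseline at all. Treating "unusual hour" as a per-user learned profile rather than a fixed cut-off is what lets the same rule cover a night-shift analyst whose normal hours are 01:00 to 09:00.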
Focus on what’s really important
With the pandemic leading to a surge in cybercrime, it’s clear that SOCs will have even more incidents and anomalies to contend with. As we dig in during the pandemic, security operations will require security analysts to focus on what's truly important. Analysts shouldn’t be tied up dealing with an employee clicking on phishing links – that can be handled pretty seamlessly by an automated workflow. Instead, their time should be spent looking at the unusual: anomalies and incidents that are challenging, unique or that require an experienced, human, analytical mind to be dealt with effectively.
It’s essential that security leaders take the time now to plan for the next wave of challenges and opportunities the SOC will face and take steps to future-proof their security operations. In doing so, they will be able to embrace the changes that lie ahead and prepare for the next normal.