Disrupt your SOC or be disrupted

Does the SOC really need to be disrupted? In an EY survey, 59% of enterprises admitted experiencing a material or significant breach. Despite the fact that SOC spend dominates an organization’s cybersecurity budget, more than half of these SOCs were actually ineffective in protecting their organizations from attacks.

At the Modern SOC Summit, Girish Bhat, Vice-President of Security, CI & Platform Marketing at Sumo Logic, hosted an in-depth discussion with DJ Goldsworthy, Global Director Security Operations and Threat Management at AFLAC, about the current issues facing security operations and whether disruption or evolution is the best path forward.

DJ has been thinking about these changes for many years. He’s been with AFLAC for more than five years, building up their cybersecurity capabilities with a focus on threat intelligence and enterprise vulnerability management and then taking on all security operations, incident response, forensics administration, and engineering. He’s been on the front line of cybersecurity seeing the challenges the SOC faces and has some solid advice for how to change the SOC to be more effective and efficient.

Know your attackers

As per DJ, it is important that we preemptively look at the direction that our adversaries are likely to go in and that becomes our target.. We can’t wait until they get there and then react. “Where I believe that we're heading eventually is AI versus AI. Things are going to accelerate to a pace that we can't really fathom right now,” says DJ.

DJ sees a future where adaptive attack engines are offered as a service, with cybercriminals building a framework at scale to launch sophisticated attacks. Using open source intelligence and adaptive frameworks and machine learning, the engine can acquire multiple targets per entity and quickly go through multiple stages of attack iterating, changing things like source domain or IP address. The infrastructure will be a highly variable set, so pure IP-based blocking won’t stop these attacks. Security operations will need to become very adaptive and very automated to keep these kinds of attacks at bay.

In looking at the current SOC situation, DJ was clear that the way forward will indeed be challenging, stating “I'm pessimistic about the state of affairs of criminal organizations and their intent but optimistic about our ability to get out ahead of them.”

The key is for the industry to accept some hard truths. When we look at the number of incidents that occur in the average company, it’s probably a couple dozen in a year. Yet, the average SOC has thousands, tens of thousands of alerts in that same timeframe. The simple truth is that incidents and near misses are quantitatively small numbers, but alerts are very high in numbers. And that means the SOC is missing the mark.

Building an autonomous SOC

To address the problem of too many alerts and the risks of missing attacks, DJ says “We have to be bold as an industry. Begin with the end in mind: the near zero alert SOC.” In reality, incidents and near misses are relatively rare, so the goal is to get those—and only those—as alerts. As DJ put it so well, “we need to make alerts more reflective of that reality.”

He also believes we need to be moving towards an increasingly autonomous SOC. We’re already painfully aware that there isn't enough time to wait for a human to review an alert and decide what to do. We have to change the paradigm of how a SOC operates by focusing on smart automation. Before the SOC can move towards automation, though, there is foundational work to be done in redefining the role of the SOC analyst from someone working in the system to someone working on the system, as DJ points out.

Analysts will be spending more of their time as coders, as threat modelers, as engineers, building more effective systems. Repurposing the SOC analyst and upskilling them is going to be a critical transition that we need to make collectively.

Over the course of two to three years, the SOC can increase automation to get closer to that autonomous SOC, where analysts are building truly adaptive, truly resilient networks that can withstand the impending acceleration of attacks. How do we get there? Is it better tools, more analysis, more people, or a combination of those and other factors?