The security operations centre has come a long way since the early 2000s. It wasn’t even called a SOC in those days.
According to Gigamon, leader in cloud visibility and analytics, it was more like a combination of people with different roles trying to figure it out when a security incident hit and hope they could get the network back to a running state without any disruption to business or loss of sensitive data.
It was the culmination of teams coming together between that two-person team managing antivirus and firewalls, the network operations centre (NOC), desktop support, and the LAN admin with ‘God’ rights to the domain controllers.
Gigamon’s ANZ Manager, George Tsoukas, says: “Fast forward to today, we have SOC tier 1, 2, and 3 analysts, incident responders, threat hunters, threat intelligence analysts, Red Teams, Blue Teams, and it keeps going. What does this all mean?
“This is ‘fusion’ as some organisations like to call it. In laymen’s terms it’s coming together as good guys to defend against the bad guys.”
Yet why is it still so difficult as a defender, even with so much support in cyber security? Really it comes down to a few key needs. There is still a need for extended visibility, a need for experienced professionals, and a need for collaboration amongst these teams.
Long-term visibility
Some of us have experienced investigations where we couldn’t retrieve essential because it happened was a long time ago, or maybe some just didn’t have the infrastructure, hardware, or expenses to support the data they needed?
What if none of this mattered and everyone always had 365 days of visibility at their fingertips, and in a matter of minutes were ready to answer any difficult questions they needed to resolve in an investigation?
Certain vendors deliver exactly that. They give security teams the historical visibility to carry out thorough investigations and to hunt for threats that may have been loitering for nearly a year.
Experienced security professionals are hard to come by. Regardless of an organisation’s size or maturity there’s always a need for security experience. No matter how good a tech team are, there’s always a time when they will get stuck, or wish they had the experience to deal with the new issued that emerged.
What if you had brains and experience of incident responders by your side, helping with playbooks and guiding a team towards what to do next? In addition, what if you had an idea of what to do next but didn’t quite know how to execute?
At least one security vendor offers technical success managers to come in and help. They can ensure that a security team can use their technology quickly and effectively. They work together with the team to provide guidance and best practices, enabling the home team to focus on threats rather than tool and vendor management.
There’s definitely something to be said when an organisation’s techs don’t have to ‘figure it out’ and learn yet another query language. Today’s SOC has to learn how to write and create playbooks in their EDR, SIEM, SOAR, and possibly many other tools. One less thing to learn and figure out is always a good thing.
Too many vendors view security analysis as a solitary endeavour, but that’s not the case. Defending against the adversaries together is the essence of collaboration. An organisation can have industry’s best security professionals, with strategic security partners by their side.
Security teams don’t work in a vacuum, and they need tools that let them coordinate their efforts. Parallel hunting does just that. It lets analysts search for multiple events at once while allowing them to coordinate their investigatory efforts across their teams.
Incident responders and security analysts need tools that work right ‘out-of-the-box,’ especially during high-pressure security incidents. Guided playbooks give security teams the tools to identify attacker – all within a few mouse clicks.
