Despite all the preventative steps being taken by organisations around the world, cybercrime is continuing to grow at an alarming rate.
Industry research shows that, during 2022, there was a ransomware attack launched every 11 seconds and the global annual cost of cyberattacks to business reached $20 billion. Most leaders realise it now a case of ‘when’ rather than ‘if’ their organisations will fall victim.
Interestingly, 94% of cyberattacks use email as their attack vector. An employee clicking on a link or opening a malicious attachment can grant an attacker access to an organisation’s entire IT infrastructure.
The benefits of a SOC visibility triad
To help to improve their level of resistance against cyberattacks, increasing numbers of organisations are embracing a strategy known as a security operations centre (SOC) visibility triad.
The components of this triad are:
- A security information and event management (SIEM) platform,
- Network detection and response (NDR) capabilities, and
- Endpoint detection and response (EDR) tools.
The SIEM platform delivers comprehensive visibility across an organisation’s entire IT infrastructure. The platform correlates multiple perspectives, from the operating system layer to applications, networks, and virtual machines. This allows security teams to make earlier detection of threats and respond rapidly before problems occur.
A SIEM platform also provides long-term retention capabilities which can be valuable when needing to comply with security and data protection requirements. They can also be an aggregation point for spawning organisation-wide orchestration and automation of protective measures.
Meanwhile, NDR capabilities increase the speed at which security teams can respond to an attack. This is because the majority of attacks begin at the network layer and so having comprehensive visibility is vital.
NDR is also invisible to attackers and so becomes more difficult to evade than other monitoring techniques. It can be even more powerful when combined with threat detection tools that incorporate behavioural machine learning (ML) capabilities.
EDR tools, on the other hand, provide deep visibility into all devices on which a software agent can be deployed. The tools can monitor for threats and contain then should they appear.
Being agent based, EDR can also work in isolated environment and even provide protection when devices are disconnected from the network. Many other tools are unable to achieve this.
The 3 ’Ps’ of a security strategy
As well as the SOC visibility triad, a resilient security strategy should also incorporate what are known as the three ‘Ps’: process, people, and partners.
Process is vital because this will determine how security teams undertake their monitoring activities and respond to threats when they are discovered. Processes can be enshrined in customised playbooks that will guide team members when an attack is taking place.
Teams can create effective processes by basing their work on good-practice frameworks such as NIST and ITIL. It’s also important to recognise that processes are not a one-size-fits-all concept but instead will need to be adapted to suit each organisation.
People are also a very important element in any security strategy, and typically they are grouped into three categories. Level 1 team members undertake triage of alerts and act as a first line of defence. Level 2 staff then carry out investigation of the remaining alerts and respond accordingly. Level 3 staff focus their efforts on escalating responses where required and undertaking threat hunting.
Effective and ongoing training is vital for each group. Members need to be fully appraised of the latest threats and the detection and response tools they have at their disposal.
Partners are the third category as organisations will need to rely on a number to have access to all the tools and capabilities that are required. Selected tools must also be effectively integrated to ensure effective protection is achieved.
In many cases, partners can be used to allow an organisation to outsource some or all of its security measures. A trusted security partner can monitor an infrastructure and take all required steps should an incident occur.
By understanding the SOC visibility triad and the three ‘Ps’ that comprise a security strategy, organisations can be well positioned to detect threats and neutralise them before they can cause disruption and damage. Undertaking this work today can reduce the likelihood an organisation will become the victim of an attack tomorrow.