SOC integration: Creating a well-built portfolio vs. a frankenstack
The security operations center (SOC) is the linchpin of any organization’s cybersecurity effort. Whether you operate your own or outsource it to a service provider, it’s important to keep it running smoothly. That means ensuring that data on security incidents flows easily throughout all stages of the incident response process.
However, the average SOC isn’t keeping up with cybersecurity threats as they grow in volume and velocity. A Trend Micro SOC survey found over half of all SOC teams (54%) were overwhelmed by alerts. The resulting SOC staff burnout affects companies’ ability to effectively respond to cyber threats. And with teams feeling overwhelmed, over half of respondents (55%) lacked confidence in their ability to prioritize or respond to alerts.
SOC interoperability is key to success
One problem for SOCs is an inability to easily hand off data from one part of the incident response chain to the next. Incident response spans stages ranging from detection all the way through to containment, mitigation and optimization, as teams integrate the lessons learned from an incident into their future operations. These stages require multiple tools, ranging from network and traffic flow analysis to vulnerability management to endpoint detection and response (EDR).
A SOC usually evolves over time, so its designers often buy best-in-breed tools from different vendors as needs arise. These tools don’t always play well with each other or have an effective SOC integration flow. That leaves SOC analysts passing information between tools manually, which introduces delays into a discipline that is under pressure to reduce response times and creates more opportunities for human error.
This is a pressing problem for SOCs. A 2020 Cisco-commissioned Enterprise Strategy Group (ESG) study found that 60% of companies use over 25 different security products, with one in three using over 50. The Trend Micro survey found that 42% of SOCs had stopped using some tools due to a lack of integration.
Companies recognize the benefits of breaking down information silos in their SOC. The ESG research found that almost two-thirds of respondents consider a product’s potential for broader technology integration as critical.
Approaches to SOC product integration
SOCs have two options open to them when integrating cybersecurity products for a joined-up approach to incident response.
- Buy a portfolio-based solution, offering an end-to-end suite of cybersecurity tools from a single vendor, integrated via a dashboard-driven system. This minimizes the integration challenge. Examples include IBM’s Cloud Pak for Security and Cisco’s SecureX.
- Build a best-of-breed stack that integrates products using other tools. Security information and event management (SIEM) tools have traditionally been useful for harvesting and collating data from sensors around an organization’s IT infrastructure, including firewalls, intrusion prevention devices and routers. These can prioritize infrastructure events for further investigation.
A tool that complements the SIEM is the security incident response platform (SIRP), which offers a collaboration system for multiple analysts to work on incident investigation and response. These SIRPs typically feature either pre-built integrations with security tools or the ability to write your own. There are commercial SIRPs, along with open source alternatives such as TheHive.
The portfolio and best-of-breed approaches aren’t mutually exclusive. Both IBM and Cisco allow users of their integrated platforms to exchange data with third-party products that support their technology.
Send SOC security SOARing
Whichever approach you take, the ultimate goal will likely involve increasing your level of SOC automation. Together, SIRP and SIEM can help generate and manage incident response cases for the SOC.
Security orchestration, automation and response (SOAR) takes things to the next level by automating more incident response practices, taking some of the burden off human SOC operators. This won’t replace analysts altogether. Instead, it helps them focus their attention on the parts of the incident response process that need human judgment.
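The hand-off the two previous sections describe (SIEM alerts flowing into SIRP cases without an analyst copying fields between tools, with a little automation layered on top) can be illustrated with a small integration shim. The following is an added example, not code from the article or from any of the products it mentions. It assumes the SIEM exports alerts as JSON lines, uses TheHive-style field names for the SIRP alert object (title, type, source, sourceRef, severity on a 1-4 scale, tags) without calling any real API, and the severity mapping and playbook thresholds are assumptions of the example. The sample alerts are constructed, and the last line is deliberately malformed to show that one bad record should not stall the pipeline.

```python
import hashlib
import json
from typing import Dict, List

# Constructed sample: one JSON object per line, as a SIEM might export alerts.
# The last line is deliberately malformed to exercise the error path.
SAMPLE_SIEM_ALERTS = """\
{"rule_id": "R-1042", "rule_name": "Multiple failed logins", "src_ip": "203.0.113.7", "user": "jdoe", "severity": "medium", "ts": "2024-05-01T10:02:11Z"}
{"rule_id": "R-1042", "rule_name": "Multiple failed logins", "src_ip": "203.0.113.7", "user": "jdoe", "severity": "medium", "ts": "2024-05-01T10:04:30Z"}
{"rule_id": "R-2001", "rule_name": "EDR: ransomware-like file activity", "host": "ws-0417", "user": "asmith", "severity": "critical", "ts": "2024-05-01T10:05:02Z"}
{"rule_id": "R-3300", "rule_name": "Scheduled vulnerability scan completed", "host": "scanner-01", "severity": "info", "ts": "2024-05-01T10:06:00Z"}
{"rule_id": "R-9999", "rule_name": "truncated export
"""

# Assumed mapping from SIEM severity words to the 1-4 scale TheHive alerts use
# (1 = low ... 4 = critical). Unknown values fall back to medium.
SEVERITY_SCALE = {"info": 1, "low": 1, "medium": 2, "high": 3, "critical": 4}
# Assumed playbook policy: informational alerts are logged but never become SIRP
# alerts; high and critical ones are flagged for an analyst immediately.
SUPPRESSED_SEVERITIES = {"info"}
ESCALATE_AT = 3


def parse_siem_alerts(text: str):
    """Parse JSON-lines SIEM output; malformed lines are counted and skipped, not fatal."""
    alerts, skipped = [], 0
    for line in text.splitlines():
        if not line.strip():
            continue
        try:
            alerts.append(json.loads(line))
        except json.JSONDecodeError:
            skipped += 1
    return alerts, skipped


def entity_of(alert: dict) -> str:
    """The asset the rule fired on: host, then source IP, then user."""
    return alert.get("host") or alert.get("src_ip") or alert.get("user") or "unknown"


def source_ref(alert: dict) -> str:
    """Stable identifier for 'this rule on this entity', so repeated firings of the
    same rule against the same host/IP/user collapse into a single SIRP alert."""
    return hashlib.sha256(f"{alert['rule_id']}|{entity_of(alert)}".encode()).hexdigest()[:16]


def to_sirp_alert(alert: dict) -> dict:
    """Translate one SIEM alert into a SIRP alert object (TheHive-style field names assumed)."""
    word = alert.get("severity", "medium")
    return {
        "title": f"{alert['rule_name']} on {entity_of(alert)}",
        "description": json.dumps(alert, sort_keys=True),
        "type": "siem-rule",
        "source": "siem",
        "sourceRef": source_ref(alert),
        "severity": SEVERITY_SCALE.get(word, 2),
        "tags": [alert["rule_id"], f"severity:{word}"],
        "firstSeen": alert.get("ts"),
        "lastSeen": alert.get("ts"),
        "occurrences": 1,
    }


def triage(text: str) -> dict:
    """Run the hand-off: parse, suppress, deduplicate, and flag what needs escalation.

    A real integration would turn the result into API calls; here it is returned
    as plain data so the behaviour can be inspected and tested offline."""
    parsed, skipped = parse_siem_alerts(text)
    sirp_alerts: Dict[str, dict] = {}
    suppressed: List[str] = []
    for raw in parsed:
        if raw.get("severity") in SUPPRESSED_SEVERITIES:
            suppressed.append(raw["rule_id"])
            continue
        candidate = to_sirp_alert(raw)
        existing = sirp_alerts.get(candidate["sourceRef"])
        if existing is None:
            sirp_alerts[candidate["sourceRef"]] = candidate
        else:
            # Same rule, same entity: update the existing alert instead of opening a duplicate.
            existing["occurrences"] += 1
            existing["lastSeen"] = max(existing["lastSeen"], candidate["lastSeen"])
    escalated = [a["sourceRef"] for a in sirp_alerts.values() if a["severity"] >= ESCALATE_AT]
    return {
        "alerts": list(sirp_alerts.values()),
        "escalated": escalated,
        "suppressed": suppressed,
        "skipped_lines": skipped,
    }


if __name__ == "__main__":
    result = triage(SAMPLE_SIEM_ALERTS)
    for a in result["alerts"]:
        print(f"[sev {a['severity']}] {a['title']} x{a['occurrences']} ref={a['sourceRef']}")
    print("escalated:", result["escalated"], "suppressed:", result["suppressed"],
          "skipped lines:", result["skipped_lines"])
```

Run as a script, it turns five SIEM lines into two SIRP alerts: the two failed-login firings merge into one alert with an occurrence count of 2, the EDR alert is flagged for escalation, the informational scan notice is suppressed, and the malformed line is counted rather than aborting the batch. The sourceRef is the piece that matters most for integration: a stable key lets the SIRP recognise a repeat and update a case instead of opening a new one, which is exactly the kind of de-duplication that manual hand-offs between tools tend to lose.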
Advice on your SOC integration journey
As with most technology endeavors, the journey to an integrated, automated SOC involves a trade-off between choice and convenience. Along the way, SOC designers should follow some useful road signs.
Master SOC basics first
Implementing technology such as EDR can work wonders for those with immature SOC automation, accelerating it to more expert levels. However, it’s important to walk before you run. The worst kind of SOC is one that has all the gear but no idea.
Establish a base level of organizational and process expertise before striking out with new technologies. One of the most essential SOC automation requirements is a library of documented, repeatable procedures that reflect common best practices and can then be automated.
NOC and SOC integration is key
The SOC often stands alone, but it shouldn’t. Organizations often run a network operations center (NOC) to keep their data communications infrastructure running properly. Data from the NOC can be valuable in identifying potential threats. A team combining these two centers is worth more than the sum of its parts.
For that cross-team integration to work, though, the two teams must speak the same language. That means bridging two sets of priorities: the SOC focuses on locking down vulnerabilities and dealing with exploits, whereas the NOC is all about the performance and reliability of packet flows.
Making cybersecurity more effective
When building an integrated security stack, your SOC must extend its scope to include internal processes and external teams.
It’s a tall order for a center that may already be struggling to keep up with a rising workload, but focusing on these issues will produce more effective cybersecurity protections in the long run.
Sources
- Cybersecurity Tool Sprawl Drives Plans to Outsource Detection and Response, Trend Micro
- ESG Analyst Whitepaper: Integrated Product Platform, Cisco
- Benefits and Challenges of SOAR Platforms, Carnegie Mellon Software Engineering Institute
- What Is a Security Platform?, Cisco
- IBM Cloud Pak for Security, IBM
- TheHive Project, TheHive