What about our SOCs?
Despite hefty investments in cybersecurity and Security Operations Centers (SOCs), we face a widening gap between the perceived and actual threat coverage provided by these investments.
Advances in IT keep opening fresh attack vectors and new threat opportunities. Those attacks drive the creation of new security tools, which in turn push attackers to develop even more elaborate techniques. According to multiple analysts, this multi-dimensional arms race has left a typical enterprise running 50 to 70 security products, including 10 to 20 security monitoring tools, each offering a different angle on the same burgeoning challenge. With all these products and tools in place, why is the gap between the security we perceive and the security we actually get still widening?
The role of the SOC is to maintain and ensure a high level of security by continuously monitoring the company’s security status and responding to incidents promptly and reliably. The SOC team uses a wide range of products and technologies (such as SIEM, SOAR, or XDR products) to view various aspects of the company operations and offer the ‘muscle’ they need to react when threats arise.
The security team’s use-cases and playbooks detail clear workflows and processes that guide analysts on how to handle the various issues and cases as they occur. The use-cases define the rules and policies that the SOC products should be configured with as they monitor events coming into the SOC from the various log sources. For example, to catch brute-force or rogue access attempts, a use-case may require a rule on the SOC’s SIEM along these lines: if there are more than 5 sequential failed administrator login attempts to a critical server, open a high priority ticket for further inspection. To be enforceable, such a rule also has to pin down what the words mean: which hosts count as critical, which accounts count as administrators, and how close together the failures must be to count as one sequence. Today’s SIEMs typically carry hundreds of such rules and policies, accumulated over the years to implement the SOC’s use-cases.
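To make the failed-login use-case concrete, here is the rule above written out as detection logic and run over a handful of constructed sshd-style log lines. This is an added example, not code from the original article or from any particular SIEM; the host and account lists, the ten-minute window, and the log format are all assumptions made for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical scope lists; a real SIEM would pull these from the CMDB and identity provider.
CRITICAL_SERVERS = {"srv-db01", "srv-ad01"}
ADMIN_ACCOUNTS = {"admin", "root"}
THRESHOLD = 5                   # "more than 5" failures, so the 6th one fires the alert
WINDOW = timedelta(minutes=10)  # assumed: failures older than this no longer belong to the same sequence

# Assumed line format: "<ISO timestamp> <host> sshd: (Failed|Accepted) password for <user> from <ip>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd: (?P<result>Failed|Accepted) password "
    r"for (?P<user>\S+) from (?P<src>\S+)$"
)


def parse(line):
    """Parse one line into a dict, or return None for lines this rule does not understand."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "host": m["host"],
        "user": m["user"],
        "src": m["src"],
        "success": m["result"] == "Accepted",
    }


def evaluate(lines):
    """Return one alert per (server, account) whose run of consecutive failures exceeds THRESHOLD inside WINDOW.

    A successful login ends the run; failures on non-critical hosts or for non-admin
    accounts are outside the use-case and ignored.
    """
    runs = defaultdict(list)  # (host, user) -> [(timestamp, source_ip), ...] for the current run of failures
    alerts = []
    for line in lines:
        ev = parse(line)
        if ev is None or ev["host"] not in CRITICAL_SERVERS or ev["user"] not in ADMIN_ACCOUNTS:
            continue
        key = (ev["host"], ev["user"])
        if ev["success"]:
            runs[key].clear()  # the sequence of failures is broken by a success
            continue
        run = runs[key]
        run.append((ev["ts"], ev["src"]))
        while run and ev["ts"] - run[0][0] > WINDOW:
            run.pop(0)  # age out failures that fall outside the window
        if len(run) > THRESHOLD:
            alerts.append({
                "severity": "high",
                "host": ev["host"],
                "user": ev["user"],
                "failures": len(run),
                "sources": sorted({src for _, src in run}),
                "first": run[0][0].isoformat(),
                "last": run[-1][0].isoformat(),
            })
            run.clear()  # one ticket per burst, not one per additional failure
    return alerts


# Constructed sample input covering the cases the rule has to get right.
SAMPLE_LOG = [
    # six failures for admin on a critical server inside half a minute: one alert
    "2024-03-01T10:00:01Z srv-db01 sshd: Failed password for admin from 10.0.0.5",
    "2024-03-01T10:00:05Z srv-db01 sshd: Failed password for admin from 10.0.0.5",
    "2024-03-01T10:00:09Z srv-db01 sshd: Failed password for admin from 10.0.0.5",
    "2024-03-01T10:00:14Z srv-db01 sshd: Failed password for admin from 10.0.0.5",
    "2024-03-01T10:00:20Z srv-db01 sshd: Failed password for admin from 10.0.0.5",
    "2024-03-01T10:00:27Z srv-db01 sshd: Failed password for admin from 10.0.0.5",
    # non-critical host: out of scope regardless of count
    "2024-03-01T10:01:00Z web-07 sshd: Failed password for admin from 10.0.0.9",
    "2024-03-01T10:01:03Z web-07 sshd: Failed password for admin from 10.0.0.9",
    # a success in the middle breaks the sequence, so 3 + 3 failures never reach the threshold
    "2024-03-01T10:02:00Z srv-ad01 sshd: Failed password for root from 10.0.0.7",
    "2024-03-01T10:02:04Z srv-ad01 sshd: Failed password for root from 10.0.0.7",
    "2024-03-01T10:02:08Z srv-ad01 sshd: Failed password for root from 10.0.0.7",
    "2024-03-01T10:02:15Z srv-ad01 sshd: Accepted password for root from 10.0.0.7",
    "2024-03-01T10:02:30Z srv-ad01 sshd: Failed password for root from 10.0.0.7",
    "2024-03-01T10:02:34Z srv-ad01 sshd: Failed password for root from 10.0.0.7",
    "2024-03-01T10:02:38Z srv-ad01 sshd: Failed password for root from 10.0.0.7",
    # non-admin account on a critical server: a different use-case, not this one
    "2024-03-01T10:03:00Z srv-db01 sshd: Failed password for alice from 10.0.0.12",
    # a line the parser does not understand is skipped rather than breaking the rule
    "2024-03-01T10:03:30Z srv-db01 sshd: Received disconnect from 10.0.0.12",
]

if __name__ == "__main__":
    for alert in evaluate(SAMPLE_LOG):
        print(alert)
```

Two details worth noticing: the rule only sees what the regex and the scope lists let it see, so a renamed field, a host missing from the critical list, or a format change in the log source silently turns the rule into a no-op without any error being raised; and the window, not just the count, decides whether a slow, patient attacker ever triggers it.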
Mind the Gap, It’s Widening!
Let’s look at a concrete example. We recently interviewed and analyzed the SOC of an enterprise with 8,000 employees in the telecom business. The company has taken significant strategic and proactive cybersecurity steps over the years. It spends roughly $1.5M – $2M per year on cybersecurity and over the past 5 years has built a SOC dedicated to managing and responding to threats. The SOC runs a well known SIEM that collects and processes over 1 billion events per day from 81 log source types throughout the network. Our analysis revealed that more than half of those log source types are not referenced by any rule at all. The company has configured 927 rules on the SIEM to implement the use-cases handled by the SOC staff, yet only 11% of those rules actually triggered events that required handling. This is one example among many: despite all the investment, the organization is not covering its inputs. Too much critical data is ignored and too many holes are left open. The result is blind spots that hide the real security status from the people responsible for it.
Getting to the bottom of it all
We are experiencing diminishing returns on our security investments: spending more does not necessarily buy better security. The effectiveness of SOC security controls deteriorates quickly without continuous maintenance of the rules behind them, so the same investment delivers less protection as time passes. Even if everything was built correctly at the start, with the right use-cases and policies configured, the threats keep changing and evolving while the rules stand still.
As part of our interviews, we found that most companies overlook the need to maintain the rules applied by the SOC. Many systems, including the SIEM, the beating heart of the SOC, are configured and tuned during the product’s onboarding as part of the vendor’s initial customer success effort. Over the product’s installed lifetime, however, the efficiency and value of those initial rules deteriorate for lack of continuous maintenance. For example, many rules silently become worthless when a product update changes the parser and breaks the field mappings the rule depends on; the rule still exists and still reports as enabled, it just never matches anything again. Furthermore, in today’s evolving cybersecurity space, neglecting to add new rules to SOC systems has a detrimental impact on the company’s security posture.
Clearly the deteriorating value of SIEM rules contributes to the gap between perceived and actual security in the SOC and the company. The actual security level decreases over time, while the security needs of the company increase.
It is time to mend our SOCs
Our SOCs need to be repaired and made more robust. The first step requires a continuous security improvement mindset. Security engineers need tools to measure the health of the applied rules and detect potential issues such as broken field mappings, rules that never fire, and log sources that no rule consumes. Second, SOC engineers need to leverage data from the SIEM and the incoming logs to identify new rules that can be applied. Third, the SOC team must continuously seek out recommendations for new rules based on collective cybersecurity operations experience, threat intelligence and common security frameworks (e.g., MITRE ATT&CK). Alongside the vital role of recommending areas for improvement, the SOC must have tools that can repair broken rules and promptly deploy new ones without unintended consequences, which in practice means validating every change against recent historical data before it goes live.
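The kind of rule-health audit described above, and the coverage figures quoted for the telecom SOC earlier, can be computed from two inventories the SIEM already holds: the rules with the log source and fields each one references, and the log sources with the fields their events currently carry. The example below is added here and is not the article’s or any vendor’s code; the rule names, source names, field names and counts are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    log_source: str    # log source type the rule is written against
    fields: frozenset  # event fields the rule's logic references
    hits_30d: int      # times the rule fired in the review window


@dataclass(frozen=True)
class LogSource:
    name: str
    fields: frozenset  # fields present in events as the current parser emits them
    events_30d: int    # events received from this source in the review window


# Constructed inventory (hypothetical names). In a real SOC this comes from the SIEM's
# rule export and from sampling the parsed events of each source.
SOURCES = [
    LogSource("firewall", frozenset({"src_ip", "dst_ip", "action", "src_country"}), 410_000_000),
    # a parser update renamed SubjectUserName to SubjectUser
    LogSource("windows_security", frozenset({"EventID", "TargetUserName", "SubjectUser", "IpAddress"}), 95_000_000),
    # a parser update renamed category to url_category
    LogSource("proxy", frozenset({"url", "url_category", "user", "status"}), 60_000_000),
    LogSource("vpn", frozenset({"user", "src_ip", "result"}), 2_000_000),
    LogSource("dns", frozenset({"query", "client_ip", "rcode"}), 150_000_000),
    LogSource("legacy_ids", frozenset({"signature", "src_ip"}), 0),  # decommissioned, still referenced by a rule
]

RULES = [
    Rule("fw_deny_burst", "firewall", frozenset({"src_ip", "action"}), 42),
    Rule("fw_geo_block", "firewall", frozenset({"src_country", "action"}), 0),
    Rule("win_4625_spray", "windows_security", frozenset({"EventID", "TargetUserName", "IpAddress"}), 7),
    Rule("win_4720_created", "windows_security", frozenset({"EventID", "SubjectUserName"}), 0),
    Rule("proxy_malware_cat", "proxy", frozenset({"category", "user"}), 0),
    Rule("ids_signature_hit", "legacy_ids", frozenset({"signature"}), 0),
]


def audit(rules, sources):
    """Classify every rule and source so each finding maps to a concrete maintenance action."""
    by_name = {s.name: s for s in sources}
    active = {s.name for s in sources if s.events_30d > 0}
    referenced = {r.log_source for r in rules}

    report = {
        # active sources no rule looks at: the "more than half of log source types" finding
        "uncovered_sources": sorted(active - referenced),
        "orphaned_rules": [],   # rule points at a source that no longer sends events
        "broken_rules": {},     # rule references a field the source no longer carries
        "silent_rules": [],     # fields intact, zero hits: tune, test with replay, or retire
        "effective_rules": [],  # fields intact and the rule actually fired
    }
    covered = set()
    for r in rules:
        src = by_name.get(r.log_source)
        if src is None or src.events_30d == 0:
            report["orphaned_rules"].append(r.name)
            continue
        missing = r.fields - src.fields
        if missing:
            report["broken_rules"][r.name] = sorted(missing)
            continue
        covered.add(src.name)
        (report["effective_rules"] if r.hits_30d > 0 else report["silent_rules"]).append(r.name)

    for key in ("orphaned_rules", "silent_rules", "effective_rules"):
        report[key].sort()
    # share of rules that both still map and actually fired: the "only 11% effective" style figure
    report["effective_pct"] = round(100 * len(report["effective_rules"]) / len(rules), 1) if rules else 0.0
    # share of active sources watched by at least one rule whose field mapping still works
    report["source_coverage_pct"] = round(100 * len(covered & active) / len(active), 1) if active else 0.0
    return report


if __name__ == "__main__":
    import json
    print(json.dumps(audit(RULES, SOURCES), indent=2))
```

The distinction between a broken rule and a silent one is the important output: a broken mapping is a repair job (rewrite the field reference and replay recent events to confirm it matches again), whereas a silent rule with intact fields is a judgement call about thresholds, scope, or whether the use-case still matters. Both look identical on a dashboard that only counts enabled rules.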
Unleashing the true collective security power of our SOCs requires us to harness the “energy” of all security products in these SOCs. Only by continuously assessing, examining actionable insights, and actively improving and deploying repairs can we overcome the ever evolving cyber threats.