Transforming SOCs into Cyber Defence centres
Rise in cyberattacks and increasing risk to critical infrastructures has been lately plaguing financial institutions, businesses and governments. Today, digitization of business operations, data driven business models, and large number of connected devices are driving most businesses. While undergoing evolution, cyber threats to businesses are also striding towards advanced levels of sophistication. To fight against such threats, organizations require prepared and proactive approaches and accept that their systems are always vulnerable; or otherwise, they can be the next victims of cyberattacks. Consequently, the need of early detection, quick response and suitable action is mandatory against the pace and intensity of attacks.
SOCs are performing analysis and identifying threats, which is incomplete cycle and takes very reactive approach. Transforming SOCs into cyber defence centres, can speed up threat detection and allow proactively responding to threats. Security operations centres have already started transforming into cyber defence centres, accumulating new technology functions such as advance threat hunting, intelligence, Big Data analytics and AI/ML to augment overall security posture. Along with functionalities against external threats, cyber defence centres should exhibit capabilities to address insider threats as well. Having deployed all these functions, organizations can question themselves to understand what are the parameters that measure the strength of CDC and the much needed capabilities?
Traditional CSOC
Traditional CSOCs are usually restricted to the following five steps.
Comparison between existing traditional functionalities and the need for added capabilities depict the importance of transformation to CDC. It should be boosted with additional capabilities to stay one step ahead of adversaries.
- Identification: Is the primary focus on identification of potential risks?
- Active detection: How effective is security incident detection?
- Quick response: How quick is the response rate if an incident occurs?
- Data Enrichment and new technology adoptions: They say data is the new oil, this is applicable in security operations as well. Open hunting and intelligence are purely data dependant activities. More data and advanced technology adoption place CDS at a proactive state.
- Automation: Role of AI and ML has turned as a boon for cyber security. Deep learning models are playing vital role in threat classification, identification and prediction. Automation is replacing some tedious duties which is very effective, and hence it is one of the principle factors to measure the strength of any cyber defence centre.
- Skilled Engineers: With Automation skilled workforce is another equally significant factor. At least in security, automated processes can direct you till binaries but choosing either 0 or 1 requires precise human intervention.
Capabilities needed to build cyber defence
Attacks can happen round-the-clock, hence cyber defence centres also must function faster around-the-clock. Adding all the capabilities blindly makes no sense. Studying the problem and addressing those with the right choice is more sensible, because security operation cost is a factor which can’t be ignored while building CDC. For any defence centre, it’s essential to adopt smart technology, key functionalities and skilled workforce as per the security requirements. Following niche capabilities are major constituents of advanced cyber defence centres.
- Security Information and Event management
- Threat Hunting
- Threat intelligence
- Vulnerability prioritization
- Fraud detection
- Security orchestration and automation
- Sandboxing
- Surface & dark web capabilities
- Incident response
- Forensics
Together with the above capabilities, collaborative approach such as platformization add value to defence centres, where multiple entities can come together to share information, contribute to the platform and also leverage from the same. Technology is evolving day-by-day, hence the list of capabilities are never ending, but organizations should keep pace with rapidly changing surroundings.
To know more and discuss on this topic, be a part of the 10th Best Practices Meet. Register here.