
Sponsored: It’s Time to Consolidate the SOC

A critical segment of cybersecurity, the security operations center (SOC), is long overdue for change.

The one constant of cybersecurity is its rate of change. The technology you knew yesterday has been acquired, bundled and updated into a consolidated tool that provides the solution for today. That consolidation is inevitable given the breadth of solutions and vendors working to address always-shifting security operations requirements. Not all segments of cybersecurity are responding equally to consolidation, though. In particular, one critical segment that is long overdue for it, the security operations center (SOC), has not yet undergone its shift.

Deploying a highly automated and centralized SOC is still a newer concept for some agencies, particularly those that haven’t yet invested in security orchestration, automation and response (SOAR) platforms. But the growing volume of disparate, niche SOC solutions suggests we’re on the verge of rationalization and consolidation in this space. That’s a good thing for several reasons.

Consider the typical model of SOC roles and responsibilities. SOC staff are allocated to a tiered skill structure: Tier 1 is entry level, responsible for information intake, ticket creation and triage. Practically speaking, the least skilled analyst determines what the most skilled analysts work on. Tier 2 analysts manage escalated tickets, working with curated data from multiple systems to reach a target outcome. Tier 3 comprises the highest skilled, analyzing trends and determining protective remediation that may be required across the organization. It’s all intense work, typically requiring 24/7 staffing.

It also requires significant manual effort; so bright minds developed SOAR technologies to help offset the burden. Almost all Tier 1 activities can be automated, allowing those analysts to be retrained for higher level tasks. SOAR can be used to perform triage and assign an incident a severity score, allowing Tier 2 and Tier 3 to work incidents based on repeatable and consistent severity determinations. Automating Tier 2 investigative outcomes produces a well-vetted volume of information to hand off to Tier 3, which can then leverage automation to remediate as necessary. 
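To make the "repeatable and consistent severity determinations" above concrete, here is an added example of automated Tier 1 triage. It is illustration code written for this page, not Palo Alto Networks or Cortex XSOAR code; the alert fields, weights, severity bands and routing table are assumptions, and the sample alerts are constructed inline. It collapses duplicate alerts into incidents, scores each incident deterministically, caps low-confidence detections so they cannot escalate on their own, and routes the result to the tier that should work it.

```python
"""Automated Tier 1 triage: deterministic scoring, grouping and routing.

Added example, not Palo Alto Networks code. The alert fields, weights and
severity bands are assumptions for this illustration; the sample alerts are
constructed inline.
"""
from collections import defaultdict

# Assumed weights; a real SOC would take these from its runbook.
ASSET_WEIGHT = {"workstation": 1, "server": 2, "domain_controller": 4}
# (minimum score, label), checked from the top down.
SEVERITY_BANDS = [(8, "critical"), (5, "high"), (3, "medium"), (0, "low")]
ROUTE = {"critical": "tier3", "high": "tier2", "medium": "tier2", "low": "monitor"}


def score_alert(alert):
    """Return a repeatable numeric score for one alert: same input, same score."""
    score = ASSET_WEIGHT.get(alert["asset_type"], 1)
    if alert.get("privileged_user"):
        score += 2
    matches = alert.get("ioc_matches", 0)
    if matches >= 2:          # indicator corroborated by more than one feed
        score += 3
    elif matches == 1:
        score += 1
    # Low-confidence detections are capped so they never escalate on their own.
    if alert.get("confidence", 1.0) < 0.5:
        score = min(score, 2)
    return score


def severity_for(score):
    for minimum, label in SEVERITY_BANDS:
        if score >= minimum:
            return label
    return "low"


def triage(alerts):
    """Collapse duplicate alerts into incidents, score each, and route by band."""
    incidents = defaultdict(list)
    for alert in alerts:
        incidents[(alert["host"], alert["detection"])].append(alert)
    routed = []
    for (host, detection), group in incidents.items():
        score = max(score_alert(a) for a in group)
        severity = severity_for(score)
        routed.append({
            "host": host, "detection": detection, "alerts": len(group),
            "score": score, "severity": severity, "route": ROUTE[severity],
        })
    # Highest score first, so Tier 2/3 work the queue in severity order.
    return sorted(routed, key=lambda r: (-r["score"], r["host"]))


# Constructed sample: 40 repeats of one noisy workstation detection plus three
# distinct alerts of differing quality.
SAMPLE_ALERTS = [
    {"host": "WS-17", "detection": "suspicious_powershell", "asset_type": "workstation"}
    for _ in range(40)
] + [
    {"host": "DC01", "detection": "credential_dumping", "asset_type": "domain_controller",
     "privileged_user": True, "ioc_matches": 2, "confidence": 0.9},
    {"host": "SRV-WEB", "detection": "webshell_write", "asset_type": "server",
     "ioc_matches": 1, "confidence": 0.9},
    {"host": "SRV-DB", "detection": "beacon", "asset_type": "server",
     "ioc_matches": 1, "confidence": 0.3},
]


def demo():
    """Triage the constructed sample; returns the routed incident list."""
    return triage(SAMPLE_ALERTS)


if __name__ == "__main__":
    for incident in demo():
        print(incident)
```

On the constructed sample, 43 alerts collapse to four incidents: the domain controller credential-dumping incident lands in the Tier 3 queue, the web-server incident goes to Tier 2, and both the noisy workstation detection and the low-confidence beacon stay in monitoring, which is the kind of reduction in manual touches the paragraph describes. The important property is that the same alert always produces the same score, so escalation decisions no longer depend on which analyst happened to be on shift.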

This “retrain don’t replace” model means incumbents are skilled up more cost effectively, with more compelling career opportunities aiding staff retention. The force multiplier effect is especially valuable given the cyber talent shortage.   

Equally important is the technology itself. While SOAR platforms represent a big step forward, up to now they haven’t encompassed the range of capabilities needed to address all necessary SOC functions without complex integrations. Considering that a SOC is intended to be a highly collaborative environment and a nexus for processing all organizational security issues, maintaining siloed systems just doesn’t make sense.

One big gap is in automated knowledge management, where issues and outcomes from past cases can be instantly discovered and mined to help solve new ones. Machine learning can link raw data and cases over time to identify commonalities that analysts can then apply to current work, speeding time to issue resolution. Ready matching to past case notes provides a wealth of information that helps train and upskill analysts in real time. 

SOAR technology can also address common documentation challenges. SOAR tools can create incident documentation in real time throughout the investigation. They can also help validate analysts’ actions over the long term, correlating to the established process to make sure it stays accurate and up to date. While many SOCs do employ a knowledge management solution, it’s a separate system that must be integrated into the SOAR platform, increasing overhead and inefficiency.

Another concern is the disconnect between threat intelligence and security information and event management (SIEM) technology. Many SOCs use a SIEM platform to identify threats and send alerts, but that alone is not enough. Agencies tend to consume a breadth of curated threat intelligence, paid and/or open source, covering a range of threats: malicious IP addresses, indicators of compromise (IOCs), bad domains or digital certificates, patterns of abnormal behavior, and more. Using multiple intelligence feeds produces a great deal of redundancy and data that must be normalized before it is useful.

For example, an agency might use 20 different feeds, each with its own threat rating system, so the same indicator can carry a different risk score depending on which feed reported it. A threat intelligence platform (TIP) can automate the handling and rationalizing of diverse threat feeds into a single registry, allowing SIEM alerts to be prioritized consistently and saving precious time in the event of an attack. But a separate TIP is yet another security tool to learn and manage.
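What "rationalizing diverse threat feeds into a single registry" involves in practice is shown by the following added example, written for this page and not taken from Palo Alto Networks or any TIP product. The three feed formats, their field names, the common 0-100 scale and the P1-P4 bands are assumptions, and the feed records are constructed inline. Each feed rates indicators on a different scale, writes the same indicator in a different form, and one carries an expiry; the example canonicalizes indicators so duplicates collapse, maps every rating onto one scale, drops stale entries, and then uses the merged registry to prioritize a SIEM alert by its IOC.

```python
"""Rationalize multiple threat-intel feeds into one indicator registry.

Added example, not Palo Alto Networks code. The three feed formats, their
field names, the 0-100 unified scale and the P1-P4 bands are assumptions for
this illustration; the feed records are constructed inline.
"""
import ipaddress
from datetime import datetime, timezone

# Constructed records from three hypothetical feeds, each rating indicators
# differently: a 0-100 score, a text severity, and a 1-5 confidence with expiry.
FEEDS = {
    "feed_a": [
        {"type": "ip", "value": "198.51.100.7", "score": 85},
        {"type": "domain", "value": "Evil.Example.", "score": 40},
        {"type": "sha256", "value": "A" * 64, "score": 60},
    ],
    "feed_b": [
        {"type": "domain", "value": "evil.example", "severity": "critical"},
        {"type": "ip", "value": "2001:0DB8:0000::0001", "severity": "medium"},
        {"type": "domain", "value": "tracker.example", "severity": "low"},
    ],
    "feed_c": [
        {"type": "ip", "value": "198.51.100.7", "confidence": 3,
         "expires": "2020-01-01T00:00:00Z"},
        {"type": "ip", "value": "2001:db8::1", "confidence": 3,
         "expires": "2099-01-01T00:00:00Z"},
    ],
}
SAMPLE_NOW = datetime(2021, 1, 1, tzinfo=timezone.utc)  # fixed clock for the sample
SEVERITY_SCALE = {"low": 25, "medium": 50, "high": 75, "critical": 100}


def normalize_score(record):
    """Map a feed's native rating onto the assumed common 0-100 scale."""
    if "score" in record:
        return max(0, min(100, int(record["score"])))
    if "severity" in record:
        return SEVERITY_SCALE[record["severity"].lower()]
    if "confidence" in record:
        return max(1, min(5, int(record["confidence"]))) * 20
    raise ValueError(f"no recognised rating field in {record!r}")


def canonical_key(ioc_type, value):
    """Canonicalize so one indicator written several ways collapses to one key."""
    value = value.strip()
    if ioc_type == "ip":
        return "ip", str(ipaddress.ip_address(value))   # 2001:0DB8::0001 -> 2001:db8::1
    if ioc_type == "domain":
        return "domain", value.lower().rstrip(".")        # Evil.Example. -> evil.example
    return ioc_type, value.lower()                        # hashes: case-insensitive hex


def is_expired(record, now):
    expires = record.get("expires")
    if expires is None:
        return False
    return datetime.fromisoformat(expires.replace("Z", "+00:00")) <= now


def build_registry(feeds, now):
    """Merge feeds into one registry, keeping the highest score and every source."""
    registry = {}
    for feed_name, records in feeds.items():
        for record in records:
            if is_expired(record, now):
                continue  # stale indicators only add noise
            key = canonical_key(record["type"], record["value"])
            entry = registry.setdefault(key, {"score": 0, "sources": set()})
            entry["score"] = max(entry["score"], normalize_score(record))
            entry["sources"].add(feed_name)
    return registry


def prioritize(registry, ioc_type, value):
    """Assign a SIEM alert a priority from the unified registry entry for its IOC."""
    entry = registry.get(canonical_key(ioc_type, value))
    if entry is None:
        return "P4", 0, ()
    score, sources = entry["score"], tuple(sorted(entry["sources"]))
    if score >= 75 or (score >= 50 and len(sources) >= 2):
        return "P1", score, sources   # severe, or mid-score but corroborated
    if score >= 50:
        return "P2", score, sources
    return "P3", score, sources


def demo_registry():
    """Build the registry from the constructed feeds at the fixed sample clock."""
    return build_registry(FEEDS, SAMPLE_NOW)
```

Eight feed records become five registry entries: the two spellings of the domain and the two spellings of the IPv6 address each merge into one entry that records both sources, and the expired feed_c record for 198.51.100.7 is dropped rather than diluting feed_a's rating. Keeping the source set alongside the score is what lets the prioritization step treat a mid-score indicator seen by two independent feeds as seriously as a high-score indicator from one.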

All of these consolidation opportunities matter for agencies struggling to keep pace with today’s threat environment. They reduce cost, because agencies stop paying for redundant platforms; they streamline workflows, because fewer cross-platform integrations must be built and maintained; they reduce training, because fewer systems mean less to learn and remember; and they augment staff, performing the tedious, repetitive parts of analysts’ work faster and more consistently than people can.

At Palo Alto Networks, we clearly see the coming requirement for SOC consolidation, and are already preparing for it. Our new Cortex XSOAR platform (formerly Demisto) is the industry’s first extended security orchestration, automation and response platform with native threat intelligence, knowledge management, and collaborative case management, combined into a single comprehensive solution. Driven by the goal of streamlining our internal SOC environment, we shaped Cortex XSOAR to meet our own demanding standards, then used it to gain some impressive results:

  • Eliminated the need for 24/7 staffing by automating initial triage and notification.
  • Reduced events requiring manual interaction by 98%. 
  • Increased alert fidelity with data enrichment; for example, from a single IOC, we now pull data from multiple other sources and assign priority before human review.
  • Used machine learning to determine each analyst’s capability in different investigation types, then used those insights to assign new incidents, increasing efficiency.
  • Generated dynamic lists from intelligence feeds to use in automated blocking and response.
  • Addressed the volume of endpoint alarms through automating endpoint response alerts — isolating the host at the firewall, blocking user access, or removing a malicious file.

Agencies can also realize these kinds of improvements, whether they’re just standing up their SOC or updating and optimizing a currently deployed SOAR platform. Taking a strategic approach and thinking ahead to that not-too-distant, consolidated SOC future will serve federal CISOs well in protecting their agency mission more efficiently and economically for the long term.

For more information, please visit: https://www.paloaltonetworks.com/services/soc