Latest News

Taking a Data-Driven Approach to SOC Operations

Written by Cyrille Badeau, Vice President of International Sales, ThreatQuotient

Today’s escalating threat landscape means that security operations teams face a multitude of challenges.  This can make it challenging for them to keep pace with the sheer scale of threats, tactics, and techniques that bad actors frequently use.  When you consider recent ransomware attack statistics, it is easy to see that cybercrime has intensified, with a record-breaking number of threats of increasing severity taking place year-on-year. In fact, according to Cybersecurity Ventures, ransomware is expected to attack a business, consumer, or device every 2 seconds by  2031, up from every 11 seconds in 2021. Global ransomware costs are expected to rise from $20 billion in 2021 to $265 billion by 2031.

SOC teams are drowning in data

SOC teams are under pressure to detect security events and rapidly respond, this is hard to do when they are drowning in data. As the number of devices, elements, and sources of data increase, so does the number of tasks associated with processing that data into anything useful that the teams can utilise. Add to this the introduction of many new cloud environments, especially with the ‘new normal’ hybrid and remote workforce and this also generates a staggering array of event data.

Inevitably, security analysts can find themselves becoming fatigued with the volume of alerts as they face a growing backlog of investigation tickets that need to be resolved. Consequently, it is easy for ‘real’ alerts to get missed.

Furthermore, a lack of strong technology integration tools used for detection and investigation of incidents can also impede security analysts.  Many security technologies simply don’t interoperate and integrate well or easily, and sometimes they don’t have the ability to integrate at all. This can lead to SOC teams struggling to align data sets and coordinate detection and response across disparate technologies.

A lack of resources is compounding the issue

SOC teams often face a lack of resources and skilled experienced analysts capable of understanding how to detect and respond to security incidents.  To this point in the 2021 SANS SOC survey, lack of skilled staff was cited as the greatest barrier to full SOC utilisation.[1]   Add to this a real lack of unification in teams, whereas most SOC teams rely on a partnership with IT operations and other developer teams across the business.  However, often these teams work in silos with little integration and cooperation between them which means that detection and response to incidents can be hindered or limited at best.

As a result of the key challenges outlined above i.e. a lack of resources, limited cooperation and integration with other IT teams, a lack of technology integration and the sheer data overload of alerts and other notifications, the job of the security operations and threat intelligence teams is becoming increasingly difficult.

On the one hand they need all this data to understand more clearly what to look for and how best to prioritise.  On the other hand, the sheer quantity of data, many tools and processes are now ingesting and producing is overwhelming for teams already taxed with many other security operations tasks.

A more unified and centralised approach

This is where our extended detection and response (XDR) solution helps because it aggregates data between disparate security technologies to provide a more unified, centralised, and consolidated system. Our ThreatQ Platform ingests data from a wide variety of sources, normalising all this data (including removing any duplicate data) and correlates this to inform security narratives.  This then helps to facilitate and prioritise threats for investigation and focused detection, integration, and response.  It translates data for both investigation and responses and also exports to other tools and services for remediation.  For example, it also integrates with SIEM, NDR, EDR, SOAR and sandbox tools and many others.  This enables organisations to undertake customised risk scoring and reporting so that the business can accurately highlight the areas that they are most interested in analysing.

Once data has been ingested into ThreatQ, the platform compiles a threat library that includes a wide variety of threat details, including adversaries, indicators of compromise (IoCs), attack patterns, malware, vulnerabilities, documented incidents, campaigns and more. Additionally, a separate module – ThreatQ Investigations – can be used alongside the core platform which allows organisations to create collaborative visual models of threat data in order to explore all facets of threats and attack scenarios.  Tasks can also be created for threat hunting and other investigation functions.  And finally, we also have another module, our ThreatQ Data Exchange, which allows the SOC team to create dedicated threat intelligence sharing relationships with a variety of parties. What is great about this is that they can specify what data to send with a high degree of granularity and they can also obscure the source of data.

Taking a data-driven approach

In today’s escalating threat environment, security is high on the C-suite agenda where directors are demanding that SOC teams rapidly respond and neutralise threats to the business.  The only way to deal with this is through automation so that the SOC team can more easily aggregate a wide variety of data into a single location for analysis and correlation.  Therefore, for those businesses that want to organise security threat data and become more productive with better and more efficient insights across the SOC teams, they should look at using a solution like our ThreatQ platform.