3 sour notes interrupting security operations harmony

Great musicians and instruments alone do not make beautiful music. It is the conductor who leads the orchestra and turns the collection of sounds into perfectly executed harmony. Likewise, security operations teams need more than just experienced professionals and best-of-breed tools – they need orchestration.

The SIEM does an excellent job gathering all the different types of security data and identifying correlations according to pre-set rules, but relying on the SIEM alone to orchestrate security operations leaves the security operations center flooded with alerts and no efficient way to address them. This is what is driving SOC managers to put an end to alert overload and bring harmony and peace of mind to the busiest SOCs in the world.

Too many tools and too much data

On average, SOCs have 50 to 100 security technologies deployed across large networks that often span several physical locations. Each solution is selected on its own merits, a process that leads to a multitude of vendors. A recent Gartner forecast of the worldwide endpoint detection and response market found that “Organizations with security budgets of $10 million or more use products from an average of 13 security vendors, which is too numerous for most organizations.”

IPS, antivirus, EDR, WAF, DLP, SIEM, asset management and vulnerability assessment tools; each constantly monitors its own part of the network and creates alerts for any and all suspicious activity. In addition to creating complexity, this multitude of technologies also increases the annual subscription costs. It’s an impressive, costly, labor intensive operation that gathers enormous quantities of data. Modern SOCs gather terabytes of cybersecurity data every day. But deploying tools and gathering data isn’t enough to keep digital assets safe.

False sense of security

The multitude of security vendors, tools, versions, updates and alerts gives SOC managers a false sense of security that they have “all their bases covered.” Intuitively, this approach makes sense. If one tool provides good defense, then surely ten tools will protect the network even better. So SOC managers pile on overlapping layers of tools and solutions from an assortment of vendors. Unfortunately, this also produces a damaging side effect that counteracts the effectiveness of the solutions and can weaken security.

Incongruous tools and alerts

The multitude of vendors and solutions is the source of SOC cacophony. It produces millions of logs, all of them sent to the SIEM. The SIEM tries to create a correlation engine to identify the alerts that represent real threats and must be addressed with highest priority.

Managing the SIEM requires huge investments of time and energy from highly skilled experts who constantly change and tweak rules to keep the SIEM operating on a day-to-day basis. Even after the security team conducts extensive maintenance work, the SIEM still creates hundreds or thousands of alerts that need to be addressed one by one. Each alert must be checked and cleared by highly skilled analysts, which is oppressively time intensive, especially considering that most of the alerts will turn out to be false positives.

Alert overload also serves as camouflage for malicious actors; distracting the SOC team with a barrage of false positives helps malicious activity slip under the radar. Incongruous tools and alerts create ideal conditions for advanced malware to penetrate a network.

Creating harmony in the SOC

Vendor consolidation – SOC managers must overcome the cacophony of alerts created by security tools and the SIEM and rein in ballooning operational expenditures. This has led many SOCs to pursue tool consolidation. Tool consolidation must also include vendor consolidation. Many times, it is better to implement a full suite of products from one vendor, even if one or two are not considered best-of-breed, because the resulting harmony significantly reduces the ongoing operational costs of updating, maintaining and fielding alerts from so many incongruous tools. The improvements in synchronization, simplification and organization create a net win for the level of network security attained.

Automation and orchestration – To bring calm to the alert storm, SOC managers must implement a system that can sit on top of the SIEM, receive all its data streams, and automatically orchestrate all the various tools and alerts together in a holistic manner, to effectively identify the few alerts that pose a serious threat to the organizational network so analysts can focus on what counts. This holistic view allows SOC automation and orchestration solutions to alleviate alert and tool overload to bring harmony to security operations.
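As an added illustration of the holistic triage described above (example code written for this page, not any vendor's product), the snippet below takes a constructed stream of alerts from several tools as a SIEM might forward them, groups them by asset, and combines tool corroboration, asset criticality and known vulnerabilities into a single score so that only the few hosts that warrant an analyst's attention surface. The alert fields, asset data, weights and threshold are all constructed assumptions.

```python
from collections import defaultdict

# Constructed sample alerts, as a SIEM might forward them from different tools.
ALERTS = [
    {"id": 1, "tool": "ids", "host": "web-01", "signature": "SQL injection attempt"},
    {"id": 2, "tool": "edr", "host": "web-01", "signature": "shell spawned by httpd"},
    {"id": 3, "tool": "ids", "host": "web-02", "signature": "SQL injection attempt"},
    {"id": 4, "tool": "av", "host": "lap-17", "signature": "adware quarantined"},
    {"id": 5, "tool": "waf", "host": "web-01", "signature": "blocked injection"},
    {"id": 6, "tool": "dlp", "host": "web-01", "signature": "outbound archive upload"},
]

# Constructed asset context from asset management and vulnerability assessment.
ASSETS = {
    "web-01": {"criticality": 3, "open_vulns": ["sql-injection"]},
    "web-02": {"criticality": 3, "open_vulns": []},
    "lap-17": {"criticality": 1, "open_vulns": []},
}

def score_host(host, alerts):
    """Score a host by how many distinct tools corroborate activity on it,
    weighted by asset criticality, plus bonuses for cross-tool patterns."""
    tools = {a["tool"] for a in alerts}
    asset = ASSETS.get(host, {"criticality": 1, "open_vulns": []})
    score = len(tools) * asset["criticality"]
    if "edr" in tools and tools & {"ids", "waf"}:
        score += 5  # network-side attack followed by host-side execution
    if "dlp" in tools:
        score += 3  # data leaving the host after suspicious activity
    if asset["open_vulns"]:
        score += 2  # host is known to be vulnerable
    return score

def prioritized_hosts(alerts, threshold=6):
    """Return hosts scoring at or above the threshold, highest first,
    with the alert ids that contributed, so an analyst sees one case per host."""
    by_host = defaultdict(list)
    for a in alerts:
        by_host[a["host"]].append(a)
    ranked = [
        {"host": h, "score": score_host(h, al), "alert_ids": [a["id"] for a in al]}
        for h, al in by_host.items()
    ]
    ranked.sort(key=lambda r: r["score"], reverse=True)
    return [r for r in ranked if r["score"] >= threshold]

if __name__ == "__main__":
    for case in prioritized_hosts(ALERTS):
        print(case)
```

Six raw alerts collapse into one case for web-01, while the isolated IDS hit on web-02 and the adware event on the laptop fall below the threshold.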