When SOCs never stop: How to fill the intelligence gaps in security

Demand for security analysts and security operations centre experts is high – so high that Frost and Sullivan found only two percent unemployment in the sector and that demand continues outstrip the supply of newly skilled professionals. (ISC)² suggests that the number of skilled professionals will have to grow from 2.8 million worldwide to 4.07 million to close the skills gap.

All these roles will require the right skills and the right data. Alongside filling those positions effectively, supplying the right insight on what is taking place will be essential. Without the right level of insight, these roles can easily be overwhelmed by the sheer volume of alerts and false positives.

Filling the security information

The main problem is that there is so much information coming into the SOC continuously that keeping up is a near-impossible task. Without the right approach in place, it becomes easy for analysts to be overwhelmed by the wrong kinds of signals.

Filling the information gap therefore involves looking at how to make the most of the data that is coming in, without paralyzing the process or relying on manual intervention. While artificial intelligence and machine learning have been suggested as routes to achieving this, in reality they will only be part of the approach. Achieving the right security posture will instead involve looking at the data, the analysis and the real-time requirements together.

Typically, security teams use alerting and information from their tools to flag suspicious activity that is taking place. This data tends to flow into a Security Incident and Event Management (SIEM) product for analysis. However, SIEMs were developed as an approach to work with traditional networks and on-premise applications, rather than the world of cloud and containerised applications that we are moving to today. These new systems put out so much more data that traditional SIEM approaches – and the SOC processes that rely on SIEM – are no longer fully fit for purpose.

To fill the gaps that exist here, making use of cloud for scalability is one approach. Cloud environments tend to be elastic, unpredictable, and highly dynamic, so taking the same approach to handling data is desirable. As the types, quantities, and sources of data continue to increase, SOC teams may go from handling data being created at a rate of 1TB/day, then scaling up to 70TB/day and back down again, all in a matter of hours. Without the flexibility of capacity planning that cloud provides, SOC teams risk losing or missing data due to unpredictable spikes.

Building continuous intelligence

For many SOC teams, the ability to analyze data in real-time is currently enough. However, the lack of skills and the increasing quantity of data means that this won’t be the case forever. Instead, the ability to analyze will have to be linked into more recommendations and automation for decision support.

It’s important to make the distinction clear between real-time analytics and what Gartner calls continuous intelligence. Real-time analytics is the ability to take in data and process it for people to use; continuous intelligence builds on this by providing more context, analysis and recommendations as part of that process. For SOC teams, this is similar to the “observe – orient – decide – act” (OODA) loop developed by military strategist and US Air Force Colonel John Boyd, where data is used to provide better decision options and lead to better outcomes as actions are taken.

OODA can help security teams work in the moment by processing context information more quickly. For continuous intelligence purposes, the loop uses automation to pull in all the necessary data across IT assets and services, analyze the relevant information and then provide recommendations to the SOC team on what issues are worth investigating further, what may warrant watching over time, and what is effectively “business as normal.”

These recommendations for actions to take can help SOC staff concentrate on where their efforts are most required, rather than facing a barrage of alerts with no guidance on where to prioritize. As actions are taken, the data coming in can be analyzed again to ensure that actions have had the right impact and priorities are re-assessed continuously. This helps the SOC team understand that their actions always have the most potential good impact.

Looking ahead, the number of skilled IT security professionals needed will continue to grow. As security technologies and automation approaches develop, existing and new security staff will be able to handle more data and in more intelligent ways. The SOC of the future will need to keep up with all the new data sets, applications and infrastructure that businesses require. By taking an approach based on continuous intelligence, those teams will be more efficient and more productive.