Today’s security operations center is all about reducing the number of alerts with emerging technologies – and enhancing old-school human collaboration. Here’s how some real-world SOCs are evolving.
Blame it on the success of the SIEM. For many security operations center (SOC) managers, the security information and event management system was both a blessing and a curse: It was a way to consolidate and correlate security alerts from firewalls, routers, IDS/IPS, antivirus software, and servers, for example, into a centralized console. But with the recent wave of new security tools, threat intelligence feeds, and constantly mutating threats, SOCs are drowning in anywhere from thousands to a million security alerts daily.
“A lot of companies have tool fatigue right now. There are a lot of tools that are partially implemented and not getting the care and feeding they need,” says DJ Goldsworthy, director of security operations and threat management at Aflac.
The flood of alerts and out-of-tune tools, compounded by the industry’s persistent talent gap and high turnover rate for junior-level SOC analysts, have forced some organizations to rethink and retool how they organize and run their SOCs.
In many cases, the evolution is being spurred by yet another tool: a new generation of security orchestration and automation platforms that run automated playbooks to enrich, deduplicate, and close or escalate alerts, replacing much of the manual work of clicking through each and every alert in search of that deadly needle in the haystack…
Another tool that’s changing Aflac’s SOC operation is deception technology, a next-generation take on the honeypot, which further reduces its false-positive alerts: decoys have no legitimate business use, so any interaction with one is by construction a high-fidelity signal rather than noise to be triaged. Goldsworthy calls its Attivo Networks deception tool “an insurance policy for the unknown.”
Goldsworthy says deception decoys give SOC analysts a “unique perspective” about attackers and their methods, which they can then share with other members of the team and, in turn, respond accordingly with proper defenses. “Deception also allows our security team to collaborate with and enable the business by allowing for more rapid adoption of new technologies because deception can be deployed wherever the business needs IT to go,” he says.
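As an added example, not code from the article, from Aflac, or from any vendor product, the following Python sketch shows what an automated triage playbook of the kind described above does with a batch of SIEM alerts: enrich each one against a threat-intel list and an asset inventory, collapse repeated alerts into a single case, auto-close what the enrichment fully explains, and escalate the rest with a stated reason. It also covers the deception point: any event that touches a decoy host is escalated as critical before any other rule is consulted, which is exactly the property that makes decoy alerts high-fidelity. Every IP address, feed entry, and alert here is constructed sample data, and the rule order and field names are assumptions for illustration.

```python
"""Minimal SOAR-style triage playbook over constructed SIEM alerts (illustrative)."""
from collections import defaultdict
from dataclasses import dataclass, field

# --- Constructed context sources (not a real environment or product) ---
KNOWN_BAD_IPS = {"203.0.113.7"}      # stands in for a threat-intel feed
SCANNER_IPS = {"192.0.2.10"}         # authorised internal vulnerability scanner
DECOY_HOSTS = {"10.9.9.9"}           # deception decoys: nothing legitimate talks to them
CRITICAL_ASSETS = {"10.1.1.5"}       # from a (constructed) asset inventory

# --- Constructed raw SIEM alerts: note the repeats from one noisy source ---
RAW_ALERTS = [
    {"id": 1, "src": "192.0.2.10",   "dst": "10.1.1.5",  "sig": "port-scan"},
    {"id": 2, "src": "192.0.2.10",   "dst": "10.1.1.6",  "sig": "port-scan"},
    {"id": 3, "src": "198.51.100.4", "dst": "10.1.1.5",  "sig": "ssh-bruteforce"},
    {"id": 4, "src": "198.51.100.4", "dst": "10.1.1.5",  "sig": "ssh-bruteforce"},
    {"id": 5, "src": "198.51.100.4", "dst": "10.1.1.5",  "sig": "ssh-bruteforce"},
    {"id": 6, "src": "203.0.113.7",  "dst": "10.1.1.20", "sig": "http-anomaly"},
    {"id": 7, "src": "10.1.1.20",    "dst": "10.9.9.9",  "sig": "smb-connect"},
    {"id": 8, "src": "10.1.1.21",    "dst": "10.1.1.22", "sig": "smb-connect"},
]


@dataclass
class Case:
    key: tuple            # (src, dst, signature): the dedup key
    alert_ids: list       # raw alerts folded into this case
    severity: str
    disposition: str      # "auto-close" | "escalate" | "queue"
    reasons: list = field(default_factory=list)


def enrich(alert):
    """Attach the context an analyst would otherwise look up by hand."""
    tags = set()
    if alert["src"] in KNOWN_BAD_IPS:
        tags.add("intel:known-bad")
    if alert["src"] in SCANNER_IPS:
        tags.add("asset:authorised-scanner")
    if alert["dst"] in CRITICAL_ASSETS:
        tags.add("asset:critical")
    if alert["dst"] in DECOY_HOSTS or alert["src"] in DECOY_HOSTS:
        tags.add("deception:decoy-hit")
    return {**alert, "tags": tags}


def decide(tags):
    """Playbook rules, first match wins. Returns (severity, disposition, reason)."""
    # Decoy hits are checked first: even the authorised scanner touching a decoy
    # is worth a human look (either a scope error or a compromised scanner host).
    if "deception:decoy-hit" in tags:
        return "critical", "escalate", "decoy touched; no legitimate traffic should reach it"
    if "asset:authorised-scanner" in tags:
        return "info", "auto-close", "source is the authorised vulnerability scanner"
    if "intel:known-bad" in tags:
        return "high", "escalate", "source matches threat intel"
    if "asset:critical" in tags:
        return "medium", "escalate", "target is a critical asset"
    return "low", "queue", "no enrichment hit; leave for routine review"


def run_playbook(alerts):
    """Enrich, deduplicate into cases, and dispose each case. Preserves first-seen order."""
    cases = {}
    for raw in alerts:
        a = enrich(raw)
        key = (a["src"], a["dst"], a["sig"])
        if key not in cases:
            sev, disp, why = decide(a["tags"])
            cases[key] = Case(key=key, alert_ids=[], severity=sev, disposition=disp, reasons=[why])
        cases[key].alert_ids.append(a["id"])
    return list(cases.values())


def summarize(cases):
    """Count cases per disposition."""
    counts = defaultdict(int)
    for c in cases:
        counts[c.disposition] += 1
    return dict(counts)


def triage_stats(alerts, cases):
    """How much of the raw volume actually reaches an analyst."""
    to_analyst = sum(1 for c in cases if c.disposition != "auto-close")
    return {"raw_alerts": len(alerts), "cases": len(cases), "for_analyst": to_analyst}


if __name__ == "__main__":
    cases = run_playbook(RAW_ALERTS)
    for c in cases:
        print(f"{c.severity:8} {c.disposition:10} alerts={c.alert_ids} {c.key} :: {c.reasons[0]}")
    print(summarize(cases))
    print(triage_stats(RAW_ALERTS, cases))
```

On the constructed batch, eight raw alerts collapse to six cases, two of which the playbook closes on its own, so four reach an analyst, each with the enrichment and the reason already attached. The decoy rule sits ahead of the scanner allowlist on purpose: an allowlist that silently swallows decoy traffic would throw away the one alert class the deception deployment exists to produce.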