The evolution of the Security Operations Center (SOC)
Security Information and Event Management (SIEM) platforms have gradually become the center of the SOC. A SIEM produces a variety of security detections (alerts) that security analysts have to respond to. Usually, a tier 1 analyst performs the initial triage of SIEM alerts and escalates high-priority ones to tier 2 or tier 3 for more thorough threat hunting. The goal is to identify which actions the SOC team should take, how to stop a breach, and how to prevent one in the future.
To help the SOC team investigate and respond to security issues quickly, new technologies such as Security Orchestration and Automation (SOAR) have been introduced to assist security analysts. Automating many low-level tasks is valuable and SOAR has great potential, but it also comes with a few challenges. First, security analysts have to know what to automate. A rule such as “if there are too many brute-force logins, then lock down the account” is not effective automation. Analysts are reluctant to automate such responses because they lack confidence in the underlying analysis.
The gap between Detection and Response
The gap between detection and response is the manual effort a security analyst must spend investigating each alert, either to dismiss it as a false positive or to uncover the details of an attack so it can be remediated.
When a security alert arrives, a security analyst will ask…
- Is it real?
- What is the impact?
- How to clean up if it is real?
- How to prevent it if it is a false positive?
- If it is worth automating, how to automate it?
- Is it safe to automate?
Security teams face these challenges constantly. Unfortunately, their ability to review every alert and fully investigate potential threats is limited by the time-consuming effort each alert requires. Consequently, security teams ignore early threat activity and only triage high-priority alerts, which increases the risk of missing attacks.
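As an added illustration (not code from the original article), the blunt brute-force playbook from above is shown beside a triage routine that answers "is it real?" and "what is the impact?" before choosing a response. The authentication events, addresses and the per-user known-IP inventory are constructed for the example and stand in for SIEM data and asset context.

```python
from collections import defaultdict

THRESHOLD = 5  # failed logins before the brute-force alert fires

# Constructed sample auth events, not real data: (user, source_ip, outcome).
# alice mistypes her password from her usual workstation, then gets in;
# bob is sprayed from several unknown addresses and one of them succeeds.
EVENTS = [("alice", "10.0.0.5", "fail")] * 5 + [("alice", "10.0.0.5", "success")]
EVENTS += [("bob", f"198.51.100.{n}", "fail") for n in range(7, 12)]
EVENTS += [("bob", "198.51.100.12", "success")]

# Assumed context an analyst would consult: each user's known source addresses.
KNOWN_IPS = {"alice": {"10.0.0.5"}, "bob": {"10.0.0.9"}}

def naive_rule(events):
    """The playbook the article criticises: count failures, lock on threshold."""
    fails = defaultdict(int)
    for user, _ip, outcome in events:
        if outcome == "fail":
            fails[user] += 1
    return {user for user, n in fails.items() if n >= THRESHOLD}

def triage(events, known_ips):
    """Answer 'is it real?' and 'what is the impact?' before picking a response."""
    state = defaultdict(lambda: {"fails": 0, "sources": set(), "success_from": None})
    for user, ip, outcome in events:
        s = state[user]
        if outcome == "fail":
            s["fails"] += 1
            s["sources"].add(ip)
        elif outcome == "success":
            s["success_from"] = ip
    verdicts = {}
    for user, s in state.items():
        if s["fails"] < THRESHOLD:
            continue  # the alert would not have fired for this user
        known = known_ips.get(user, set())
        unknown_sources = s["sources"] - known
        if s["success_from"] is not None and s["success_from"] not in known:
            # Failures followed by a success from an address never seen for this user
            verdicts[user] = ("real", "lock_account")
        elif unknown_sources:
            # Guessing from unknown addresses with no success: contain the sources
            verdicts[user] = ("likely_real", "block_source_ips")
        else:
            # All failures from the user's own known address: most likely a typo
            verdicts[user] = ("benign", "notify_user")
    return verdicts
```

The naive rule locks both accounts, including alice's, while the triage routine reserves the lockout for the case where the evidence actually shows a compromise.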
The better response lies in better analysis.