Security Operations Centers (SOCs) are on the front lines of defending systems, networks and devices. Whatever the size of the organization it protects, the SOC’s strategy is responsible for ensuring that technologies keep working properly without being affected by cyberattacks.
Technologies are constantly changing the way that SOC professionals operate. But what are the greatest SecOps issues facing these leaders today? And what has been a game-changer for SOC professionals?
The prevalence of cyberattacks, the relentless evolution and persistence of those attacks, and the need for ever more effective (or automated) solutions are continual. In addition, as the modes of working have also changed, so, too, has the approach to security.
Christian Sorensen, founder and CEO of SightGain, spoke with SOC leaders from some of the country’s largest and most complex companies to get their insights on the game-changers that are shaping their security operations strategies and approach to work.
Here are a few of the most pressing SOC strategy challenges facing chief information security officers, cybersecurity executives and the systems they oversee today.
Ongoing Staffing Challenges Shape Security Operations Strategy
Among the most critical positions, and historically those that have been difficult to fill, are those related to endpoint security, data security and network security. Too often, leaders have spent too long searching for talent, constrained by proximity and geography.
Today, however, the remote workforce is alleviating some of the staffing issues that are traditionally problematic.
Paul Keener, senior vice president and head of cybersecurity operations for City National Bank, noted that the rise of remote work has been a game-changer.
“It allows us to build more effective teams because you’re not limited by geography. You’re not limited necessarily by location,” Keener said. “So, the talent pool widens out. You can give people the opportunity to live wherever they want as long as they do the job that they need to do.”
The efficacy of cybersecurity operations does not seem to be adversely affected by the shift to remote work either, Keener said.
“The difference between right now and what we were doing (is minimal),” Keener said. “The collaboration tools make it much, much easier to close the gap and close the distance. It doesn’t replace the human interaction, but in the event that you can’t go to Alaska for the one person that lives up there, (it works).”
How Shifting to Remote Work Influences SOC Strategy
The drastic shift in recent years to more remote work has forced organizations to think more broadly about the scope of networks, end-user computing and security.
Remote work has become the norm across industry sectors. Are businesses prepared to address the challenges of sustained, perhaps permanent, remote work as part of their security operations strategy? Josh Copeland, security director (cyber) for AT&T, noted that the shift has raised awareness and understanding of both the impact of and the need for cybersecurity.
“People are finally understanding what the cybersecurity impact is to the business,” Copeland said. “Before, it was, ‘I make widgets. I don’t need to worry about cybersecurity,’ but now they understand that all your machines run on computers.”
What’s more, those systems and networks – from the website, to ordering, to purchase orders to accounting and finance – are linked. The ongoing efforts to educate employees about the interrelationships of technology and their role in cybersecurity are paying off.
“Everything’s now interconnected. It’s all online,” Copeland said. “(There’s an) understanding that there’s now inherent risk that they have to not only take into account but mitigate. Now you can actually talk that risk with them and they understand, ‘This is a problem. This is something I have to address,’ rather than go to the corner and play with their computers.”
SOC Strategy Must Focus on Diagnosing and Analyzing Attacks
Cyberattacks are increasingly sophisticated, with complex threat vectors and attack modes. The rise of ransomware attacks, for example, has crippled many businesses and organizations from both a financial and reputational standpoint.
In addition, there has been a dearth of tools available to help SOC staff understand how an attack occurred, what was compromised, and the status of affected devices and systems.
Fortunately, there is a change occurring in the cyberdefense industry. For Xavier Ashe, senior vice president of security operations for Truist, the recent advances in technology have been a game-changer.
“Moving from legacy endpoint security to the newer (technologies) — that deep telemetry on the endpoint — has made all the difference,” Ashe said.
Previously, IT staff would have to deduce whether malware did any damage before it was blocked. This work entailed pulling out drives, looking at disk images and poring through network logs as part of the forensic analysis necessary once an attack is discovered.
“Endpoint telemetry has really changed the way we do incident response and protection across the board,” Ashe said.
With more intelligence available on endpoints, the role of detective has become easier, Ashe noted. Instead of looking for artifacts, SOC professionals are able to look at the data to determine what processes and connections were made during the attack.
“You now know exactly what happened on that endpoint and it’s just getting better,” he said.
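To make the point above concrete, here is an added example (not from the article, and not any vendor's product code) of how an analyst can reconstruct "what happened on that endpoint" from process-creation and network-connection telemetry. The event schema, the field names and the sample events are all constructed for this demonstration; a real EDR feed will use its own schema, but the reconstruction logic is the same: walk parent links up from the alerted process, collect everything it spawned, and list the connections those processes made.

```python
"""Reconstruct an attack timeline from endpoint telemetry.

Added example for this article; it is not code from the article or from any
EDR product. The event schema is an assumption: each event is a dict with a
'type' of 'process' (process creation) or 'network' (outbound connection).
"""
from collections import defaultdict

# Constructed sample telemetry from a single host. Every value is made up.
# pid 30 is the process that raised an alert; pid 50 is unrelated activity.
SAMPLE_EVENTS = [
    {"ts": 100, "type": "process", "pid": 10, "ppid": 1,  "image": "explorer.exe",
     "cmdline": "explorer.exe"},
    {"ts": 105, "type": "process", "pid": 20, "ppid": 10, "image": "winword.exe",
     "cmdline": "winword.exe invoice.docm"},
    {"ts": 106, "type": "process", "pid": 30, "ppid": 20, "image": "powershell.exe",
     "cmdline": "powershell.exe -File update.ps1"},
    {"ts": 107, "type": "network", "pid": 30, "dst": "203.0.113.7", "port": 443},
    {"ts": 108, "type": "process", "pid": 40, "ppid": 30, "image": "rundll32.exe",
     "cmdline": "rundll32.exe stage2.dll,Run"},
    {"ts": 109, "type": "network", "pid": 40, "dst": "198.51.100.9", "port": 8443},
    {"ts": 110, "type": "process", "pid": 50, "ppid": 10, "image": "notepad.exe",
     "cmdline": "notepad.exe"},
    {"ts": 111, "type": "network", "pid": 50, "dst": "192.0.2.5", "port": 80},
]


def index_events(events):
    """Split telemetry into a process table (pid -> creation event) and a
    per-pid list of network connections, both in time order."""
    procs = {}
    conns = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["type"] == "process":
            procs[ev["pid"]] = ev
        elif ev["type"] == "network":
            conns[ev["pid"]].append(ev)
    return procs, conns


def ancestry(procs, pid):
    """Walk parent links from pid to the root; returns pids ordered root -> pid.
    The 'seen' set guards against pid reuse producing a cycle in the data."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        chain.append(pid)
        pid = procs[pid]["ppid"]
    return list(reversed(chain))


def descendants(procs, pid):
    """Every pid transitively spawned by pid, sorted by creation time."""
    children = defaultdict(list)
    for p in procs.values():
        children[p["ppid"]].append(p["pid"])
    found, stack = set(), [pid]
    while stack:
        for child in children[stack.pop()]:
            if child not in found:
                found.add(child)
                stack.append(child)
    return sorted(found, key=lambda p: procs[p]["ts"])


def timeline(events, pids):
    """Chronological list of every event involving the given pids."""
    wanted = set(pids)
    return [ev for ev in sorted(events, key=lambda e: e["ts"]) if ev["pid"] in wanted]


def trace_alert(events, alerted_pid):
    """Answer the analyst's questions for one alert: where did the process come
    from, what did it spawn, and what did that subtree talk to."""
    procs, conns = index_events(events)
    lineage = ancestry(procs, alerted_pid)
    subtree = [alerted_pid] + descendants(procs, alerted_pid)
    connections = [(pid, c["dst"], c["port"]) for pid in subtree for c in conns.get(pid, [])]
    return {
        "lineage": [procs[p]["image"] for p in lineage],
        "subtree": subtree,
        "connections": connections,
        "timeline": [(ev["ts"], ev["type"], ev["pid"]) for ev in timeline(events, subtree)],
    }


if __name__ == "__main__":
    summary = trace_alert(SAMPLE_EVENTS, 30)
    print("lineage:    ", " -> ".join(summary["lineage"]))
    print("subtree:    ", summary["subtree"])
    print("connections:", summary["connections"])
    for ts, kind, pid in summary["timeline"]:
        print(f"  t={ts} {kind:8} pid={pid}")
```

The lineage answers "how did this start" (a document viewer launching a script host), the subtree answers "what else did it do" (a further child process), and the connection list is what gets handed to the network team for blocking and to threat intel for enrichment. The unrelated `notepad.exe` activity on the same host is correctly left out because it does not descend from the alerted process.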