Building a Future-proof Intelligent Security Operations Center (SOC), Part 2
Security Intelligence Platforms (SIP) are universal and extensible security analytics solutions that offer a holistic approach towards maintaining complete visibility and management of the security posture across the whole organization. Only by correlating both real-time and historical security events from logs, network traffic, endpoint devices and even cloud services and enriching them with the latest threat intelligence data it becomes possible to identify previously unknown advanced security threats quickly and reliably, to be able to respond to them in time and thus minimize the damage.
They are in a sense “next generation SIEM solutions” based on RTSI technologies, which provide substantial improvements over traditional SIEMs both in functionality and efficiency:
- Performing real-time or near real-time detection of security threats without relying on predefined rules and policies;
- Correlating both real-time and historical data across multiple sources enables detecting malicious operations as whole events, not separate alerts;
- Dramatically decreasing the number of alarms by filtering out statistical noise, eliminating false positives and providing clear risk scores for each detected incident;
- Offering a high level of automation for typical analysis and remediation workflows, thus significantly improving the work efficiency for security analysts;
- Integrating with external Threat Intelligence feeds in industry standards like STIX/TAXII to incorporate the most recent security research into threat analysis.
Another key aspect of many SIP products is incorporation of Incident Response Platforms. Designed for orchestrating and automating incident response processes, these solutions not only dramatically improve a security analyst’s job analyzing and containing a breach, but also provide predefined and highly automated workflows for managing legal and even PR consequences of a security incident to reduce possible litigation costs, compliance fines and brand reputation losses. Modern SIP products either directly include incident response capabilities or integrate with 3rd party products, finally implementing a full end-to-end security operations and response solution.
By dramatically reducing the number of incidents that require interaction with an analyst and by automating forensic analysis and decision making, next generation SIPs can help address the growing lack of skilled people in information security. As opposed to traditional SIEMs, next generation SIPs should not require a team of trained security experts to operate, relying instead on actionable alerts understandable even to business persons, thus making them accessible even for smaller companies, which previously could not afford operating their own SOC.
Now, what about the future developments in this area? First of all, it’s worth mentioning that the market continues to evolve, and we expect its further consolidation through mergers and acquisitions. New classes of security analytics solutions are emerging, targeting new markets like the cloud or the Internet of Things. On the other hand, many traditional security tools like endpoint or mobile security products are incorporating RTSI technologies to improve their efficiency. In fact, the biggest obstacle for wider adoption of these technologies is no longer the budget, but rather the lack of awareness that such products already exist.
However, the next disruptive technology that promises to change the way Security Operations Centers are operated seems to be Cognitive Security. Whereas Real-Time Security Intelligence can provide security analysts with better tools to improve their efficiency, it still relies on humans to perform the actual analysis and make informed decisions about each security incident. Applying cognitive technologies (the thing closest to the artificial intelligence as we know it from science fiction) to the field of cybersecurity promises to overcome this limitation.
Technologies for language processing and automated reasoning not only help to unlock vast amounts of unstructured “dark security data”, which until now were not available for automated analysis, they actually promise to let the AI to do most of the work that a human analyst must perform now: collect context information, define a research strategy, pull in external intelligence and finally make an expert decision on how to respond to the incident in the most appropriate way. Supposedly, the analyst would only have to confirm the decision with a click of a mouse.
Sounds too good to be true, but the first products incorporating cognitive security technologies are already appearing on the market. The future is now!