SOC modernization: 8 key considerations

CSO Online – Jon Oltsik
We are at a point where the scale and complexity of historical security defenses either aren't working or are stretched to their limits. This means CISOs need to think about security transformation, and as they do, every process and layer of the security technology stack is in play. My good friend Candy Alexander, president of ISSA International, and I will be discussing these trends during our RSA session on Tuesday morning (6/7).

Considerations for SOC modernization planning

1. The SOC architecture. Whether you call this a security operations and analytics platform architecture (SOAPA, ESG's term) or a cybersecurity mesh (Gartner's term), disparate technologies like EDR, NDR, SIEM, TIP, and SOAR need tight integration. This mashup can only work if it is anchored with an open, customizable SOC architecture.

2. Scale and performance. As the saying goes, "all data is security data." This requires a highly scalable cloud backend that can ingest real-time data feeds and deliver acceptable response times for complex queries.

3. Detection engineering. This means developing expertise with Yara rules (and Yara-L for Google Chronicle), Sigma rules, and Kestrel rules, while also participating in open-source projects like SNORT, BRO/Zeek, Suricata, etc.

4. MITRE ATT&CK affinity. Yes, security tools should support MITRE ATT&CK, but this must go beyond simply relating alerts to tactics and techniques in the matrix. Rather, they should contribute to and participate in these more complete use cases.

5. Risk-based context. To get this perspective, SOC modernization combines threat, vulnerability, and business context data for analysts. A quick look at the industry confirms this mixture is already happening.

6. Continuous testing. SOC modernization will drive demand for continuous testing and attack path management tools from vendors like AttackIQ, Cymulate, Randori, SafeBreach, and XMCyber.

7. Deception technology. Okay, this one may be a bit controversial, as most cybersecurity professionals think deception technology is only appropriate for elite practitioners, the infosec equivalent of Dumbledore. I believe it's time that deception technology is added as a layer of defense (and more) for SOC modernization.

8. Process automation. Technology integration makes things easier, low code/no code SOAR tools like those from Torq have alleviated the need for Python gurus, and many SOC technologies provide canned automation templates and workflows.
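To make the "detection engineering" consideration concrete, the following is an added example (not code from the CSO article or from the Sigma project) showing what a Sigma-style rule is mechanically: declarative field matchers grouped into named selections, plus a boolean condition over those selections, which a SIEM backend compiles into a query. The rule, the allow-listed parent process `ConfigMgrClient.exe`, and the process-creation events are all constructed for illustration; the evaluator supports only a subset of Sigma (exact, contains, startswith, endswith modifiers, list values, and and/or/not conditions).

```python
"""Toy evaluator for a Sigma-style detection rule over constructed log events.

Sigma rules are YAML; the rule below is the same structure written as a
Python dict so the example runs with no third-party dependency. String
matching is case-insensitive, as in Sigma's defaults.
"""
import ast

# Constructed rule: encoded PowerShell command lines, with one allow-listed
# parent process (hypothetical name) filtered out to cut known-good noise.
RULE = {
    "title": "Suspicious encoded PowerShell command line",
    "logsource": {"category": "process_creation", "product": "windows"},
    "detection": {
        "selection": {
            "Image|endswith": ["\\powershell.exe", "\\pwsh.exe"],
            "CommandLine|contains": ["-enc", "-EncodedCommand"],
        },
        "filter_admin_tool": {
            "ParentImage|endswith": "\\ConfigMgrClient.exe",  # constructed allow-list entry
        },
        "condition": "selection and not filter_admin_tool",
    },
    "level": "high",
}

# Supported value modifiers; None is a plain case-insensitive equality match.
MODIFIERS = {
    None: lambda value, pat: value.lower() == pat.lower(),
    "contains": lambda value, pat: pat.lower() in value.lower(),
    "startswith": lambda value, pat: value.lower().startswith(pat.lower()),
    "endswith": lambda value, pat: value.lower().endswith(pat.lower()),
}


def field_matches(event, key, patterns):
    """True if the field named in `key` ('Field|modifier') matches any pattern.
    Sigma ORs the values of a list; a missing field never matches."""
    field, _, modifier = key.partition("|")
    value = event.get(field)
    if value is None:
        return False
    if not isinstance(patterns, list):
        patterns = [patterns]
    match = MODIFIERS[modifier or None]
    return any(match(str(value), str(p)) for p in patterns)


def selection_matches(event, selection):
    """All field/pattern pairs inside one selection are ANDed."""
    return all(field_matches(event, k, v) for k, v in selection.items())


def evaluate_condition(condition, results):
    """Evaluate a condition such as 'selection and not filter' against the
    per-selection booleans in `results`. The grammar is parsed with `ast`
    and only and/or/not and selection names are accepted, so no arbitrary
    code is executed. Sigma's '1 of selection*' forms are not supported."""
    def walk(node):
        if isinstance(node, ast.BoolOp):
            values = [walk(v) for v in node.values]
            return all(values) if isinstance(node.op, ast.And) else any(values)
        if isinstance(node, ast.UnaryOp) and isinstance(node.op, ast.Not):
            return not walk(node.operand)
        if isinstance(node, ast.Name):
            if node.id not in results:
                raise ValueError(f"unknown selection in condition: {node.id}")
            return results[node.id]
        raise ValueError("unsupported condition syntax")
    return walk(ast.parse(condition, mode="eval").body)


def rule_matches(rule, event):
    """Evaluate every named selection, then combine them via the condition."""
    detection = rule["detection"]
    results = {name: selection_matches(event, sel)
               for name, sel in detection.items() if name != "condition"}
    return evaluate_condition(detection["condition"], results)


# Constructed process-creation events (Sysmon-like field names).
EVENTS = [
    {"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe -nop -enc QQBCAEMA",
     "ParentImage": "C:\\Windows\\System32\\cmd.exe"},
    {"Image": "C:\\Program Files\\PowerShell\\7\\pwsh.exe",
     "CommandLine": "pwsh.exe -EncodedCommand QQBCAEMA",
     "ParentImage": "C:\\Program Files\\ConfigMgrClient.exe"},
    {"Image": "C:\\Windows\\System32\\notepad.exe",
     "CommandLine": "notepad.exe report.txt",
     "ParentImage": "C:\\Windows\\explorer.exe"},
    {"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe -File .\\inventory.ps1",
     "ParentImage": "C:\\Windows\\explorer.exe"},
]


def run_rule(rule, events):
    """Return the indices of events that trigger the rule (what a SIEM would alert on)."""
    return [i for i, ev in enumerate(events) if rule_matches(rule, ev)]


if __name__ == "__main__":
    for i in run_rule(RULE, EVENTS):
        print(f"[{RULE['level']}] {RULE['title']}: event #{i} {EVENTS[i]['CommandLine']}")
```

Only the first event alerts: the second is caught by the selection but suppressed by the parent-process filter, which is the everyday shape of detection engineering work (a broad selection tuned with explicit, reviewable exclusions rather than a weakened pattern).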
Link: https://www.csoonline.com/article/3658230/soc-modernization-8-key-considerations.html

