The Bedrock of a Post-COVID-19 Security Operations Center

The Bedrock of a Post-COVID-19 Security Operations Center
Author: Anup Deb, Palo Alto Networks
Date Published: 24 July 2020

Given the profound impact of COVID-19, a constantly evolving threat landscape, constraints of operating a Security Operations Center (SOC) remotely, increased remote workforce, disparate managed and unmanaged endpoints, an avalanche of phishing, malicious campaigns masquerading in the name of COVID-19 and the evolving business demands, sadly, a traditional SOC isn’t good enough. It is within this context that organizations are adapting quickly to respond to the pervasive risk and imminent exposure to threats – the need to redefine, re-engineer and re-architect their security posture and best practices.

Cybersecurity experts are helping organizations to reinvent their security operations, building a modern SOC on the premise of cloud-native analytics to combine AI/ML and user behavior analytics to monitor the spectrum of an organization’s infrastructure, including network, endpoints, and cloud, as a foundation to developing proactive protection, detection and response capabilities enforcing zero trust. This relegates a traditional SIEM primarily to collecting logs, generating alerts and meeting compliance needs. The evolving emergence and relevance of a technology category called XDR (Extended Detection and Response) is becoming critical given the need to defend increasingly powerful, sophisticated attacks and organizations’ critical assets. Organizations rarely store activity gathered from endpoint detection and response (EDR) or Network Traffic Analytics (NTA) or cloud in a SIEM due to cost, scale and visualization limits. The ability for an XDR platform to provide insights and context with the rich set of data to stitch together network, endpoint and threat activity can enable ML-based detection and simplify investigations.

Another key aspect of a modern SOC is the trend of bringing in process orchestration, combined with automation as a key driver to control threats and execute response actions with precision, scale and consistency. Let me illustrate the benefits of automation by sharing an example of a common use case of phishing alerts that continue to be a severe challenge for analysts. Today’s unprecedented environment has provided adversaries with an opportunity to exploit COVID-19-related support engagements. As a result, we are witnessing millions of malicious campaigns, including phishing, email scams and advanced malware as adversaries continue to attack organizations, disguising themselves as reputable institutions. Some spear phishing attacks are highly sophisticated and are sometimes indistinguishable from real emails, resulting in compromise through human error and most often lack of cybersecurity awareness and hygiene. Security analysts, as a result, spend a lot of time coordinating between teams following a set of processes. Imagine the life of an analyst who consumes a lot of time to coordinate across email inboxes, threat intel, endpoints, firewalls, ticketing systems and other tools. The challenge for an analyst is to navigate and pivot across different consoles, data conventions, and context, making it extremely difficult for security teams to investigate while minimizing risk. This problem can be handled by bringing in efficiency and agility through automation that substantially helps a security analyst to focus more time on productive areas such as threat hunting.

One of the most critical areas in ensuring an effective modern SOC is having both tactical and strategic threat management capabilities that add scalability to both external and internal data in real-time, to provide a comprehensive strategy to combat threat vectors. Any given incident is aligned to the MITRE ATT&CK framework that provides the basis for adopting techniques outlined by threat hunters, ensuring complete coverage and recommendations to detect against the unknown, both internal and external. Threat hunting services combine threat hunters with decades of deep experience in digital forensics, malware analysis, cyber threat intelligence and advanced data science that provides a perfect balance to reduce the time and resources that are required for identifying threats and vulnerabilities. This approach allows organizations to build a solid foundation to incorporate threat profiles and trend analysis within an SOC, forming the basis of proactive threat management. In recent times, related COVID-19 activity has led to a substantial increase in volume of attacks; threat hunting is a smart addition to an organization arsenal to combat the challenge.

The trends created and accelerated by the pandemic, and the proliferation of organizations’ infrastructure, has given us an opportunity to look inward and rethink security practices, augmenting the SOC across the key pillars of people, process and technology. The goal should be to drive strategic business outcomes by enabling modern security practices through zero trust, process orchestration and automation, collaboration and threat management. This forms the bedrock of a modern SOC.

About the author: Anup Deb leads the MDR Practice across the APAC region for Palo Alto Networks. Anup comes with a rich background of working in the cybersecurity industry, having specialized in the area of cybersecurity - risk and compliance domain. He is also a subject matter expert in incident response. Throughout, Anup has been an eminent speaker at industry events and conferences across the region. An active blogger, he possesses excellent communication and presentation skills and is decorated with multiple professional awards. Anup has also previously worked with emerging technology start-ups and leading IT companies globally.