Light Dark
March 6, 2018 By Paul Dwyer 3 min read
Intelligence & Analytics
Risk Management
Security Services

The mission of the security operations center (SOC) has historically focused on the coordination of a multilayered defense to detect, prevent and manage threats that could compromise the integrity of the technology infrastructure, business services or data. The security operations center framework allows users to stay ahead of emerging threats by analyzing security intelligence feeds, identifying relevant vulnerabilities, building use cases, developing rules, adding data sources, optimizing response procedures, and supporting ongoing rule tuning and management.

However, several key trends are transforming the security operations center mission, processes, functions, staffing and core capabilities. Below are four of the most significant changes driving this evolution.

  1. The migration to cloud-based infrastructure is transforming infrastructure and the associated monitoring into commodities. This approach relies on current technology and leverages automated patching to reduce exposure to known vulnerabilities.
  2. According to IBM X-Force Threat Research, the current threat landscape consists of 58 percent known threats and 42 percent unknown threats. This ratio is changing — in less than three years, the number of unknown threats will likely exceed the number of known threats.
  3. Cybercrime is growing around the world. Fraud and cybercrime are the U.K.’s most common offenses, with an estimated 3.6 million fraud crimes and an additional 2 million related to computer misuse. While other areas of crime, such as theft, are dropping, 1 in 10 adults reported that they had fallen victim to fraud or some other form of cybercrime, including a 39 percent increase in fraud against U.K.-issued cards.
  4. Digital transformation is changing nearly every aspect of business operations. It will require security professionals to be partners in the collaboration, planning, design, deployment and monitoring of these new processes.

Overhauling the Security Operations Center

To adapt to these trends, security teams must update their vision, mission and strategy to manage the transformation of SOC capabilities. Most SOCs begin their journey with a focus on infrastructure monitoring, which has long been considered the minimum level of monitoring for the SOC. As companies move more of their infrastructure to the cloud, however, this monitoring is increasingly the domain of cloud providers. The SOC must shift its focus toward validating the monitoring that is provided as part of the cloud service offering.

As the ratio of known to unknown threats skews toward the latter, the SOC must also find more efficient ways to deal with known vulnerabilities and create new capabilities to deal with unknown hazards. IBM is working with its clients to automate many of the activities related to the management of known threats, including:

  • Threat taxonomy;
  • Use case requirements;
  • Rule requirements and design;
  • Rule tuning and rule performance assessment;
  • Automation of level 1 monitoring functions (e.g., review alert, check for duplicates, check for false positives, public and private contextual data enrichment, classification decisions and disposition decisions);
  • Rule response procedures; and
  • Automation of mitigation steps.

This work must be automated through a combination of scripting, machine learning and cognitive analytics and executed by data scientists who are well-versed in these advanced analytical methods. Investment in this automation will free up SOC teams to identify and analyze unknown threats.

Watch the full session from Think 2018: Security Operations Centers and the Evolution of Security Analytics

The Transformative Power of Advanced Analytics

With these new tools and skills, SOCs can help position clients to use pattern analysis, statistical analysis, affinity analysis and machine learning models to streamline the task of monitoring the infrastructure, application, data and business process logs to detect unknown threats. The addition of big data tools, quantitative analytics and machine learning enables SOC teams to identify not only threats, but also a broader range of key business risks.

These trends will transform the security operations center into a risk analytics center that uses automation to track, manage and prevent both known and unknown threats. In addition, these capabilities will enable the risk analytics center to address a broad range of business risks using advanced data analytics.

The increasingly sophisticated capabilities of the risk analytics center will accelerate changes to security operations center best practices. As the silos within organizations break down to make way for more collaborative approaches to managing risk, the scopes within the SOC and risk analytics center will become broader, allowing them take on a more active role in managing an increasing number of business risks beyond traditional cyberthreats.

Learn more about building your security capabilities across all environments

 |  |  |  |  |  |  |  |  |  | 
Paul Dwyer
Partner - IBM Security

More from Intelligence & Analytics
October 30, 2023

Hive0051’s large scale malicious operations enabled by synchronized multi-channel DNS fluxing

12 min read - For the last year and a half, IBM X-Force has actively monitored the evolution of Hive0051’s malware capabilities. This Russian threat actor has accelerated its development efforts to support expanding operations since the onset of the Ukraine conflict. Recent analysis identified three key changes to capabilities: an improved multi-channel approach to DNS fluxing, obfuscated multi-stage scripts, and the use of fileless PowerShell variants of the Gamma malware. As of October 2023, IBM X-Force has also observed a significant increase in…

September 12, 2023

Email campaigns leverage updated DBatLoader to deliver RATs, stealers

11 min read - IBM X-Force has identified new capabilities in DBatLoader malware samples delivered in recent email campaigns, signaling a heightened risk of infection from commodity malware families associated with DBatLoader activity. X-Force has observed nearly two dozen email campaigns since late June leveraging the updated DBatLoader loader to deliver payloads such as Remcos, Warzone, Formbook, and AgentTesla. DBatLoader malware has been used since 2020 by cybercriminals to install commodity malware remote access Trojans (RATs) and infostealers, primarily via malicious spam (malspam). DBatLoader…

September 7, 2023

New Hive0117 phishing campaign imitates conscription summons to deliver DarkWatchman malware

8 min read - IBM X-Force uncovered a new phishing campaign likely conducted by Hive0117 delivering the fileless malware DarkWatchman, directed at individuals associated with major energy, finance, transport, and software security industries based in Russia, Kazakhstan, Latvia, and Estonia. DarkWatchman malware is capable of keylogging, collecting system information, and deploying secondary payloads. Imitating official correspondence from the Russian government in phishing emails aligns with previous Hive0117 campaigns delivering DarkWatchman malware, and shows a possible significant effort to induce a sense of urgency as…

Topic updates

 Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today
© 2024 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature