By Rick McElroy, Carbon Black Security Strategist
The threat landscape is evolving. Your endpoints don’t just live within the safety of your corporate network – they’re out in the wild exposed to millions of new threats every day. With non-malware attacks on the rise that are even harder to detect than traditional malware, security professionals are realising it is no longer a matter of if they will be breached, but when.
To harden defences against advanced attacks, security operations centres (SOCs) across every industry have recognised the need for a proactive security posture that arms skilled teams with the people, processes, and technology to rapidly hunt and detect cyber threats. Speed stops breaches, but too many SOCs become beholden to their security stack and get buried in alerts, reducing triage efficiency and blurring the lines between high- and low-priority threats.
Striking the balance between people, intelligence, and automation can be extremely difficult. To illustrate the different areas that decision-makers in today’s SOCs need to master to remain agile, we believe there are five essential steps to consider:
- Invest in your team
46% of organisations report a “problematic shortage” of cybersecurity skills, and 87% say it is difficult to recruit and hire new cybersecurity talent. Building a high-performing security operations centre is challenging when skilled defenders are scarce.
So it’s essential to assemble and mentor a dynamic team with the right skills, one that keeps learning about your environment as it grows.
- Build on the basics
Do your people know what your tools are doing? A bigger budget for tools and tactics can certainly speed up your current processes, but don’t breeze past the basics: 80% of hacking-related breaches leveraged stolen and/or weak passwords. Move on to proactive and more offensive security only once you’re confident in your current deployment, configuration and tuning.
- Perfect your process
Don’t wait until after an incident to make sure you have all the data you need. 61% of SOCs surveyed say they are currently centralised into a single SOC, yet only 9% are centralising all of the data their tools generate. For a SOC to function efficiently, data about every new process and every file modification should be centralised in one place, to maximise visibility and streamline response during an investigation.
- Learn from every attack
88% of breaches fell into one of the nine patterns identified over the three years prior. Sometimes the best threat intel comes from inside your own environment. If threat hunting in a high-powered SOC is finding a needle in a haystack, don’t shovel the same hay twice: when you identify a new attack pattern, harden your defences against the next one.
- Embrace the community
Security teams around the globe are expected to wake up in the morning, come to work and stop every single attack. When an attack hits, don’t go it alone: participating in threat sharing can reduce the average cost of a breach by 8 million pounds.
For a thorough analysis of these and many more crucial elements of a high-speed SOC, download Carbon Black’s free guide on “Building a High-Speed SOC.”