How Does a Security Operations Center Add Value To Your Cybersecurity Strategy?

This increased spending is in response to a rise in cyber attacks in the region, as it grows in global economic and strategic significance. When it comes to security, however, it’s not how much you spend that counts – it’s how wisely you spend it. You need the right strategy to ensure a fast return on investment, to protect your business and customers, and to avoid costly complexity.

Research shows cybersecurity spending is growing rapidly in the Middle East, expected to reach US$1.9 billion this year [1].

This increased spending is in response to a rise in cyber attacks in the region, as it grows in global economic and strategic significance. When it comes to security, however, it’s not how much you spend that counts – it’s how wisely you spend it. You need the right strategy to ensure a fast return on investment, to protect your business and customers, and to avoid costly complexity.

Consultancies like Gartner and IDC have championed the Security Operations Center (SOC) as the way forward for businesses who want efficient orchestration of their cybersecurity efforts. But is a SOC the right way to enhance your cybersecurity strategy? And is building a SOC, which is potentially a high-cost project, accessible and worthwhile for every kind of business… including yours?

What is a Security Operations Center?

To answer these questions and see the true value of the SOC, let’s start by looking at what a SOC actually is. You might be picturing a room with high-tech equipment and a team of serious-looking cybersecurity experts. However, not all SOCs look like that.

A SOC is a specialized facility for detecting, assessing, preventing and responding to cyber threats. The SOC might also be responsible for compliance with security regulations.

Arguably the main advantage is that security is centralized. This can help you:

• Enhance security by coordinating security monitoring and orchestrating the threat response,
• Gain greater control and insight by bringing previously-disparate security efforts together in a cohesive strategy. The SOC team continuously increases its expertise,
• Increase cost-efficiency by consolidating your security technologies and team.

For many businesses, then, the SOC does not simply add value to the cybersecurity strategy. It completely transforms it.

Does setting up a SOC take lots of capex and physical space?

A big question for businesses new to SOCs is: do we have the budget and space to build a dedicated cybersecurity facility? According to GBM’s 7th Annual Security Survey, 55% of the Gulf Organizations have their SOC onsite, and 81% prefer security operations on-premises [2].

However, SOCs come in many forms – and not all of them are located on-premises. The SOC approach is adaptable for businesses of all sizes. The main varieties of SOC include:

• The managed SOC service – Hosted and monitored off-site by a managed service partner, it does not require a large up-front investment and leverages the partner’s security expertise
• The virtual SOC – A reactive solution staffed by a part-time team with no dedicated facility, ideal for smaller businesses who want to run their SOC in-house
• The dedicated SOC – A fully in-house facility and team, suitable for larger enterprises

A cost-benefit analysis can help you choose the right kind of SOC solution for your needs.

How does the SOC fit your particular security strategy?

As we’ve seen, the SOC comes in a range of flavors. But the customization doesn’t end there. In fact, your SOC solution should be designed to fit your unique cybersecurity strategy and challenges. For example, if you…

• Need to manage insider threats; a SOC can combine physical data with cyber data to quickly identify perpetrators.
• Want to detect attacks more effectively; your SOC could monitor a huge range of activities including DNS records, firewall breaches, active “honey” accounts, and other suspicious transfers. More importantly, it can help you combine all this data to prevent and respond to attacks much faster.
• Are utilizing cloud to increase cost-efficiency; a SOC can help you monitor the effectiveness of cloud-based security services and manage business risks.
• Need Machine Learning for SOC – Although machine learning is not a silver bullet for cybersecurity, there will always be a man trying to find weaknesses in systems or ML algorithms & to bypass security mechanisms. What’s worse, now hackers are able to use machine learning to carry out all their nefarious endeavors. Machine learning services can aid in solving the most common tasks including regression, prediction as well as classification. In the era of extremely large amount of data & cybersecurity talent shortage, ML seems to be an only solution to move towards AI. In fact, 62% of the Gulf organizations are likely to invest in Artificial Intelligence for cyber security to predict attacks better. [3]

Below are a few cases where Machine Learning can be used in the SOC:

• Machine Learning for Prevention & Detection

The ability to continually & dynamically learn what’s “normal” in behavior, traffic patterns & usage across an organization’s environment helps machine learning-enabled tools to be more effective in finding & preventing new attacks. For security operations practitioners, machine learning an important ally in the identification of threats & proactive blocking of known bad activity. This will help focusing on faster investigation & incident response.

• Machine Learning for Incident Response

With machine learning, millions of variables & data points can be analyzed automatically to pinpoint anomalies that could be indicators of compromise. By ingesting threat intelligence & using a combination of both supervised & unsupervised learning security operations teams can use machine learning to make meaningful improvements to incident response programs. For example, to illustrate similar anomalies that have arisen previously, thus squeezing the window of diagnosis of the incident or shortening the investigation time, which in turn improves productivity by giving them key points of reference, enriching the data & even potentially deploying the proper incident response playbook. The security operations team can make real progress in driving down incident response metrics with the likes of MTTD & MTTR.

• Machine Learning for SOC Management

Less-often talked about is the application of machine learning to day-to-day SOC management since not many organizations & tools support the depth of machine learning capability. Machine learning has the ability to not only get smarter about the activity that flows through your SOC. As an example, your SOC may have one analyst who is phenomenal at handling web attack or phishing cases & is able to investigate as well as remediate them faster than other analysts. Machine learning can enable your SOC management systems & teams to get smarter & act faster for handling a particular type of threat by assigning to that analyst when the next such case arise.

These are just a few use cases. Your own SOC project should start with an assessment of your own use cases, which you can build your solution around & then gradually move towards automation using ML.

If you’d like to have more information about SOC and how GBM can deliver the SOC solutions and services you need, please visit our website .

[1] https://gbmme.com/newsroom/breached-or-not-breached-exploring-the-shift-from-prevention-towards-detection-and-response-in-the-gulf-region/

[2] https://gbmme.com/newsroom/breached-or-not-breached-exploring-the-shift-from-prevention-towards-detection-and-response-in-the-gulf-region

[3] Gartner, October 2018: ;https://www.gartner.com/en/newsroom/press-releases/2018-10-22-gartner-says-middle-east-and-north-africa-enterprise-information-security-spending-will-grow-9-percent-in-2019