The new Devo eBook, Building the Modern SOC, presents four evolutionary steps for creating a highly automated and efficient security operations center (SOC) that empowers analysts. This is the last in a series of posts highlighting the most important elements of the four steps.
Previous posts covered Step 1, establishing a foundation of centralized, scalable visibility, Step 2, extracting intelligent insights from your data, and Step 3, supercharging your analysts with the power of automation. This post excerpts Step 4, streamlining processes to achieve higher SOC productivity.
The Four Steps, which Devo recommends you implement in order, are:
Step 1: Establish a foundation of centralized, scalable visibility.
Step 2: Extract intelligent insights from your data.
Step 3: Supercharge your analysts with the power of automation.
Step 4: Streamline processes to achieve higher SOC productivity.
Once you have completed the first three steps, it’s time to assess your SOC team’s capabilities, evaluate analysts’ relative strengths, and identify any remaining gaps that require training or additional resources. You will also be able to track how your SOC’s key performance indicators trend over time. Let’s look at ways to do that.
We have firmly established that context is king when it comes to enabling analysts to identify, triage, and respond to threats efficiently and effectively. To maximize the accuracy and speed of investigations, you should implement processes to ensure analysts don’t have to backtrack and waste time relearning things because the elements of previous investigations weren’t properly collected and organized.
Automating the capture of your team’s knowledge and the information they have gathered—IOCs, threat feeds, supplemental context, etc.—and storing it in an evidence locker for seamless access produces a mother lode of context that your analysts will use constantly as they work out how to better detect and respond to threats. Think of this step as giving your analysts the data and analytics to discover patterns in how they detect, triage, and respond to threats, and to learn from those patterns over time.
The investigation evidence your analysts will have readily available includes:
Another benefit is that automating evidence collection will significantly reduce duplication of effort during investigations and decrease threat fatigue for analysts. We can’t forget that analysts are people, too. No one enjoys repetitive, unfulfilling work that requires little thinking or creativity. When analysts spend too much of their workdays robotically gathering information from multiple systems, it diminishes their ability to effectively triage and investigate increasingly complex threats. Without automation, analysts spend about the same amount of time triaging and investigating a threat whether or not it is real, and whether or not it is highly impactful to your business. Automation can change that for the better.
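The following is an added example, not code from the eBook or from Devo's platform, of what the "evidence locker" described above looks like at its smallest: a store that normalizes indicators (refanging, case-folding, canonical IP form) so the same IOC recorded in different spellings by different investigations is one record, tells an analyst which prior cases already touched an indicator, caches enrichment so a second investigation does not re-query a threat-intelligence source, and surfaces indicators that recur across cases. The case IDs, sources, and indicator values are constructed for the example; the `lookup` callback stands in for whatever enrichment API the SOC actually uses.

```python
"""Added example: a minimal evidence locker shared across investigations."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple
from urllib.parse import urlsplit, urlunsplit
import ipaddress
import re

# Constructed, hypothetical evidence from three investigations. Values are
# deliberately inconsistent (defanged, mixed case, trailing dot) to show that
# normalization collapses them into a single record per indicator.
SAMPLE_EVIDENCE = [
    ("INC-1001", "domain", "Update-Cdn[.]example", "proxy logs", "beaconing every 60s"),
    ("INC-1001", "ip", "203.0.113.7", "firewall", "C2 egress"),
    ("INC-1002", "domain", "update-cdn.example.", "EDR", "resolved by macro payload"),
    ("INC-1002", "hash", "D41D8CD98F00B204E9800998ECF8427E", "EDR", "dropped file"),
    ("INC-1003", "url", "hxxps://update-cdn[.]example/a.php", "email gateway", "phish link"),
    ("INC-1003", "ip", "203.0.113.7", "netflow", "second sighting"),
]


def refang(value: str) -> str:
    """Undo common defanging so one indicator always has one spelling."""
    value = value.strip()
    value = re.sub(r"\[\.\]|\(\.\)|\{\.\}", ".", value)
    return re.sub(r"^hxxp", "http", value, flags=re.IGNORECASE)


def normalize(ioc_type: str, raw: str) -> str:
    """Canonical form per IOC type; raises ValueError on malformed input."""
    value = refang(raw)
    if ioc_type == "ip":
        return str(ipaddress.ip_address(value))  # validates; compresses IPv6
    if ioc_type == "domain":
        value = value.lower().rstrip(".")
        if not re.fullmatch(r"[a-z0-9-]+(\.[a-z0-9-]+)+", value):
            raise ValueError(f"not a domain: {raw!r}")
        return value
    if ioc_type == "url":
        parts = urlsplit(value)
        if parts.scheme not in ("http", "https") or not parts.netloc:
            raise ValueError(f"not an http(s) URL: {raw!r}")
        # Scheme and host are case-insensitive; path and query are not.
        return urlunsplit((parts.scheme, parts.netloc.lower(),
                           parts.path, parts.query, parts.fragment))
    if ioc_type == "hash":
        value = value.lower()
        if not re.fullmatch(r"[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64}", value):
            raise ValueError(f"not an MD5/SHA-1/SHA-256 hex digest: {raw!r}")
        return value
    raise ValueError(f"unknown IOC type: {ioc_type!r}")


@dataclass
class Evidence:
    ioc_type: str
    value: str                                   # normalized form
    sightings: List[Tuple[str, str, str]] = field(default_factory=list)  # (case, source, context)
    enrichment: Optional[dict] = None            # cached lookup result


class EvidenceLocker:
    def __init__(self) -> None:
        self._items: Dict[Tuple[str, str], Evidence] = {}

    def add(self, case_id: str, ioc_type: str, raw: str, source: str, context: str) -> Evidence:
        """Record a sighting; the same indicator from any case lands on one record."""
        key = (ioc_type, normalize(ioc_type, raw))
        item = self._items.setdefault(key, Evidence(*key))
        item.sightings.append((case_id, source, context))
        return item

    def prior_cases(self, ioc_type: str, raw: str) -> List[str]:
        """Distinct cases that already recorded this indicator, in any spelling."""
        item = self._items.get((ioc_type, normalize(ioc_type, raw)))
        return sorted({case for case, _, _ in item.sightings}) if item else []

    def enrich(self, ioc_type: str, raw: str, lookup: Callable[[str, str], dict]) -> dict:
        """Return enrichment, calling lookup(type, value) only on a cache miss."""
        item = self._items[(ioc_type, normalize(ioc_type, raw))]
        if item.enrichment is None:
            item.enrichment = lookup(item.ioc_type, item.value)
        return item.enrichment

    def recurring(self, min_cases: int = 2) -> List[Tuple[str, str, int]]:
        """Indicators seen in at least min_cases distinct cases, most common first."""
        rows = []
        for (ioc_type, value), item in self._items.items():
            n = len({case for case, _, _ in item.sightings})
            if n >= min_cases:
                rows.append((ioc_type, value, n))
        return sorted(rows, key=lambda r: (-r[2], r[0], r[1]))


def build_sample_locker() -> EvidenceLocker:
    """Load the constructed sample evidence into a fresh locker."""
    locker = EvidenceLocker()
    for row in SAMPLE_EVIDENCE:
        locker.add(*row)
    return locker


if __name__ == "__main__":
    locker = build_sample_locker()
    print("prior cases for 203.0.113.7:", locker.prior_cases("ip", "203.0.113.7"))
    print("recurring indicators:", locker.recurring())
```

The normalization step is where most of the value sits: without it, `Update-Cdn[.]example` from the proxy logs and `update-cdn.example.` from the EDR are two records, and the analyst on INC-1002 never learns that INC-1001 already saw the domain beaconing. Rejecting malformed indicators at ingest (rather than storing whatever was pasted) keeps the locker trustworthy enough that analysts stop re-verifying its contents.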
Why focus so much on process improvements? Well, many organizations do not believe their SOC is currently performing up to expectations. The 2020 Devo SOC Performance Report found that just 50% of respondents feel their SOC is effective, and only 55% are confident in their SOC’s ability to gather evidence, investigate, and find the source of threats. In other words, SOCs need fewer obstacles and less convoluted processes so analysts can work more effectively. Worse, the survey showed that even in organizations classified as “high performers” (those with relatively sophisticated incident response capabilities), only 51% of respondents believe their SOC has high interoperability with the company’s security intelligence tools. That is yet another sign that much work remains to be done in many SOCs.
Intelligent deployment of technologies that automate the investigative workflow will empower your analysts to do what they do best—focus on the threats that matter most to your organization. When a threat appears that your analysts haven’t seen before, it’s impossible for them to respond as they’ve done previously, because there is no “previously.” However, when responding to never-before-seen threats, they don’t have to abandon technology and go old school with manual investigations. You can automate the process of data collection and analysis, along with pattern recognition. With that information in hand, your analysts can enter the fight fully armed.
Implementing all four of these steps will establish the underpinnings of a modern SOC and deliver the visibility, instant access to enriched data, and automation of alerts and workflow that enable your analysts to detect, investigate, and respond to threats with a higher degree of confidence than before.
As you embark on the journey of implementing these critical steps, ensure you select a next-gen SIEM that can deliver all four steps in a single, integrated solution. Taking a piecemeal approach—one solution for visibility and insight, and another for workflow and automation, for example—will unfortunately re-create the same weaknesses of current SOCs that have created such painful working environments for analysts.
It’s time to ensure the technology foundation of your SOC is built to maximize the day-to-day workflow of your analysts. Download the full eBook Building the Modern SOC to learn how.
By Kevin Flanagan