The Second Critical Step to Building the Modern SOC

November 25, 2020

The new Devo eBook, Building the Modern SOC, presents four evolutionary steps for creating a highly automated and efficient security operations center (SOC) that empowers analysts. This is the second in a series of posts about the four steps that highlight some of the most important concepts. The first post covered Step 1, which is about establishing a foundation of centralized, scalable visibility. This post excerpts Step 2, extracting intelligent insights from your data.

The Four Steps, which Devo recommends you implement in order, are:

  1. Establish a foundation of centralized, scalable visibility.
  2. Extract intelligent insights from your data.
  3. Supercharge your analysts with the power of automation.
  4. Streamline processes and achieve higher SOC productivity.

Once you have centralized all your data in the cloud, you need to make sure your analysts don’t drown in it. After all, analysts are ultimately responsible for analyzing data and turning it into insights for decision-making. The key to extracting value from your centralized data comes from deploying real-time alerting that’s built for the needs of your business. Too many alerts (in other words, alerting on everything, which is the default for many SIEMs) generate noise, but not results. A tsunami of alerts slows down the detection process and overwhelms analysts.

What analysts really need are high-signal detections that focus on the known, the unknown, and the specific entities involved in a threat. High-signal detections give analysts what they deserve: data they can actually use to see and stop the threats that matter most to your organization quickly and accurately.

The Value of Threat Intelligence

For effective detection, the most important weapon in your analysts’ arsenal is threat intelligence. When there are too many IOCs for analysts to focus on, how do you make sure team members are matching against everything they possibly can? Speed is important, but accuracy is critical. To keep ahead of the relentless assault of threats, analysts must be able to match IOCs at scale, and in real time, in a seamless, no-touch way. That’s why the key to accelerating and simplifying investigations is automated enrichment.

Analysts need the full threat picture, and they need it instantly to defend against sophisticated, relentless attackers. Automated enrichment enables analysts to see a clear, complete picture of the threat landscape without having to spend valuable time manually querying multiple tools. A next-gen SIEM must provide a context-rich view of entities, alerts, and prior learning to speed detection and, ultimately, triage and investigation.

Seek a SIEM solution that automatically enriches events and investigations with:

Auto enrichment improves operational efficiency and frees analysts to apply their expert knowledge to intelligently detect, triage with confidence, and move to investigation quickly and decisively. Research shows it takes skilled nation-state hackers less than 19 minutes from the time they compromise the first device in an organization to move laterally toward the assets and data that matter. Speed is vital for detecting threats before they harm your business.

Key takeaway

Detection without context and intelligence is like throwing darts while blindfolded. You might hit the target, but the odds of a bullseye are slim. Analysts need automatic context so they can do their work efficiently and effectively. They need to know who is doing what (“Is this a domain controller or an intern’s laptop?”). Context greatly improves the ability to triage and investigate alerts and enables analysts to focus on the threats that matter most to your organization. In the 2020 Devo SOC Performance Report, 68% of respondents say one of the top reasons working in a SOC is so painful is that there are too many alerts to chase. Give your analysts tools that streamline their workflow and the way they triage those high-quality alerts so they can quickly pinpoint the most dangerous threats.

The next post in this series will cover Step 3, which is all about supercharging your analysts with the power of automation. But if you can’t wait, go ahead and download the full eBook Building the Modern SOC.
