Niall Browne, Chief Information Security Officer at Palo Alto Networks, offers insights into the core principles on which the SOC of the future should be built.
We’re all feeling the impact of the COVID-19 pandemic. It has changed everything, from how we live, to where we work, to how we communicate. With our collective attention turned to the well-being of our people and communities, it seems like a moment to take a pause.
But cyberattacks don’t stop. The threat landscape persists. And insidious bad actors are looking to leverage chaotic situations in hopes of catching us with our defenses scattered or adrift.
Many businesses and governments must continue vital activities. They play a central role in the recovery process or simply provide services that keep the economy moving. With employees working at home, securing the remote workforce has moved front and center.
Organizations are facing an unexpected paradox. On the one hand, their activities may have been deemed “non-essential” and their staff sent home in hopes of flattening the curve. And yet there is little doubt that providing continuous, high levels of cybersecurity remains essential.
That means you have to keep your cybersecurity brain center—your Security Operations Center (SOC)—up and running. The SOC must continue to identify and remediate threats, constantly and in real time. This requires a new mindset. It means rethinking how SOCs are operated from this point forward.
Ditch the Frankenstein Model
You’re all familiar with Frankenstein’s monster, that lifeform thrown together in a laboratory. Sadly, too many SOCs are built and operate on the Frankenstein model, with different, disjointed tools that don’t communicate well with each other, cobbled together to create this lumbering form.
These SOC products don’t integrate, do not support automation and are being held together through the heroics of the SOC engineers. No matter how hard you try to force the different parts of the SOC together, it still looks and moves like Frankenstein’s monster.
Manual Playbooks Aren’t the Answer
Another challenge is that those security engineers manning your SOC are relegated to using manual checklists—playbooks—they’ve put together to try to determine which alerts to respond to and how to react. There is little automation or intelligence, but plenty of inefficiency.
This means that SOC engineers are taking each alert, finding the playbook for that corresponding alert and manually running through the steps to investigate and remediate the event. It could be that the playbook has a dozen sequential steps and takes an hour to painstakingly run through. In the interim the SOC analyst is missing dozens of new alerts.
This has to be one of the most inefficient business practices in technology, and the worst part is that companies have accepted this as the normal way of doing business.
Now that many SOC engineers have been sent home, those inefficiencies have been amplified, and the Frankenstein model is beginning to stumble badly.
In short, Frankenstein may once have been an acceptable operating model, but it doesn’t scale. And it doesn’t work, not in your SOC under “normal” conditions and definitely not now.
Charting a New Path
With your SOC teams working remotely, this is actually an opportune time to rethink your SOC’s design and management. At Palo Alto Networks, our SOC is based on three core principles, and these could be easily implemented by any organization.
Principle 1: Interoperability
Your SOC should be built using products designed—from the start—to interoperate. This is critical, as you can’t move from manual to automated without first conquering the Frankenstein model. All products must be able to communicate with one another regardless of where your tools are located, where the data activity is occurring and where your people are working.
Principle 2: Automation
Only once interoperability has been adopted as a core principle of your SOC can you begin the critical work of automation. All the important actions must be automated rather than rely extensively or solely on manual intervention. Playbooks are now automated, running 24/7/365, and are triggered to handle the steps essential to prevent, detect and remediate potential problems. Searching for indicators of compromise, isolating the users and systems, launching forensics or other tasks all should take place without SOC administrators’ manual operations. Instead of overwhelmed SOC analysts having to run through manual checklists that could take a mind-numbing hour, the necessary remediation happens automatically—in minutes, or even seconds.
Principle 3: Collaboration
Not only does collaboration have to take place within the SOC itself, it also must happen among all your users. Most SOC analysts have developed their own playbooks from scratch over a period of years. What’s even more problematic is that even if a SOC analyst creates an exceptional playbook, only that particular SOC benefits from the work. Keep in mind that many organizations have different SOCs in different locations.
Collaboration must be a key principle here, and who has taught us the lessons of collaboration better than hackers, who routinely share tips and tricks to force their way into our data? If hackers collaborate, why shouldn’t cybersecurity professionals?
We have created hundreds of automated playbooks to propagate across SOCs, potentially saving organizations years of effort and large sums of money. But why stop there? Your SOC strategy should promote collaboration across your entire organization. If your credit card company detects suspicious activity, it typically texts you and asks you to validate via a yes/no question. The same should take place for potential security events. A text can be automatically generated by your SOC to ask a user if they logged into the network from Russia at 3 a.m. If the answer is no, an automated remediation playbook can be triggered.
Now, instead of having a physical SOC with perhaps 10 engineers, you have a virtual SOC composed of everyone in the company—perhaps thousands of people. Collaboration is an exceptional force multiplier in re-architecting your SOC and securing your company.
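As an added illustration that is not from the post or any Palo Alto Networks product, here is the alert-to-confirmation-to-remediation flow described above written as a small automated playbook in Python. The alert fields, the `ask_user` callback (standing in for the yes/no text message) and the action names are assumptions that a real SOAR platform would map onto its own integrations.

```python
"""Automated playbook sketch: an unusual-location, odd-hours login alert triggers
a user confirmation step; a 'no' (or no reply) triggers automatic remediation.
All data here is constructed; nothing is taken from a real platform."""
from dataclasses import dataclass, field

# Night window assumed for "odd hours": 00:00 up to but not including 05:00.
NIGHT_START, NIGHT_END = 0, 5


@dataclass
class Alert:
    """Constructed alert record; field names are assumptions, not a vendor schema."""
    user: str
    src_country: str          # country the login came from
    login_hour: int           # local hour of the login, 0-23
    usual_countries: set      # countries this user normally logs in from


@dataclass
class PlaybookResult:
    actions: list = field(default_factory=list)   # ordered list of steps taken


def is_suspicious(alert: Alert) -> bool:
    """Login from a country the user does not normally use, during night hours."""
    odd_hours = NIGHT_START <= alert.login_hour < NIGHT_END
    return alert.src_country not in alert.usual_countries and odd_hours


def run_playbook(alert: Alert, ask_user) -> PlaybookResult:
    """ask_user(user, question) returns True (yes), False (no) or None (no reply).

    The callback stands in for the automated text message the post describes."""
    result = PlaybookResult()
    if not is_suspicious(alert):
        result.actions.append("close:benign")
        return result
    question = (f"Did you log into the network from {alert.src_country} "
                f"at {alert.login_hour:02d}:00? Reply yes/no")
    answer = ask_user(alert.user, question)
    result.actions.append("notify_user")
    if answer is True:
        # The user confirmed the activity: record it and close without escalation.
        result.actions.append("close:user_confirmed")
        return result
    # 'no' or no reply within the window: treat as a likely compromise and remediate
    # without waiting for an analyst to walk through a manual checklist.
    result.actions += ["revoke_sessions", "isolate_host",
                       "collect_forensics", "open_incident"]
    return result
```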
A Smart Model for the Future
For business executives and board members who are fanatically concerned about improving their cybersecurity profile but lack a deep technical knowledge, we recommend you talk to your CISO and SOC analysts. Ask them about these three principles and find out exactly how your organization’s SOC can be improved in an era of remote work.
When your organization applies these three principles, it no longer matters if your SOC engineers are working in an access-controlled room or in a VPN-connected home office. That’s not only comforting for organizations trying to cope with today’s remote-access work environment, it also liberates them to rethink the way they design and operate their SOC.
Security is central to our lives and our work. This pandemic has struck us in ways most of us could never have imagined. As organizations cope and look to the future, it’s time to consider a more innovative SOC model that can do more for your security.