Top 5 Challenges Faced by Security Operations Centers (SOCs)

On September 3, 2021

In the digital warfare against cyber threats, the SOC (security operations center) in any company or organization is the battle station, and all the security experts and analysts play the role of “FRONTLINE WARRIORS”. These enterprise security operations centers, on average, have to encounter anything between ten thousand and a million alerts every day, and as the warriors are understaffed, they have very little margin for error.

Just as soldiers in an army need to be on constant vigil, the frontline security experts need to be completely alert to any kind of suspicious activity and be ready to take prompt action, be it against real threats or perceived ones in the form of false positives.

As hackers constantly improvise and improve their methods of attack, CISOs have been prompted to up their game and design their cyber security systems to keep up with the highly sophisticated attacks unleashed by the hackers. With the scenario shifting from “if the attack occurs” to “when the attack occurs”, the cyber security team ensures that the system is designed to prevent attacks rather than act only when attacked. This further helps alleviate the damage caused by the breach to the organization.

In keeping with this line of thinking, organizations today are setting up SOCs (Security Operations Centers) and CSIRTs (Computer Security Incident Response Teams). SOCs consist of highly skilled IT individuals solely equipped to deal with the safety and security of the IT framework. They work round the clock and keep an eye out for vulnerable spots that could lead to an intrusion. The scope of a SOC is much wider as compared to the CSIRT, which is more focussed on incident response management. The CSIRT team also consists of skilled IT experts who may work in accordance with the SOC or work independently. Their job is to receive, analyze and respond to cyber threats.

Let’s look at the top five challenges faced by the SOC team:

  1. Large Volumes of Security Alerts: The SOC team is attacked with a barrage of security alerts, some of which may be genuine and some of which may be false alerts. Going through these alerts and sorting them is a mundane and extremely time-consuming task, and precious analyst time is lost. It is also possible that in the process some of the real threats are overlooked, causing real damage to the organization.

  2. Lack of Skill Set and Developed Resources: One of the rising challenges of the SOC is the lack of a competent skill set necessary for protecting the resources.

    We can term this the information-security skill-set gap. In the ISACA/RSA study, 52.44% of respondents felt that 1/4 of the available resources in their companies are not competent enough to qualify to work in their respective domain and do not justify working in their respective positions.

    These resources who have the info-skill gap pose a serious threat to an organization. Because of this info-skill gap, a resource is unable to identify how to secure the assets of the company, what tools should be deployed at an optimum level, and what type of solutions should be deployed to avert a cyber attack.

    This downside poses a significant risk to an organization. If these resources are unable to perceive the risk and the importance of applying protective measures, it is bound to hamper the ability to mitigate risk and scale back the impending threats.

    This results in instability as people come and go and no effort is made to bridge the gap. Instead, the ideal scenario is to educate the existing team by conducting appropriate webinars and sessions under the supervision of experts in the field. This would definitely yield positive results by reducing the time between incident detection and response.

  3. Management of Diverse Security Tools: The use of multiple security tools such as SOC and CSIRT, though extremely advantageous, has its share of challenges. The main one is handling and monitoring data from multiple data points or sources.

    Typically a SOC deploys a combination of 15 to 25 or more security tools or technologies. This results in chaos as the SOC is unable to handle the multiple combinations of these security tools.

    This creates the need for a centralized platform from where the information will be generated. Further, this allows the SOC team to have an eagle’s eye view on security and enables them to proactively manage and deploy the right tools, bridging the gap between incident alert and response.

  4. Explosive Growth in Endpoints: Almost three decades back, network designers pondered the prospect of toasters on the local area network. As incredible as the notion was at that time, technology has incontestably improved and is being upgraded on a daily basis. There has been a massive surge in the use of endpoints such as laptops, mobiles, tablets, desktops etc. All the endpoint devices that are connected have to be maintained and controlled from a single central platform of the network, which is a huge task.

    The exponential growth in the use of endpoints has put tremendous pressure on the security personnel who need to monitor these on a day-to-day basis. It is estimated that at least twenty-two billion endpoints are in use on a daily basis. As per Cisco’s report, this is estimated to double in size by the end of 2020.

    This poses a huge challenge for the SOC as they have to manage the increasing costs without compromising the security of the network.

  5. Rapid Changes in Security Standards and Technology: As organizations vary in sizes and security needs, a “one size fits all” solution won’t work. A tailor-made solution that caters to the different security needs depending on the type of businesses and the level of security requirements is recommended to keep data safe and secure. Even within a large organization, it is quite possible to have different layers of security frameworks. Moreover, with the evolving range of threats, security standards too have to be revised and upgraded frequently.

    Security frameworks such as NIST, Gartner’s PPDR, CIAS, ISO 27001 etc. are some of the best options that any company can opt for when defining their security framework. Once the framework is shortlisted, it will require acute planning, a bonded investment, good technology partners, and timely execution.


We can therefore conclude that Security Operations Center (SOC) team members or Computer Security Incident Response Team (CSIRT) experts are the frontline warriors of any organization. With adequate knowledge transfer, training, and deployment of good security tools and solutions, they will definitely be able to safeguard the organization from any type of breach or threat, just like any warrior does on the battlefield.