Are SOCs failing? People-centric security is key in attack detection

Whether it's machine learning, next-generation anti-virus (NGAV) or endpoint detection and response (EDR), no matter how good the technical systems and capabilities, they are worthless without the right people to support them. While there is evidence to suggest that passive monitoring techniques, often used in SOCs (Security Operation Centres), have some success in detecting low-level threats, they have never been enough to overcome sophisticated attack techniques. Rather than waiting for a technical system to fire off an automated alert, a more proactive approach is required.

The secret to this is people-centric security. Crucial to the success of SOCs is a team of highly skilled individuals to provide support and to interpret and investigate any findings appropriately. However, simply having a team of experts is not enough. Rather, organisations need to remind themselves that their people are at the heart of their success. The effectiveness of a SOC largely relies on constantly stimulating the skills and intelligence of that team.

SOCs – are they failing?

When you see organisations spending huge amounts of money on security measures that fail to spot 95 percent of simulated attacks, it's hard to believe SOCs are effective. In order for an organisation to see a clear return on its SOC investment – an investment that can currently see millions spent and effectively nothing gained – it needs to ask where its efforts are best focused.

One of the first mistakes organisations tend to make when securing their cyber-activity is to jump to a preconceived solution without first thinking the problem through. For example, they may assume that by purchasing technology to "monitor" their huge quantity of firewall logs, they will be secure. But very often, less is more. There is a risk that SOCs will end up with a mountain of data that is almost impossible to process, along with a huge number of daily alerts, of which the overwhelming majority are false positives.

In any SOC, it's people who are at the heart of success, and a very smart and intuitive team is needed for an attack detection system to prove effective overall. However, such employees would not stay interested in a job that, in the extreme, consisted of mind-numbing attempts to process a mountain of alerts that were very hard to verify and were overwhelmingly false positives, whilst simultaneously being blind to a large number of critical attack scenarios. A SOC team needs to be tackling work that is rewarding and intellectually stimulating. If an organisation's SOC is set up to enable its analysts to focus on the important aspects of the job – the parts that deliver results – instead of overwhelming them with huge quantities of data that they cannot effectively action, they will be able to improve their skills, develop experience and remain engaged in their role.

Instead of jumping to a solution that doesn't solve the underlying problem, the trick is for organisations to focus on what matters to them and the resulting requirements. Organisations need to ask themselves what type of threat actors they are trying to protect themselves from; what specific types of attacks do they need to detect; and which parts of the Cyber Kill Chain they should be focused on. These questions can all be addressed by taking a more personal/people-centric approach to an organisation's cyber-security strategy.

Threat hunting

In addition, a more proactive approach to the use of SOCs can be complemented by the technique of threat hunting, a method which focuses on actively seeking out signs of attack. Threat hunting is focused on generating hypotheses about attacks and proactively hunting for evidence that proves or disproves each hypothesis.

Regardless of how advanced the technology becomes, threat hunting will remain a people-centric activity, with the tech enhancing the capabilities of the team rather than supplanting them. Knowing what to look for is essential, and it is not just about looking for attacks that are in progress, but seeking out traces that point towards attacker activity in the past, or activity that shows an attacker positioning themselves to launch a more significant attack in the future. The most successful people for this job are security professionals who take an 'offensive' approach and have been trained in attack techniques: someone who has experience in successfully compromising organisations and so best understands the tell-tale signs to look for.

Enhancement not replacement

Rather than replacing SOCs, threat hunting teams can work alongside an existing SOC, feeding into its normal working practices. No amount of programming can quite match the intuition or adaptability of an experienced threat hunter, and this will make all the difference in successfully detecting a targeted attack and responding effectively so as to contain the incident before the attacker's end goal has been reached. Consequently, it is vital that organisations aim to take a people-centric approach to their cyber-security strategy.

Failing security teams start with assumed technology solutions and use people to get the most out of the technology. Successful security teams start with the right people and use technology to get the most out of the people.

Contributed by Luke Jennings, Chief Research Officer for Countercept at MWR InfoSecurity

*Note: The views expressed in this blog are those of the author and do not necessarily reflect the views of SC Media or Haymarket Media.