The Great Unknowns for SOC Teams
In my last blog, I introduced the 9 Cs of Cybersecurity value. My goal was to help security teams keep pace with ever-evolving attack surfaces and attacker methods – we vendors, partners, and, indeed, all human beings need to work together to move security forward. One major way to do so is to erase the unknowns …
- of attack surfaces: Extend security beyond the data center network and endpoint to the public cloud, SaaS, and cloud-based identity.
- of modern attacker methods: Attackers can easily bypass prevention tools by leveraging authorized services and APIs.
- of siloed technology and tools: Remove anything that does not integrate or automate for enriched context, workflows, or response.
Recent Vectra research found security teams struggling to keep pace with cyberattacks. The lack of visibility, the lack of detection of modern attacks, and poor integration were cited as the top 3 reasons security tools fail to live up to their promise for 79% of security decision-makers. The reason: the great unknowns.
The burden of the great unknowns falls squarely on the shoulders of security operations center (SOC) teams. 83% of security teams feel outgunned against modern threats. The legacy tools they have in their arsenal are not keeping pace, as evidenced by the 72% of security teams who believe they may be compromised but do not know it. Visibility, threat detection, integration – these are promises security providers have made, but, according to security teams, many are failing to deliver on the promises.
Here at Vectra, we like to think upstream and discover the why. What we found is that the challenges SOC teams face boil down to 3 things:
- Coverage: the promise to ensure secure applications and data wherever they may be.
- Clarity: the promise to see threats in places others can’t and to stop them.
- Control: the promise to integrate and automate attack defense from beginning to end, top to bottom.
There are no more perimeters, and prevention does not suffice. Today, it’s all about defense-in-depth, trust but verify. We’ve all heard the clichés. (Even I have been guilty of using them on occasion.) But if we scrap the clichés and soundbites and think upstream, the one simple truth is that attack surfaces are expanding.
Data center networks and endpoint attack surfaces have always been under attack, but now we have AWS, Microsoft Azure, Microsoft 365, GCP, hundreds of SaaS applications, and dozens of cloud-based identity products. We have API calls from one service to another, weaving everything together into a perfect symphony. To SOC teams, this becomes the great unknown; to an attacker, it is a dream come true. Two-thirds of all attacks leverage authorized services and APIs to gain access to an organization’s applications and data, clearly giving them the upper hand. To eradicate the great attack surface unknowns, SOC teams need unified visibility to threat activity across all five attack surfaces – from data center networks and endpoints to public cloud, SaaS, and identity. They need coverage.
I empathize with the SOC leaders, architects, and analysts. They are getting hammered from all sides, and with SOC analysts in short supply, many are leaving their current jobs for greener pastures. Attackers have gained the upper hand. Tweaking and tuning tools is not what SOC teams signed up for. Legacy rules-based tools like SIEM and IDS fly blind into modern, high-speed attacks. So – think upstream? The answer to retaining and growing SOC talent and turning the tables on attackers is to erase the unknown that is modern attacker methods. It starts with reimagining the SOC workflow. Today, “we pump everything into our SIEM” is something we often hear, and we get it. The SIEM is a “single pane of glass” (another security cliché). But how can security create a rule for an attacker method that has not been identified? Even worse, once an attacker method becomes known, constantly tweaking and tuning SIEM rules and IDS signatures is an exhausting, inefficient, and ineffective method to tackle modern attackers.
Applying traditional approaches to modern attacker methods creates latency in the SOC workflow and incident response process. The last thing we need when it comes to detecting and responding to modern attacks is latency. Why give attackers more time? No, the best remedy for latency is context, which comes from coverage. Without complete coverage, SOC teams always lack context. Pumping more data into a SIEM does not equal coverage. Constantly tweaking and tuning technology does not deliver context. Erasing the attacker method unknowns requires removing latency from the SOC workflow. To this end, SOC teams need technology that captures, analyzes, and integrates context from all five attack surfaces at speed and scale. Arming oneself with rich context on attacker methods reduces latency in SOC workflows dramatically: it eliminates alert triage, and it integrates and automates the prioritization, investigation, and response processes and playbooks. SOC teams can then operate with what they truly need to erase attacker method unknowns – greater clarity.
When an ever-expanding attack surface meets ever-evolving attacker methods – coupled with a shortage of people and skills – it is no wonder that 83% of security teams feel outgunned and 72% think they may be compromised but do not truly know it. Despite growing investments in technology and tools, SOC teams still struggle to realize the value of their investments, largely because their tools often do not work together as promised. When technology and tools become siloed, the SOC suffers. When SOC teams jump from one tool to the next to identify and combat modern attacks, they effectively give attackers the upper hand. SOC teams need integrated technology and tools, and they need to work together to get ahead of attacks. They need to regain control.
All Together Now
With complete attack surface coverage, security teams get the context they need to achieve clarity, resulting in control. Coverage provides telemetry collected across all five attack surfaces – networks (NDR), endpoints (EDR), public cloud (AWS, Microsoft Azure, GCP, etc.), SaaS (Microsoft 365), and identity (Microsoft Azure AD). Clarity comes from analyzing said telemetry and surfacing and alerting to threats that truly matter. True control is realized when everything has been integrated and everything is working together to automate context enrichment, workflow, and response. The result: Erase the unknowns and build a more effective, efficient, and resilient SOC.
Erasing the Unknown with the Security AI-Driven Vectra Platform
Vectra is the leader in Security AI-Driven Threat Detection and Response. Only Vectra optimizes Security AI to help SOC leaders, architects, and analysts erase the unknown. We create the signal that sees attacks in places others cannot.
- With Vectra, you have coverage. Get attack visibility with context across all five attack surfaces – public cloud, SaaS, identity, network, and endpoint.
- With Vectra, you have clarity. Reduce alert noise by more than 80% by pinpointing attacker methods and prioritizing the threats that matter most to the business.
- With Vectra, you have control. Integrate with your existing stack for context, workflow, and controls to stop threats with less work, fewer tools, and less time.
For more information on the Vectra Platform, visit our platform page.