IBM Security QRadar


Why Access to the Right Security Data is Critical to the SOC

By Matthew Gardiner posted Thu May 14, 2020 11:28 AM

For Security Operations Center (SOC) analysts or incident responders to do their jobs effectively, it is critical that they have access to the right data exactly when it is needed. It is nearly impossible to continuously detect threats, conduct investigations, and manage responses without the right data readily available. And there is no better way to miss real threats or to waste precious time than to make your analysts continuously chase data!

While at times a SOC’s demand for data and the associated integrations can seem insatiable, this is for good reason. The key indicators associated with threats and breaches are unpredictable and are often scattered across time and place, so collecting, correlating, and analyzing these data, and investigating with them, is key. In fact, in the recently published eBook from the Cyber Resilience Think Tank, Transforming the SOC: Building Tomorrow’s Security Operations, Today, recommendation #7 was stated simply: “Get the Right Data”. Without the right data on hand, the automation of responses will remain an interesting theory and a perpetual future goal.

What is the Right Data?

What is the “right” data? Of course, this depends on your organization, but the data collected and used needs to support the key functions of a SOC, which are: Monitoring, Incident Response, Threat Intelligence Management, Threat Hunting, Vulnerability Management, Remediation, Reporting, and supporting collaboration with outsourced SOC service providers, if they are in use. For this raw and voluminous data to be useful, it needs to be collected, analyzed, and actioned in SOC tools such as SIEMs, SOARs, EDRs, and Threat Intelligence Management Platforms.

Given how popular email and the web are as attack vectors – far and away the #1 and #2 attack channels respectively – every organization should make the collection of security data from these channels a very high priority. What type of data from these channels is needed? Not surprisingly, the full list is too large to fit here, but it includes: sender IP and email addresses, malicious domains, blocked URL clicks and web sites, lists of the most targeted users, and detected malware with its associated file hashes, to name just a handful. And where should this data be consumed, correlated, analyzed, and leveraged for investigations? Directly in your SOC’s SIEM, SOAR, and Threat Intelligence Management systems. How else can it be made immediately actionable by your SOC?

The Criticality of Your SOC

Given the criticality of your SOC and its central role in threat detection, investigation, and response, if your email and web security systems can’t easily feed data into these tools, make a move to security systems that can. Being cloud based is no reason for security controls not to be integrated. Losing security visibility when moving security controls to the cloud is not acceptable and would be a significant setback for your SOC.

To learn how Mimecast and IBM are working together to make the SOCs of our joint customers more efficient and effective and to see demonstrations of exactly how the products work together, join us at this webinar.

#QRadar
#Resilient