1. Alert handling powered by AI and machine learning
Achieved through machine learning engines in Security Information and Event Management (SIEM) and network and endpoint detection and response (NDR/EDR) solutions
The reason this matters is that alert fatigue is one of the main challenges SOC analysts struggle with today. Analysts often need to handle thousands of alerts per day, validate their relevance and importance, and eliminate false positives. According to a Ponemon study, less than 10% of security alerts are reviewed by analysts, which illustrates the scale of the problem and the case for machine learning.
Machine learning improves the validation and prioritisation of incoming alerts, so detection quality depends less on the skills and experience of the individual analyst and the SOC service becomes more consistent overall.
2. Automated and orchestrated response
Delivered through a Security Orchestration, Automation and Response (SOAR) solution
The big win this brings to a SOC is a significantly faster response, which limits the damage an attack can do. In documented cases the time to resolve a security incident has been reduced by more than 70%.
A useful side effect is that the additional context SOAR collects simplifies investigations, allowing analysts to make better remediation decisions.
The benefit is clear: by reducing manual processes and the time spent reacting to false positives, the SOC team gains more time for skills-based work.
3. Elastic scalability combined with low operations and maintenance cost
Achieved through a cloud-delivered Security Information and Event Management (cloud SIEM)
SOC maintenance and updates are costly and time consuming, and can easily represent between 50K and 100K per year depending on the size of the SOC.
Additionally, because resources in most SOCs are already scarce, the focus needs to be on detection, investigation and response rather than on operational tasks.
Another driver for cloud SIEM is that the log sources a SIEM handles are increasingly generated by cloud applications and systems. Those sources are elastic by nature and scale on demand, so the same elasticity is expected from the SIEM that ingests them.
4. Support diverse data sources including cloud logs and detections from EDR and NDR combined with threat intelligence
Security logs alone provide limited coverage and context and, in some cases, can be manipulated by attackers to cover their tracks (for example by clearing or disabling logging on a compromised host), which limits the effectiveness and coverage of a SOC.
Cloud, endpoint and network data are therefore crucial to see the complete picture and to run active investigations and threat hunting.
5. Mapping to the MITRE ATT&CK framework
ATT&CK stands for 'Adversarial Tactics, Techniques, and Common Knowledge' and is a globally accessible knowledge base of adversary tactics and techniques based on real-world observations. It catalogues hundreds of techniques used by a wide variety of threat groups.
It is a reference point for the SOC provider to measure attack coverage and discover detection gaps, allowing them to prioritise the investments needed to improve the effectiveness of the SOC.
This can be done by using breach and attack simulation technology to validate the MITRE ATT&CK coverage of the SIEM, EDR and NDR technology used in the SOC. Such simulations confirm, per technique, whether the SOC can actually detect a specific attack campaign rather than merely having a rule that claims to.
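The coverage measurement described above, as an added example that is not Westcon's code or part of any product mentioned on this page. It assumes a rule inventory in which each SIEM/EDR/NDR rule is tagged with the ATT&CK technique IDs it is meant to detect, a campaign profile (the techniques a breach and attack simulation replays, each with its tactic), and the list of rules that actually fired during the simulation. Rule names and all data are constructed for illustration; the technique IDs are real ATT&CK Enterprise identifiers. The example distinguishes claimed coverage (a rule exists for the technique) from validated coverage (the rule fired when the technique was simulated), which is the gap list a SOC would prioritise.

```python
"""Added example: ATT&CK coverage and gap analysis from a rule inventory and a
breach-and-attack-simulation run. Not Westcon's code; all data is constructed."""
from collections import defaultdict

# Constructed rule inventory. Rule names are hypothetical; technique IDs are
# real ATT&CK Enterprise identifiers.
DETECTION_RULES = [
    {"name": "EDR: encoded PowerShell command line", "source": "EDR",
     "techniques": ["T1059.001", "T1027"]},
    {"name": "SIEM: new scheduled task created", "source": "SIEM",
     "techniques": ["T1053.005"]},
    {"name": "NDR: DNS tunnelling heuristic", "source": "NDR",
     "techniques": ["T1071.004", "T1048.003"]},
    {"name": "EDR: LSASS memory access", "source": "EDR",
     "techniques": ["T1003.001"]},
    {"name": "SIEM: Windows event log cleared (1102)", "source": "SIEM",
     "techniques": ["T1070.001"]},
]

# Constructed campaign profile: technique ID -> ATT&CK tactic, as a simulation
# tool would replay it end to end.
CAMPAIGN = {
    "T1566.001": "initial-access",
    "T1059.001": "execution",
    "T1053.005": "persistence",
    "T1003.001": "credential-access",
    "T1021.002": "lateral-movement",
    "T1070.001": "defense-evasion",
    "T1071.004": "command-and-control",
    "T1048.003": "exfiltration",
}

# Constructed simulation outcome: which rules actually produced an alert.
SIMULATION_FIRED = [
    "EDR: encoded PowerShell command line",
    "SIEM: new scheduled task created",
    "NDR: DNS tunnelling heuristic",
]


def build_coverage_index(rules):
    """Map each technique ID to the set of rule names that claim to detect it."""
    index = defaultdict(set)
    for rule in rules:
        for technique in rule["techniques"]:
            index[technique].add(rule["name"])
    return index


def assess_coverage(campaign, rules, fired_rules):
    """Compare claimed versus validated detection for every campaign technique.

    claimed   - at least one rule is tagged with the technique
    validated - one of those rules fired during the simulation
    gaps      - no rule at all (buy/build a detection)
    silent    - a rule exists but stayed quiet (tune the rule or its data source)
    """
    if not campaign:
        return {"claimed_pct": 0.0, "validated_pct": 0.0, "gaps": [],
                "silent": [], "tactics_without_validated_detection": []}
    index = build_coverage_index(rules)
    fired = set(fired_rules)
    claimed = {t for t in campaign if t in index}
    validated = {t for t in claimed if index[t] & fired}
    gaps = set(campaign) - claimed
    silent = claimed - validated
    total = len(campaign)
    return {
        "claimed_pct": round(100.0 * len(claimed) / total, 1),
        "validated_pct": round(100.0 * len(validated) / total, 1),
        "gaps": sorted(gaps),
        "silent": sorted(silent),
        # Tactics with no validated detection are the first places the
        # campaign would progress unseen, so they head the investment list.
        "tactics_without_validated_detection":
            sorted({campaign[t] for t in gaps | silent}),
    }


if __name__ == "__main__":
    report = assess_coverage(CAMPAIGN, DETECTION_RULES, SIMULATION_FIRED)
    print(f"claimed coverage:   {report['claimed_pct']}%")
    print(f"validated coverage: {report['validated_pct']}%")
    print("gaps (no rule):     ", report["gaps"])
    print("silent rules:       ", report["silent"])
    print("tactics to fix:     ", report["tactics_without_validated_detection"])
```

Run against the constructed data, claimed coverage is 75% but validated coverage is only 50%: the LSASS and log-clearing rules exist yet did not fire, and nothing covers phishing or SMB lateral movement. That split is the point of pairing ATT&CK mapping with simulation: a rule inventory alone overstates what the SOC will actually see.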
Westcon NGS provides partners with the expertise, experience and technologies they need to deliver Next Gen SOC services, enabling them to benefit from the recurring revenues this market is driving.
Find out more about Westcon NGS here or contact your local Westcon account manager. If you want to understand how our NGS portfolio can address Next Gen SOC requirements or specific use cases, reach out to our pre-sales teams for a demo.