
Improve Data Utilization to Modernize the SOC

The Ability to Think Global, Act Local is One of the Hallmarks of a Modern Security Operations Center

If you want to modernize your SOC to focus on detection and response, you need to start by capturing the right data. A central repository, continuously updated with new data and observations and curated to ensure relevance, provides the foundation you need. The next challenge is improving data utilization by collaborating with the teams and organizations that make up your entire enterprise to mitigate risk across your environment. Basically, you’re applying the concept of “think global, act local” to security operations to achieve enterprise-wide risk management.

When I talk about collaboration here, I’m referring to passive collaboration, or sharing information across teams and systems from a single source of truth. Often, when one team member researches an event or alert and doesn’t find information that is relevant to them, they tend to put that information aside and move on to the next task. Or they may take action based on the information and consider it no longer important. But the reality is that the information could still be important to someone else working in a different context. Even if you recognize this behavior as unproductive and try to do something proactively to change it, security teams are organized into silos and each uses its own tools, so utilizing data across teams to take advantage of potential synergies is complex. And when organizations are geographically dispersed, collaboration tends to be even more cumbersome, inconvenient and less likely to happen. Passive collaboration simplifies the complexity by seamlessly incorporating collaboration into security operations.

Think about the following scenarios:

● Government entities with distinct threat intelligence teams and missions that are federated and need to collaborate and share relevant intelligence. 

● Commercial organizations with locations worldwide or segmented business units that have different risk profiles based on geographic-, partner- and sector-specific nuances. 

● Managed Security Services Providers (MSSPs) that provide multi-sector or geographic coverage to their customers.  

A subset of data needs to be sent to each team or location for consistent detection around the globe and to ensure global security risk is covered. However, privacy and data segregation requirements unique to teams, locations and customers further complicate the ability to utilize data across these entities. The trick is to enable and manage collaboration as part of existing workflows without further burdening your already stretched security team.

Typically, organizations have one central team responsible for collecting, analyzing and prioritizing internal and external threat and event data to provide relevant threat intelligence. To enable passive collaboration of threat intelligence, this team needs the ability to further curate the threat intelligence based on parameters set by the entities they are working with, so that each time data is transferred it is already curated for local consumption.

Bi-directional communication is also important so that the central team can collect feedback on the disseminated intelligence. This feedback enables them to better understand the security posture of the global organization with respect to specific threats they are tracking, highlighting trending intelligence and pinpointing areas of weakness in the coverage. As each subsidiary manages security incidents, uncovers new threats or finds additional context around known threats, this feedback can also be stored in the central repository, which serves as organizational memory. When new data and learnings are added to the platform, intelligence can be automatically reevaluated and reprioritized.
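To make the curation and feedback loop concrete, here is an added example (written for this editorial pass, not code from the original article or from ThreatQuotient) of a central repository being filtered per receiving entity and rescored from downstream feedback. The Indicator schema, the SharingPolicy fields, the use of TLP labels as a sharing cutoff, the scoring weights and every indicator value are assumptions constructed for the example; it also adds a coverage-gap check, which goes slightly beyond the text, to show how "areas of weakness in the coverage" can be surfaced from the same data.

```python
"""Policy-driven curation of a central threat-intelligence repository for
local consumption, plus feedback-driven reprioritization.

Illustrative code added for this article: it is not ThreatQuotient's or any
vendor's implementation. The indicator schema, policy fields, TLP cutoff
semantics and scoring weights are all assumptions chosen for the example."""
from dataclasses import dataclass, field

# TLP 2.0 labels ordered from least to most restrictive. Treating the label as
# a simple sharing cutoff is an assumption for this example, not TLP policy.
TLP_RANK = {"CLEAR": 0, "GREEN": 1, "AMBER": 2, "AMBER+STRICT": 3, "RED": 4}


@dataclass
class Indicator:
    value: str
    kind: str                     # "ipv4", "domain", "sha256", ...
    tlp: str                      # label assigned by the originating source
    sectors: frozenset            # sectors the intel is relevant to (empty = all)
    regions: frozenset            # regions it is relevant to (empty = all)
    source: str                   # feed or team that contributed it
    base_score: int               # central team's initial priority, 0-100
    sightings: dict = field(default_factory=dict)   # entity -> count (feedback)


@dataclass
class SharingPolicy:
    """Parameters set by the receiving entity (subsidiary, region, MSSP customer)."""
    entity: str
    sectors: frozenset
    regions: frozenset
    max_tlp: str                                  # most restrictive TLP allowed out
    blocked_sources: frozenset = frozenset()      # data-segregation rule
    min_priority: int = 0


def priority(ind):
    """Reevaluate an indicator from central scoring plus downstream feedback:
    sightings from more distinct entities weigh more than repeats from one."""
    distinct = len(ind.sightings)
    total = sum(ind.sightings.values())
    return min(100, ind.base_score + 15 * distinct + min(total, 10))


def curate(repo, policy):
    """Return the subset of repo this entity may receive, ordered by priority.
    Other entities' feedback is not disclosed; only the recipient's own count."""
    out = []
    for ind in repo:
        if TLP_RANK[ind.tlp] > TLP_RANK[policy.max_tlp]:
            continue                      # TLP forbids onward sharing
        if ind.source in policy.blocked_sources:
            continue                      # segregation: e.g. another customer's data
        if ind.sectors and not (ind.sectors & policy.sectors):
            continue                      # not relevant to this entity's sector
        if ind.regions and not (ind.regions & policy.regions):
            continue                      # not relevant to this entity's region
        p = priority(ind)
        if p < policy.min_priority:
            continue
        out.append({"value": ind.value, "kind": ind.kind, "tlp": ind.tlp,
                    "priority": p,
                    "my_sightings": ind.sightings.get(policy.entity, 0)})
    return sorted(out, key=lambda r: r["priority"], reverse=True)


def record_sighting(repo, entity, value, count=1):
    """Feedback path: a subsidiary reports it saw an indicator; stored centrally."""
    for ind in repo:
        if ind.value == value:
            ind.sightings[entity] = ind.sightings.get(entity, 0) + count
            return True
    return False


def coverage_gaps(repo, policies):
    """Indicators the central team holds that no downstream entity receives."""
    covered = set()
    for pol in policies:
        covered.update(r["value"] for r in curate(repo, pol))
    return [ind.value for ind in repo if ind.value not in covered]


# Constructed sample data (documentation ranges / example names, not real intel).
REPO = [
    Indicator("198.51.100.7", "ipv4", "GREEN", frozenset({"finance"}), frozenset({"EU"}), "isac-fin", 40),
    Indicator("evil.example", "domain", "AMBER", frozenset(), frozenset(), "internal-ir", 60),
    Indicator("203.0.113.9", "ipv4", "RED", frozenset({"energy"}), frozenset({"US"}), "gov-liaison", 90),
    Indicator("bad.example.net", "domain", "CLEAR", frozenset({"retail"}), frozenset({"APAC"}), "customer-b-ir", 30),
]
POLICIES = [
    SharingPolicy("eu-bank", frozenset({"finance"}), frozenset({"EU"}), "AMBER"),
    SharingPolicy("us-energy", frozenset({"energy"}), frozenset({"US"}), "AMBER+STRICT"),
    SharingPolicy("mssp-cust-a", frozenset({"retail"}), frozenset({"APAC"}), "GREEN",
                  blocked_sources=frozenset({"customer-b-ir"})),
]

if __name__ == "__main__":
    record_sighting(REPO, "eu-bank", "evil.example")
    record_sighting(REPO, "us-energy", "evil.example", 3)
    for pol in POLICIES:
        print(pol.entity, [(r["value"], r["priority"]) for r in curate(REPO, pol)])
    print("not delivered anywhere:", coverage_gaps(REPO, POLICIES))
```

Two things worth noting in the design: the curated record deliberately omits other entities' sighting counts, so the feedback stored centrally does not leak across customers or regions, and the RED indicator and the blocked-source indicator both show up in `coverage_gaps`, which is the central team's cue that it holds intelligence no local team can act on.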

Finally, data within the central repository and in local repositories can be shared across existing security infrastructure manually, automatically or some combination to harden security controls. Enterprise-wide, the right data can be sent to the right tools for a better defensive posture. 

The ability to think global, act local is one of the hallmarks of a modern SOC. Collaboration with teams across the organization to utilize data more efficiently and effectively dramatically improves detection and response and is critical to achieving enterprise-wide risk management.

Marc Solomon is Chief Marketing Officer at ThreatQuotient. He has a strong track record driving growth and building teams for fast growing security companies, resulting in several successful liquidity events. Prior to ThreatQuotient he served as VP of Security Marketing for Cisco following its $2.7 billion acquisition of Sourcefire. While at Sourcefire, Marc served as CMO and SVP of Products. He has also held leadership positions at Fiberlink MaaS360 (acquired by IBM), McAfee (acquired by Intel), Everdream (acquired by Dell), Deloitte Consulting and HP. Marc also serves as an Advisor to a number of technology companies, including Valtix.