Hybrid SoC: What is the hidden value proposition?
Date: 15 July 2022
Cyber Management Alliance's flagship Wisdom of Crowds events are unlike any other cybersecurity events across the globe. They are unscripted and spontaneous, yet at the same time, they’re a hotbed of knowledge exchange, ideas and new solutions.
One of the hallmarks of these events is the first-hand access that the IT & security executives get to the latest technology solutions, products and services. They get the unique chance to understand new cybersecurity solutions directly from their founders and developers as well as the unmatched opportunity to ask questions, challenge these solutions and figure out the best way to make the most of the new technologies.
At the recent Wisdom of Crowds event in London, Rob Demain, CEO & Co-Founder of e2e Assure, delivered a keynote address that not only showcased the strengths of his product but also helped the audience understand where the high-performance SoC is headed next and what’s the true hidden value proposition of a hybrid SoC (Security Operations Centre).
There’s lots of ways in which a SoC should be helping organisations today and it goes beyond just looking at alerts. SoCs that just look at alerts and bounce them back at the organisation are yesterday’s SoCs. The crux of Rob’s address captured how new-age businesses should be getting a lot more bang for their buck now from SoCs.
There are several key things that a high-performance SoC should be doing today. Some of these, as mentioned by Rob, include:
- Simulated Attacks and Continuous Testing
- Incident Response
- Help develop Cyber Strategy
- Vulnerability Management
- Threat Hunting
- Be an Extension of the Customer’s Team
- Modernise and Optimise Security Tools
- Autodiscover & Enrich Data from across the Network
In the keynote address, however, Rob focussed his attention on the first two functions - automation and honeynets
SoC Automation - Automated Alert Analysis
Through his keynote address, the main point that Rob was trying to drive home was that as far as automation is concerned, the SOC should actually be automating the analysis of alerts. Alert fatigue is a common phenomenon with SOCs as analysts get bored, frustrated and spend less time on the alerts. There’s not a lot of value in that process and that’s a challenge for every SOC.
Demain also talked of how two years ago his team committed themselves to the mission of dealing with the challenge of alert overload that all SoC analysts face and taking the automation of alert analysis from 5% to 90%.
Some of the benefits of SoC Automation include:
- Keeping up with alert loads
- The ability to not tune stuff out (or miss stuff)
- Analysts get the time to do their real job - threat hunting, vulnerability analysis, threat intel & incident response testing and planning etc.
- Analysis of each alert consistently ensures quality
- Alerts can be used for more automation
Another problem that SoCs have is knowledge transfer during shifts and alerts and ticketing.
To address this, Rob explained, “You can do a shift handover but with e2e Assure’s SoC model, it’s the computer that’s worried about remembering the critical stuff and if something happens across the shift transfer window, you’ve got it covered because it will pop up and alert the next person and remind them if something hasn’t been handled.”
One of the audience members corroborated Rob’s point by adding, “This gets particularly challenging when you have an outsourced SoC. There’s stuff that needs institutional knowledge which the outsourced guys just can’t have because they don’t get that exposure so this is actually music to my ears because. This has been a major drawback for us when it comes to outsourced SoC.”
Rob clarified that this is why, at e2e Assure, they opt for a hybrid model where the SoC works as an extension of the client’s team and they don’t do full outsourcing either because context is key. It is important to get intel about things the business is actually worried about into use cases.
Honeynets & how to employ them
Next, Rob jumped into talking about Honeynets and why every business must leverage them to understand their internal threats.
A honey net is basically something which presents itself as something it’s not - honey systems, honey services, honey tokens etc. - there are several words being used to refer to this basic concept.
So why do organisations need to use honey nets in their networks?
“It’s because if you think you’re going to get compromised, you probably already have (or your insider or third-party is going to get compromised). If you assume that you’re going to get breached at some point, you will put some tripped wires internally to catch them. Because you may not yet know but maybe you do have threats internally, it could be your employees who are doing things that could be threats. It’s really hard to detect insider threats in a SoC business and this is a really good way,” Rob explained.
Responding to an audience question, Rob also clarified that you don’t necessarily need a SoC to use honey nets. You just need some monitoring software which can keep a check on the things being accessed.
You need security monitoring to do this and it is highly recommended that every business does this. Businesses should ideally even build an Incident Response Playbook that’s different for honey nets because it might be anybody in the organisation who’s rummaging through your network - it could be an eyeopener.
This keynote address was the ideal presentation of what Wisdom of Crowds events stand for - a great opportunity not just for open discussion and collaboration, but also for actively encouraging businesses to engage and connect with each other.
The USP of our Wisdom of Crowds Live Events is that they create a conducive and informal environment that provides a unique and exciting opportunity to connect and collaborate with potential clients.
The Wisdom of Crowds Live Events put vendors in the enviable position of participating in this unique gathering and contributing to lively discussions, Q&As, as well as one-on-one exclusive meetings with experts who work for solution providers, ensuring they receive first-hand knowledge of the latest cybersecurity technological breakthroughs to aid their decision-making process.
Find out more about participating as a delegate and/or sponsor at the Wisdom of Crowds events.