The turning of the annual calendar was celebrated globally in a way not seen in a generation, but 2021 will not magically remove the world’s problems, as you probably have discovered by now. We are all still inheriting the mess of 2020 – at least for a little while longer – and cybersecurity is no exception.
In a year that began with the emergence of COVID-19 (which ushered in new challenges and threats, from pandemic-themed phishing emails to sophisticated and targeted attacks aimed at companies researching a vaccine), perhaps the industry’s toughest battle emerged toward the end with the SolarWinds Sunburst attack.
2021 infosec prediction:
SolarWinds was the tip of the iceberg.
— Dan Tentler (@Viss) December 18, 2020
The hack heard ‘round the world, which McAfee ominously described as a “precision-guided smart cyber weapon,” may act as a blueprint – and a harbinger – of what is to come. Yet the biggest stressors plaguing the modern security operations center in 2021 will not be SolarWinds, but instead the usual suspects: alert fatigue, false positives, growing attack surfaces, disparate detection tools, skills shortages and manual and inconsistent processes.
Which leads us to five trends security operations professionals should keep an eye on in 2021. Nothing listed will be necessarily surprising or even new, but they encapsulate the way the SOC scene is heading – and if you do not keep up, you may be left behind. Let’s get started!
1) Focusing on Detection of Threats, Not Handling of Alerts
“Alerts are not the problem. Threats are.” Those were the words of renowned security thinker Anton Chuvakin during a presentation at last month’s SOCstock virtual event. With the average company forced to field tens of thousands of events per day, organizations that are alert focused, versus threat focused, run the risk of drowning in SIEM-generated logs without truly understanding how their adversaries operate and what is contributing to their susceptibility.
To achieve this, analysts must collaborate with others, including network infrastructure staff, penetration testers, threat hunters, as well as those Chuvakin describes as “detection engineers” (responsible for writing detection rules). More technically speaking, grouping alerts by type, which can be enabled through automation via a SOAR platform, will spare analysts from working tedious duplicate cases and free them up to concentrate on achieving greater visibility and situational awareness into the attacks that are actually occurring.
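As an added illustration of the alert-grouping idea above (this is example code written for this article, not code from the original post, Siemplify or any SOAR product), the following collapses repeated alerts of the same rule on the same host into one case and then takes the threat-focused view, surfacing hosts where several different rule types fired close together. The alerts and rule names are constructed sample data.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample alerts (not real SIEM data): (timestamp, rule, host, user)
ALERTS = [
    ("2021-01-13T09:00:00", "brute_force_login", "ws-017", "jdoe"),
    ("2021-01-13T09:00:05", "brute_force_login", "ws-017", "jdoe"),
    ("2021-01-13T09:00:09", "brute_force_login", "ws-017", "jdoe"),
    ("2021-01-13T09:02:30", "suspicious_powershell", "ws-017", "jdoe"),
    ("2021-01-13T09:03:10", "outbound_to_rare_domain", "ws-017", "jdoe"),
    ("2021-01-13T09:10:00", "brute_force_login", "ws-042", "asmith"),
    ("2021-01-13T09:10:02", "brute_force_login", "ws-042", "asmith"),
    ("2021-01-13T11:30:00", "brute_force_login", "ws-042", "asmith"),
]

WINDOW = timedelta(minutes=30)  # hypothetical grouping window

def group_alerts(alerts, window=WINDOW):
    """Alert-focused step: fold repeats of the same rule on the same host that
    arrive within `window` of the case's first alert into a single case."""
    cases = []       # each case: dict(rule, host, user, first, last, count)
    open_cases = {}  # (rule, host) -> index of the most recent case in `cases`
    for ts, rule, host, user in sorted(alerts):  # ISO timestamps sort lexically
        t = datetime.fromisoformat(ts)
        idx = open_cases.get((rule, host))
        if idx is not None and t - cases[idx]["first"] <= window:
            cases[idx]["count"] += 1
            cases[idx]["last"] = t
            continue
        cases.append({"rule": rule, "host": host, "user": user,
                      "first": t, "last": t, "count": 1})
        open_cases[(rule, host)] = len(cases) - 1
    return cases

def find_threat_chains(cases, window=WINDOW, min_rules=3):
    """Threat-focused step: hosts on which `min_rules` different rule types
    fired within `window` of one another, i.e. a likely multi-stage intrusion."""
    by_host = defaultdict(list)
    for c in cases:
        by_host[c["host"]].append(c)
    chains = {}
    for host, hc in by_host.items():
        hc.sort(key=lambda c: c["first"])
        for i, c in enumerate(hc):
            rules = {d["rule"] for d in hc[i:] if d["first"] - c["first"] <= window}
            if len(rules) >= min_rules:
                chains[host] = sorted(rules)
                break
    return chains
```

Eight raw alerts become five cases, and only ws-017 (brute force followed by suspicious PowerShell and a rare outbound connection) is raised as a chained threat; the ws-042 lockouts stay two routine cases.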
2) Engaging Outside Help to Form a Hybrid SOC
The aforementioned pressure points facing security operations teams (overload of alerts, expanding attack surface, skill shortages, etc.) happen to also be some of the primary reasons why the modern SOC is continuing to call on third-party service providers to help offset their internal limitations and amplify their detection and response capabilities. The relationships and needs that end-users require from their MSSP and MDR vendors will be unique, but in general, the best partnerships are a mix between what you do well and what the provider does well.
To again quote Chuvakin, “Every modern SOC is a hybrid SOC.” Third-party outsourcing for duties such as malware analysis, threat intelligence and EDR management is expected to continue to grow in 2021, receiving a big boost from the ongoing COVID-19 impact, which has forced some organizations to sacrifice security for business continuity. MSSPs and MDR providers can help provide agility, scale and cost savings during these rough-and-tumble times. These arrangements also free up organizations to eventually gain the internal knowledge that they were originally lacking, which led to calling on a provider to help fill the gaps in the first place.
Heard from MDR provider earlier today that most clients want containment actions taken without asking first for approval, some even for critical assets. Interesting!
— Augusto Barros (@apbarros) January 13, 2021
3) Embracing a Cloud-Heavy or Cloud-Native SOC Strategy
Another area of tech experiencing accelerated customer demand is cloud tools and services, which allow organizations to keep costs in check, remain agile and obtain faster time to value, especially as a large portion of the workforce remains remote. Similarly, inside the security operations center, the cloud is arriving to deliver these same benefits: some businesses are ditching the traditional model of data centers and server infrastructure in favor of cloud-native SOC-specific platforms and security processes that integrate with cloud-native tools to drive visibility, detection and response and help deliver on security models like zero trust.
4) Going Remote
Speaking of uprooting tradition, the days of in-person SOCs may be waning. Dedicated, in-house facilities are designed for maximum productivity and comfort for analysts and engineers (and, depending on how many bells and whistles these command hubs contain, present a “wow factor” for touring prospects and customers). COVID-19 has forced security operations teams to do their threat detection and response in completely remote settings. But as the months have gone on and early gaps and vulnerabilities have been filled, SecOps pros – with the help of smart leadership and collaboration tools – are learning that virtually everything they do can be accomplished remotely, in many cases just as well as in physical space.
5) Maximizing Capabilities by Skills, Not Tiers
In the “tiered” SOC model, junior analysts triage inbound events and escalate those they can’t close out quickly to more experienced staff. It’s a time-honored staple of security operations. But this model is changing, especially as more perfunctory tasks are largely solved by automation. In a Cyentia Institute research report we produced in 2019, findings showed that barely over half of survey respondents still work in traditional ‘tiered’ SOCs made up of different analyst levels. The rest form teams of mixed roles and experience. A SOC organized by skills instead of tiers is more flexible, ensuring everyone is delivering what they excel at — and, hopefully, enjoy doing. This paper from Deloitte and Google Cloud does a great job of expanding on this notion.
The theme that binds these five trends and enables them to thrive is automation. The role of artificial intelligence and machine learning is nothing new to security, but its influence within the modern SOC is only expanding. Currently best applied thanks to technologies like SOAR, automation aims to reduce human intervention in time-consuming and often mundane tasks, from enrichment through response, work that can contribute to burnout. Automation, however, will always have its limitations, even as it matures to take on more cognitive processes. This assures that humans will always have a key role to play in the modern SOC.
Dan Kaplan is director of content at Siemplify.