Although organizations are investing more and more in legacy cybersecurity solutions, it is clear that these systems are failing to deliver on their promises and cannot proactively protect against today's attacks, which increasingly match no known signature.
Over the last decade, both cyber threats and cybersecurity spending have grown at an unprecedented rate. Cybersecurity Ventures estimates that cybercrime will cost businesses $10.5 trillion per year by 2025.
Must businesses keep investing more and more to cope with this new and unpredictable threat landscape? Or should they get smarter by rethinking their approach to zero-day, non-signature attacks and moving away from legacy infrastructure and the assumptions that come with it?
The following are the top four factors that can help guide SOC strategy in 2021 and beyond:
A modern SOC should not be solely reliant on human operators and their personal experience
The intersection of human operation and technology is at the heart of the modern approach to Security Operations Center (SOC) development. Is human feedback enhancing technology, or is it preventing SOCs from fully using modern technology? In a traditional SOC setting, can today’s technology even deliver on vendor promises?
A modern SOC should not be completely reliant on human operators and their personal experience. For the past 15 to 20 years, the issue has been foundational: not just the methodologies SOCs use, but whether the technology itself makes the problem worse.
The cost and ineffectiveness of incremental stacking of correlative analysis platforms
The cost of running a security operations center has skyrocketed in recent years, due in large part to the accumulation of common security technologies, each of which carries a hefty operating price tag to deploy, run, and maintain.
Vendors often overlook a critical foundational problem when piling platforms on top of each other to accomplish a single goal: how to function inside and across multiple proprietary data silos.
Given how vendors position their SIEM platforms, customers must compile and format data into the vendor's own proprietary format. That is the only way the SIEM gets the data it needs to compare against historical data and identify anomalies.
The use of log data as a foundation for prevention, detection, remediation, or analytics is ineffective
The fundamental flaw that prevents SIEM from delivering on the commitments made by vendors is simple: log data is always incomplete, inappropriate, and ineffective when it comes to real-time threat prevention and detection.
By definition, a log-based solution is only as current as its most recent aggregation. Given the sprawl of today's typical corporate network, that approach is completely inadequate. The log data is still incomplete and pre-summarized, and it is severely limited in its ability to show SOC teams what is really happening at any finer granularity than the summary preserves.
The amount of money spent on cybersecurity for data retention and analysis is out of control and mostly unnecessary
Businesses sift through the same data repeatedly in order to find and understand information. That work represents a significant investment of both money and staff time. When all of that effort results in a security "solution" that isn't a solution at all, it is not a winning strategy.
Traditional cybersecurity approaches are built on log data. For these systems to function, SOC teams must massage, extract, transform, normalize, and merge log data into a central repository. It is the only way to convert the data into the proprietary format that the third-party security solution needs.
Companies must factor in not just the initial expense of SIEM software, but also the continuing costs of licensing (often priced by ingest volume) and data retention. These costs rise steeply as the volume of data needed for accuracy grows.
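As an added example of the extract, transform, normalize and merge pipeline described above (this is not code from the article or from any SIEM vendor), the Python below parses three constructed log feeds in three different formats into one common schema, merges them into a single time-ordered store, and then counts authentication failures per source address against an assumed threshold. Running the same count with a cutoff equal to an assumed last-aggregation time shows the point made in the previous section: the aggregated view is missing the event that would have crossed the threshold. All log lines, hosts, users, addresses, the schema, the threshold of three and the cutoff time are constructed assumptions for the demo.

```python
"""Log ETL into one common schema, then a baseline comparison that shows how
the result is only as current as the last aggregation.

Added example, not code from the article or from any SIEM vendor. The sample
log lines, hosts, users, addresses, the schema, the threshold and the
aggregation cutoff are all constructed assumptions for this demo.
"""
import json
import re
from collections import Counter
from datetime import datetime, timezone

# --- Extract: three feeds in three formats (constructed samples) ------------
SSHD_SYSLOG = [
    "2024-03-01T10:00:01Z bastion sshd[4121]: Failed password for invalid user admin from 198.51.100.7 port 51522 ssh2",
    "2024-03-01T10:00:03Z bastion sshd[4121]: Failed password for root from 198.51.100.7 port 51530 ssh2",
    "2024-03-01T10:00:09Z bastion sshd[4125]: Accepted publickey for deploy from 203.0.113.5 port 40010 ssh2",
]
APP_JSON = [  # epoch seconds; 1709287205 is 2024-03-01T10:00:05Z
    '{"ts": 1709287205, "level": "WARN", "event": "login_failed", "user": "alice", "src_ip": "198.51.100.7"}',
    '{"ts": 1709287206, "level": "INFO", "event": "login_ok", "user": "bob", "src_ip": "192.0.2.14"}',
]
FW_CSV = [  # timestamp,host,action,src,dst,dport
    "2024-03-01 10:00:07,fw1,DENY,198.51.100.7,10.0.0.5,22",
]

# --- Transform: one parser per format, all emitting the same record shape ---
# The common schema stands in for the "proprietary format" the SIEM demands.
SSHD_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<outcome>Failed password|Accepted publickey|Accepted password) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def parse_sshd(line):
    m = SSHD_RE.match(line)
    if m is None:
        return None  # unparsed lines are silently dropped: coverage loss #1
    return {
        "ts": datetime.fromisoformat(m["ts"].replace("Z", "+00:00")),
        "source": "sshd", "host": m["host"],
        "outcome": "fail" if m["outcome"].startswith("Failed") else "success",
        "user": m["user"], "src_ip": m["ip"],
    }

def parse_app(line):
    rec = json.loads(line)
    return {
        "ts": datetime.fromtimestamp(rec["ts"], tz=timezone.utc),
        "source": "app", "host": "app01",  # assumed: this feed carries no hostname
        "outcome": "fail" if rec["event"] == "login_failed" else "success",
        "user": rec.get("user"), "src_ip": rec["src_ip"],
    }

def parse_fw(line):
    ts, host, action, src, _dst, _dport = line.split(",")
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc),
        "source": "fw", "host": host,
        "outcome": "deny" if action == "DENY" else "allow",
        "user": None,  # the firewall knows nothing about users: coverage loss #2
        "src_ip": src,
    }

SOURCES = [(parse_sshd, SSHD_SYSLOG), (parse_app, APP_JSON), (parse_fw, FW_CSV)]

# --- Merge: everything into one time-ordered central store -------------------
def normalize_all(sources=SOURCES):
    events = [rec for parser, lines in sources
              for rec in map(parser, lines) if rec is not None]
    return sorted(events, key=lambda e: e["ts"])

# --- Aggregate and compare against a baseline -------------------------------
def failed_logins_by_ip(events, as_of=None):
    """Auth failures per source IP, counting only events the most recent
    aggregation run (at `as_of`) has already seen; None means the live view."""
    return Counter(e["src_ip"] for e in events
                   if e["outcome"] == "fail" and (as_of is None or e["ts"] <= as_of))

def anomalous_ips(counts, threshold=3):
    """Assumed baseline: three or more failures in the window is anomalous."""
    return sorted(ip for ip, n in counts.items() if n >= threshold)

# Assumed time of the most recent batch aggregation.
LAST_AGGREGATION = datetime(2024, 3, 1, 10, 0, 4, tzinfo=timezone.utc)

if __name__ == "__main__":
    events = normalize_all()
    print("live view    :", anomalous_ips(failed_logins_by_ip(events)))
    print("as aggregated:", anomalous_ips(failed_logins_by_ip(events, LAST_AGGREGATION)))
```

Two details of the normalizer are the "incomplete, pre-summarized" loss in miniature: the application feed has no hostname, so one is fabricated to satisfy the schema, and the firewall feed has no user, so that field is simply empty. Any field the common schema does not have a slot for never reaches the central store at all. In the live view the attacking address accumulates three failures and is flagged; in the view the last aggregation produced it has only two, and nothing fires until the next batch runs.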