Security Operations Center (SOC) Automation: Why It Matters
Security is not a simple problem that can be easily solved by spending more money. The Target breach of 2013 is a great case in point. Target has a significant IT security budget and a wide range of controls in place. Yet the company still managed to get taken to the tune of 40 million credit card numbers and 70 million customer records. Most large enterprises and government agencies also have a wide range of security solutions in place. But many still have a problem shrinking the exposure window after a threat event takes place.
Again, the Target attack is instructive. It all started with malware installed on point-of-sale terminals in November 2013. Both Symantec and FireEye products identified malicious activity and triggered alerts. However, no action was taken. Attackers started stealing data on December 2 and even had time to upgrade the malware. This activity triggered yet another flurry of alerts from FireEye. On December 12, the Department of Justice notified Target of the breach and Target removed the malware by December 15. All in all, it took Target over a month to remediate a problem for which it was receiving continuous breach notifications.
Target’s story is not uncommon. It happens all the time in commercial and government organizations big and small. Although discovery and remediation times are getting better, 36 percent of breaches still take days to discover, with those taking weeks and months comprising over 27 percent, according to the 2015 Verizon Data Breach Investigation Report.
Many cyber security professionals are having trouble figuring out exactly how to shrink the time gap from threat exposure to discovery, and then from discovery to threat mitigation. Even though many government agencies are trying to move towards a consolidated security platform, it is unreasonable to assume that an agency will have a single security solution from a single vendor, with a single policy management interface. This will simply never be the case, especially in government agency environments, where there are multiple security vendors at play, with disparate consoles, policy management tools and different personnel responsible for each security piece.
So how does a government agency go about minimizing time to threat remediation? One solution is to consider a security orchestration and automation solution. A security orchestration and automation solution takes feeds from all components of an agency’s IT infrastructure, understands the data and, finally, feeds back configuration and policy changes to firewalls, intrusion prevention systems (IPSs), data loss prevention (DLP) systems, endpoints and other components of the security infrastructure. In layman’s terms, in a Security Operations Center (SOC) environment, when a SOC operator gets an alert, he or she needs to follow a certain script to investigate and remediate the alert. This is usually time consuming and replete with human error. A security orchestration and automation solution can automate most of the actions required of a human, thereby speeding up response times and minimizing operational errors, with minimal or no human intervention required.
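To make the orchestration loop described above concrete, here is an added example (not code from CSG Invotas or any product named on this page) of a small playbook runner: it normalizes alerts from two differently formatted vendor feeds into one schema, looks up the playbook for the alert category, pushes the resulting blocks and isolations to an in-memory stand-in for the firewall and endpoint consoles, and records an audit trail. The feed formats, host names, indicators, the severity threshold and the `Infra` stand-in are all constructed for illustration. It also shows two things a practitioner would want from such a system: repeated alerts for an already-handled incident are recorded rather than re-actioned, and a high-impact action (host isolation) is only automated above a severity threshold, otherwise it is queued for analyst approval.

```python
"""Added example: a minimal security-orchestration playbook runner.
Not vendor code; every feed format, host and indicator here is constructed."""
import json
from dataclasses import dataclass, field
from typing import Optional

# Constructed alert feeds with two different schemas, as a multi-vendor SOC sees them.
RAW_FEEDS = [
    ("edr", json.dumps({"sev": 8, "hostname": "pos-017", "hash": "sha256:aaaa", "type": "malware"})),
    ("fw",  json.dumps({"priority": "high", "src": "10.0.5.17", "dst": "203.0.113.9",
                        "signature": "c2-beacon"})),
    ("edr", json.dumps({"sev": 8, "hostname": "pos-017", "hash": "sha256:aaaa", "type": "malware"})),
    ("edr", json.dumps({"sev": 4, "hostname": "ws-042", "hash": "sha256:bbbb", "type": "malware"})),
]


@dataclass
class Alert:
    source: str
    severity: int            # normalized to a 1-10 scale
    host: Optional[str]      # None for network-only alerts
    indicator: str           # file hash or remote IP, depending on the feed
    category: str


def normalize(source: str, raw: str) -> Alert:
    """Map each vendor's own field names onto the common Alert schema."""
    d = json.loads(raw)
    if source == "edr":
        return Alert("edr", int(d["sev"]), d["hostname"], d["hash"], d["type"])
    if source == "fw":
        sev = {"low": 3, "medium": 5, "high": 8, "critical": 10}[d["priority"]]
        return Alert("fw", sev, None, d["dst"], d["signature"])
    raise ValueError(f"unknown feed: {source}")


@dataclass
class Infra:
    """In-memory stand-in for the firewall, endpoint and ticketing consoles."""
    blocked_ips: set = field(default_factory=set)
    isolated_hosts: set = field(default_factory=set)
    tickets: list = field(default_factory=list)
    audit: list = field(default_factory=list)

    def block_ip(self, ip: str) -> None:
        self.blocked_ips.add(ip)
        self.audit.append(f"blocked {ip}")

    def isolate_host(self, host: str) -> None:
        self.isolated_hosts.add(host)
        self.audit.append(f"isolated {host}")

    def open_ticket(self, summary: str) -> None:
        self.tickets.append(summary)
        self.audit.append(f"ticket: {summary}")


# Playbook: alert category -> ordered list of actions (constructed).
PLAYBOOK = {
    "malware":   ["open_ticket", "isolate_host"],
    "c2-beacon": ["block_ip", "open_ticket"],
}
ISOLATE_MIN_SEVERITY = 7   # below this, isolation waits for an analyst


def run_playbook(alert: Alert, infra: Infra, seen: dict) -> list:
    """Execute the playbook for one alert; return the actions actually taken."""
    key = (alert.category, alert.host or alert.indicator)
    seen[key] = seen.get(key, 0) + 1
    if seen[key] > 1:
        # Same incident already handled: record the repeat, do not re-action it.
        infra.audit.append(f"repeat #{seen[key]} of {key}")
        return []
    taken = []
    for action in PLAYBOOK.get(alert.category, ["open_ticket"]):
        if action == "block_ip":
            infra.block_ip(alert.indicator)
            taken.append(action)
        elif action == "isolate_host":
            if alert.host and alert.severity >= ISOLATE_MIN_SEVERITY:
                infra.isolate_host(alert.host)
                taken.append(action)
            else:
                infra.audit.append(f"isolation of {alert.host} queued for analyst approval")
        elif action == "open_ticket":
            infra.open_ticket(f"{alert.source}:{alert.category} on {alert.host or alert.indicator}")
            taken.append(action)
    return taken


def process_feeds(feeds):
    """Run every raw alert through normalize() and run_playbook()."""
    infra, seen = Infra(), {}
    results = [run_playbook(normalize(src, raw), infra, seen) for src, raw in feeds]
    return infra, results


if __name__ == "__main__":
    infra, results = process_feeds(RAW_FEEDS)
    for line in infra.audit:
        print(line)
```

The severity gate and the audit list are the parts to adapt first in practice: which actions run unattended, and at what threshold, is a per-agency policy decision, and the audit trail is what lets an analyst see both what the automation did and what it held back for approval.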
Here at SwishData, we have partnered with CSG Invotas to help government customers solve the security orchestration and automation challenge. With the CSG Invotas Security Orchestrator (ISO), your agency can minimize the time gap between threat discovery and remediation to, literally, seconds. CSG Invotas’ ISO is the premier incident response platform on the market and has compatibility with hundreds of security vendors, including:
- Microsoft Windows, Windows Server and Exchange
- Intel Security / McAfee
- Palo Alto
- Bit9+Carbon Black
You can find out more about the CSG Invotas solution here.