Technology Record - Issue 27: Winter 2022

Until recently, these tasks have prevented SOC teams from maintaining the ‘big picture’ vision that is crucial for fully protecting the enterprise against cyberattacks. However, by automating as many of these tasks as possible, enterprises enable their teams to invest more time in analysing potential threats. Automation also provides the SOC team with better data insights, allowing analysts to react more quickly when an incident occurs. This speed and agility are crucial because the magnitude of the loss is directly related to the time it takes to detect and respond to an attack. By defining the response window – the minimum period of time after which the impact of an attack becomes exponentially greater – enterprises can lessen the associated risks.

Strengthening the enterprise security posture

When developing a modern and efficient SOC, organisations must implement a cloud-native SIEM. Unlike traditional SIEMs that are expensive to deploy, own and operate, cloud-native SIEMs have no upfront costs and can collect data at scale across all users, devices, applications and infrastructure, both on-premises and in multiple clouds. A SIEM like Microsoft Sentinel, for example, leverages algorithms to connect and master data streams, and to ingest and verify alerts. By acting as a single security analytics platform that covers multiple cloud environments, the SIEM provides security analysts with actionable, timely information to help prevent attacks.

Another pivotal part of a modern SOC is endpoint detection and response (EDR). This combines real-time continuous monitoring and collection of endpoint data with rule-based, automated analysis and response. Integrating EDR with the SOC supports a zero-trust approach, providing a centralised platform for monitoring endpoints and responding to incidents, often automatically.

A data lake is also essential. It offers a centralised repository for storing, processing and securing unlimited quantities of structured, semi-structured and unstructured data from multiple sources.

Once these cloud-native components are in place in the SOC, an MDR provider like CyberProof can offer multiple services, including orchestration and automation. This involves leveraging solutions to enable a full overview of the enterprise, making it easy to streamline threat and vulnerability management, incident response and security operations automation. Doing this alleviates the stresses of increasingly sophisticated attacks, growing volumes of alerts and long resolution time frames.

MDR providers can also offer strategic, operational and tactical threat intelligence services, delivering evidence-based knowledge about existing or emerging threats to enable enterprises to make data-driven decisions. To support this, MDR providers can employ threat hunters to evaluate an enterprise’s network and develop security baselines, proactively pinpointing any policy violations within the network. This strengthens the cybersecurity ecosystem by incorporating a more proactive approach, while reducing the attack surface.

Once an organisation has a modern, cloud-native SOC and the support of an MDR provider, it is well-equipped to effectively protect its critical assets against ever-evolving cybercrime.

Tony Velleca is CEO of CyberProof, a UST company

[Figure: Impact over time, shown as the number of assets lost (0 to 250) against time from 1 minute to 12 hours, marking the response window, the actual response time and the maximum impact.]