There is a rising appetite for SOC modernisation and transformation among Australian companies, driven by a desire to enhance security maturity, improve resilience against cyberattacks, and reduce risk in a digitally driven world.
SOCs today are challenged by a complex and varied threat landscape and attack surface, comprising devices, disparate and remote workforces, and cloud and AI services.
There is a lot riding on the shoulders of SOC security analysts.
Their workloads can be substantial as they face pressure to properly manage cyber risk and to detect, investigate and respond to potential threats before they can manifest as security incidents.
Not all of these efforts result in incidents being prevented. As joint research by Exabeam and IDC shows, over one-third of respondents in the Asia Pacific and Japan (APJ) region experienced significant security incidents in the last 12 months "that required additional resources to remediate".
The challenges facing the SOC and its analyst teams are very real. From our observations of the industry and conversations with customers, it's clear that more organisations are interested in a SOC modernisation or transformation, for three key reasons.
Reason #1: Things have gotten too complex for analysts alone
SOC analysts are drowning in data, which is having a negative impact on their mean time to detect and respond (MTTD/R) to abnormal behaviour in their extended networks and environments.
There's no shortage of log data available, but the challenge is determining which sources are most useful for the purpose of identifying and investigating a particular pattern of behaviour. Through customer workshops and proofs of concept, we have frequently seen how an optimal combination of logs can shave hours off threat detection times, which has a flow-on impact on the security team's ability to respond. Conversely, too many data sources can overcomplicate the view of the environment, and make it more difficult to recognise malicious patterns of behaviour that are consistent with known types of threats.
Even once the number of log sources is optimised, there is complexity in understanding what the combination of these logs has found. To keep pace with the high volume of daily alerts, many CISOs have invested in machine learning (ML) or automation capabilities to streamline operations and help security analysts better manage time-consuming or mundane tasks. Following a systematic approach can decrease false positives and lead to high-fidelity alerts that security analysts can prioritise. Improving the analyst experience reduces fatigue and allows teams to focus on targeted and strategic tasks.
Certain threat detection, investigation and response (TDIR) platforms can also simplify the path to modernisation or transformation by effectively acting as an overlay to all existing technology systems in the SOC. This means the complexity of legacy technology setups is no longer an insurmountable challenge for organisations contemplating a capability uplift to their SOC.
Reason #2: SOC resourcing levels require a resolution
Every year, the SANS SOC survey collects data on the number of FTE resources in the SOC, and every year the result is much the same, yet the size of IT environments, networks and the threat landscape continues to grow year-on-year. The trend is fairly clear: SOC resourcing remains relatively stable over time, but the team is expected to continue to build capability to deal with a dynamic operating environment, without additional headcount.
This constant requirement to do more with less, and pressure on SOC analysts to distinguish between normal and abnormal patterns of user or machine behaviour within their environments, lends itself to being solved with increased use of security tooling, particularly automation and machine learning.
According to the Exabeam and IDC survey, APJ organisations estimated 41% of their security teams' time is spent on TDIR. Greater automation can cut the amount of time required, particularly for investigations where an analyst needs to move in and out of systems to research the information they need.
Recognising that SOCs will always have resourcing issues, modernisation must come to the fore to ensure that lean SOC teams can remain effective in spite of the pressures of the role.
Reason #3: You can't fight what you can't see
A SOC is only as good as the level of visibility it has over the organisation's environment, including its network and any third-party services in use. The Exabeam and IDC survey shows that as organisations broaden their exposure points at the edge and in the cloud, limited visibility is a major problem. SOCs only see 62% of the organisation's IT environment, on average.
SOC modernisation, through the use of a TDIR platform, represents a pathway to improved visibility.
For example, there is often confusion about which combination of logs can provide the best visibility for a specific cybersecurity threat or detection scenario. A desirable characteristic of a TDIR platform implementation or modernisation program is gap analysis, enabling organisations to identify blind spots and receive recommendations on how to address them.
In addition, user behaviour analytics can provide additional visibility of risk, based on building a better understanding of how people interact with devices, systems, services and data stores. This contextual visibility enables the SOC to more accurately determine what controls they should be putting in place to reduce the risk of threats materialising in the environment.
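The behaviour analytics idea in the paragraph above, as an added illustration that is not code from the original post or from Exabeam: a per-user baseline is built from successful logons in a constructed key=value log format, and each new logon is scored on how far it departs from that baseline (a host the user has never logged on to, an hour of day the user is never seen at, or a user with no baseline at all). The log format, the weights (40, 30, 50) and the alert threshold of 50 are assumptions chosen for the example.

```python
"""Constructed example: baseline-and-deviation scoring of authentication events.

Not Exabeam code; a minimal illustration of the user behaviour analytics idea
described above, using a made-up key=value log format and assumed weights.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample logs (not real data). The key=value layout is an assumption.
BASELINE_LOGS = """\
ts=2024-03-04T08:02:11Z user=alice host=ws-alice action=logon result=success
ts=2024-03-04T09:15:40Z user=alice host=ws-alice action=logon result=success
ts=2024-03-05T08:10:03Z user=alice host=ws-alice action=logon result=success
ts=2024-03-05T17:45:22Z user=alice host=vpn-gw action=logon result=success
ts=2024-03-04T08:30:00Z user=bob host=ws-bob action=logon result=success
ts=2024-03-05T08:35:12Z user=bob host=ws-bob action=logon result=success
ts=2024-03-05T10:12:12Z user=bob host=ws-bob action=logon result=failure
"""

NEW_LOGS = """\
ts=2024-03-06T08:05:00Z user=alice host=ws-alice action=logon result=success
ts=2024-03-06T02:41:09Z user=alice host=fileserver-01 action=logon result=success
ts=2024-03-06T09:00:00Z user=bob host=ws-bob action=logon result=success
ts=2024-03-06T09:01:00Z user=svc_backup host=db-01 action=logon result=success
"""


def parse_event(line):
    """Split one key=value line into a dict and add the hour of day (UTC)."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    fields["hour"] = datetime.strptime(fields["ts"], "%Y-%m-%dT%H:%M:%SZ").hour
    return fields


def parse_events(text):
    return [parse_event(line) for line in text.splitlines() if line.strip()]


def build_baseline(events):
    """Per-user profile of hosts and hours of day, from successful logons only.

    Failed attempts are excluded so that noise does not become 'normal'."""
    baseline = defaultdict(lambda: {"hosts": set(), "hours": set()})
    for ev in events:
        if ev.get("action") != "logon" or ev.get("result") != "success":
            continue
        profile = baseline[ev["user"]]
        profile["hosts"].add(ev["host"])
        profile["hours"].add(ev["hour"])
    return dict(baseline)


def hour_is_unusual(hour, seen_hours, tolerance=1):
    """True if no baseline hour lies within +/- tolerance, wrapping at midnight."""
    return not any(min(abs(hour - h), 24 - abs(hour - h)) <= tolerance for h in seen_hours)


def score_event(ev, baseline):
    """Return (score, reasons) for one event against the user's baseline profile."""
    profile = baseline.get(ev["user"])
    if profile is None:
        return 50, ["user not seen in baseline"]          # assumed weight
    score, reasons = 0, []
    if ev["host"] not in profile["hosts"]:
        score += 40                                        # assumed weight
        reasons.append(f"first logon to host {ev['host']}")
    if hour_is_unusual(ev["hour"], profile["hours"]):
        score += 30                                        # assumed weight
        reasons.append(f"logon at unusual hour {ev['hour']:02d}:00 UTC")
    return score, reasons


def detect(baseline_text, new_text, threshold=50):
    """Build the baseline from historical logs and return alerts for new events."""
    baseline = build_baseline(parse_events(baseline_text))
    alerts = []
    for ev in parse_events(new_text):
        score, reasons = score_event(ev, baseline)
        if score >= threshold:
            alerts.append({"user": ev["user"], "host": ev["host"],
                           "score": score, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in detect(BASELINE_LOGS, NEW_LOGS):
        print(alert)
```

Run as written, the example raises two alerts: alice logging on to fileserver-01 at 02:41 (new host plus unusual hour, score 70) and the never-baselined svc_backup account (score 50). Bob's 09:00 logon scores zero because the hour tolerance treats it as adjacent to his usual 08:00, which is the kind of contextual judgement that keeps such a model from flooding analysts with low-value alerts.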
A more well-rounded picture of visibility strengthens the SOC's ability to see into all corners of the operational environment, and protect against threats.