Few subjects change as fast as cyber security; being in this field is a great way to keep on your toes. With an ever-evolving IT landscape and a constant barrage of new threats, it should hardly come as a surprise that the cyber security best practices and procedures of today look very different than those from even a few years ago. Now with the state of cyber security constantly in flux, where is the Security Operations Center (SOC) headed next?
Changes to Security Operations Center Technology
Data-Driven Automated Decision-Making at the Fore
Simply put, the future of security operations is in automating responses to data-driven indicators of risk or compromise. And this will likely require advanced capabilities, including artificial intelligence (AI). This is completely understandable if you even cast a quick glimpse at the current state of the SOC: too much data, no reliable way to collect and manage it, much less make sense of what it means to the day-to-day operations or the strategic business outlook the SOC supports.
Right now, SOCs are spending much of their time attempting to wrestle their data into a manageable form. But the IT security field is moving so rapidly that business intelligence (BI), and eventually AI, seems to be the future. Ultimately, AI and machine learning will be used to make our systems smart enough to first guide us in the right decision, and then eventually make the decision for us entirely based on our technological or business priorities.
When you think about it, this approach makes a certain kind of sense: attacks happen at machine speed. Some malware and ransomware families are repacked automatically every few seconds so that no two samples share a signature. And the technologies used to generate and curate news content automatically are reaching a level of sophistication that will make uniquely generated, individually targeted phishing emails nearly indistinguishable from normal messages.
All this means that orchestration and automation, guided by intelligent analytics, will be the most important roles of the SOC of the future. And reporting on the performance of these automation systems, in the context of business operations, will gain even more importance as actions become more automated and less “controlled” by humans.
I am not alone in this line of thinking. Gartner, for one, is redefining its SOAR acronym from Security Operations, Analytics and Reporting to Security Orchestration, Automation and Response. Dropping “reporting” in favor of “orchestration” and “response” echoes the same shift: from collecting and describing data toward acting on it, first through BI and eventually through AI.
Verifying AI Performance
So what does all of this mean for your business? Straightaway, not much. As you begin to bring automated systems into your SOC, your organization will inevitably go through a period of wariness and mistrust.
Things like rerouting a message, shutting down a port, turning off a besieged service or launching a counterattack can all be done by AI (the last of these also raises legal questions in most jurisdictions, whoever or whatever initiates it), but that does not mean you want to let automation handle any of them right away. Even those CISOs who embrace this new machine-centric approach will want to check for themselves that the AI is making good decisions based on the data.
In the period between today and full automation, AI will start by making small decisions at first, then larger ones as humans approve of its performance. If a phishing attack on one of your employees’ emails is successful, for example, then the AI can choose to take network access away from the user or their terminal. Of course, this is a fairly uncomplicated action to approve of, since you would likely do the same thing yourself by taking away the user’s laptop.
The key to ensuring trust in automation is keeping the false-positive rate (the proportion of remediation actions taken when there was no cause) in check. False positives beleaguer many technologies that try to take over decision-making (SIEM systems are a common example). Transparency in AI decision-making is paramount to understanding how to adjust the systems to avoid false positives (or negatives, for that matter): if the system cannot show which indicators drove an action, the analyst cannot tell whether the rule or the data was at fault.
CISOs who want to allow AI to have greater influence and control will need to have these discussions and negotiations with the rest of the business. By starting with small slices, CISOs can make the business see the sense and utility in allowing the system to take actions such as automatically removing network access from phishing victims—even if (and especially if) that victim is the CEO.
In order to have these conversations, however, CISOs need to have confidence that the automated rules are able to outperform (in speed, cost or capabilities) their human equivalent. Unfortunately, proving this assertion is often easier said than done as the AI’s decision-making becomes less and less “human” or understandable by humans. This has caused serious controversy in fields such as criminal sentencing, where AI algorithms are used to calculate the probability of recidivism for the offender.
If humans are unable to understand how the AI makes its decision, the argument goes, then the process fails to be transparent and appears to be an arbitrary application of justice. While IT security is not nearly as socially charged as injustice in sentencing, the problem is the same. Impeding business operations in the name of security, when the rationale is not understood, will cause mistrust in and trouble for the security operation as a whole.
There is a natural tension between the CIO and the CISO over access to technology: the CIO tends to want to maximize that access in the name of more flexibility for the business, while the CISO looks to minimize it in order to ensure control and security. While this is by no means a new conflict, its implications will only grow as we hand off more decisions to AI.
Common Data Access and Analytics
In order to enable this level of automation, security and business data alike must be brought together and organized for common and centralized access. This then enables a communication and analytics platform to transform the data into information that is accessible and actionable.
A solution for the first requirement has existed for some time: the “data lake,” a central repository, structured or not, for all security and related data. The second part is emerging now. Gartner’s SOAR describes such a system, and several companies, like ours, offer security operations BI analytics systems – and these will evolve over time to include AI.
The final piece of creating an effective automated SOC is putting in place the feedback mechanisms for automating responses.
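The staged hand-off described above (small, reversible decisions first, larger ones once humans have approved the system’s track record, with the false-positive rate as the gate and a visible rationale behind every action) can be sketched as a small feedback loop. The following Python is an added illustration written for this page, not the author’s or any vendor’s product code; the indicator names, weights, thresholds and false-positive budgets are assumptions chosen for the phishing scenario, not tuned values.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Indicator weights: illustrative assumptions for a phishing alert, not tuned values.
WEIGHTS: Dict[str, float] = {
    "credentials_submitted": 0.60,  # user typed a password into the phish page
    "url_in_blocklist": 0.25,       # link matched a threat-intel blocklist
    "mfa_prompt_denied": 0.20,      # user rejected a push they did not start
    "sender_domain_new": 0.15,      # sending domain first seen this week
}


@dataclass(frozen=True)
class Action:
    """A response, ordered by blast radius via its score threshold."""
    name: str
    threshold: float    # minimum risk score before this action qualifies
    fp_budget: float    # highest false-positive rate the business tolerates
    min_verdicts: int   # human verdicts required before it may auto-execute


# Easily reversed actions start trusted (min_verdicts=0); high-impact ones
# must first earn trust from analyst verdicts on recommended actions.
ACTIONS = [
    Action("quarantine_message", threshold=0.25, fp_budget=0.30, min_verdicts=0),
    Action("force_password_reset", threshold=0.55, fp_budget=0.15, min_verdicts=3),
    Action("revoke_network_access", threshold=0.80, fp_budget=0.05, min_verdicts=3),
]


@dataclass
class Decision:
    alert_id: str
    score: float
    rationale: Dict[str, float]     # each contributing indicator and its weight
    action: Optional[str]           # None if no threshold was reached
    executed: bool                  # False means "recommended to an analyst"
    verdict: Optional[bool] = None  # True = justified, False = false positive


class StagedResponder:
    def __init__(self, actions: List[Action] = ACTIONS,
                 weights: Dict[str, float] = WEIGHTS) -> None:
        self.actions = sorted(actions, key=lambda a: a.threshold)
        self.weights = weights
        self.log: List[Decision] = []

    def score(self, indicators: Dict[str, bool]):
        """Additive risk score capped at 1.0, plus the indicators behind it."""
        rationale = {k: w for k, w in self.weights.items() if indicators.get(k)}
        return min(1.0, round(sum(rationale.values()), 2)), rationale

    def _judged(self, action_name: str) -> List[Decision]:
        return [d for d in self.log if d.action == action_name and d.verdict is not None]

    def false_positive_rate(self, action_name: str) -> float:
        judged = self._judged(action_name)
        return sum(1 for d in judged if d.verdict is False) / len(judged) if judged else 0.0

    def is_trusted(self, action: Action) -> bool:
        """Auto-execute only with enough verdicts and a false-positive rate in budget."""
        return (len(self._judged(action.name)) >= action.min_verdicts
                and self.false_positive_rate(action.name) <= action.fp_budget)

    def decide(self, alert_id: str, indicators: Dict[str, bool]) -> Decision:
        score, rationale = self.score(indicators)
        qualifying = [a for a in self.actions if score >= a.threshold]
        chosen = qualifying[-1] if qualifying else None  # most impactful that qualifies
        d = Decision(alert_id, score, rationale, chosen.name if chosen else None,
                     executed=bool(chosen and self.is_trusted(chosen)))
        self.log.append(d)
        return d

    def record_verdict(self, alert_id: str, justified: bool) -> None:
        """Analyst feedback; counts whether the action ran or was only recommended."""
        for d in self.log:
            if d.alert_id == alert_id:
                d.verdict = justified

    @staticmethod
    def explain(d: Decision) -> str:
        """Human-readable rationale, so a lockout or a demotion can be argued about."""
        parts = ", ".join(f"{k}={w:.2f}" for k, w in d.rationale.items())
        return f"{d.alert_id}: {'executed' if d.executed else 'recommended'} {d.action} (score {d.score:.2f}: {parts})"


def demo() -> List[str]:
    """Walk through the trust-building period on constructed alerts."""
    r, out = StagedResponder(), []
    strong = {"credentials_submitted": True, "url_in_blocklist": True, "mfa_prompt_denied": True}
    weak = {"url_in_blocklist": True, "sender_domain_new": True}
    # Day 1: strong evidence, but revoke_network_access has no verdicts yet, so it is
    # only recommended; the weak alert's quarantine runs immediately.
    out.append(r.explain(r.decide("a1", strong)))
    out.append(r.explain(r.decide("a2", weak)))
    for i in range(3):  # analysts confirm three recommendations
        r.record_verdict(r.decide(f"b{i}", strong).alert_id, justified=True)
    r.record_verdict("a1", justified=True)
    out.append(r.explain(r.decide("c1", strong)))  # trust earned: executes
    r.record_verdict("b0", justified=False)         # two false positives blow the 5% budget
    r.record_verdict("b1", justified=False)
    out.append(r.explain(r.decide("d1", strong)))  # demoted back to recommend-only
    return out


if __name__ == "__main__":
    print("\n".join(demo()))
```

Two design choices carry the point of the section. Verdicts on recommended actions count toward trust, so an action that has been demoted can earn its way back without anyone re-enabling it by hand; and the rationale is stored with every decision rather than recomputed later, so the report a CISO shows the business describes what the system actually saw at the time.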
Changes to the Security Operations Center Team
More Analysts (For Now)
Technological change will be the driver that causes a ripple effect throughout your SOC. To begin with, your IT security team’s makeup and skill set will have to change significantly. In the interim period between the SOC of today and full automation of the future, you will actually need more analysts.
This is because during this period—what we like to call the era of trust-building—not only will you have to process and analyze the security incident, but you also must analyze the analytics (BI and AI) response and performance in order to ensure that the system is doing exactly what it should be (and you can explain it). This period may last months or years.
Why do I think it will take this long? Because there are existing examples in both healthcare and financial services. Both have had predictive models for years that can, somewhat reliably, flag fraudulent transactions.
In healthcare, the fraud detection problem is complex and the outcome matters quite a bit to the customer (e.g. Do we pay for this or not?), and business decisions have consistently come down on the side of caution, with very few claims payments denied through automation. In financial services, where, arguably, the outcome doesn’t matter as much (e.g. If your credit card gets declined, you can call the bank and sort things out quickly.), it took years to get to the point where credit card transactions were declined automatically based on analytics.
The way that you handle incident response (IR), too, will be significantly changed from the standard operating procedure of today. Right now, skilled professionals who can do incident response are few and far between, which means that most organizations have a forensics partner or Managed Security Service Provider (MSSP) on call for when an emergency strikes.
If your organization were to be attacked tomorrow, placing the call and assembling a competent team to stop the bleeding would involve major effort on your part. With centralized access to information, the potential exists for IR to be organized through the same automation channels that are well-defined and well-understood by everyone involved.
IR, specifically, will likely require human intervention for the foreseeable future. It is right after an incident happens that there is the greatest scrutiny on the operations of a security operations center. However, ready access to a central store of security knowledge and analytical support should act as a force-multiplier for in-house staff, enabling faster initial forensics and more surgical deployment of external resources.
Changes to Reporting
Today’s reporting is messy, cluttered and laborious. If your organization is like most right now, you probably have dozens of disparate systems deployed in your network, each releasing floods of data. An unlucky someone (perhaps you) is then tasked with harvesting this data and collating it manually in a spreadsheet or database.
Because of how complex this data is, and how independent each source is from the next, most organizations are reduced to counting events and produce little in the way of security operations metrics such as key risk indicators (KRIs) or key control indicators (KCIs). Rather than observing trends, organizations are forced to tally up disparate events, divorced from any meaningful context or information about their effect on business performance.
The more complex your reporting becomes, the harder it is for nontechnical users to understand the process and the results, making it seem that each report is bespoke. Without a standard, it might seem that you are grading your own paper. Imagine for a second if a CFO presented a financial report to the board using a completely different set of standards than those set forth by the Generally Accepted Accounting Principles (GAAP). They would likely not be around very long.
The SOC of the future will change all this, with automated, standardized reporting becoming the norm. Although you may not use the same metrics in the course of your operations as your peers, you should be using the same fundamental concepts to create and choose the metrics you track. Back to the financial services example, GAAP specifies how to calculate basic values such as revenue, assets or profit. However, it is up to the business to decide whether to use a specific metric: for example, return on assets or return on invested capital as their measure of financial performance.
Similarly, SOCs of the future will make these fundamental building blocks available by nature in the systems that are producing the data. They may customize their ultimate “measuring sticks,” but each of them will be based on fundamental, established metrics.
Changes to Security-Business Interactions
The Transformed CISO
One consequence of security becoming automated is the changing nature of the CISO. When security operations, including analytics and response, are automated, the CISO is relieved of the drudgery of data management and, to a large degree, of being the focal point of day-to-day security decision-making.
Industries that came before cyber security benefited when analytics and automation created new realities for technology and business leaders, who were no longer burdened with the drudgery of data management. Similarly, the CISO’s future role shifts from being a technologist or a security analyst to being a business strategist for the organization, who happens to specialize in information security and management, much like the CFO is a business strategist who specializes in finance.
This evolution of responsibilities is not unlike the one that the CIO has undergone in recent years. Many CIOs began as technologists but were eventually invited over to the business side of things, where their job was to be an executive who understood technology.
In the future, we may see the role of the CISO being combined with that of the CIO or CTO in many organizations.
Another consequence for the security-business interaction—and perhaps the most significant one—is that security will stop being something your employees are conscious of. Rather, security will be part and parcel of the fundamental way of conducting business, baked into every process and interaction as part of the push for transparency and metrics, across business and security operations.
The SOC of the future will build in security early on during the development stage, rather than coming in later, trying to secure an environment when it is already too late. As we mentioned above, the fundamental end goal is for security to become much more automated and less manual.
In certain respects, this is already happening; we see it in trends such as forced automatic updates to Windows 10 and the push for moving data to the cloud, where it is centralized and easier to access. There is a building consensus that it is more secure there as well, though that holds only for the controls the provider operates; the customer’s configuration, identities and access policies remain the customer’s responsibility.
This prompts the question, “What will it take for you to trust in automation (AI or BI) for IT security?” For sure, the boundaries will be different for each organization. Trust will come with transparency and reliability of automation.
Of course, no system is perfect, and when a significant incident occurs, there will be a desire to assign blame, whether that be the product or the person who decided to trust it. The key is to have the security and business operations metrics needed to evaluate both sides of the equation (automated vs. manual operations).
Each organization will find a balance between human and machine they feel comfortable with, but what we predict, because history has shown it, is that balance will be shifting far more toward machine automation as the SOC marches forward.