An insight into the 1st year of SOC automation operations

It has been slightly more than a year that SOC Prime has been set on its current mission – to bring efficiency into most sophisticated Cyber Security technologies through automation, knowledge consolidation and fusion existing of market-leading technologies. Using the trendy phrases, we claimed that we would make “Cyber Security actionable” through automation of detection of known threats and by providing tools and freeing FTE to the combat the unknown ones. And while many companies out there strive for same purpose, we believe that no single solution or organization can battle the adversaries alone and there is clearly a need for collective defense system. Well, I am proud to announce that today we finished our first steps to make this goal come true. It is today that SOC Prime announces unification of our two core products, Predictive Maintenance for SIEM and Integration Framework, under a single platform for Security and Intelligence Management.

These days we can firmly state that current speed of security breach detection can be improved and it can be drastically lower than the infamous 200 days. And one of the first answers lies in automating many routine operations of a modern SOC and fusing together the technologies that have long been established in the industry. As many of you, our team has spent years in first-line operations of SIEM deployments and as many of you, we have gone through all the fun and challenging stuff of parser-writing, Use Case development, sizing, scoping, finding workarounds and making all these complex systems do what they are meant to – detect security incidents! Now if we think about this for a moment, an accurate detection depends on multiple factors including: availability of Log Data and external feeds, quality of the data consumed by SIEM that starts with correct parsing from the moment it is extracted from the log source and ends with categorization & enrichment, performance of the platform itself that needs a constant attention of its administrator, accuracy of asset and network information and last, but not least – security of the SIEM system itself.

All of this has been a thorough manual job for over a decade, and all of this is now changing as we apply more advanced toolsets to make our daily jobs easier and use our resources more efficient. This is what our Predictive Maintenance module is built for – improving the visibility into the heart of your SOC and giving you full insight and answers at an instant, right when you need them. There will be no more doubts or room for taking a wild guess on whether a SIEM has captured data you need and can provide it when it is needed, now you can rely on the facts and see a full picture at any point of time.

Yet, SIEM itself is but a piece of a solid security infrastructure and it needs to interconnect with a plethora of devices and security technologies. As noted by SANS in the beginning of 2015 more than 52% of companies responded to the SOC survey that they have little visibility into configurations and vulnerabilities of their assets that in turn reduces incident response efficiency. While vulnerability management and compliance assessment systems have been around since 1999 and have achieved a great success in both accuracy and speed of performing their jobs there is still a gap between operationalizing them when it comes to SOC. And this gap is closed through full integration of Vulnerability Management technologies with SIEM, and thus is one of first things we took care of via our Integration Framework.

Together with our first customers and partners we now prove in practice that framework is the basis for Continuous Vulnerability and Asset Monitoring. Now any company in the world can automate Vulnerability Management, Compliance & Configuration assessment platform operations in its SOC. Since not every company is the same when it comes to size, infrastructure, industry specifics and regulations, we have developed our platform to be available to all through pure SaaS and on-premise editions, deployable on VMware ESXi, Microsoft HyperV, Amazon AWS, KVM & Proxmox virtualization platforms. However, are the integration and automation going to take security as a whole to the next level of evolution? Not yet, and we have much more coming up in next few months. Stay tuned for updates!