From Overwhelmed to Optimized: Transforming the SOC

Most monitoring programs were initially established by enabling as many security alerts as possible across the entire stack, pushing them to a SIEM, and tasking a subset of Analysts to become the SOC and tune the SIEM as much as possible to curate and prioritize the “right alerts at the right time”. This rapidly resulted in the SOC become overwhelmed with alerts and unable to identify the most pressing priorities. The SOC may have since grown or moved to a partner and the underlying SIEM itself may have changed, but many are still struggling with the same challenges but at a greater scale.
Many enterprises have begun adopting a new foundational approach to solving these challenges or more specifically, enabling the SOC and their tooling to respond to top priorities, as early as possible: positioning continuous contextual asset-based intelligence at the core.

Why Asset Intelligence?

We ultimately flood the SOC with alerts because it’s unclear which alerts from all connected assets visible to the stack and the SIEM could have a direct business impact or have the potential to do so if not quickly detected and addressed.

Our businesses are both powered and exposed by our connected assets, yet it’s often unclear how each asset is used by the business or how assets are at a high risk of leading to a material business impact. The individual tools in the security stack are unclear of how each asset registering malicious or suspicious activity relates to the business. This limits the ability to effectively establish severity based on business impact and in turn, leads to the prioritization of alerts based on only very limited technical context. When each tool has been configured to over-alert such that “nothing is missed” and prioritization is based on such limited technical context, the SOC is faced with a constantly overwhelming list of conflicting priorities.

Positioning asset-based intelligence at the core of the SOC’s prioritization engine unlocks the ability to centrally validate and prioritize, deprioritize or dismiss each alert based on its business value, the actual opportunity for exploitation, and the potential impact that exploitation could have on the business.

Operationalizing This Concept At Scale

There’s an overall recommended approach when it comes to modernizing and optimizing the SOC around asset intelligence.
Before we get to this recommendation, the first and foundational step is to adopt a modern continuous asset discovery, identification and intelligence platform that augments or replaces existing asset discovery and inventory solutions. This enables the move from static, incomplete CMDB data with limited contextual value to continuously consumable asset intelligence that guides prioritization.

At the highest level, SOCs should position the intelligence platform between the rest of the security stack and the SIEM / SOAR to validate and triage every incident for suppression or response.

Subsequently move from managing asset-based monitoring and alerting policies within each individual platform by integrating the stack and migrating to a consolidated set of contextual policies that are maintained primarily within the intelligence platform.
From there, focus on orchestration and identifying and optimizing capabilities through regular business risk and threat intelligence-based threat hunts.

Addressing The Common Challenges Preventing Progress

The common challenge preventing many teams from moving to this modern model are resource constraints. The team is already overwhelmed and undertaking optimization projects to address long-term challenges and position the SOC for the future when simply attempting to keep their head above water can make it challenging to even get started, let alone continuously optimize.

Experienced partners can often be the most effective means of achieving and maintaining our SOC optimization aspirations. For organizations looking to achieve these outcomes, Armis Managed Threat Services (MTS) is here to help. Armis’ consultative experts work closely with your team on enabling highly curated and high efficacy monitoring and alerting capabilities that evolve with your business and threat landscape. These capabilities are continuously assessed though active threat hunts designed to both identify covert threats and optimize corresponding detection capabilities. Throughout, the team works closely with your SOC and partners to ensure that their objectives are being met and optimizations realized against the right business and team priorities.

We manage the asset intelligence platform and help you realize the maximum operational benefits at scale.