Is your Security Operations Center or SOC struggling to act effectively and quickly when real incidents strike? Many enterprises still struggle despite extensive incident response mechanisms in place. Let’s look at the background and see how we got here.
As enterprise IT grew over the decades, the industry split itself up into distinct domains — Infrastructure, Endpoints, Applications, Identity, Operations, and Governance, to name a few. These domains were created because they each represent different core functions and areas of expertise. IT Security could be considered a significant domain on the list above. Still, since it applies as an overarching layer on top of the others, it is easier to manage as a distinct subdomain underneath each primary IT domain.
Security is compartmentalized into separate domains for the same reason IT is: to manage the complexity. So infrastructure security, endpoint security, and application security become separate disciplines and bodies of knowledge.
It was a necessary step during the early days of IT to divide and conquer. Let network engineers design and build networks, server ops teams run servers, and application teams create and run applications, and then spend months or years (perhaps with yet another specialty team) integrating the pieces into a functional whole. A few years go by, and IT systems start getting compromised and hacked; thus, the IT cybersecurity industry is born, and a security subdomain is spawned as needed in each respective IT domain.
Fast forward 30 years, and we still see this disjointed security model in play today in nearly all enterprises.
There is far more complexity to manage today versus 30 years ago, so “Hooray for security domains!” you may say. The problem, however, is that the limits of an enterprise’s IT security effectiveness are sewn into the basic model. Breaking security down into core elements managed complexity, but it also introduced complexity of its own. The confusion is most apparent in the realm of security operations.
SOCs need to react (or better, predict) quickly and accurately as events unfold. Security information pours in from a wide array of sources, often in huge volumes. The SIEM technology sector has done a halfway decent job of dealing with the first steps of ingesting and managing security data from across the security domains. But steps beyond these initial ones are where we see the effects of disjointed IT security play out.
Any enterprise holding tabletop incident response exercises notices something very quickly: a modern environment has a ton of moving parts, and those parts are not just numerous but interdependent. Each of those parts has a security function tied to it. Picking up after the initial step of managing security data, the SOC has many options across the security subdomains for action. Still, options do not guarantee an efficient and accurate incident response. Accuracy is critical in complex, interdependent enterprise IT systems.
That’s the bad news.
The good news:
- The security industry has been steadily working towards breaking down the silos between security domains, and
- Much of the SOC’s incident response activities (especially the early steps) are repetitive and formulaic.
Stay tuned for part two of this post, where we will discuss the good news. In the meantime, check out NTT DATA’s solutions for integrated security.