As the epidemic began to subside, life gradually returned to normal, but the digital transformation in response to the epidemic, such as remote office and cloud applications, has not slowed down and is still booming; more than 70% of enterprises are willing to maintain remote office due to the benefits of flexibility. The state of road management has also changed accordingly.
However, remote work means that employees must perform business on weekdays and leave in a relatively secure network, and can no longer be in a controlled and protected environment; in other words, unlike the centralized IT environment of the past, remote endpoints, The cloud platform has become an “outsider place”, posing new challenges to corporate information management. How to make the Security Operation Center (SOC) continue to function in the new environment and protect the security of the enterprise’s digital environment has also become the focus of the information security team.
The epidemic has accelerated the pace of digital transformation, and traditional SOCs have been put to the test
An epidemic has made companies and enterprises around the world go through a major test, which is to support workers to work online, remotely, quickly and safely. Not only does this place considerable reliance on the enterprise’s cybersecurity team, communications protocols, and systems, it also exposes a technology gap between the corporate location and the remote home office; Mobile, a highly distributed workforce will continue to be targeted, and attackers will continue to exploit a situation that has been dormant for years.
At the same time, information security threats built on traditional security information and event management (SIEM) Detection management (SOC) can no longer provide a solution that is elastic and scalable to keep up with the speed of digital transformation, cloud initiatives and advanced attack activities.
This makes the traditional SOC environment face five major challenges, namely lack of visibility and context, increased investigation complexity, a large number of low-fidelity warnings generated by security controls, resulting in warning paralysis and “noise” leading to lack of system interoperability and lack of automation and coordination, and the inability to collect, process, and contextualize threat intelligence data. These can leave security analysts too busy to identify, manage and remediate significant threats.
Therefore, how to make the information security operation center continue to function in the new environment, protect the security of the enterprise digital environment, and also support the necessity of fully remote user workforce and ecosystem has become the number one priority for countless IT and security teams.
Information security provider Palo Alto Networks pointed out that the impact of widespread intrusion and home office has accelerated the need for newer and more flexible SOC operation methods and subsequent management. A perimeter-centric approach to network security is outdated, with security infrastructure and systems located far beyond the traditional Internet perimeter and extending to the cloud and to every connected device or endpoint. Both require some level of visibility and control over their activities and behaviors to effectively defend against intrusions.
Implementing four major steps and three key technologies makes SOC transformation easier
In short, the digital environment is constantly transforming, and enterprises also need to use new methods to solve the challenges of information security operations at this stage. So, how to shape a forward-looking SOC? In this regard, Palo Alto Networks proposes four major steps and three key technologies.
In terms of four major steps, the first is to audit the environment to help reduce the security risks associated with tool proliferation; the second is to automate workflow; the third is to use machine learning-driven intelligence to enhance human capabilities; Excellent security team.
After completing the above four steps, three key technologies need to be considered to formulate a complete security operation strategy in order to establish a flexible and efficient SOC.
First, understand the scope of the attack to strengthen the risk management function. After all, one of the fundamental components of SOC transformation is a strong risk management function. The second is to coordinate in the product stack to improve the efficiency of incident response; that is, to make good use of security coordination, automation and response (SOAR) tools to allow enterprises to define incident analysis and response procedures through a digital workflow format. The third is to introduce “Extended Detection and Response (XDR)” to improve security effectiveness; because the basic reason for establishing XDR is to prevent attacks more efficiently, detect attacker techniques and strategies that cannot be defended, and assist SOC Teams respond better to threats that require investigation.
To sum up, Palo Alto Networks emphasizes that the new SOC must be able to achieve three major items, which are effective defense measures to contain threats, use AI and machine learning to detect sophisticated attacks, and use automated mechanisms to speed up investigations.
Highly integrated, Cortex kits add fuel to SOC transformation
To assist enterprise SOC transformation, Palo Alto Networks has Cortex product suites (Cortex XDR, Cortex XSOAR, and Cortex Xpanse), which can be tightly integrated with each other to perform various security operations.
Cortex XDRTM blocks attacks at endpoints and hosts with world-class EDR for Windows and Linux hosts, and automates evidence collection, groups relevant alerts, puts these alerts in a timeline, and uncovers root cause Provides incident-focused detection and response capabilities by accelerating triage and investigation by analysts of all skill levels.
Cortex XSOAR provides a single platform for point-to-point incident and lifecycle management of safe operating procedures. Security teams of all sizes can take advantage of over 725 pre-built, integrated content suites, powerful security-focused case management, and instant collaboration to coordinate, automate, and accelerate incident response and any security workflow or security procedures.
As for Cortex XpanseTM, it can provide a complete and accurate inventory of the enterprise’s Internet-facing global cloud assets and error settings to continuously discover, assess and mitigate external attack areas, flag risky communications, assess supplier risk, or assess M&A target security.
In short, each of these three products has its own unique functions and advantages, but after proper integration, its positive effects will increase exponentially, giving enterprises top-level detection, investigation, automation and response capabilities , to help reduce the risk and impact of intrusion, allowing SOC teams to eliminate various threat cycles through continuous collaboration between the Cortex ecosystem. ( See Palo Alto Networks official website for more SOC details )
Daniel J. Brown
Daniel J. Brown (Editor-in-Chief) is a recently retired data analyst who gets a kick out of reading and writing the news. He enjoys good music, great food, and sports, with a slant towards Southern college football, basketball and professional baseball.