Enterprise security operations centers (SOCs) exist for one purpose: detecting and responding to threats to the enterprise, whether external or insider. In cybersecurity, the defenders have never been ahead of the adversaries; more often than not they have fallen significantly behind and have struggled to recover from attacks. The challenge centers on the efficacy and relevance of detection algorithms and methodologies. Everything downstream depends on detection, and yet many enterprises continue to treat the symptoms almost exclusively (alert volume and noise, triage and response automation, and so on) without addressing, let alone solving, the core ailment: inferior detection.
For data breaches and cybersecurity threats, SOC processes haven't changed much in a decade. The starting point is typically to log common data sources into a SIEM (e.g., Splunk): raw events such as domain controller logs alongside processed events such as firewall alerts. Next come threat detection rules, typically hundreds of them, written on the SIEM by threat-intel and sometimes IR analysts to produce somewhat noteworthy 'incidents' for investigation. Finally comes ad hoc threat hunting, in which professionals use tools, scripts and human observation to find other noteworthy 'incidents' that the mundane SIEM rules missed or did not raise as an 'incident'.
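To make the pipeline above concrete, here is an added example (not code from the original post, and not any vendor's rule syntax): a toy version of the SIEM stages in Python. The log lines are constructed sample data in an assumed JSON-lines schema loosely modelled on Windows Security events (4625 = failed logon, 4624 = successful logon). One threshold rule of the kind analysts write by the hundred raises an 'incident' for failures followed by a success, and an ad hoc hunt then surfaces a pattern that the rule cannot fire on because nothing ever failed. The thresholds and window sizes are illustrative choices, not recommendations.

```python
"""Toy SIEM pipeline: a threshold detection rule over constructed logon events,
followed by an ad hoc hunt that finds what the rule missed.
All events below are constructed sample data, not real logs (assumption)."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events in an assumed JSON-lines schema.
# event_id 4625 = failed logon, 4624 = successful logon (Windows Security log).
RAW_EVENTS = """
{"ts": "2024-03-01T09:00:01", "event_id": 4625, "user": "alice", "src_ip": "10.0.0.5", "host": "DC01"}
{"ts": "2024-03-01T09:00:03", "event_id": 4625, "user": "alice", "src_ip": "10.0.0.5", "host": "DC01"}
{"ts": "2024-03-01T09:00:05", "event_id": 4625, "user": "alice", "src_ip": "10.0.0.5", "host": "DC01"}
{"ts": "2024-03-01T09:00:09", "event_id": 4624, "user": "alice", "src_ip": "10.0.0.5", "host": "DC01"}
{"ts": "2024-03-01T09:05:00", "event_id": 4624, "user": "bob",   "src_ip": "10.0.0.7", "host": "DC01"}
{"ts": "2024-03-01T09:06:00", "event_id": 4624, "user": "carol", "src_ip": "10.0.0.7", "host": "DC01"}
{"ts": "2024-03-01T09:07:00", "event_id": 4624, "user": "dave",  "src_ip": "10.0.0.7", "host": "DC01"}
{"ts": "2024-03-01T09:30:00", "event_id": 4624, "user": "bob",   "src_ip": "10.0.0.9", "host": "DC01"}
"""


def parse_events(raw):
    """Stage 1 (ingest): parse JSON lines into dicts with a datetime timestamp,
    sorted by time as a SIEM would present them."""
    events = []
    for line in raw.strip().splitlines():
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def rule_brute_force_then_success(events, threshold=3, window=timedelta(minutes=2)):
    """Stage 2 (detection rule): >= threshold failed logons from one src_ip,
    followed by a successful logon from the same src_ip inside `window`,
    raises an incident. This is the classic 'brute force then success' rule."""
    incidents = []
    failures = defaultdict(list)  # src_ip -> timestamps of recent 4625s
    for ev in events:
        src = ev["src_ip"]
        if ev["event_id"] == 4625:
            failures[src].append(ev["ts"])
        elif ev["event_id"] == 4624:
            recent = [t for t in failures[src] if ev["ts"] - t <= window]
            if len(recent) >= threshold:
                incidents.append({
                    "rule": "brute_force_then_success",
                    "src_ip": src,
                    "user": ev["user"],
                    "failures": len(recent),
                    "ts": ev["ts"].isoformat(),
                })
                failures[src].clear()  # do not re-raise on the same burst
    return incidents


def hunt_one_source_many_accounts(events, min_users=3, window=timedelta(hours=1)):
    """Stage 3 (ad hoc hunt): one src_ip that successfully logs on as
    >= min_users distinct accounts inside `window`. The threshold rule above
    never fires on this, because no logon failed; only a hunter asking a
    different question ('who is succeeding too broadly?') sees it."""
    by_src = defaultdict(list)
    for ev in events:
        if ev["event_id"] == 4624:
            by_src[ev["src_ip"]].append(ev)
    findings = []
    for src, evs in by_src.items():
        for i, first in enumerate(evs):  # evs are already time-sorted
            users = {e["user"] for e in evs[i:] if e["ts"] - first["ts"] <= window}
            if len(users) >= min_users:
                findings.append({"hunt": "one_source_many_accounts",
                                 "src_ip": src, "users": sorted(users)})
                break
    return findings


if __name__ == "__main__":
    evs = parse_events(RAW_EVENTS)
    for inc in rule_brute_force_then_success(evs):
        print("RULE INCIDENT:", inc)
    for finding in hunt_one_source_many_accounts(evs):
        print("HUNT FINDING:", finding)
```

Run as-is, the rule raises one incident for 10.0.0.5 (three failures, then success as alice) and says nothing about 10.0.0.7, which quietly logged on as bob, carol and dave within three minutes; the hunt is what surfaces the second host. That gap between what the rule set encodes and what the data actually contains is the 'inferior detection' problem the post is describing, and adding more rules of the first kind does not close it.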