Not Your Parents’ SOC? Building The Modern ‘Cyber Command Center’ | Straight Talk


This article is by Featured Blogger Jason Bloomberg from his blog Intellyx. Republished with the author’s permission.

Hackers are becoming more sophisticated in their attacks.

Detecting breaches in enterprise IT environments still takes months.

‘Zero day’ attacks – cyberattacks that target previously unknown vulnerabilities – can easily bypass most cybersecurity technology.

It’s time for the Security Operations Center (SOC) to rise to the challenge of modern enterprise cybersecurity.

AmerisourceBergen’s Three Cybersecurity Challenges

AmerisourceBergen is a leading wholesale pharmaceutical company that provides drug distribution and related supply chain services to pharmacies and healthcare providers throughout the globe.

I spoke with Umesh Yerram, AmerisourceBergen’s chief data protection officer, about how it handles cybersecurity. “We’re protecting healthcare delivery and its secure supply chain,” Yerram explained. “AmerisourceBergen actually impacts human life. We touch people’s lives.”

Yerram had a sober assessment of the cybersecurity challenges facing the company. “Threats over the last couple years have become more sophisticated,” he said. “There are new, more sophisticated threat vectors and new vulnerabilities.”

To address AmerisourceBergen’s cybersecurity challenges, Yerram focused his efforts on its Cyber Command Center (CCC) – a government and military term for what most enterprises call a ‘Security Operations Center’, or SOC.

The CCC faced three core challenges. First, identifying unknown threats, including zero-day attacks. “There are new threat vectors in the wild, and we wouldn’t know about them,” Yerram pointed out.

Second, the CCC had to find threats quickly – instead of the months that typical enterprises can take. “It takes a good month or two to learn that something happened in the environment. Enterprises are catching up but the time to detect is still too long,” Yerram said. “That’s why real-time detection is so important.”

The third challenge focused on the productivity of the analysts working in the CCC. “If a SOC analyst sees an alert, they don’t have to swivel chair to rule out false positives,” Yerram explained. “It takes a lot of time to do the initial triage.”

Supporting the SOC Analysts

The ‘swivel chair’ metaphor represents how SOC analysts typically have to view many different screens in order to tease out the story behind the firehose of alerts they have to deal with on a day-to-day basis. Not only can there be numerous false positives, but even for a bona fide threat, getting all the information together in order to analyze and mitigate the threat can be exhausting.

Such a situation can lead to SOC analyst burnout. “On a daily basis, SOC analysts are battling against increasingly sophisticated and highly-organized attackers,” explained Greg Martin, CEO and co-founder of JASK. “Yet they’re not able to perform to their true potential since they’re mired in alert triage, false neg/pos decision trees, swivel chair tool correlation, RSS and email list intelligence. Teams spend more time on routine threats and keeping their SIEM up and running than on protecting their organizations from the most dangerous, targeted attacks.”

Moving Beyond SIEM

SIEM stands for Security Information and Event Management, an earlier generation of cybersecurity technology that doesn’t rise to the challenges of the CCC. “We moved off a traditional SIEM platform. I call them ‘plasma TVs’ now, because they’re older technology,” Yerram said. “The traditional SIEM platform is past its expiration date.”

Instead, AmerisourceBergen purchased the Securonix Next-Gen SIEM Platform. “We use our Cyber Command Center for 24 x 7 monitoring,” Yerram said. “It’s based on the Securonix platform. Securonix provides a single pane of glass to detect threats and provides all the information in a couple of seconds with real-time queries. Our analysts are comfortable they have all the information they need.”

Securonix uses user identity and behavior analytics (UEBA) that leverages machine learning to create a baseline for what constitutes normal behavior across both human actions and technology. It then continually monitors activity, identifying anomalies that occur when an event diverges from the baseline. “If there’s a new threat vector, any deviation from the baseline focuses energy on the outliers,” Yerram said. “Our analysts can identify such threats on a real-time basis. That’s why we chose the Securonix platform.”
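To make the baseline-and-deviation idea concrete, here is a small added example of the same pattern in plain Python. It is not Securonix code and not part of the original article: it learns, per user, the source addresses, login hours and daily login volume seen over a constructed 14-day history, then scores a new day of events by how far each user drifts from that baseline, so the analyst's attention lands on the outliers first. All log records, user names, IP addresses and the scoring weights are constructed for the illustration.

```python
"""Toy UEBA-style baseline: learn per-user 'normal', then rank deviations on a new day.
Added illustration with constructed data; not the Securonix implementation."""
from collections import defaultdict
from statistics import mean, pstdev


def parse(record):
    """Turn a constructed (timestamp, user, src_ip, action) tuple into the features we baseline."""
    ts, user, src, action = record
    return {"day": ts[:10], "hour": int(ts[11:13]), "user": user, "src": src, "action": action}


def build_baseline(records):
    """Per user: known source IPs, typical login hour (mean/std) and typical daily volume (mean/std)."""
    hours, srcs = defaultdict(list), defaultdict(set)
    per_day = defaultdict(lambda: defaultdict(int))
    for r in map(parse, records):
        hours[r["user"]].append(r["hour"])
        srcs[r["user"]].add(r["src"])
        per_day[r["user"]][r["day"]] += 1
    model = {}
    for user in hours:
        daily = list(per_day[user].values())
        model[user] = {
            "srcs": srcs[user],
            # a perfectly regular history has std 0; fall back to 1.0 so z-scores stay finite
            "hour_mean": mean(hours[user]), "hour_std": pstdev(hours[user]) or 1.0,
            "vol_mean": mean(daily), "vol_std": pstdev(daily) or 1.0,
        }
    return model


def score_day(model, records, z_limit=2.0):
    """Score one day of events per user; a higher score means further from the user's baseline."""
    findings = defaultdict(lambda: {"score": 0, "reasons": []})
    counts = defaultdict(int)
    for r in map(parse, records):
        u, f = r["user"], findings[r["user"]]
        counts[u] += 1
        m = model.get(u)
        if m is None:  # edge case: an identity the baseline never saw cannot be 'normal'
            f["score"] += 5
            f["reasons"].append("no baseline for user")
            continue
        if r["src"] not in m["srcs"]:
            f["score"] += 3
            f["reasons"].append(f"new source {r['src']}")
        z = abs(r["hour"] - m["hour_mean"]) / m["hour_std"]
        if z > z_limit:
            f["score"] += 2
            f["reasons"].append(f"unusual hour {r['hour']:02d}:00 (z={z:.1f})")
    for u, n in counts.items():  # volume is a per-day feature, checked once per user
        if u in model:
            z = (n - model[u]["vol_mean"]) / model[u]["vol_std"]
            if z > z_limit:
                findings[u]["score"] += 2
                findings[u]["reasons"].append(f"{n} logins vs mean {model[u]['vol_mean']:.1f} (z={z:.1f})")
    return dict(findings)


def normal_day(day):
    """Constructed 'normal' workday: alice and bob log in from their usual hosts at usual hours."""
    recs = [(f"2024-05-{day:02d}T{h:02d}:05:00", "alice", "10.0.0.5", "login_ok") for h in (8, 9, 13, 17)]
    recs += [(f"2024-05-{day:02d}T{h:02d}:30:00", "bob", "10.0.0.7", "login_ok") for h in (10, 11, 15)]
    return recs


# Constructed history: 14 regular days.
BASELINE_RECORDS = [r for d in range(1, 15) for r in normal_day(d)]

# Constructed test day: normal traffic, plus three 03:00 logins for alice from an address
# never seen before, plus one login from an account with no history at all.
TEST_DAY_RECORDS = (
    normal_day(15)
    + [(f"2024-05-15T03:{m:02d}:00", "alice", "203.0.113.9", "login_ok") for m in (10, 12, 40)]
    + [("2024-05-15T02:00:00", "svc-backup", "10.0.0.9", "login_ok")]
)


def ranked_findings():
    """Outliers first: the analyst reads the top of this list, not the raw event stream."""
    findings = score_day(build_baseline(BASELINE_RECORDS), TEST_DAY_RECORDS)
    return sorted(findings.items(), key=lambda kv: kv[1]["score"], reverse=True)


if __name__ == "__main__":
    for user, f in ranked_findings():
        print(f"{user:12s} score={f['score']:3d}  " + "; ".join(f["reasons"]))
```

With this data alice scores highest (each 03:00 login from 203.0.113.9 trips both the new-source and unusual-hour checks, and the day's total of seven logins exceeds her usual four), the unbaselined svc-backup account scores next, and bob, whose day matched his history, scores zero. The weights and the z-score threshold are arbitrary; in a real deployment they would be tuned against the analysts' false-positive tolerance, which is exactly the triage burden the article describes.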

Finding the Needle in a Stack of Needles

Securonix CEO Sachin Nayyar explains his company’s thinking. “Security management has been primarily about threat detection – finding the needle that may be the cause of a cyber catastrophe for an organization, in a stack of needles,” Nayyar explained. “However, security management centered on detection of isolated anomalies has proven not to be actionable. Creating a list of threats without context, without recommended remediation actions, without an understanding of the actors and their motivations is useless in the modern Internet age.”

With the use of Securonix, AmerisourceBergen’s CCC is able to address its three core challenges: identifying both known and unknown threats, doing so in real time, and providing SOC analysts with a ‘single pane of glass’ that gives them the functionality they need to analyze and mitigate any threats.

Yerram is sanguine about the CCC’s capabilities. “The paradigm has shifted. It’s not just maintaining the perimeter,” he said. “We need 360-degree visibility. You need to look at unknown as well as known threats. Securonix matched our vision.”

Intellyx publishes the Agile Digital Transformation Roadmap poster, advises companies on their digital transformation initiatives, and helps vendors communicate their agility stories. As of the time of writing, Securonix is an Intellyx customer. None of the other organizations mentioned in this article are Intellyx customers.