Modern SOC Automation

Expert Insights: Modern SOC Automation – The New L1 Analyst

April 14, 2023
| Pravin Ganesan
| Security Operation Center

The Security Operation Center (SOC) is vital to keeping your organization safe as the cybersecurity landscape evolves and new technologies arrive. Rapid deployment of cloud computing, the Internet of Things (IoT), and mobile devices has widened the attack surface of most organizations. SOCs must adapt to these changes and devise strategies to secure these new technologies while mitigating their risks, and that means improving SOC operations with modernized tools.

Cybersecurity Exchange got in touch with Pravin Ganesan, Senior Security Analyst at RHB, Malaysia, to discuss the emerging trends and challenges associated with SOCs. He has over seven years of demonstrated experience working in the information technology and services industry. Pravin is a network and information technology professional with a degree in networking and security. He has both the skills and the foundational education associated with digital security. He also has extensive experience in information security, which includes using SIEM tools and monitoring systems, conducting security incident response, managing information security policies and standards, performing vulnerability assessments, and carrying out SOC operations.

Pravin offered a few key insights and tips for security teams on managing security operations seamlessly in today’s digital age.

Edited excerpts from the interview are as follows:

1. What are the biggest challenges you face as a SOC practitioner?

One of the few challenges that I face is the need for more resources. As a SOC, we are constantly growing and onboarding multiple new technologies to secure the organization. By doing so, we are increasing the amount of data intake into the SIEM, which leads to the creation of new use cases. With the increase in events or alerts in the SIEM and the lack of resources to handle them promptly, there are instances in which we will miss out on an alert from a different tool. So, the best-case scenario is first handling events with a higher severity rating.

Besides that, analyzing the existing tools in the market and determining the most suitable tool are the biggest challenges. Many SOARs or SIEM tools are available in the market, and all of them have features that can help the organization, but ultimately the main factor besides the relevance is the price. We have a fixed number of resources, and implementation should yield results. Stakeholders want to know the benefits of having a particular technology and its cost, so even after its implementation, we must ensure the technology is worth the investment.

2. What are some of the most exciting developments in the industry over the past year?

Well, one of the exciting technologies that caught my attention is user behavior analytics (UBA). User behavior analytics is a cybersecurity process for detecting insider threats, targeted attacks, and financial fraud that tracks a system’s users. UBA looks for patterns in human behavior and then analyzes their findings to detect potential threats. UBA solutions use artificial intelligence (AI) and machine learning (ML) to analyze large datasets to identify patterns that indicate security breaches, data exfiltration, or other malicious activity that might otherwise go unnoticed by security, IT, and network operations personnel.
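The baseline-and-deviation idea behind UBA can be shown with a small amount of code. The following is an added example written for this page, not code from the interviewee or from any UBA product: it builds a per-user baseline (countries, hosts and logon hours seen in successful logons) from constructed historical authentication records, then scores new records against that baseline. The log format, the user names and the two-hour tolerance window are all assumptions chosen for the illustration.

```python
"""UBA-style baseline/deviation check over constructed authentication logs (added example)."""
from collections import defaultdict
from datetime import datetime

# Constructed sample records (not real data): "timestamp,user,src_country,host,result"
HISTORICAL = """\
2023-03-01T09:12:00,alice,MY,WS-ALICE,success
2023-03-02T08:55:00,alice,MY,WS-ALICE,success
2023-03-03T09:30:00,alice,MY,WS-ALICE,success
2023-03-06T10:05:00,alice,MY,WS-ALICE,success
2023-03-01T14:00:00,bob,MY,WS-BOB,success
2023-03-02T13:45:00,bob,MY,WS-BOB,success
2023-03-03T15:10:00,bob,MY,WS-BOB,success
2023-03-06T14:30:00,bob,SG,WS-BOB,success
"""

NEW_EVENTS = """\
2023-04-10T09:05:00,alice,MY,WS-ALICE,success
2023-04-10T03:20:00,alice,RU,WS-ALICE,success
2023-04-10T14:15:00,bob,SG,FILESRV01,success
2023-04-10T14:16:00,carol,MY,WS-CAROL,success
"""


def parse(text):
    """Parse the constructed CSV-style records into dicts."""
    events = []
    for line in text.strip().splitlines():
        ts, user, country, host, result = line.split(",")
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "country": country, "host": host, "result": result})
    return events


def build_baseline(events):
    """Per-user sets of countries, hosts and logon hours from successful logons."""
    baseline = defaultdict(lambda: {"countries": set(), "hosts": set(), "hours": set()})
    for e in events:
        if e["result"] != "success":
            continue
        b = baseline[e["user"]]
        b["countries"].add(e["country"])
        b["hosts"].add(e["host"])
        b["hours"].add(e["ts"].hour)
    return baseline


def score_event(event, baseline):
    """Return the list of ways the event deviates from the user's baseline."""
    if event["user"] not in baseline:
        return ["no baseline for user"]
    b = baseline[event["user"]]
    reasons = []
    if event["country"] not in b["countries"]:
        reasons.append(f"new country {event['country']}")
    if event["host"] not in b["hosts"]:
        reasons.append(f"new host {event['host']}")
    # Assumed tolerance: an hour within +/- 2 of any previously seen logon hour is normal
    if not any(abs(event["ts"].hour - h) <= 2 for h in b["hours"]):
        reasons.append(f"unusual hour {event['ts'].hour:02d}:00")
    return reasons


def detect(historical_text, new_text, min_reasons=1):
    """Learn the baseline from historical records, flag new records with >= min_reasons deviations."""
    baseline = build_baseline(parse(historical_text))
    findings = []
    for e in parse(new_text):
        reasons = score_event(e, baseline)
        if len(reasons) >= min_reasons:
            findings.append((e["user"], e["ts"].isoformat(), reasons))
    return findings


if __name__ == "__main__":
    for user, when, why in detect(HISTORICAL, NEW_EVENTS):
        print(f"{when} {user}: {'; '.join(why)}")
```

Raising `min_reasons` is the simplest way to trade recall for precision: with the sample data, only the off-hours logon from a never-seen country accumulates two deviations, while a new file server or a user with no history at all yields one each and is better handled as a low-priority review item than as an alert. A real UBA product replaces these sets with statistical or ML models, but the workflow (learn normal per entity, then score against it) is the same.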

3. How do you think SOC operations will change in the future?

In the future, there won’t be an L1 analyst in SOC, as most of the tasks and analysis might be automated, and what used to be a monitoring scope might change into a response and action scope. So once the automated process checks and even detects it as suspicious, a SOC analyst would have to further confirm this detection and follow the relevant SOP to act. But ultimately, even if the process gets automated, the final touch or call will fall to humans. So even if an AI determines that an activity is malicious, a human analyst will have the final say.
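The division of labour described in this answer, where automation enriches, prioritizes and closes documented noise while a human confirms anything suspicious and owns the final call, can be sketched as a small triage pipeline. This is an added illustration written for this page, not the interviewee's or RHB's tooling. The alert fields, the severity scale, the enrichment sources (an allowlisted scanner, a constructed threat-intel list, a service-account list) and the dispositions are all assumptions.

```python
"""Alert triage automation with a mandatory analyst decision step (added example)."""
from dataclasses import dataclass, field
from enum import Enum


class Disposition(Enum):
    AUTO_CLOSED = "auto_closed"      # documented benign noise, closed and logged
    NEEDS_ANALYST = "needs_analyst"  # routine queue for human review
    ESCALATED = "escalated"          # priority queue; analyst confirms and applies the SOP


@dataclass
class Alert:
    alert_id: str
    rule: str
    severity: int          # assumed scale: 1 (low) .. 4 (critical), as set by the SIEM
    src_ip: str
    user: str
    context: dict = field(default_factory=dict)


# Constructed enrichment sources standing in for asset inventory and TI feeds
KNOWN_SCANNERS = {"10.0.0.5"}       # authorized vulnerability scanner
TI_BAD_IPS = {"203.0.113.7"}        # constructed threat-intel hit (documentation range)
SERVICE_ACCOUNTS = {"svc_backup"}


def enrich(alert):
    """Attach the context an L1 analyst would otherwise look up by hand."""
    alert.context["authorized_scanner"] = alert.src_ip in KNOWN_SCANNERS
    alert.context["ti_hit"] = alert.src_ip in TI_BAD_IPS
    alert.context["service_account"] = alert.user in SERVICE_ACCOUNTS
    return alert


def triage(alert):
    """Decide what automation does before an analyst sees the alert.

    Automation may close documented benign noise and may raise priority, but it
    never executes a containment action on its own: that remains the analyst's call.
    """
    enrich(alert)
    c = alert.context
    if c["authorized_scanner"] and alert.rule == "port_scan":
        return Disposition.AUTO_CLOSED, "source is an authorized scanner"
    if c["ti_hit"] or alert.severity >= 3:
        return Disposition.ESCALATED, "TI hit or high severity; analyst to confirm and apply SOP"
    return Disposition.NEEDS_ANALYST, "routine review"


def run_queue(alerts):
    """Process highest severity first (cf. Q1) and return the ordered worklist."""
    results = []
    for a in sorted(alerts, key=lambda x: -x.severity):
        disposition, reason = triage(a)
        results.append((a.alert_id, disposition, reason))
    return results


def final_action(disposition, analyst_confirmed):
    """No containment without explicit analyst confirmation, whatever automation concluded."""
    if disposition is Disposition.ESCALATED and analyst_confirmed:
        return "contain per SOP"
    if disposition is Disposition.AUTO_CLOSED:
        return "closed (logged for audit)"
    return "await analyst"


# Constructed sample alerts
SAMPLE_ALERTS = [
    Alert("A1", "port_scan", 2, "10.0.0.5", "svc_scanner"),
    Alert("A2", "brute_force", 3, "203.0.113.7", "alice"),
    Alert("A3", "new_admin_user", 4, "10.0.4.22", "bob"),
    Alert("A4", "failed_login", 1, "10.0.4.9", "svc_backup"),
]

if __name__ == "__main__":
    for alert_id, disposition, reason in run_queue(SAMPLE_ALERTS):
        print(alert_id, disposition.value, "-", reason)
```

Two design choices carry the point of the answer: auto-closure is limited to cases backed by an inventory fact (an allowlisted scanner triggering a scan rule), so every closure is explainable in an audit, and `final_action` refuses to return a containment step unless the analyst has confirmed, so a false positive from the automation or the threat-intel feed cannot block a legitimate user by itself.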

4. What is the most beneficial aspect of modernizing SOC operations?

Modernizing SOC will improve the security posture and, hopefully, reduce costs. Tools such as extended detection and response (XDR) that collect threat data from previously siloed security tools across an organization’s technology stack for easier and faster investigation, threat hunting, and response will seem better than a modern SOC. When we look into improving our SOC operations, having tools that cover all domains would be efficient. Implementing unique technology for each domain will make it more secure but won’t be cost-effective.

5. What are some challenges of implementing a modernized SOC operation?

The migration of current technology to newer technology. We must consider the compatibility and synchronization ability with other technologies within the organization’s environments. There are cases whereby only a specific version of the operating system is supported or only a particular log type is readable by the tool. These elements will fall into place if we try to build a stable ecosystem. Understanding the interaction between the technologies will be taxing, and implementing and testing its functionality is another tedious journey. Another challenge will be the all-time factor of time and money: the time it takes to complete the implementation and the project cost will always be a factor to be considered. Even after implementing new technologies or event policies, we would need to train the current support team to prepare for the newer technologies. This training also takes up resources, but it’s required.

6. In what ways can companies benefit from implementing a modernized SOC operation?

Hopefully, the SOC analyst workload will be reduced with the correct implementation. Companies will have much more streamlined security processes and better postures. If the current performance is ironclad, it will save them money in the near future, and companies can redirect these resources to upskill internal talents.

7. What does it take to be successful with a modernized SOC operation?

Proper planning and understanding of the current and future requirements of the organization. To ensure the flawless operation of SOC for the organization, we need to understand the existing issues and potential risks. By forming a strategy around it, we should be able to create a fully functional next-gen SOC that meets the stakeholder’s objectives.

8. Do you have any tips for aspiring professionals interested in learning more about modernizing SOC operations?

Well, most SIEM or technology providers will have their own version of SOC modernizing. Comparing different technology definitions of SOC modernizing will give you a clear understanding. Once you have studied or established your organization’s goals and targets, focus more on the technology matching the criteria. Always look into future trends and threats because the threat landscape is constantly evolving, so it’s best to prepare ourselves by understanding how much technology could address them.

9. What does it mean to be a SOC practitioner today, and how has your role changed over time?

The primary role involves more technologies and investigations, so I can’t say how it has changed. But as an analyst, the roles are migrating to be more proactive rather than reactive, so that’s a significant change that has to be noted. Analysts have to be on their feet and stay vigilant about existing and potential threats since we have to gather the relevant indicators of compromise and provide them to our FW and AV teams for blocking.

10. Is there anything else you’d like to add about your role as a SOC practitioner today or any other thoughts on how modernized SOC operations are shaping the future of security?

The main takeaway from this is that the security domain and threat landscape is growing side by side, and as a SOC practitioner, I have to be aware of these changes. We need to ensure that the right policies and rules are in place. We need to make sure the current technology that we have in place will be able to protect us from a zero-day attack. It’s a nearly impossible task, but we must cover all grounds. My suggestion is more of a rule of thumb: educate the organization’s staff and members. Cybersecurity awareness training should be enforced in organizations to ensure all members are aware of or have a common understanding of potential security risks. Most attacks directly result from phishing, where users either click on malicious links or download malicious attachments because the source looks legitimate. With proper cybersecurity education, we can reduce these types of risks.

About the Author

Pravin Ganesan

Senior Security Analyst, RHB Banking Group

Pravin Ganesan works as a senior security analyst in Malaysia. He has over seven years of demonstrated experience working in the information technology and services industry. Pravin is a network and information technology professional with a degree in networking and security. He has both skills and foundational education associated with digital security. He also has extensive experience in information security, which includes using SIEM tools and monitoring systems, conducting security incident response, managing information security policies and standards, performing vulnerability assessments, and carrying out SOC operations.
