How Ready Is the SOC Team to Meet the Attack?

Publication Date

December 28, 2023


Rapidly developing technologies such as IoT, 5G, cloud and OT, together with the digital transformation projects institutions implement to serve their customers better, not only expand the surface exposed to cyber attacks but also increase the number of attacks. In fact, research shows that 27% of IT professionals receive more than 1 million security alerts daily. A 10-person security operations center (SOC) could not manage this volume of alerts without the help of automated tools.

Over the years, as the sophistication and volume of malicious actors have increased, automated detection, prevention and response have become must-haves, and SOC teams have grown increasingly reliant on automated solutions to detect and prevent threats and to perform repetitive operational tasks such as alert monitoring and triage.

Relying too much on AI in security?

The industry has developed advanced, AI-based tools such as next-generation antivirus, next-generation firewalls, and security orchestration, automation and response (SOAR) platforms to address the increasing volume and complexity of threats. Unfortunately, even the best AI cannot detect and prevent 100% of the threats to our organizations, and some attacks will eventually succeed. When that happens, we depend entirely on the skills of our incident response teams, and many attackers have prepared for exactly that. How ready are our SOC teams, and have we become too dependent on these tools?

A 2020 VMware survey shows that 92% of participating US businesses have seen an increase in attack volume, with 84% reporting increased sophistication of attacks. Not only are attackers becoming more effective, but our attack surface is expanding with new points of exposure, including supply chain vulnerabilities, application vulnerabilities and human error. Industry leaders acknowledge the impact of increasing attack sophistication on the cybersecurity industry as a whole and warn that major breaches like the recent SolarWinds attack can no longer be considered outliers.

These high-profile attacks are the result of a collective failure of our technologies and our human factor, the incident response teams, to detect, alert on and prevent them. Incident response teams are tasked with analyzing the information provided by security tools and conducting investigations that let them quickly identify the source of the threat, understand the organization’s current risk, determine the root cause, and act before damage occurs. The same threat, or threats with similar characteristics, may arise again in the future and must be remediated. But it does not matter how much we invest in tools when the people using those tools are not skilled and trained to use them.

How do SOC teams typically work?

During an active cyber attack, SOC teams operate in one of three scenarios:

  • Scenario 1. Automated prevention tools detect and block the attack before it enters the network. Typically these are the less sophisticated attacks and attackers. We analyze the attack after the incident and tighten our security policies.
  • Scenario 2. Our detection tools issue an alert. We review the alert, determine that it is not a false positive, and decide whether immediate investigation is required. Once the attack is found to have succeeded, it is a race against time: our response time directly drives the overall cost to the company following the breach.
  • Scenario 3. Attackers infiltrate our network under the radar without triggering any alert. This is the worst-case scenario. Attackers actively engage in lateral movement to elevate their privileges and to find where private data is stored, or to find a critical application they can encrypt and hold for ransom. Successful organizations address this difficult but common scenario with regular threat hunting, in which teams constantly trawl the network for suspicious activity that could reveal an attack in progress. These operations are typically performed through endpoint detection and response (EDR) and SIEM platforms.

The last two scenarios are the most common in high-profile attacks and require significant expertise from SOC teams. Even if you have invested in state-of-the-art SIEM and EDR platforms, teams need to be skilled and trained in understanding where to look for evidence, how to analyze it, and how to interpret what it means. To contain the attack, they must act on that evidence, and since they need to do so quickly, they need to be extremely proficient with the tools.

They must also work effectively as a team under severe time pressure. While one team member is looking for suspicious activity in the EDR, another may be using the SIEM platform to review logs and correlate them with the EDR indicators. They need to sift through the corporate knowledge base for threat intelligence related to these findings and then look for similar cases from the past.
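The SIEM-to-EDR correlation described above, as an added example that is not part of the original article: given the hosts the EDR has flagged (with the time of the first alert), it scans constructed SIEM logon lines for remote logons from those hosts within a short window after the alert, which is the lateral-movement evidence a hunter would look for in Scenario 3. Host names, users and the log format are all constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed EDR indicators: host flagged by the EDR -> time of its first alert.
EDR_INDICATORS = {
    "ws-finance-07": datetime(2023, 12, 20, 9, 12),
    "ws-hr-03": datetime(2023, 12, 20, 9, 40),
}

# Constructed SIEM export: one network logon event per line.
SIEM_LOGS = """\
2023-12-20T09:15:02 LOGON type=network src=ws-finance-07 dst=fs-01 user=jdoe
2023-12-20T09:18:44 LOGON type=network src=ws-finance-07 dst=db-02 user=jdoe
2023-12-20T09:45:10 LOGON type=network src=ws-hr-03 dst=dc-01 user=svc_backup
2023-12-20T11:02:55 LOGON type=network src=ws-sales-11 dst=fs-01 user=mkim
2023-12-19T17:00:00 LOGON type=network src=ws-finance-07 dst=fs-01 user=jdoe
"""


@dataclass
class Logon:
    ts: datetime
    src: str
    dst: str
    user: str


def parse_logons(text: str) -> list[Logon]:
    """Parse the constructed 'ts LOGON key=value ...' lines; skip anything malformed."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6 or parts[1] != "LOGON":
            continue
        fields = dict(p.split("=", 1) for p in parts[2:])
        events.append(Logon(datetime.fromisoformat(parts[0]),
                            fields["src"], fields["dst"], fields["user"]))
    return events


def correlate(indicators: dict, logons: list[Logon], window=timedelta(hours=2)) -> dict:
    """For each EDR-flagged host, list the remote logons it initiated within
    `window` after its first alert: (timestamp, destination host, account).
    Logons from unflagged hosts, or from before the alert, are ignored."""
    hits: dict = {}
    for ev in logons:
        alert_at = indicators.get(ev.src)
        if alert_at is not None and alert_at <= ev.ts <= alert_at + window:
            hits.setdefault(ev.src, []).append((ev.ts, ev.dst, ev.user))
    return hits
```

Each hit is a destination host the investigation should pivot to next; the logon from the day before the alert is correctly left out of the result.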

The human element proves to be quite important

Human reaction speed is critical. According to IBM, the average total cost of a corporate data breach in 2020 was $3.86 million worldwide and $8.64 million for US businesses. At the same time, it took approximately 280 days to identify and contain these breaches. Industry research has shown that the cost of a breach grows with the time the attacker goes undetected, so faster response time is a critical goal for businesses when budgeting for new tools or for better skills development and training for their teams. Going forward, knowledgeable SOC teams will respond much faster than those with less proficiency or weaker tools.

Most organizations fail because of inadequate investment in technology. Others, by contrast, have some of the newest and most expensive tools but lack teams with the skills to use them effectively in an incident or threat hunting scenario. Compare this to a nation that purchases the latest combat-ready fighter jets to defend its airspace and then assigns pilots trained only in basic takeoff and landing.

As threat actors’ tactics become more common and prolific, it is more critical than ever for SOC teams to keep pace. Enterprise security tools, excellent as they are in their own right, are ultimately only as effective as the cybersecurity experts who use them. We cannot assume that tools will do the job on their own, and we cannot underestimate the importance of our teams’ skill level. Effective defense requires a combination of the advanced tools available on the market and the advanced skills of cybersecurity teams.

According to Cybersecurity Ventures, in 2021 business leaders’ security budgets will be; it is now more important than ever to train, retain and upskill SOC teams so that they are able to operate these expensive tools. The tools are excellent, but only in skilled hands. In the wake of unprecedented cyberattacks, we know that these expensive tools will only become more effective as the professionals who operate them improve their skill sets. To this end, corporate leadership should prioritize strengthening the hands-on skills of the SOC team to prevent the next major breach, or to reduce the ultimate cost to their organization and their customers if they are affected.

SOC Team Training

Realistic simulated training can take the SOC team’s experience, skills and teamwork to the next level. By training with realistic simulation exercises, your team will be both technically and mentally better prepared when the real attack occurs. By measuring the maturity level of your employees through the training they receive, and providing the training they still need, you can raise the maturity level of your team.

If you are wondering what you can do to increase the knowledge and skills of your SOC team, you can reach us via our contact information.