Andy Milne at Forescout discusses how a combined IT and OT SOC can create a faster, comprehensive and more cost-effective approach to threat management
Often, the Security Operations Centre (SOC) is all that stands between an organisation and a potentially devastating cyber-attack. Yet, today’s SOC teams are fatigued. Not just from thousands of alerts, false positives, and burnout, but from a rapidly changing threat landscape.
It’s no longer just about IT. Operational Technology (OT) and IT have merged, leading to shared responsibilities in managing critical infrastructure. This convergence has fundamentally changed the threat landscape, as malicious actors now have a bigger attack surface and more points of weakness to exploit.
Despite the risk, many organisations continue to operate in silos, with OT and IT systems secured through separate security processes and solutions. Whilst OT security does require specific tools and expertise, one area where organisations can leverage their existing resources and personnel is the SOC.
Whilst an OT SOC requires more time, effort, and technical expertise than many organisations are initially prepared for, those that can consolidate OT security within an existing IT SOC will achieve greater visibility of the assets at risk, as well as comprehensive threat mitigation.
Integrating OT security into the SOC can come with its challenges, especially if it is still a relatively new concept or skillset. For example, on the IT side, cyber-security activities have evolved to the point where they’re increasingly automated in the SOC. But on the OT side, many organisations still rely on manual activities.
Merging cultures
With that in mind, one of the first challenges facing organisations is bringing together two cultures. IT and OT teams traditionally have distinct sets of objectives, priorities, and communication styles. IT teams are typically focused on maintaining the confidentiality, integrity, and availability of data and applications, while OT teams prioritise the reliability, safety, and resilience of operational systems.
The parallel, and sometimes conflicting, roles and priorities of IT and OT teams leave ample opportunity for security oversights and vulnerabilities.
Bridging these two cultures requires a shared understanding of each other’s goals and workflows, as well as a willingness to compromise and collaborate.
Complexity of technology
Secondly, there is the complexity of the technology environment. A converged IT and OT environment can involve a mix of legacy and modern hardware and software systems, ranging from cyber-physical systems such as industrial control systems (ICS) and supervisory control and data acquisition (SCADA) systems to enterprise resource planning (ERP) and customer relationship management (CRM) systems.
Integrating these disparate systems into a cohesive security architecture requires deep expertise in both IT and OT, as well as the ability to understand the vulnerabilities within each system.
Threat intelligence
Thirdly, there is the challenge of threat intelligence. IT and OT systems are exposed to different sets of threats and attack vectors. Cyber-criminals are increasingly targeting OT systems, which are often seen as easy targets due to their outdated and unpatched technology stacks.
Conversely, IT systems may be vulnerable to supply chain attacks, where attackers compromise upstream vendors or partners to gain access to the IT environment. A converged IT and OT SOC requires a holistic understanding of both threat landscapes, as well as the ability to share threat intelligence across teams.
Compliance
Finally, there is the issue of regulatory compliance. IT and OT systems are subject to different sets of regulatory requirements and a converged IT and OT SOC must adhere to these standards while also ensuring their approach to security is aligned with the organisation’s overall risk management strategy.
Transitioning to a converged SOC is essential in today’s cyber-security landscape, but it will take time and thought to execute. This integration requires not only specific technology investments, but an alignment of disparate IT and OT specialists with widely varied understandings and approaches to security.
When we think about how to bring IT and OT together, a good way to break down and process these silos is to standardise the data and terminology. By providing a unified view of all assets including IT, IoT and OT, along with the visualisation of traffic flows between these systems, everyone has the same level of visibility.
Once everyone can ‘see’ the exact same dataset, they can then work collaboratively towards the common goal of securing the entire organisation. This in turn will streamline processes, improve efficiency, and save money.
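The unified view described above, as an added example that is not Forescout's code: two differently-shaped inventories (a hypothetical IT CMDB export and a hypothetical OT asset list, plus one IoT record) are normalised into a single asset schema with shared zone terminology, and constructed flow records are then labelled zone-to-zone so the flows crossing between IT, IoT and OT, and those from addresses no inventory knows about, are the ones both teams see first.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

@dataclass(frozen=True)
class Asset:
    ip: str
    name: str
    zone: str  # "IT", "IoT" or "OT": one vocabulary for both teams
    kind: str  # vendor-neutral device class

# Constructed sample exports with deliberately different field names.
CMDB_EXPORT = [  # hypothetical IT CMDB export
    {"hostname": "eng-ws-01", "ipv4": "10.1.0.15", "os": "Windows 11"},
    {"hostname": "hist-srv", "ipv4": "10.1.0.40", "os": "Windows Server 2019"},
]
OT_INVENTORY = [  # hypothetical OT asset list
    {"tag": "PLC-LINE-3", "addr": "192.168.50.10", "type": "PLC"},
    {"tag": "HMI-LINE-3", "addr": "192.168.50.20", "type": "HMI"},
]
IOT_INVENTORY = [{"device": "cam-dock-2", "ip": "10.9.0.7"}]  # hypothetical

def normalise(cmdb, ot, iot) -> Dict[str, Asset]:
    """Map every inventory into the single Asset schema, keyed by IP."""
    assets: Dict[str, Asset] = {}
    for r in cmdb:
        kind = "server" if "Server" in r["os"] else "workstation"
        assets[r["ipv4"]] = Asset(r["ipv4"], r["hostname"], "IT", kind)
    for r in ot:
        assets[r["addr"]] = Asset(r["addr"], r["tag"], "OT", r["type"].lower())
    for r in iot:
        assets[r["ip"]] = Asset(r["ip"], r["device"], "IoT", "camera")
    return assets

# Constructed flow records (src_ip, dst_ip, dst_port), as a flow collector would emit.
FLOWS = [
    ("10.1.0.15", "10.1.0.40", 445),       # workstation to historian (SMB)
    ("10.1.0.40", "192.168.50.10", 502),   # historian polling a PLC (Modbus/TCP)
    ("10.1.0.15", "192.168.50.20", 3389),  # workstation RDP into an HMI
    ("10.9.0.7", "10.1.0.40", 443),        # camera uploading to the IT server
    ("172.16.9.9", "192.168.50.10", 502),  # address in no inventory talking to a PLC
]

def zone_flows(assets, flows) -> List[Tuple[str, str, str, str, int]]:
    """Label each flow with source/destination zones; IPs absent from every
    inventory become 'UNKNOWN' so they surface instead of silently dropping out."""
    out = []
    for src, dst, port in flows:
        s, d = assets.get(src), assets.get(dst)
        out.append((s.zone if s else "UNKNOWN", src, d.zone if d else "UNKNOWN", dst, port))
    return out

def cross_zone(labelled):
    """Flows whose zones differ are the ones IT and OT analysts must review jointly."""
    return [f for f in labelled if f[0] != f[2]]
```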
Assessments
As a first step, it is essential to assess the organisation’s IT and OT environment to understand the opportunities, gaps, risks, and vulnerabilities.
By evaluating the existing cyber-security measures, such as policies, procedures and technologies, and examining how they integrate across both environments, the SOC can prioritise its efforts and actions around them. This will also allow the SOC to identify opportunities to leverage existing cyber-security infrastructure and capabilities.
Policy development
Following this assessment, the SOC can then develop comprehensive security policies for a converged environment. The policies should factor in three key elements: people, process, and technology.
When done correctly, the processes will ensure a flow of real-time information so that the SOC can operate efficiently, detecting and responding to incidents, whilst also aiding decision making.
Security controls
Next, an integrated security architecture will enable different security controls to exist within both the IT and OT environment. This includes applying network segmentation, intrusion detection, access control policies, privilege management, and endpoint security software so that the SOC has increased visibility and access to real-time monitoring of advanced threats.
People
Beyond building the right architecture and selecting the right tools, you need the right people. A converged SOC requires expert industrial and OT knowledge; however, it can be difficult to find appropriately trained staff.
Instead, organisations should consider how they can leverage the existing team, whether it is providing appropriate cross-training or supporting education to build out the original SOC’s skills over time.
But there’s another element to consider when implementing a converged SOC – the power of automation. With SOCs currently receiving an estimated 11,000 alerts per day, or 450 alerts per hour – most of them low fidelity, low confidence alerts and false positives – the SOC team can end up missing critical threats, increasing the risk of a cyber-attack or breach.
By leveraging automated risk assessment platforms and tools across the organisation, SOC teams are empowered to detect, investigate and more intelligently respond to the broadest range of advanced threats in real time. Using vast amounts of data, automation can improve a SOC’s threat assessment and response capabilities, from workflows to orchestration and response mechanisms.
This approach can also speed up the identification of threats and reduce the time to respond to them, as well as increase the accuracy of the response.
Essentially, the SOC of the future must be data driven in order to reduce the risk and magnitude of a successful attack on an organisation. It is therefore essential that systems and tools can seamlessly integrate to provide access to data from technologies, threat feeds and other third-party sources - and then have the ability to drive action back to those technologies once a decision is made.
With the increasing convergence of IT and OT environments, organisations can no longer rely on just having one area under control, they need a security strategy that addresses both.
By taking the key challenges and steps outlined above into consideration, organisations can successfully establish a converged SOC that protects critical operations and reduces the risk of cyber-threats.
Andy Milne is Regional Vice President of Northern Europe at Forescout
© 2024, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543