Overcoming the challenges faced by a modern-day SOC
Michael Bovalino · 2022-06-27 · via Insights

Within most organisations, the volume of security alerts is constantly increasing. Every day, more alerts are being generated and the need to assess them is placing an ever-growing burden on the SOC team.

The challenge becomes one of finding ways to differentiate between low-level alerts that do not require follow up and more serious alerts that need closer inspection and action. If the SOC team is buried in large volumes of low-level alerts, it risks missing those that actually pose a real threat to the IT infrastructure.


The SOC team is also under pressure because of the growing number of different tools they need to juggle. Everything from endpoint monitoring and SIEM tools to log management and behavioural analytics packages requires constant attention.

Enlarged attack surface

Additional challenges are posed for the SOC by the fact that attack surfaces have increased. Rather than all IT resources being housed in an on-premise data centre and protected behind a firewall, components can now be located across multiple cloud platforms and remote-working locations.

This results in additional risks that must be managed, and SOC teams must find ways to ensure they have visibility of all resources at all times. They also need to ensure that all components within this distributed infrastructure are compliant and have the most up-to-date security measures in place.

Teams also need to remember that they are still responsible for the security of assets placed on a cloud platform. The cloud provider is responsible for their platform, but not for the security of applications that run on it.

Strategy and process

SOC teams also face challenges when it comes to the strategies and processes on which they rely. In many cases there can be a lack of focus, or no clear sense of which activities should be given priority.

Some may also not be keeping abreast of the new threats and risks faced by their organisation. This could result in a new technique being used by cyber criminals going unnoticed until an attack is actually underway.

The processes within an SOC may not have been reviewed on a regular basis. With the threat landscape constantly changing, so too must the methods being used to identify and neutralise those threats.

Many SOCs are also not taking advantage of the increasing number of automation tools now on the market. These tools can relieve security analysts of mundane tasks and let them focus on more value-adding activities.

Overcoming challenges

Dealing with these challenges requires a number of steps to be taken. The first is a review of the use cases currently being deployed within the SOC.

It is unrealistic to think that use cases developed some years ago will still be able to cope with new and emerging cyber threats. For this reason, each should be reviewed on a regular basis and tested to ensure that it is still relevant.

Undertaking this process will help to reduce the number of false positives that are being triggered, lowering the workload for the SOC team. It will also lessen the likelihood that significant events will go unnoticed.

Unified threat management

Another step that can be undertaken within an SOC is to adopt a unified threat management strategy. Rather than having a large number of specialised tools that must each be monitored separately, increasing numbers of SOCs are deploying new solutions that can handle multiple tasks.

These tools can collect security data from multiple locations across the IT infrastructure, assess whether observed activity is normal, and flag any seemingly abnormal activity for closer inspection by a team member.
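As an added example (not part of this article and not LogRhythm's own tooling) of what "reviewing and testing a use case" and "flagging seemingly abnormal activity" can look like in practice, here is a brute-force login use case kept under regression test. The original rule fires on any burst of failed logins; the reviewed rule additionally requires a subsequent successful login from the same source and excludes a known internal scanner, which removes the false positive while still catching the real attack. The sshd-style log format, IP addresses, thresholds, window and scanner list are all constructed for the illustration.

```python
# Added example: a detection use case kept under test so it can be reviewed
# on a schedule. Log format, addresses, thresholds and scanner list are all
# constructed for illustration, not taken from any real SOC or product.
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

TS_FMT = "%Y-%m-%dT%H:%M:%SZ"
WINDOW = timedelta(minutes=5)   # assumed tuning values for the use case
THRESHOLD = 5
KNOWN_SCANNERS = frozenset({"192.0.2.50"})  # constructed: internal vuln scanner

LOG_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?P<user>\S+) from (?P<src>\S+) port \d+$"
)


def parse(lines):
    """Turn syslog-style sshd lines into time-ordered event dicts; skip others."""
    events = []
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], TS_FMT).replace(tzinfo=timezone.utc)
            events.append({"ts": ts, "ok": m["result"] == "Accepted",
                           "user": m["user"], "src": m["src"]})
    return sorted(events, key=lambda e: e["ts"])


def rule_v1(events):
    """Original use case: alert on any source with THRESHOLD failures in WINDOW."""
    fails_by_src = defaultdict(list)
    for e in events:
        if not e["ok"]:
            fails_by_src[e["src"]].append(e["ts"])
    alerts = set()
    for src, fails in fails_by_src.items():
        for i in range(len(fails) - THRESHOLD + 1):
            if fails[i + THRESHOLD - 1] - fails[i] <= WINDOW:
                alerts.add(src)
                break
    return alerts


def rule_v2(events, known_scanners=KNOWN_SCANNERS):
    """Reviewed use case: the failure burst must be followed by a success from
    the same source, and sources known to generate noise are excluded."""
    by_src = defaultdict(list)
    for e in events:
        if e["src"] not in known_scanners:
            by_src[e["src"]].append(e)
    alerts = set()
    for src, evs in by_src.items():
        fail_times = []
        for e in evs:
            if not e["ok"]:
                fail_times.append(e["ts"])
            elif sum(1 for t in fail_times if e["ts"] - t <= WINDOW) >= THRESHOLD:
                alerts.add(src)
                break
    return alerts


def make_lines(src, user, outcomes, step_s=10, start="2022-06-27T09:00:00Z"):
    """Build constructed log lines: one per outcome (True = successful login)."""
    t0 = datetime.strptime(start, TS_FMT)
    return [
        f"{(t0 + timedelta(seconds=i * step_s)).strftime(TS_FMT)} sshd[{100 + i}]: "
        f"{'Accepted' if ok else 'Failed'} password for {user} from {src} port {50000 + i}"
        for i, ok in enumerate(outcomes)
    ]


# Labelled scenarios: (constructed log lines, should the use case alert?)
SCENARIOS = {
    "brute_force_then_success": (make_lines("203.0.113.7", "admin", [False] * 8 + [True]), True),
    "scanner_noise": (make_lines("192.0.2.50", "svc", [False] * 20), False),
    "user_typo": (make_lines("198.51.100.9", "alice", [False, False, True]), False),
    "slow_failures_outside_window": (
        make_lines("198.51.100.23", "bob", [False] * 6 + [True], step_s=120), False),
}


def evaluate(rule, scenarios=SCENARIOS):
    """Run a rule over every labelled scenario and count TP/FP/FN/TN."""
    counts = {"tp": 0, "fp": 0, "fn": 0, "tn": 0}
    for lines, expected in scenarios.values():
        fired = bool(rule(parse(lines)))
        counts[("tp" if expected else "fp") if fired else ("fn" if expected else "tn")] += 1
    return counts


if __name__ == "__main__":
    print("original rule:", evaluate(rule_v1))  # one false positive from the scanner
    print("reviewed rule:", evaluate(rule_v2))  # same detection, no false positive
```

Keeping the labelled scenarios next to the rule is what makes the periodic review the article recommends cheap: when the threshold, window or exclusion list is changed, re-running the evaluation shows immediately whether the real attack is still detected and whether the known noise source has started firing again.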

Beyond the SOC

To ensure effective protection against cyber threats, it’s important for everyone within an organisation to be aware that responsibility for security extends well beyond the SOC. All staff must understand the role they play in reducing the chance of a successful attack.

These responsibilities range from being aware of the dangers of phishing attacks to taking care when connecting to centralised resources from a remote location. Staff should also be encouraged to report any incidents that appear to be unauthorised or unusual.

By ensuring all staff are aware of the importance of IT security and their role in maintaining it, organisations can be best placed to withstand threats both now and in the future.

Michael Bovalino is the ANZ country manager at LogRhythm.
