The typical security operations centre (SOC) relies heavily on intrusion detection systems (IDS) and logs, together with manual processes for analysis and security metrics. According to the 2017 SANS SOC survey, most SOCs perform the full range of functions (prevention, detection, response, remediation, vulnerability management and compliance), often with only two to five full-time SOC employees.
This poses several challenges:
Lack of visibility beyond logs
Visibility into network packet data, for example, helps detect the movement of sensitive data out of the network and command-and-control channels that logs alone may not reveal.
Lack of scalable tools and searching across multiple platforms
In a typical SOC, analysts do not have time to switch between platforms, and there is a dearth of tools that can query all of them at once and return results quickly. What is needed is a single platform for searching across systems, without logging in and out of each one.
Pressure to respond in real time to attacks in progress
Analysing logs is a reactive way of determining the impact of a possible breach. There is simply too much data for the SOC team to sift through to identify threat patterns and remediate them in real time.
Manual correlation limits
Manually collating and charting log data is tedious, and there are limits to what can be done by hand to determine whether incoming alerts are real threats, take the appropriate action against them and repair the exploited vulnerabilities.
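As an added example (not code from the article or from any product the survey covers), the following Python script shows what the two points above look like when automated: it takes packet-level visibility in the form of flow records, looks for the regular check-in timing typical of command-and-control beacons, and then correlates the beaconing hosts with IDS alerts so an analyst is not joining the two sources by hand. The flow records, alerts, IP addresses, signature names and thresholds are all constructed for illustration and are assumptions, not data from the article.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample input (not from the article). Flow records as
# (epoch seconds, source IP, destination IP, bytes sent). 10.0.0.5 checks in
# with 203.0.113.9 roughly every 60 s; 10.0.0.7 browses 198.51.100.4 at
# irregular intervals, as a human user would.
FLOWS = (
    [(1_700_000_000 + 60 * i + (i % 3) - 1, "10.0.0.5", "203.0.113.9", 512)
     for i in range(20)]
    + [(1_700_000_000 + t, "10.0.0.7", "198.51.100.4", b)
       for t, b in [(5, 2300), (40, 900), (41, 14000), (300, 500), (1200, 7000),
                    (1210, 300), (1900, 9000), (3600, 400), (3605, 12000)]]
)

# Constructed IDS alerts as (epoch seconds, source IP, signature name).
ALERTS = [
    (1_700_000_310, "10.0.0.5", "HTTP request with unusual user-agent"),
    (1_700_000_900, "10.0.0.9", "Port scan detected"),
]


def beacon_candidates(flows, min_connections=8, max_cv=0.1):
    """Return {(src, dst): {"count", "mean_interval", "cv"}} for host pairs whose
    connection timing is regular enough to look like automated check-ins.
    cv is the coefficient of variation (stdev / mean) of the inter-arrival gaps;
    a low cv means the gaps are nearly constant, which humans rarely produce."""
    by_pair = defaultdict(list)
    for ts, src, dst, _ in flows:
        by_pair[(src, dst)].append(ts)
    result = {}
    for pair, times in by_pair.items():
        if len(times) < min_connections:
            continue
        times.sort()
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            result[pair] = {"count": len(times), "mean_interval": avg, "cv": cv}
    return result


def correlate(beacons, alerts):
    """Join beacon candidates with IDS alerts on the internal source host.
    A host that both beacons and trips an IDS signature is ranked above one
    that only does one of the two, so the analyst sees the strongest lead first."""
    alerts_by_src = defaultdict(list)
    for _, src, sig in alerts:
        alerts_by_src[src].append(sig)
    findings = []
    for (src, dst), stats in beacons.items():
        sigs = alerts_by_src.get(src, [])
        findings.append({
            "src": src,
            "dst": dst,
            "beacon_count": stats["count"],
            "mean_interval_s": round(stats["mean_interval"], 1),
            "alerts": sigs,
            "score": 2 if sigs else 1,
        })
    findings.sort(key=lambda f: (-f["score"], f["src"]))
    return findings


if __name__ == "__main__":
    for finding in correlate(beacon_candidates(FLOWS), ALERTS):
        print(finding)
```

On the constructed input only the 10.0.0.5 to 203.0.113.9 pair survives the timing test (its gaps vary by a few seconds around 60 s, while the browsing host's gaps range from 1 s to 1700 s), and the join with the alert table promotes it to the top finding. The thresholds are deliberately simple; in practice they would be tuned against the organisation's own traffic, and the same join could be extended to authentication logs or endpoint telemetry.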