Email-based and web-based attacks have unnecessarily overloaded SOCs with incidents to investigate and taken attention away from truly critical risks.

The security operations center (SOC) has a wide range of responsibilities to monitor and analyze an organization’s security posture; but today’s threat landscape, technology sprawl and business demands have created a recipe for an overloaded SOC.

Incidents begin and end in the SOC, so it’s important this team and its resources can scale to keep an organization safe. In the past, SOCs have tried to overcome challenges of resource constraints as well as high turnover from a high-stress job by investing in technology solutions. But according to former CIA cybersecurity officer and national security CISO at the White House Matt Ashburn, this hasn’t paid off:

“Despite all the security investment that people have spent over the past 15 years, somehow SOCs still spend 90 percent or more of their time on these email­-based attacks or web-­based attacks … regardless of the security spend that they’ve invested in over the past 15 years, and it's super frustrating.”

— Matt Ashburn

Watch Matt’s full interview with Security Weekly, Scale your SOC: protecting against browser-based threats >

Part of the issue is that these technology investments have been around the issue of web-based attacks without going to the root of the problem — web access itself.

Ubiquitous web access has created an overloaded SOC

Web browsing architecture hasn’t changed much since its inception 30 years ago. And while lots of sensors have been added to flag the risks web access introduces to an organization, things still slip through the cracks, especially as web access becomes more indoctrinated in day-to-day work. This scenario has produced alert fatigue and overloaded SOCs with more incidents than they’re able to investigate in a timely manner.

By going to the root problem of web access, SOCs can eliminate the majority of incidents coming across their desk to investigate.

Rethinking web browsing architecture

If the web browser were designed today, what would it look like?

  • Zero trust: No web code is executed in the corporate/organizational infrastructure. Untrusted content is executed off-device/off-network, but users maintain full access to view and interact with any content they need via a benign video stream.
  • Built-in security and compliance: The browser itself contains security measures and provides IT with complete audit and compliance oversight of all web activity, with policies that follow the user — not the device or network

Not only does this new architecture of web browsing prevent things like drive-by downloads, ransomware, malicious links and attachments from calling back out to the internet — thereby reducing the burden on the SOC — it gives the SOC itself a secure way to research incidents online.

“Once you have a malicious piece of content and you want to go investigate it further, why do that on your corporate network? Most SOCs have a stand­alone dirty network that requires an intense amount of overhead and operations and maintenance costs. It's also another security risk because now you're transferring data back and forth from this untrusted network to your organization's constituent network, and that can bring its own risks into play.

And I've seen a couple of cases in my time where a SOC analyst that is very well-intentioned somehow infects his own workstation on the corporate network, and that's always a bad day and a bit of an embarrassment if you're a SOC analyst.”

— Matt Ashburn

Solving the problem of an overloaded SOC at the source

By isolating web access to occur off-network, SOCs can reduce the noise of incidents requiring investigation and focus attention where it’s really needed. Empowering SOC analysts to devote their time to truly critical, complex incidents will also help to reduce SOC turnover as they’re working on more meaningful and, essentially, less boring tasks than investigating yet another piece of web-based malware.

Watch the Security Weekly webcast to learn more about Authentic8’s Silo Web Isolation Platform. This video includes a demo of what end users experience in the Silo browser, what SOC teams see via audit logs and how Silo can be integrated with other SOC tools.

Tags
Secure web access SOC