How SOCs Are Transitioning to Cyber Defense CentersThe New Centers Leverage AI and Machine Learning
With cyberattacks increasing, so is the risk to critical infrastructure. It's not surprising that CISOs are under increased pressure to identify emerging risks and prepare appropriate responses.
One of the key steps many CISOs are taking is to transform security operation centers or SOCs to cyber defense centers.
So what are cyber defense centers, and how are they different from SOCs? And what technologies play a key role in the transition?
These questions were addressed at the session, "SOCs Are Transitioning to Cyber Defense Centers" at the DSCI's Best Practices Meet 2017 held recently in Bangalore. The panelists included Sheetal Mehta, vice president and global head, cybersecurity and risk services, Wipro; Rohan Vaidya, regional director of sales, India, CyberArk; Sangamesh Shivaputrappa, lead manager, information security, Infosys; and B.S. Bindhuamadhava, associate director, CDAC.
"Though for most organizations, investment in cybersecurity has doubled, we still have cyber threats every now and then. So despite increased focus on securing our systems, there's something that hasn't worked," Mehta said.
Shivaputrappa added: "SOCs have to keep up with the ever-changing business model. Earlier it was more about log analysis and identifying threats. Now it's more about doing analytics and understanding threat intelligence."
Why Move to CDC?
While breaches and cyberattacks are unavoidable in this digital world, the challenge lies in taking appropriate steps to reduce the impact by proactively responding to threats with efficient detection techniques.
Traditionally, a SOC would do surveillance; if an unusual event was identified, a forensic analysis was conducted. "This approach is more reactive," Bindhuamadhava said.
Given the pace and intensity of attacks, however, companies no longer can afford to continue with this approach. Hence, it becomes imperative that these SOCs evolve to adjust to the changing nature of threats.
Changing SOCs to cyber defense centers enables them to take a more proactive approach. "Here a network surveillance is done every day along with predictive analysis, irrespective of whether there is an unusual event or not," Bindhuamadhava said.
While classifying threats into three parts - people, process and technology, Vaidya said: "If we want to have a strong cyber defense mechanism in the next five to 10 years, then we need to adapt to what's available in terms of technology. Right now, it's artificial intelligence, or AI, machine learning and behavior analytics. So when we tie all this up, in reference to the next generation SOC, then we start analyzing user behavior with all possible tools which are still under development and collate that with internal and external data. This is where SOC will have to transform itself into CDC."
Other strategic elements of a CDC are building functions to address the insider threat and using deception technologies, such as honey potting, to track intruders. CDCs are designed to achieve protection via these and other defense-in-depth methodologies.
Why AI and Behavior Analytics?
Because it can take 100 days or more to identify a breach and then remediate it, Mehta said, "it's evident that we need to do something on response and remediation process. Going forward, I don't know if we can afford to take such a long time to respond. It's like finding needle in a haystack. In reality, such situations are time-critical. Therefore, we have to use different mechanisms of artificial intelligence to do data mining."
This will help make the shift from a reactive to proactive approach, he said.
The focus of cyber defense centers is to converge analytics to deliver informed decision making for all stakeholders. It is also imperative that technologies such as cognitive computing, machine learning and AI are used to augment the security workforce.
Shivaputrappa said that because multiple logs that get generated every day are in different formats, there is a need to convert them to a common platform. "This is done by big data," he said, adding that to get a meaningful inference from these logs, machine learning and AI must be used.
To make CDCs more successful, experts stress the importance of collaboration. "Information sharing is vital. This is the only way the whole ecosystem will benefit," Vaidya said. "I know firms worry about their reputation; as a result we rarely share information. The hackers are collaborating; we need to work together against them."