Automate Your SOC Through Intelligent Metadata Analysis

Most people think of a security operations center (SOC) as a cavernous room with rows of analysts intensely gazing up at enormous backlit wallboard screens. This image includes experienced SOC staff members barking real-time intelligence to each other over headsets, presumably to drive proper organizational decisions about cyber security prevention and response to critical assets.

Despite the attractiveness of this Hollywood backdrop imagery, the reality is that the modern SOC has become increasingly automated. Just like those defunct human traders with order pads scurrying around a stock exchange, the modern unit of work in a SOC is likely to be replaced with software that performs most of the heavy lifting. This is good news, because with attacks becoming more automated, defenses must adjust accordingly.

An important input to SOC automation is metadata: descriptive information about computing and communications activity that can be processed to derive intelligence. By augmenting human SOC experts, increasingly referred to as hunters, with automation based on extensive metadata ingest, organizations give themselves the best chance of a properly functioning center.

I recently had the opportunity to chat with two experienced experts in SOC-based metadata analysis, Hitesh Sheth and Kevin Moore, both of Vectra Networks. During our discussion, we focused on the question of how best to automate a SOC, and both men made it clear that three fundamental design issues must be addressed: Scale, accuracy, and richness. Attending to these issues, which they claim directly influenced the design of the Vectra Networks platform, is easier said than done. Let’s examine each point:

Scale, according to Sheth and Moore, involves the ability of a platform to keep up with the exploding amount of data available on ever-growing infrastructure. This is particularly relevant for networks, the primary focus area of the Vectra Networks tool. As network media grows north of 10GB into the 50/60GB range, the need to keep up is obvious. If you are going to automate the network metadata analysis portion of your SOC, then you must do the math to ensure that you can keep up.

Accuracy, from the perspective of Vectra Networks, is best achieved through estimates of so-called certainty. Threat certainty indices can be computed to help make real-time analytic determinations from metadata about what is occurring. Doing this in terms of a confidence hierarchy allows for more fine-grained assessment, although for non-experts this can be disconcerting. Many non-technical observers with weak understanding of metadata analysis can be uncomfortable with the varying shades of derived intelligence.
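As an added illustration (not code from this post or from Vectra Networks), the following Python sketch builds a per-host threat certainty index from constructed network flow metadata and maps it into a small confidence hierarchy; the two signals, their weights, the 500 MB byte budget and the tier thresholds are all assumptions chosen for the example.

```python
# Added illustration: a minimal "threat certainty index" computed from
# network metadata (flow records) with a confidence hierarchy. Constructed
# example, not Vectra Networks' algorithm; weights and thresholds are assumed.
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    src: str        # internal host that initiated the flow
    dst: str        # destination host
    dport: int      # destination port
    out_bytes: int  # bytes sent by src

# Constructed sample metadata: 10.0.0.5 sweeps many hosts and ports,
# 10.0.0.7 pushes a large volume to one external host, 10.0.0.9 is quiet.
SAMPLE_FLOWS = (
    [Flow("10.0.0.5", f"10.0.1.{i}", 445, 120) for i in range(1, 41)]
    + [Flow("10.0.0.5", "10.0.1.3", p, 80) for p in range(20, 60)]
    + [Flow("10.0.0.7", "203.0.113.10", 443, 900_000_000)]
    + [Flow("10.0.0.9", "10.0.0.1", 53, 300)]
)

# Each signal returns a score in [0, 1] per source host; its weight (assumed)
# caps how much certainty that signal alone can contribute.
def signal_scan(flows):
    """Breadth of distinct (destination, port) pairs per host, scaled to [0, 1]."""
    seen = defaultdict(set)
    for f in flows:
        seen[f.src].add((f.dst, f.dport))
    return {h: min(len(s) / 50, 1.0) for h, s in seen.items()}

def signal_exfil(flows):
    """Total outbound bytes per host relative to an assumed 500 MB budget."""
    total = defaultdict(int)
    for f in flows:
        total[f.src] += f.out_bytes
    return {h: min(b / 500_000_000, 1.0) for h, b in total.items()}

SIGNALS = [(signal_scan, 0.6), (signal_exfil, 0.8)]
TIERS = [(0.75, "high"), (0.4, "medium"), (0.1, "low")]  # confidence hierarchy

def certainty_index(flows):
    """Combine weighted signals per host (noisy-OR); returns {host: (index, tier)}."""
    score = defaultdict(float)
    for fn, weight in SIGNALS:
        for host, s in fn(flows).items():
            score[host] = 1 - (1 - score[host]) * (1 - weight * s)
    return {h: (round(v, 2), next((t for th, t in TIERS if v >= th), "none"))
            for h, v in score.items()}
```

Independent signals combine so that two weak hints raise certainty without any single one forcing a "high" verdict, which is the fine-grained assessment the confidence hierarchy is meant to give an analyst.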

Finally, richness is achieved by digging down into the protocols associated with the domain of interest. Protocol parsing techniques based on machine learning and artificial intelligence are used in the Vectra Networks platform to make sense of the reams of metadata that offer embedded hints about whether a target network is under attack. This approach is complicated by the many protocols associated with Internet of Things (IoT) devices and systems, so expect to see continued evolution in protocol parsing for SOC automation.

The idea that a SOC must keep up with real-time attacks by using automated collection, analysis, and response should not come as a great shock to more experienced readers, especially as we’ve all seen similar automation in environments such as stock exchanges (as we alluded to above). Doing so in a rich, scalable platform, however, with the ability to accurately manage high volumes of metadata is non-trivial, which is why the Vectra Networks platform seems valuable to me.

An amusing point, by the way, is that there may be one unexpected loser in this shift to SOC automation: The Hollywood movie director. Replacing cool SOC backdrops with a bunch of software in cyber movie thrillers (#WarGames) doesn’t seem like great cinematography. If, on the other hand, your day job is enterprise security, then my guess is that you will come to a much different conclusion.

Bottom line: SOC automation is a good idea, and the Vectra Networks approach is worth investigating. Let me know what you think.