Written by Ammar Enaya, Regional Director – METNA, Vectra AI
The Arab Gulf region has a well-deserved reputation for being a frontrunner in technology adoption — a reputation that its governments have retained throughout the Fourth Industrial Revolution. In the digital transformation era, managed services wormed their way onto the agenda of most, if not every, regional organisations, but until recently — cybersecurity remained an afterthought.
However, governments in this region have a way of inspiring others by example. By adopting economic visions with technology pillars that put cybersecurity front and center, GCC leaders pushed digital risk management to a top-priority position in the private sector. And those efforts have paid dividends. Saudi Arabia is second and the UAE fifth, on the International Telecommunication Union’s Global Cybersecurity Index for 2020.
But there’s still work to be done. Security professionals are overworked and under-resourced. This starts in the security operations center (SOC), which all too often is holding on to a legacy that has had its day. Modern complexities of rogue devices, remote employees, and multi-cloud environments have brought previously unseen levels of unpredictability to the SOC. These transformative changes coupled with advanced attack methods used in today’s ransomware and supply chain attacks equal a disaster waiting to happen for any organisation that isn’t thinking about modernizing the traditional approach.
The Old Way Opens Doors for New Attacks
Traditionally, the legacy SOC is centered around prevention (think SIEM and IDS), which for the most part is obsolete against modern threats and attack methods. The tools typically deployed in this scenario equal a high cost of ownership and fail when it comes to the detection and response of in-progress attacks. This is because the technologies used today have grown past the SOC as we’ve come to know it. The perimeter no longer exists, and cloud deployments are outpacing security. Analysts are having to work harder to trawl manually through limited data sources only to arrive at inaccurate conclusions. Ultimately what you’re left with is a lack of visibility and a security team scrambling through inefficient workflows at a high price.
The time for change is now. We’ve seen again and again how prevention techniques fail to detect ransomware attacks. These are human driven attacks — where malware isn’t deployed until the final step — meaning the only chance to stop it, is by detecting and stopping attacker motions inside an environment. Nowadays, attackers are finding all types of clever ways to bypass MFA. And while endpoint detection is important, it’s no match for a crafty attacker with stolen credentials.
But the good news is that defending against today’s attacks doesn’t have to be as impossible as the headlines might lead you to believe.
Moving Towards a Modernized SOC
Before we look at the alternative, it is also worth considering the life of today’s security professionals. Who without, the SOC would be the equivalent of falling trees in an empty forest. While the customer experience was all the rage before the pandemic, organisations must now prioritize the employee experience. The now-established efficacy of remote work means the region’s cyber-talent can work anywhere they want. So, as the region builds SOCs, it needs to design ecosystems that relieve burdens on technologists, or it risks losing the most qualified candidates to foreign employers.
This is all the more reason to modernize and take a futureproof approach that prioritizes visibility and workflow, acting as a kind of digital Labrador retriever — capable of sniffing out and fetching the most evasive targets and dropping them at the feet of threat hunters. It still uses event logs and SIEM tactics but supplements them with richer endpoint and network data. It mixes the disciplines of endpoint detection and response (EDR), AI-driven network detection and response (NDR) and user and entity behavior analytics (UEBA). The new SOC drapes a net across on-prem, cloud and cloud-native apps, allowing it to detect previously unknown suspect processes and lateral-movement attacks.
And if you’re looking for a place to start, meaningful AI can lend an immediate hand in the SOC. Everything from improving alert accuracy, optimizing investigations, threat hunting and adding extra horsepower so analysts know which threats to prioritize, can be achieved with the right AI platform. AI can also help SOCs play to the strengths of its players. For example, AI is incredibly proficient at dealing with large sets of data efficiency and at speeds unmatched by humans. On the other hand, humans are exceptional at dealing with ambiguity and contextualizing information — things they’ll be able to do with AI on their team. An analyst can’t see an attack evolving in the middle of the night, but the right AI can catch and stop it so they can get some rest once in a while.
A Breath of Fresh Air in the SOC
Modernization is the future for any organisation intent on delivering an efficient, sustainable SOC. And while this is becoming an increasingly urgent matter for many organisations in order to defend against today’s attacks, it can also be approached in phases by setting achievable goals. For example, if you lack the visibility necessary to accurately detect and respond to an adversary, you may want to prioritize implementing a solution that can help spot early attack signals like recon, privilege escalation, and lateral movement. Or if your organisation has traditionally been focused on prevention, it could be time to evaluate where security investments need to be made in order to gain coverage throughout the entire environment.
In a region where regulatory compliance keeps a lot of stakeholders up at night, a modernized SOC can greatly enhance governance and instill confidence in regulators, investors, and customers. The ability to detect, score and prioritize threats in real-time ensures swift and effective resolution of issues and prevents costly and embarrassing breaches.
Fewer manhours, better outcomes, lower costs, faster resolution, tighter compliance, and the ability to go up against unknown and stealthy attacks? Now that’s a Labrador that deserves a treat.