The Five Essential Capabilities of an Analytics-Driven SOC: Adopt an Adaptive Security Architecture

A security operations center (SOC) traditionally has been a centralized location for organizations to improve security and compliance by consolidating security personnel, key technologies and required data in one location. A successful SOC can improve an organization’s incident detection and response while accelerating and enhancing its security posture.

But a successful SOC needs to be driven by an intelligent architecture that embraces an adaptive response framework. So what are the characteristics of an analytics-driven SOC?

Gartner defines five essential characteristics needed for a successful analytics-driven SOC:

  • Threat intelligence
  • Advanced analytics
  • Automation
  • Proactively hunt and investigate
  • Adopt an adaptive security architecture

Over the coming weeks, we will break down each capability and show how Splunk customers are successfully using Splunk Enterprise Security (ES) to develop an analytics-driven SOC.

We start with adaptive security architecture. Gartner defines an adaptive security architecture as:

“The core of the framework is based on continuous monitoring and analytics, and provides an organizing principle to bring together the people, processes and technologies required for an intelligence-driven SOC approach.”

Splunk Response

Splunk Enterprise Security (ES) is a security information and event management (SIEM) solution that helps SOC teams gain the insights needed to quickly detect and respond to internal and external attacks, simplify threat management to minimize risk, and gain organization-wide visibility and security intelligence for continuous monitoring, incident response and SOC operations. Splunk ES also helps SOC operations teams map to the five essential capabilities defined by Gartner.

Security architectures typically involve many layers of tools and products that are not designed to work together, leaving gaps in how security teams bridge multiple domains. To successfully implement an adaptive security architecture, with the ability to prevent, detect, respond and predict, organizations need:

  • Correlation across all security-relevant data
  • Insights from existing security architectures
  • Advanced analytics techniques such as machine learning
  • Automation, wherever possible
  • Integration with the security ecosystem with bi-directional context enrichment

The Splunk platform addresses these gaps by extending its Adaptive Response framework to Splunk Enterprise Security, adding a common interface for automating retrieval, sharing and response in multi-vendor environments. Adaptive Response initiative participants are collaborating to address the challenges of complex cyberthreats by:

  • Enabling a multi-vendor adaptive security architecture
  • Extracting new insights from existing security architectures
  • Improving investigations with more context from key security and IT domains

Adaptive Response is needed to help IT security teams improve how information from a layered defense is analyzed, how additional information and security context is retrieved from different security technologies, and how a range of actions are applied in any given security domain.

The initiative aims to help security analysts—from hunters to less skilled security staff—better handle threats by reducing the time it takes to make decisions and take action when responding and adapting to threats.

Unlike traditional approaches, an adaptive response model combines alert and threat information from multiple security domains and technologies. This collective insight enables security teams to make better-informed decisions across the entire kill chain, especially when validating threats and applying analytics-driven response directives to their security environments.

The initiative requires a commitment to support a multi-layered security architecture to better connect intelligence across security technologies. Additionally, analytics-driven security can help organizations adapt and respond to threats faster.

Fairfax County Protects Citizen Data Using Splunk Enterprise Security in the Cloud

Fairfax County, Virginia, employs 12,000 people across more than 50 agencies and serves more than 1.1 million citizens. Its government is regarded as a leader in many areas when it comes to cybersecurity and IT, enabling it to serve the needs and protect the data of its IT-savvy and high-profile citizens. Since deploying Splunk ES with Splunk Cloud as its SIEM platform, Fairfax County has seen benefits including:

  • Proactively supporting more than 50 county agencies and protecting citizens’ data
  • Reducing security reporting from two weeks to real time
  • Increasing focus on strategic initiatives by leveraging cloud services

Before it adopted the Splunk platform, one of the major challenges Fairfax County faced centered around the numerous disparate systems from which it had to pull event logs. What’s more, the county’s previous SIEM tool could not keep up with the more than 3.9 petabytes of data the county must control, access and secure.

After comparing the Splunk data analytics platform to several other products, the county partnered with Splunk’s professional services team to conduct a successful proof of concept, and then moved forward with an implementation that was easy on its staff.

Fairfax County is now benefiting from its cloud service for Operational Intelligence in several ways including elasticity, security and scalability, without the operational effort. The county is also enjoying cost savings from a hardware perspective because there is a smaller data center footprint. What’s more, only one individual is required to manage the Splunk implementation, which enables the county to maximize its resources.

Today, Fairfax County relies on the Splunk platform and Splunk ES as its SIEM to monitor employee emails for phishing attempts and millions of daily threats on its endpoint systems. In addition to known threats, the county monitors and protects against dangerous malware while also defending its critical infrastructure including supervisory control and data acquisition (SCADA) systems. Moving forward, the county intends to use the Splunk platform to ingest PCI-relevant data to ensure compliance. Want to know more? Read the full case study.

Check out our "Data Secrets Revealed: A Collection of Security Customer Stories" customer e-book to learn more about how organizations are using Splunk ES to drive analytics-driven SOCs. Want to see how Splunk ES maps to the capabilities of an analytics-driven SOC? Check out our free white paper on the Five Essential Capabilities of an Analytics-Driven SOC.

Posted by Girish Bhat