Staying on top of cybersecurity risk can feel like a losing battle in today's hyperconnected reality. The influx of IoT devices and the increased reliance on BYOD devices have created a diverse, complex threatscape rife with overlapping vulnerabilities across physical and cyber assets.
To remain cyber resilient today, organizations must invest in tools their SOCs can use to protect hybrid networks made up of a mix of connected physical and virtual architecture.
Patchwork SOC Approaches
The “one-stop-shop” approaches that worked in years past — simple firewalls or antivirus protection, for example — have long become outdated. Ad hoc approaches that combine solutions like SIEM and direct hardware surveillance are insufficient protection against today’s bad actors, who are well-versed in how to work around these common security approaches.
As the cybersecurity world has witnessed, many of these patchwork systems failed in the face of unexpected user behavior and the increased vulnerabilities posed by a rapidly shifting workforce during the business world's response to the COVID-19 pandemic.
The Failed Vendor Promises of SIEM
Vendors make bold promises when marketing SIEM to SOCs. Unfortunately, the fundamental way SIEM is meant to function is all but impossible for these platforms to manage.
For example, SIEM vendors often promote “real-time threat protection,” but their systems rely on historic data logs that become outdated as soon as they are fed into the system. Comprehensive “real-time” detection in these situations cannot extend past the last update — in other words, threats are not being examined in real time at all.
In addition to the significant financial investment, organizations must consider the workload burdens created by SIEM platforms. A continually growing stack of false positive alerts and the overarching worries associated with not being able to fully trust the SIEM to detect evolving threats contribute to a great deal of stress.
What About SOAR?
“Not to worry,” SIEM vendors assure buyers. “You just need our add-on solution.” As far too many enterprises soon discover, one SIEM add-on tends to lead to another, and another. Ultimately, this additive approach to cybersecurity, where the system needs constant tuning, updating and supervision, is a costly investment for such a limited result, on several fronts.
One popular supplemental platform vendors are pushing lately is Security Orchestration, Automation and Response (SOAR). SOAR is one of many tools designed to address network vulnerabilities, in this case the inadequacies of legacy SIEM, network traffic analysis (NTA) and user behavioral analytics (UBA) platforms. As Mike Yellend, Senior Sales Engineer at MixMode, puts it, “SOAR is just another band-aid for the shortcomings of all of these other products.”
SOAR platforms are aimed at enhancing interoperability between multiple, disparate security platforms — in other words, SOAR promises to help organizations achieve the kind of cybersecurity convergence that will be required to protect modern hybrid networks. However, it is not a standalone platform, and it doesn’t improve on the significant flaw of SIEM (the lack of real-time threat monitoring capabilities).
Even after making significant investments in SOAR platforms, SOCs are left with gaps in security across sprawling networks. Many SOAR functions are redundant in that they analyze the same data as other SOC systems monitoring the same network. Worse, the promised “automation” upgrades of SOAR platforms frequently require huge commitments of time SOC pros could put to better use.
Legacy Platforms Contribute to Cybersecurity Staff Shortages
Considering the inherent issues with legacy security platforms, it’s no wonder so many organizations have had problems keeping SOCs staffed. At a time when staffing shortages are growing along with the cybersecurity skills gap, SOCs must remain competitive to stay fully staffed.
Initially, SOCs were primarily focused on cybersecurity in a more traditional sense, but today’s SOC model has expanded beyond fighting against an increasingly complex threatscape. Modern SOCs handle real-time threat monitoring and incident management, infrastructure evaluations, employee training, process development, digital strategy and even reputation management.
Having Fewer Overall Platforms Protects More Network Assets
“The idea that one can solve critical cyber threat and intelligence issues with yet another add-on platform may benefit the vendor and analyst community, but our customers regularly tell us that they remain exposed, continue to struggle with operational and budgetary constraints, and have had enough with an ineffective and cost-prohibitive 4+ vendor model that frankly doesn’t solve our problems or improve our threat posture,” says Geoff Coulehan, Head of Strategic Alliances for MixMode.
Ultimately, Coulehan continues, a central question remains. “Is this the best one can expect for a modern SOC, and if so, how much time, money, and personnel are actually required to even theoretically make all of this work? The short answer is, ‘It won’t meet all your requirements and is too expensive.’”
SOCs cannot perform to the best of their abilities with tools that aren’t up to the task. These vital enterprise departments are not asking for too much when they seek out uniform cybersecurity platforms that can increase network oversight efficiency and reduce the risk of missing potential vulnerabilities.
Consolidating comprehensive, convergent cybersecurity protection into fewer platforms provides another key benefit — more efficient scaling.
Predictive AI Enables True Convergence
MixMode relies on the latest, third-wave AI approach to achieve true cybersecurity convergence. SOCs benefit from a single, purpose-built platform that addresses the functional requirements of NTA, NDR, SIEM and UBA.
One real-world example where MixMode replaced an ad hoc cybersecurity band-aid approach is a large government entity that upgraded its SOC with the platform. In this case, the government entity had undertaken a three-year SIEM deployment and a two-year UBA deployment but was still coming up short when it came to real-time threat detection and management.
A key roadblock here was incompatible SIEM and UBA technology. These systems did not communicate with one another, so SOC staff had to pull down data and aggregate it to derive any real meaning from it. The processes involved were inefficient and provided an inadequate level of risk protection.
MixMode was a game-changer for the government entity. The platform’s context-aware, predictive AI capabilities meant security staff no longer had to create and maintain rules-based alerts and queries or manage data across disparate systems. MixMode empowered the SOC team by granting it visibility into real-time threats and anomalies, including active attacks and probes that had previously gone undetected by the SIEM and UBA systems. The team also gained valuable insight into insider behaviors that posed serious threats to data security.
Within a week, MixMode was able to create a baseline of expected behavior across the entity’s entire network. And, because MixMode is not an additive platform at a fundamental level (unlike the SIEM and UBA functions it replaced), the SOC team can create better financial forecasts and allocate human resources in a much more efficient way.
Learn More About MixMode
Set up a demo to see how the MixMode platform can empower your SOC team with a scalable, centralized real-time threat detection and monitoring solution capable of mitigating modern networking vulnerabilities. MixMode can protect your system no matter how it is configured: cloud-based architecture, on-prem and legacy devices, industrial IoT and BYOD or any other mix.
*** This is a Security Bloggers Network syndicated blog from MixMode authored by Christian Wiens. Read the original post at: https://mixmode.ai/blog/2021-the-year-socs-embrace-cybersecurity-convergence/