Hello and welcome to this webinar on Innovation Never Rests: a new SOC blueprint for tomorrow's threats. I'm Warwick Ashford, a senior analyst at KuppingerCole. I'll be joined later by Aris Koios, who is the technology strategist for the DACH region at CrowdStrike. Before we get going, just a couple of housekeeping rules. You are all centrally muted. We are controlling these features, so you don't need to mute or unmute yourself. We will run a few polls during the webinar and discuss the results at the end. We'd like this to be as interactive as possible, so please participate in the polls. It'll be very interesting to see what this audience thinks on some of the questions, and we'll get commentary from Aris. There'll be a Q&A session at the end of the webinar, and you can enter questions at any time using the Cvent control panel.
So please put questions in. We'll get to as many of these as we can at the end, and again, we'd like to make it as interactive as possible. Obviously I've got my presentation and Aris has got his, but we want to address your specific questions, so please make sure that you participate there to get the most value out of this. We are also recording the webinar, so the recording and the presentation slide decks will be available to you for download in the next few days. So don't worry about that; you'll get all of that. Now, just a quick look at the agenda. I'll be looking at SOC challenges and solutions. After that, Aris Koios will look at how to measure success in a SOC. And after that we'll have a discussion and Q&A.
But first, here's our first poll, and I'd like to know what you consider to be the biggest challenges facing modern SOCs: a lack of skilled cybersecurity professionals; rapidly evolving cyber threats; legacy technology infrastructure; or regulatory compliance requirements. So just take a couple of seconds to go through the options and decide what you consider to be the biggest challenge facing modern SOCs. Okay.
Hopefully we've got your answers to that and it'll be interesting to see what you say.
So, as I said, I'm gonna be looking at security operation centers in general, and a good place to start is what it is, and why do you need it? So what is a SOC? Here's a definition that I came up with. I hope that you agree. It's usually a dedicated team that monitors, assesses, and proactively takes action on information security issues on an organizational and technical level. And I think the most important word in there is proactive. I think that's one of the trends that we're definitely seeing in cybersecurity these days: the need to be proactive. I mean, in the bad old days, everybody generally just waited for stuff to happen, and then reacted like crazy. But now we are adopting a much more proactive approach. And the other thing, although the graphic that I've used is of a physical location, a lot of the time when I'm talking to organizations, I'm realizing that their SOCs are no longer just in buildings or in a physical place.
A lot of organizations are now going for global SOCs where they've got the best talent that they can get all over the world. So that's a trend that we are also seeing, where SOCs are not necessarily located in a single place or in a single building. So SOC teams use logs and other monitoring information from the information systems to defend against threats, both external and internal. And that's another point that is important to take note of: not all threats are external. Some of the threats are internal, and with a lot of the teams that I'm talking to now, I'm seeing a greater focus on internal threats. So a SOC will typically provide a central location to collect information and respond to external threats, as I've just mentioned, but also the internal threats.
I think that's becoming much more important, and also looking at what the user activity is. So now we're moving to an age where users need to be much more accountable for their actions, along with this idea that cybersecurity is everybody's responsibility. It's not something that just the security teams take care of, but everyone in the organization. And then they're also looking at responding to loss of systems and sensitive data. Data loss is a huge consideration now. So in addition to providing a location to collect information, they also need to sort and prioritize alerts.
This is a very important function for helping in investigations and also to keep the organization running. Resilience is another area where we see a growing focus. Defense is not just about keeping the bad guys out, or responding to something when it happens, but it's about keeping the business running. Recently I wrote a paper on the Digital Operational Resilience Act that the European Union has introduced, and that will come into force from 2025. And there the emphasis is very much on operational resilience: can you keep the lights on, can you keep the business running? And although it's focused mainly on the financial sector, all organizations can have a look at this legislation and look at the framework that it provides. And I think it's really interesting reading because it forces organizations to look at risk management.
So risk management is also another area that is growing in importance, and of course continuous monitoring of networks and systems. I think gone are the days where you can periodically see what's going on, have a retrospective look at logs. You need to know what's going on at the minute, because once these attacks do take place and unfold, things can go horribly wrong very quickly. So I think now a lot of the emphasis is on continuous monitoring of networks and systems, and then obviously you've gotta be able to respond to incidents quickly and proactively, as I mentioned earlier. So why do you need a SOC? Well, I've hinted at this already: businesses are being constantly attacked, and you might think this is an exaggeration, but I think all organizations, if they're honest, or if they have the systems to know that they're being poked, will say yes, we're being poked on a regular basis.
Now obviously not everything is a targeted attack, but there are lots of opportunistic attacks out there and you wanna just keep those kinds of attacks out. Also, a recent study found that organizations are taking around 212 days to detect a breach and 75 days to contain it. So that's why you need a security operations center (SOC) to keep on top of these things, so that the bad guys aren't in your networks snooping around, finding out what's worth taking and then quietly exfiltrating it. And the reason that most organizations do not detect a breach is that they're not proactively looking. So there's that word again: you've gotta be looking for the stuff. The whole point of many cyber attacks is to be unobtrusive, to be undetected. So they could be in your networks for 212 days and you're not aware of it.
So it's really important to look for these guys and be aware of what the IOCs are and to be able to do that. So the reasons for implementing a SOC, we would like to suggest, are for organizations that are running an online or public-facing service: if something's public facing, it's probably going to be open to some kind of attack. Also, if you host a number of sensitive databases, then that information is going to be targeted, whether it's personal information or sensitive commercial information; then it's likely to be in the realm of espionage. We've seen in recent years a growing number of attacks that are specifically targeted at getting intellectual property, at IP. So if you have something that could be of use to a foreign power or just a competitor, then the odds are you're gonna be targeted by a cyber attack of some kind.
Again, if you, say, share large quantities of data with other firms, that means that stuff is being exchanged between you, it's going over networks, and those networks can be infiltrated and information stolen. And again, if you're a large global organization, that means that you've got operations in several different geolocations. And so there's gonna be information moving, and information in this day and age, as we all are going to recognize, is money. And above all, if you require a single point of visibility for all your threats. I think that's one of the biggest challenges facing organizations: they have no single place for being able to see all their threats and join the dots. So that's another reason why a SOC can be really useful. Although we've now established the need for a security operations center, there are several challenges to that, and fortunately there are a couple of solutions. I'm sure Aris will be filling us in in more detail, but I will cover it briefly here. So what are the challenges facing SOC teams? Apologies for the gratuitously cliched image of a hacker, but hey, I thought it was rather fun. So there are an increasing number of cyber attacks, and this is for a number of reasons. It's just getting easier for people to carry out cyber attacks because there are lots of as-a-service offerings out there; the barrier to entry is being lowered every day. There are just so many tools for would-be attackers that you don't really need to know much about anything anymore to be able to carry out a fairly devastating kind of attack. Another reason that we're seeing this, though, is that we have a rapidly expanding attack surface.
And this is due to digital transformation. So especially due to the pandemic, a lot of organizations moved to the cloud; they were forced to move to the cloud really quickly, again to keep the businesses running, to enable people to work from home and that sort of thing. But that rapidly expanded their attack surface, and then they needed to take care of that. Also, the industrialization of the cybercriminal industry. These organizations are now criminal organizations that work in an industrial way. They work set shifts; researchers are able to track the hours that they work. It's not just a couple of hobbyists trying to see where they can get in. It's organized and it's methodical. So you can't ignore that. Again, there's the increasing speed, scale, and scope of attacks. Things are getting faster; they're also getting bigger.
And this is partly due to machine learning. We are seeing more and more organizations turning to machine learning to increase their efficiency and their speed and improve their business processes. But as I said earlier, the industry of cybercrime is organized, and they're also turning to machine learning and other ways of increasing their productivity and their effectiveness, such as AI-supported analytics. They can analyze their attacks, they can see what worked, what didn't work, how can we improve that? And then of course we've got generative AI, which is a whole new area that we are going into, because not only is it creating a lot of buzz in the general business world, but it's been really useful to the cyber criminals. It means that they can develop new malware and variants quite quickly, because the AI can just analyze it and quickly say here is a new version, and it doesn't involve people.
So it's increased efficiency there. I think the biggest threat, though, that I'm hearing is that generative AI is really useful in creating credible phishing and smishing attacks. In the past, people would be able to fairly easily recognize a phishing attack: maybe the language wasn't that convincing, maybe the grammar wasn't that good, it wasn't coming from a plausible source, it didn't have plausible content. Whereas that's now changing with generative AI. It can produce very credible stuff. They're [attackers] also able to move into more languages. We are seeing a greater number of languages being used in phishing and smishing attacks, whereas before it was a fairly confined number of languages. And there's a huge volume of security alerts. In the context of the SOC, this is one of the most important points: SOC analysts are now finding it difficult to deal with just the number of attack alerts they're getting, because their organizations have invested in all these security tools that are all generating alerts.
And so that is one of the biggest challenges, I think. And then of course there's the global shortage of cybersecurity professionals, and I'm sure we're gonna talk more about that later, and I'm sure Aris will talk to that in particular. But I think this is one of the things that most organizations are grappling with on a number of levels, and especially in the context of the SOC: finding the right people with the right skills and being able to keep them. And then of course there is the need for SOC integration with incident response, GRC, operations, and so on. So as you can see, there are quite a few challenges facing SOC teams today. And then the final piece of the puzzle is that not only have you gotta have the right people, but you've gotta have the right technology to support SOC teams.
And that's kind of what we're gonna be talking about a lot today: finding the right technology to make your SOC teams more efficient, so that they're not responding to thousands of alerts, but only having to respond to a handful of alerts, which is more manageable. So obviously the old approach is not working. The world has moved on. We've got generative AI moving in on the side of the attackers. So a new approach is needed. Attackers are moving at machine speed, as I've been discussing. Threat analysis, identification and mitigation on the defender's side is still largely manual. And the problem with that, of course, is that it's incredibly time consuming. So many SOC teams do not have the time or the capacity to deal with all the alerts, as I mentioned earlier.
So we need to shift to human-machine collaboration, and I think there's been a lot of discussion around how much AI is gonna help in cyber defense. The consensus at the moment really is that there is still definitely a need for the human component. We've just gotta make sure that that human component is as supported as possible. And so that's where we come up with this concept of human-machine collaboration, where humans and machines work together so that there can be real-time detection of threats and application of threat intelligence, and we can deal with events in real time as well as historical events, with retrospective searches and that kind of thing.
And so I'm just gonna skip ahead and say the automatic mitigation of common threats is important. So you know that with the run-of-the-mill threats and all these automated threats, they're all kind of predictable. So automation of mitigation for these threats is important, so that that whole component is removed from the analyst and they're only having to deal with the things that are really special or different. And then of course there is the effort to reduce the number of alerts, and above all we are looking for decision-making support, and that's what I was alluding to with the human-machine collaboration. This is one of the most important areas where AI can help: with correct decision making. So, a couple of things to think about when choosing SOC tools.
Try and focus on what makes the organization safer. Ensure that alerts have the context necessary to make the right decisions, aim to reduce the number of alerts to a minimum, choose the solutions that centralize data feeds, consider solutions that integrate threat intelligence, and all these things that are brought into a single environment. So the hallmarks of a future-proof SOC: it has to be flexible. You've gotta be able to work with what you have, the investments that you've made; it's gotta work with all the systems that you have, you've gotta be able to tap into the GRC teams and the IR teams and all that kind of thing. So flexibility is really important. It's gotta be scalable. So it's gotta be able to scale with the growth of the business as the business evolves, and also it's gotta be able to scale with threats and attacks and so on, because every day is not the same and some days could be a higher load than others. I think it's also gotta be automated, because we've gotta take care of a lot of things automatically without having too much time taken up doing things that could be automatically dealt with and batted away. And a unified tech stack is important, and I'm sure Aris will talk more about that, but that's gonna help things be more integrated and work much better together. So I galloped through that a bit at the end, but you will be getting the slides so you can have a look at that. And I'm just gonna pause here for the next poll question.
Which benefit of a flexible, scalable, and automated SOC appeals to you most? Is it improved threat detection and response times? Is it cost reduction through automation? Is it enhanced visibility into the IT environment, or is it easier compliance and management? We'll just take a few seconds to consider which one of those things appeals to you the most and log that in, so that we can have a look when we get to the Q&A section of the presentation. And so, as promised and as advertised, next up is Aris Koios, who's going to talk to us a lot about a next generation SOC and specifically about how to measure success in a SOC. So over to you, Aris.
Aris Koios: Alright, so let's kick things off first and talk a little bit about how to measure success in a SOC. When we talk about the challenges, I've been talking with a lot of large organizations here in the region that I support, primarily in Germany. And the feedback that I'm getting from the CSOs and also from the SOC teams is that there's typically a lack of business alignment. I'll unpack this later when we talk about the measurement. It's often activity driven. What I mean by this is that people measure the amount of alerts that are coming in. Other organizations focus a lot on mean time to detection and mean time to response, which makes a lot of sense. But we also need to think a little bit about the adversary side of things, which I'm going to discuss later on in more detail. One thing that we figured out, when we introduced the so-called breakout time, which measures the time from the initial access of an adversary all the way until they break out of that single host, which means they now have two implants: that went down from eight hours in 2018, when we released our first Global Threat Report, to 79 minutes on average.
As Warwick mentioned, the talent gap and skill shortage is a huge theme here. So when we speak with SOC analysts and SOC teams, they typically bring up that that skill shortage has affected the operations a lot, and the number of alerts is high, which means the SOC teams need to find ways to do more with less. And ultimately, if you look into the day-to-day of an analyst, right, they have to triage faster, they have to defend new attack vectors, which I'm going to unpack, and with the goal to stop the breach, if we look into the digital transformation and understand why that attack surface is actually increasing. Obviously there's apps everywhere after Covid, people are working from anywhere, and there's also a lot of cloud adoption, which means customers as of today are using the on-premise environments, the data centers, but they're also shifting workloads into the cloud, which also extends to the identities. That means during that transition, which will last for a couple of years, their attack surface is actually bigger than before.
And the other trend that I'm seeing from a CrowdStrike perspective, since we are also providing a lot of threat intelligence, is that the number of vulnerabilities has increased quite a lot. And also the time between releasing a vulnerability or releasing a patch and then exploiting that patch has decreased, which means Patch Tuesday then becomes Exploit Wednesday. And if we look into the threat landscape, which is also accelerating at the same speed, and Warwick mentioned a few of the reasons, what does it mean for the SOC team? I think in the two thousands, when I started my career, from a vulnerability perspective we were measuring four digits; now we're at five digits. And we had hours or days in order to basically understand an incident, understand the root cause, and react to this. And now if we think about automation, the same level of automation that we see in an organization also applies to the adversary landscape.
And we break down adversaries into nation states, eCrime syndicates that are obviously after money, and hacktivist groups. You can see basically that the modern attack comprises a few different elements. So we see attacks against cloud infrastructures and also PII environments. What started off as a ransomware attack, which was more opportunistic, has now pretty much become hunting, where adversaries are using hacking techniques to get access into the organization and then either deploy a payload to encrypt the environment or exfiltrate data, or do both and demand extortion money twice. So threat has become a service. And the other key trend we are seeing is access brokers. So there are groups that basically only focus on stealing access data into an organization, and then they sell it off on the dark and deep web. So that is one of the challenges, and what it means for defenders, for the SOC teams, is that they used to have weeks or months to respond.
And now, this is basically one thing to consider, it went down to minutes. And that is one thing we need to always consider when we talk about metrics in the SOC: what does the adversary do? How do they basically attack an organization? And there are a few misconceptions here. When we read threat intelligence reports, or when we look into the MITRE ATT&CK framework or other reports that cover breaches, people believe that these attacks are linear, right? You are looking at the MITRE ATT&CK framework, the tactics, but in reality the adversaries typically take the path of least resistance, which means they will try to compromise whatever they can to get access and then move laterally until basically they establish a command and control infrastructure, start exfiltrating data, and impact the environment, depending on the motivation, by deploying ransomware or doing espionage.
And this is where, again, every second counts. It means that one of the metrics to consider is a theme which we introduced already in 2019, the 1-10-60 rule. Ideally, outside of the automatic prevention, you need to have detections which pretty much kick in immediately. So within a minute you should have all the alerts in place; within 10 minutes you should be in a position to make an informed decision about what it is, which requires having the right telemetry and the right analytics in place; and then within 60 minutes you need to be able to respond and remediate. That is a quite aggressive timeline, I'm aware of this, but again, if you think about the speed of the adversaries, it's something definitely to strive for and to consider. And the other element which is important is, if you think about the activities of a SOC, the question comes up when companies are moving into the cloud, adopting new technologies: what does the response playbook look like?
Can the SOC basically efficiently respond to these kinds of threats and stop that breakout time and evict that adversary? So in order to get to this place where you can actually respond, right, there are a few elements. On a very high level, of course you need technology that provides detections and alerts. You need people and processes in place, but more importantly, you also need to have the right data, because after all, security is a data or big data problem. And without the right data, it's very hard to understand what happened, what is the root cause, which systems are impacted, and how to remediate and respond accurately and efficiently. So when I speak with organizations today, there is always this idea that a SOC necessarily is a SIEM. The reality is, as of today, when we talk about building a SOC, most people actually focus on a SIEM.
But when you flip this on its head and ask people, which I normally do when I give a talk: so how effective is your SOC in terms of signal-to-noise ratio, in terms of the promises of having a single pane of glass? Most organizations still flip between 30 to 40 different consoles, then they use a SIEM primarily in order to aggregate the data. But they have a lot of challenges when it comes to things like normalizing the data, which I'm going to discuss in a bit more depth in a few seconds. And the idea that a SOC necessarily requires a SIEM, it really depends. If you are a large organization and have data science in place, or data scientists in place, and have detection engineers in place and have a fully staffed SOC or CDC, that makes a lot of sense, because it gives you the best flexibility.
But on the other hand, if you're a larger organization, maybe not as global or as large as the top companies or the DAX companies in Germany, it does mean that there are alternatives. One alternative could be an XDR, which is extended detection and response, or looking into managed services, managed security services, or managed detection and response services to augment this. Now, the feedback we are getting from a lot of people that went down the SIEM route is that it is very costly to deploy at the end of the day. And this includes hardware costs, or if you're looking into a more modern SIEM approach where you basically use a cloud-based service or host it in the cloud, it still is difficult to maintain. And the productivity in terms of the number of alerts and the accuracy of alerts is a huge challenge, which means the overall security effectiveness is not considered very high.
And just to come back to where we want to head as an organization, and that's the consistent feedback that I'm getting: in order to basically tackle that problem and be faster than the adversaries and win that race against the clock, there's the time required from the initial alert and then the threat analysis, which then basically requires typical orchestration. So you can layer on threat intelligence; if it is malware, you automatically send it off to a sandbox, find related attacks, understand basically what it is, and then come up with an action plan, review it and act upon this. In most organizations, we're still talking about days here, right? And the underlying challenge, as mentioned by Warwick, is that there are not so many people that are seasoned incident responders. And then again, if you are in a mid-sized organization, yeah, it's not very attractive for a seasoned incident responder to work in an environment where they see large-scale incidents, nation-state incidents, maybe only once per year or never, right?
So, time-consuming analysis. I think the key thing is definitely APIs and automation here, but also advanced analytics and AI for time-consuming analysis. When you can shave off a couple of minutes for each step and define playbooks that are repeatable, that will help junior analysts to follow in the footsteps of more senior analysts, but it can also help with the speed. And the other big challenge feedback we are getting is that it's hard to navigate between multiple analysts and analysis tools, especially when there is an incident and people need to access and communicate and collaborate at the same time. And every manual step, of course, is error prone. Now, if we look into the panacea that we've been hearing for the past two decades, it is: give us more data. And I think as an industry we became data hoarders. So we are trying to keep data because we are afraid that when there is an incident or a breach, we do not have sufficient information to go back.
The challenge with that approach, though, is that it's very hard, unless you normalize that data and translate this to a common schema, to apply analytics or even AI, which means the promised outcomes, or the outcomes that people are hoping for, namely to have a very good signal-to-noise ratio, are not always achievable unless you put a lot of effort into that. And when we talk about the effort, it definitely takes a lot of effort to collect the right data, and not all sources are made equal. I think since all the traffic on the network side has been encrypted and it's very costly to decrypt, you're getting a lot of good insights from the actual endpoints, where you can see process execution data and all the communication in the clear. And then of course you need to also ingest data from application stacks, from networking stacks, typically the firewalls, which can be flow data, and of course now cloud information, both from a cloud security posture management, but also the robots that are running, and infuse it also with threat intelligence.
Now there are several vendors here, and that is not the important part. The important part is we have a lot of flavors of everything, which means there are always different Windows versions, there are different macOS versions, and all the information we are collecting results in a lot of different fields and a lot of different ways that this data needs to be represented. And when you ingest the data, I think a common challenge, if you're looking at the analytics problem first, is that if you take five different vendors and ingest an IPv4 address, you will have different names, different fields, which means the whole idea of correlating that information and applying analytics doesn't really pan out unless you do the heavy lifting: parse the data, normalize the data, and then translate it into a schema. Otherwise you cannot correlate an IPv4 field with an IP field which is then called, by a different vendor, net address or network event IP.
And most organizations that went down that route ended up having not a data lake, but more of a data dump, or just data which they cannot leverage. And again, in here, when you think about what needs to be done for all these sources, it means that you need to have the right data at the right time with the right context ingested in real time. That also extends to cloud environments, but also to laptops which are connected from home. And take those strings, those event strings, clean up the data, normalize the data, and then translate it to a schema, and then decide if you want to store the data for long term or if you basically wanna use the data for detection engineering. So if we think about the mistakes now, right? There's a cost associated with all this data engineering. And the question that I always raise is: are you actually, as an organization, equipped to not only stand these costs, but to hire the right people that can execute against a SOC vision?
And we break down the skill shortage and what you need. I mentioned that keeping the data feeds updated and implementing them, tuning the systems, takes some resources. But I think the most challenging part, and this is where a lot of organizations don't even reach that point, is the detection engineering and learnings. Basically, when you have a detection, take this as another loop into a feedback loop with the threat intelligence. And then, as Warwick mentioned, remediating and responding to incidents requires incident response capabilities. Now there are approaches, and we as CrowdStrike have been investing heavily also into generative AI, which has a lot of promise. I wanna unpack this, because there are, as always, limitations with technology, and to Warwick's point, it's important to see this as an augmentation to the human expertise, not a replacement. So, large language models and ML: we've been using machine learning since our inception in 2011 and released the first ML models to identify malware at scale in 2014, which we also published on VirusTotal.
And now with the large language model, there's a huge benefit here, especially since we're a threat intelligence company as well. We produce only for the first nine month in this year, we released over 17,000 pages of finished intelligence. And of course using an LLM can help you to mine through the data, summarize that information, make it actionable. The other key element is of course the data retrieval analysis of large event information and the process automation and much more. But the element of a crown truth is important here, which means on the one hand side there is data scientists that we employ and other companies employ that basically prepare these model tests, these models. And there's two loops on the left hand side, you have the human expertise and the right hand side you have a much faster loop, which is like the artificial intelligence.
And while we're using machine learnings across our entire platform and LLM, the speed and scale is fantastic, which means you can respond and analyze things pretty much at machine speed and automate things. So we are basically producing with all our data automated behaviors to detect new attacks as well. But all this basically follows the concept of a ground truth, which means at the same time there's a slower circle where we have security analysts in our managed technical response team to take false positives to label new detections. We have threat hunters that basically provide new hunting leads and feed this all back into threat intelligence. So where we are heading with all this, and this is basically one of the application where we as an industry can start tackling the skill shortage is, is is the, the vision for generative AI in a SOC is pretty much to augment the analyst, starting with a tier one analyst where you can basically save a lot of time by providing a simple prompt and you can ask questions as simple as, hey, how would this adversary attack my environment?
Do I have vulnerabilities which are exposed that are be being exploited by an adversary like scattered spider? And, and, and that is the vision as of today. So the tier one analyst, that should be straightforward. The goal is here, primarily accuracy. So the idea that we have GWAS in place and also making sure that everything is, is falling that crown tooth concept. So there's no hallucination here that you can see with other LLM models. And the other part is of course the tier three analyst where in the next phase or over the course of the next month, there's going to be suggestion on how to contain something. So for example, you've seen a tech, you can then create a partial script or a batch script that you can then deploy in a playbook and also to, to make remediation suggestions. And ultimately the goal should be to then help also with the orchestration of the entire SOAR and, and workflow generation, playbook generation, also providing hunting leads and automating also the, the, the containment.
So it is a key element definitely in the soc and it's also a journey as always. And I wanna close this discussion off by talking a little bit about the future blueprint. If you think about the future blueprint on the right hand side, you can see basically the data and how long you wanna store that data, which means there's data which is primarily useful for detection capabilities. So you can store it either as streaming data for, for a week, for example, or it can be two weeks. And that allows quick searches against small timescales, which also then allows more complex queries. You can do data stacking, you can do long tail analysis, you can do multiple joints of these different data sources. It can help with hunting, but also with custom detection and correlation. The other element is of course, metering data. So we are talking here about, yeah, two weeks until two, one or two months, maybe three months, where you still basically have longer timescales, but the complex queries need to be verified and be effective.
So they, the number of queries are low frequency queries and the data is typically used for investigations of incidents to understand basically, okay, have we seen this attacker in the past? And then when it comes to long-term data, while you're building threat intelligence or ingesting threat intelligence, you wanna run simple IoC queries against domain IP addresses against a longer term storage, which of course are slower search, but this is also used useful for hunting and compliance. We have audit data here as well. On the left hand side, again, in a modern soc, one of the key elements is of course getting the right detections in place using threat intelligence here, AI ML that can generate new detection rules and also using the data to proactively hunt against the data based on hypothesis. And that hunting can be augmented with threat intelligence.
But the idea is here that you're using both human analysis and automating automation, which means whatever step you're doing in the SOC should be automated. And one of the key elements is of course an API-first strategy, which means all these systems you are using can be used for, for programmatic automation. Then once you close an incident, the other key elements, the lessons learned where we capture the right intelligence and feed this back into the system. So with that approach, the idea is then, and this is where we are heading as a company, this is what we are providing from an XDR perspective is pretty much a plug and play approach where you can ingest data from different sources, aggregate them, apply the AI analytics on top of this in the automation, and then either use managed hunting or hunt yourself or do both ideally. And the amount of effort required for the human analysis is actually minimal. And the data points the analyst needs both from a threat intelligence, from enrichment perspective is always available so they can execute against the 1 10 60 vision. Wanna pause here and thank you first and hand it back over to Warwick.
Warwick: Yeah, so thank you very much. I found the conclusion very interesting. Certainly it seems that the industry is moving in that direction. I'm currently working on a new report, a new Leadership Compass on intelligent SIEM platforms. And that seems to be where the industry is going. It's very much in terms of reducing the cost, specifically all the classical areas where there were problems with SIEM storage costs and so on. But very much this idea of supporting the SOC analyst and doing as much automatically in the background and supporting that decision making, which is great.
Okay. Before we go on to the Q&A section, we're just going to have a look at our final poll.
Okay. Right. So we asked what do you consider to be the biggest challenge facing modern SOCs? And overwhelmingly it seems the answer is rapidly evolving cyber threats. Aris, are you surprised by that result?
Aris: I'm a bit surprised because yes, it is a huge challenge, but by the same token, I think the lack of skilled cybersecurity professionals is also something, because in order to combat these rapidly evolving cyber threats, we need skilled experts.
Warwick: Yeah, I must agree with you. I would have thought that at least the lack of security professionals would have featured there, and probably a little bit more heavily than it did, because certainly, you know, speaking to organizations, that is one of the biggest challenges, and from the research that I'm doing now, a lot of the vendors are seeking to or are trying to help organizations address that. And that's great news because, you know, we are not able to get skills into the pipeline really quickly. So the more that the technology can step in and help is great.
Okay. Well maybe let's have a look at the second poll question now if we can, and see what the answer was to which benefit of a flexible, scalable, and automated SOC appeals to you most. Okay. Again, it seems to be a pretty decisive answer. And this is through improved threat detection and response times. I'm surprised cost didn't play a higher effect there, Aris.
Aris: It's true. I think it really comes down to, I mean, if I have a wishlist, yes, definitely that would be my answer as well. But then if you speak with the finance people and the business people, you also need to basically align it to the business. So cost will play a role eventually. But I think if you look at the question, it doesn't make sense,
But I, you know, again, there was a fairly small vote for enhanced availability and easier compliance management.
Warwick: Again, I was quite surprised because my impression is that a lot of organizations are compliance driven. And so to me this kind of result is also a bit surprising. In your experience, do you agree with me that compliance is one of the big drivers really?
Aris: It really comes down to the industry, I think, and which countries you are based in. But yeah, it is a driver, and yeah, the SOC definitely plays an important role to feed the right information to the GRC team.
Warwick: Okay. And then let's have a look at our third poll question. What was the response there to, why do you think traditional SOCs are no longer fit for purpose? Okay, again, pretty convincing results: an inability to adapt to changing threats. Aris, again, what is your view on this? Would you have expected to see a more even split between the couple of options?
Aris: Actually, I think it's a fair point, the inability to adapt to changing threats. And as I unpacked earlier, I think if you're looking into what digital transformation means and the exposure and the threat landscape that is changing, that is definitely a challenge, and people are shifting their SOCs, or at least the SIEM technologies that they're using, or using other approaches these days and shifting this more into a cloud-based approach where they can ingest data and are not basically charged by events per second and all this. So scalability in getting the right data in and making sense out of this definitely makes a lot of sense. So I think it's a good outcome from a poll perspective.
Warwick: Okay, so this is the discussion and Q&A section of this webinar. This is your opportunity to take part. Now hopefully we should be able to have some questions from the audience and find out what you guys are particularly wanting to know about. I'm just hoping to see if there are, let me see if there are any questions here.
How about this one? How does XDR differ from traditional SIEM solutions and what advantages does it bring to SOC teams? So I assume that what advantage does XDR bring? So I know that there's a kind of a whole debate around what do we mean exactly by XDR, and I would argue though that intelligent SIEMs are sort of taking center stage rather than traditional SIEMs. I mean, are many organizations still even thinking about using traditional SIEMs? I mean, is that not kind of something that's passé, Aris?
Aris: I think there is, especially for compliance reasons, and when it comes to aggregating large amounts of logs, it does make sense to use a SIEM. But again, a SIEM as a standalone doesn't make a lot of sense unless you basically use also the orchestration elements, the threat intelligence elements. And so I think in terms of the question, I mentioned one of the key challenges organizations are facing is ingesting the data, normalizing the data, and then translating this into a common schema and then applying analytics and building cross detection, sorry, cross domain detections. And this is where vendors that provide an XDR solution can help, but it's also incumbent on the customer to understand what that means. I mean, the key element in here is that you have detection and response and you extend this, but the extension has to take place in terms of extending EDR capabilities. Because this is pretty much where every incident responder rolls out this kind of technology to understand what is happening. And again, if you are struggling with normalizing data, ingesting data, building detections and want to focus more on the security outcomes or the GRC layer, this can definitely help. If you're a very large organization that employs data scientists, detection engineers, reverse malware analysts, threat hunters, definitely you can have more flexibility with a next generation SIEM.
Warwick: Okay, great. That's very interesting because, as I say, I'm researching in that area at the moment, and I think quite exciting things are happening in the realm of intelligent SIEM platforms, because everyone has now learned from the previous iterations, we're all moving into this kind of more resilience-based approach to security, and then also, as we've been discussing, the human-machine interface. Let me look, are there any more questions?
Okay, yes. Here's another one. What are the emerging threats and challenges that SOC professionals need to prepare for in the coming years? That's quite an open question.
Aris: Yeah, I think it's also, I'm not the biggest fan of all these predictions, but I think you raised an interesting point earlier, the SIEM. I mean, there is a new battleground, which is leveraging AI and ML technologies, and I think the adversaries are going to adopt also large language models and AI driven chatbots. So that is going to be a concern because even professionals won't be able to distinguish a lure or a phish or a fake call from the real person. I think there are a lot of new vulnerabilities coming out. So making sure that the exposure management and the patch management really extends to all the environments. I mentioned access brokers; this is a trend which is going to continue, and when you speak to organizations and ask them, hey, if somebody actually uses legit credentials, can you detect them? Typically the answer is, yeah, we're going to struggle with that one. And of course legitimate tools are being used, remote management tools and so on. And I think the last trend I want to bring up, what we are seeing from a threat intel incident response perspective, is a lot of cloud adoption as well. So we've seen the first adversaries which are super proficient at exploiting cloud environments, and especially if it's a hybrid one, moving from the cloud then to the internal environment. So that's something to consider.
Warwick: Yeah, you mentioned an important point there about the access brokers though again, and that's what I meant earlier when I said that the barriers to entry for cyber criminals are coming down. I mean, you don't need to be able to crack things anymore. You just subscribe to a service which will give you a nice little credential package and you're straight into the system. So I think that's one of the reasons that we're seeing the [attack] volumes going up.
Aris: Yeah, absolutely.
Warwick: Okay. We're coming rapidly up to the top of the hour, but I think we're able to squeeze in one more question, although this is kind of fairly generic. The question is, how can organizations address the shortage of talent and the skills gap in the SOC? I think we've been discussing that in quite some detail. I mean, would you say there is anything beyond the technology or what we've discussed today, initiatives that organizations can undertake to kind of maybe grow talent from within their own ranks?
Aris: Absolutely. I think we're not doing enough. I used to teach at universities early in my career. I think we need to have these programs where we actually spend time with graduates to bring them up. That's important. Also, providing the right culture where people feel confident and can grow individually and professionally. But at the same time, this will still not fill that gap. So I think, especially if you're trying to address the challenges we are facing as an industry, it's very important to find the right partners that can help you to fill these gaps, that basically invested into these kinds of automations and can help you basically by providing managed detection and response services or incident response services.
Warwick: Okay, great. That brings us very nicely up to the top of the hour. Thanks very much to all of you for joining us today. I hope that you found that useful and beneficial. Thanks, Aris, so much for your presentation and for laying out your blueprint. I thought that was really interesting. I'm going to go away and have another look at that. I think that will provide a very useful guideline for organizations when they're thinking in terms of their SOC and their future defenses. Okay, thanks everybody, and hopefully we'll see you on the next webinar soon. Thank you.