Foreword: This has been a busy year, so busy that I have not written anything for the last few months. But these months have been very full, and I have kept seizing the time to absorb all kinds of knowledge. I am finally taking the time to share what I have learned.
On November 2, 2015, Oliver and Neil of Gartner released a report titled "The Five Characteristics of an Intelligence-Driven Security Operations Center".
The report says that intelligence must be incorporated into the SOC architecture in order to embrace an adaptive security architecture that is situational-aware and intelligence-driven. Security leaders should understand how intelligent SOCs use tools, processes and strategies to protect against new threats.
The five characteristics of an intelligent SOC are:
Operationalize threat intelligence at the strategic and tactical levels
Put security intelligence into practice with advanced analytics
Automate as far as possible
Hunting and investigation (detection and hunting)
Deploy an adaptive security architecture
Does this sound familiar? If you have been following Gartner's research and know Neil's work, then many of these questions have already been answered.
First of all, it must be noted that "intelligence-driven" in this report means driven by intelligence in the sense of being smart, not driven by (threat) intelligence. As for the difference between the two: security intelligence, or intelligent security, is a security strategy put forward by Gartner (Gartner Fellow Joseph Feiman's 2010 report, "The Rise of Readiness for Enterprise Security Intelligence") and is clearly defined there. This time, Neil has refined the "intelligence" of the intelligent SOC into five aspects, and chief among these five are situational awareness and the adaptive security architecture. "Future information security will be situational-aware and adaptive," Neil said in a report he wrote for Gartner. Then, at the beginning of 2014, he proposed the concept of the adaptive security architecture.
Situational awareness and security intelligence have been discussed a lot already, so I will not repeat them here; instead, a brief introduction to the Adaptive Security Architecture. Some people think it should be translated as "adaptive" rather than "self-adaptive" security architecture, feeling that "self" and "automatic" go a bit too far. Still, Neil builds a great deal of automation into it.
What is an adaptive security architecture? See the figures below:
[Figure 1.jpg: adaptive security architecture (image: http://s5.51cto.com/wyfs02/M02/76/DB/wKiom1ZdpQaRB5fbAAiW0Lomd9k229.jpg)]
[Figure 2.jpg: adaptive security architecture (image: http://s1.51cto.com/wyfs02/M01/76/DB/wKiom1ZdpxuhhLRKAAEA2oJcByw294.jpg)]
This architecture emphasizes monitoring and detection: security analysis (monitoring/detection/prediction) and the response based on the analysis results are separated out from protection, and together they form a closed loop. At the same time, it stresses the importance of automation in response.
Now a look at the five features in turn:
1) Threat intelligence: the industry has talked about this a lot, both the strategic and the tactical side, as well as the Threat Intelligence Platform (TIP) that puts it into practice.
For threat intelligence, a more comprehensive division is into three levels: strategic, operational and tactical.
[Figure 3.jpg: three levels of threat intelligence (image: http://s5.51cto.com/wyfs02/M02/76/DB/wKioL1ZdqfvxmKhMAANehWsw_44195.jpg)]
2) Advanced analytics, which is in fact security analytics; SANS research reports have been devoted to this, including the latest 2015 report. Security analytics is closely linked to security intelligence, because modern security analytics is not IDS and SIEM in the traditional sense, but places more emphasis on intelligence: behavioral profiling, complex statistical analysis, machine learning, predictive algorithms and so on.
3) Automation. This may be quite controversial, and it is the core of the report. The report argues that only automation can raise the efficiency of response enough to keep up with the speed of breaches. Recall the finding in Verizon's DBIR that the attackers' timeline is always ahead of the defenders'. Automation is really hard, so the report uses the words "as far as possible" ("automate whatever and whenever it is feasible"). The report says: "rather than to seek full automation of all SOC activities, enterprises should seek 'automatability'
A) In detection, attacks are detected automatically (or with very little manual work) using intelligent analysis methods such as machine learning and user and entity behavior analysis (profiling);
B) In interactive analysis, the tools assist the analyst's hunting and exploration as much as possible, for example by automatically gathering the situational information about an attack, presenting it effectively in front of him or her, and giving as many hints and clues as possible. This is in fact an analysis-driven, or human-augmented, security decision support system. In the report's words: "a human is still involved in the process and the process itself is highly automated to make effective use of scarce SOC resources."
C) In response handling, workflow systems, automated policy distribution systems and user provisioning systems can be used to raise the level of response automation. The Gartner report calls these Security Incident Response Platforms (SIRPs) and Security Operations Automation Platforms (SOAPs). Looking more closely at the US market, many companies have focused on IR automation.
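To make the three automation steps concrete, here is a toy closed-loop pipeline written for this post as an added example; it is not code from the Gartner report or from any product it mentions. Step A is a per-user behavioral baseline (failed logins per day scored as a z-score against the user's own history), step B enriches the result with a threat-intelligence lookup so the analyst receives context rather than a bare count, and step C turns the enriched alert into a response decision: automatic containment only when the behavioral anomaly and a high-confidence indicator agree, otherwise a ticket for a human hunter. The log lines, the seven-day history, the intelligence feed (RFC 5737 documentation addresses, not real indicators) and the threshold `Z_THRESHOLD` are all constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from statistics import mean, pstdev

# Constructed threat-intelligence feed: indicator -> context.
# Addresses come from RFC 5737 documentation ranges; they are not real IoCs.
TI_FEED = {
    "203.0.113.7": {"tag": "known-c2", "confidence": "high"},
    "198.51.100.23": {"tag": "mass-scanner", "confidence": "medium"},
}

# Constructed seven-day history of failed logins per user per day (the UEBA-style baseline).
HISTORY = {
    "alice": [1, 0, 2, 1, 0, 1, 1],
    "bob": [0, 0, 1, 0, 0, 0, 1],
    "svc-backup": [0, 0, 0, 0, 0, 0, 0],
}

# Constructed authentication log for today: "<timestamp> <user> <src_ip> <outcome>".
TODAY_LOG = """\
2015-11-02T08:01:10 alice 192.0.2.10 success
2015-11-02T08:03:44 alice 192.0.2.10 failure
2015-11-02T09:15:02 bob 203.0.113.7 failure
2015-11-02T09:15:05 bob 203.0.113.7 failure
2015-11-02T09:15:09 bob 203.0.113.7 failure
2015-11-02T09:15:12 bob 203.0.113.7 failure
2015-11-02T09:15:20 bob 203.0.113.7 failure
2015-11-02T09:15:25 bob 203.0.113.7 failure
2015-11-02T09:15:30 bob 203.0.113.7 success
2015-11-02T11:40:00 svc-backup 198.51.100.23 failure
2015-11-02T11:40:03 svc-backup 198.51.100.23 failure
2015-11-02T11:40:06 svc-backup 198.51.100.23 failure
2015-11-02T12:00:00 svc-backup 192.0.2.55 success
"""

Z_THRESHOLD = 3.0  # hypothetical tuning value: how far from baseline counts as anomalous


@dataclass
class Alert:
    user: str
    failures_today: int
    z_score: float
    ti_hits: list = field(default_factory=list)  # (src_ip, tag, confidence)
    action: str = "none"  # none | ticket | contain


def parse_log(text):
    """Parse the constructed log format into dicts, skipping malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # a bad line must not stop the whole pipeline
        ts, user, src_ip, outcome = parts
        records.append({"ts": ts, "user": user, "src_ip": src_ip, "outcome": outcome})
    return records


def z_score(today, history):
    """Step A: distance of today's count from the user's own baseline, in standard deviations."""
    if not history:
        return float(today)  # no baseline yet: every failure counts as one unit
    sigma = max(pstdev(history), 1.0)  # floor avoids division by zero on flat baselines
    return (today - mean(history)) / sigma


def decide(alert):
    """Step C: contain automatically only when behavior and high-confidence intel agree."""
    has_high_ti = any(conf == "high" for _, _, conf in alert.ti_hits)
    anomalous = alert.z_score >= Z_THRESHOLD
    if anomalous and has_high_ti:
        return "contain"  # e.g. push a block rule through policy distribution
    if anomalous or alert.ti_hits:
        return "ticket"  # hand to an analyst with the context attached
    return "none"


def triage(records, history, ti_feed):
    """Run detect -> enrich -> decide over the records and return one Alert per user."""
    failures = defaultdict(int)
    sources = defaultdict(set)
    for r in records:
        sources[r["user"]].add(r["src_ip"])
        if r["outcome"] == "failure":
            failures[r["user"]] += 1
    alerts = {}
    for user in sources:
        alert = Alert(user, failures[user], z_score(failures[user], history.get(user, [])))
        for ip in sorted(sources[user]):  # step B: attach intel context to the alert
            if ip in ti_feed:
                alert.ti_hits.append((ip, ti_feed[ip]["tag"], ti_feed[ip]["confidence"]))
        alert.action = decide(alert)
        alerts[user] = alert
    return alerts


if __name__ == "__main__":
    for a in triage(parse_log(TODAY_LOG), HISTORY, TI_FEED).values():
        print(f"{a.user:<11} failures={a.failures_today} z={a.z_score:.1f} "
              f"ti={a.ti_hits} -> {a.action}")
```

With the constructed data, alice stays quiet, bob's burst of failures from a high-confidence indicator is contained without an analyst, and svc-backup's deviation from a flat baseline plus a medium-confidence scanner hit becomes a ticket with the evidence already attached. The point of the design is the one the report makes: the decision rule is deliberately narrow about what it automates, and everything it cannot decide is handed to a human with as much context as the machine could gather.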
4) Hunting and investigation. These two words, especially hunting, have recently become very hot and have an offensive flavor: they emphasize defending from the attacker's point of view, detecting attacks and finding IoCs/IoAs, and in particular they stress the role of the analyst. There must be a big difference between a good hunter and a mediocre one. This places requirements on SOC analysts, gives a new interpretation to the methodology of security analysis, and of course places technical requirements on the SOC's security analysis tools. The tool in the hunter's hand is very important. Tools include the advanced analytics (security analytics) tools mentioned above, as well as human-computer interaction support tools and processes. By the way, SANS will hold a Threat Hunting and IR Summit in 2016.
5) Deploy an adaptive security architecture; this needs no further words.
Finally, it must be pointed out that the era of the intelligent SOC has already begun and is now only being stated more explicitly. Intelligent SOCs will integrate next-generation security analytics technologies, including BDSA (big data security analytics) and threat intelligence, and will place higher demands on people.
References: my SOC topic
Gartner: Five Characteristics of the Intelligent SOC