Security Operations Centers (SOCs) face numerous obstacles when protecting their constituencies and fulfilling their day-to-day operations. We performed a study of the factors that play a role in the impediments they face, which we summarized in the diagram shown in Figure 4.1. Most of the sources we con- sulted were either whitepapers, gray literature, analyst reports or the results from surveys, because these are more timely and closer to the practice of SOCs than scientific literature on these
subjects. We categorized the diverse set of causes of difficulties into four main categories. The following subsections describe the four categories listed below:
(A) An increasingly complex IT environment, (B) Limited business alignment,
(C) Inadequate resources with respect to people and techno- logy, and finally,
(D) Ever-evolving adversaries and corresponding attacks.
Complex IT Environment
The first main type of difficulty for the SOC is related to the scale and complexity of the IT environment. During the past couple of years the IT environment within organizations has
Figure 4.1: Ishikawa diagram showing the causes of difficulties the
SOCfaces while trying to protect their constituency.
changed tremendously in diverse areas. Due to increased mo- bility, larger scale IT usage, usage of cloud infrastructure and employees having the ability to bring their own devices to work,
SOCshave less visibility into and control over what happens on the network and who has access to which business assets at what time [120, 124, 129, 136, 137, 138]. Employees are also in- creasingly making use of software not being provided by their employer for various reasons, such as for improving work per- formance, faster collaboration and better communication. This phenomenon is called Shadow IT. The main risks of Shadow IT
have been identified by Silic and Back [84] and include the de- crease or loss of data integrity and information leakage.
The human aspect plays a role in many of the aforemen- tioned factors and is a factor in itself too. The first reason is that making mistakes due to the lack of knowledge, several differ- ent kinds of biases and other psychological influences is part of our nature [76]. Secondly, insider threats have grown to become one of the biggest threats to consider within businesses [19, 27, 45]. The insider threat is not only about rogue employees, but also denotes the fact that adversaries are increasingly able to become insiders by infecting employees or obtaining legitimate credentials.
4.1 problem analysis 37 Another development that has attracted interest and will likely cause theSOChard times is the increase of industrial and ambient networks getting connected to the business network. These so-called cyber-physical systems, which control physical systems using computers, range from the Internet-of-Things to Industrial Control System (ICS), and can include anything from controlling devices to Supervisory Control and Data Acquisi- tion (SCADA). These systems use all kinds of lesser known, sometimes proprietary, protocols and hardware, requiring spe- cific technologies and specialist knowledge to protect [12, 46, 82], which theSOC often does not have available.
Adversaries are also increasingly making use of the intri- cacies of IT environments and legitimate applications to gain access, move laterally and persist within an organization. Keep- ing an IT environment up to date and configured appropriately is absolutely necessary to prevent it from falling prey to older or newly exploited CVEs. Usage of the Windows operating sys- tem, the Microsoft Office suite and its macro functionality is commonplace and necessary in enterprises of all sizes, but the latter is also frequently abused for infecting victims [113], for example through phishing. Using other built-in scripting lan- guages, including VBScript, JScript and PowerShell, which are available natively in Windows, adversaries can execute virtu- ally any type of action.
Limited Business Alignment
Another main obstacle is the lack of alignment between the business and the SOC. The first reason for this is the fact that the SOC often resides in an enclave, which is good in terms of security [106], but can result in limited visibility into changes in the IT environment or its users [7]. Another factor is the fact that the SOCoften does not have visibility into the primary business processes performed by an organization, resulting in a lack of contextual information [7, 124,125, 131]. On the other end of the spectrum are the SOCs that do have visibility into their constituency, but have no idea about what’s going on out- side of it, missing critical information about developments in the threat landscape [128, 136].
Inadequate Resources
The lack of resources, both in terms of technology as well as in human resources, summarizes the next big category of dif- ficulties we observed. The first technological aspect is the fact that it was not economically feasible to store and retain a large amount of security data in the past [7,13]. Related to this is the fact that it was nearly impossible to process the amounts of data already being stored [7, 13,136] and the fact that new, unstruc- tured, data sources were also increasingly being added to con- ventional databases [13,132]. As a consequence, many Security Information and Event Management (SIEM) deployments were crippled from the start by not feeding them with the right data to increase visibility [131]. Integrating SIEMtechnology is hard because they are relatively inflexible [124, 132], many point so- lutions have to be integrated and they require a lot of knowl- edge to implement properly. Furthermore, deploying a SOC
and its infrastructure is no sinecure: it takes continuous tun- ing of many knobs in order to make it run effectively [111] and out-of-the-box detection functionality is often insufficient [112]. Analysts are often flooded with alerts that are the result from in- adequate default detection method configuration(s) [7], which often also contain numerous false positives [129], resulting in even poorer performance. Security of the SOC infrastructure is another aspect to get right. Reliability and availability of SIEM
deployments has been a problem in the past [7, 13].
In addition to the various technological shortcomings, it is also generally well-known that SOCs are having a hard time employing enough people with the right skills. Staff deficien- cies have been reported about numerous times by Enterprise Strategy Group (ESG) [130, 131], Enterprise Management As- sociates (EMA) [124] and the SysAdmin, Audit, Network, and Security (SANS) Institute [137, 138].
Augmented Attacks
The fourth category of difficulties we observe in modern SOCs
is related to the number and impact of attacks occurring. The first contributing factor is that adversaries can get access to ma- licious code relatively easy on (underground) black markets. One example of what can be bought is the so-called exploit kit, which offer adversaries various capabilities to easily infect their targets [62] with ransomware, for example. Poly- and meta-
4.1 problem analysis 39 morphic malware are also commonplace, and packers offer ad- versaries the capability to avoid detection [3, 66]. Distributed Denial of Service (DDoS) attacks can easily be bought on the same underground marketplaces [108] or even via so-called booters [80], which can be described as commercial services of- fering "stress-testing" capabilities. Other offerings include bot- net rentals, bulletproof hosting and consulting services offering help in setting up various attacks [66]. No reliable statistics are available regarding the size and growth of cybercrime [25], but what is certainly true, is that it has evolved considerably over the years [24, 66].
Adversaries are also increasingly making use of automated attacks targeting low-hanging fruit. Scanning and analyzing the entire Internet IP space has become easily feasible with the emergence of software like ZMap [37] and platforms such as Shodan4
and Censys [38]. Crawling the web for websites run- ning on outdated software or making use of insecure exten- sions is performed constantly. Platforms such as WordPress and Magento are under constant scrutiny by attackers employ- ing scanning tools such as WPScan5
, Nikto6
and Arachni7
to find exploitable websites and applications. The successful com- promise of a website can have various consequences, such as leakage of confidential data, becoming part of a botnet or other attacker infrastructure and serving exploit kits. Sometimes the compromise can lead to the attacker gaining full control over a machine, which can then serve as a stepping stone in a more advanced attack.
Advanced Persistent Threats (APTs) are at the other end of the spectrum. They can be described as adversaries having access to significant resources and expertise [49]. APTs have specific targets and clear objectives, are well-organized, have access to many resources, operate over prolonged periods of time and use stealth and evasion techniques during their at- tacks [17]. These characteristics define what APTs and distin- guish them from more traditional threats. Attacks by APTs are
often called campaigns due to their long-term, multi-phase ap- proach, which can be mapped to a construct called thecyber kill chain [48]. Various tactics used by APTs along the stages of the kill chain include spear-phishing, social engineering, watering hole
4 https://www.shodan.io/
5 https://wpvulndb.com/
6 https://cirt.net/Nikto2
attacks, data hidingand the use of so-called un-patched and un- known zero-day vulnerabilities [17]. They may employ custom malware that is not detected by conventional detection meth- ods, such as anti-virus and Intrusion Detection System (IDS), but they will also make use of run-off-the-mill and/or modified malicious code in their attacks. The Energetic Bear campaign is an example of this: the APT used "generally available" exploit kits for infecting their targets, but deployed custom backdoors for persistence and remote access [134].
Summary of Challenges
As described in the previous sections, SOCs face numerous dif- ficulties when protecting their constituencies. As illustrated in Figure 4.1, the difficulties that arise are very diverse and can be categorized into four categories. These categories are the increasingly complex IT environment, limited business align- ment, inadequate resources with respect to people and techno- logy, and finally, ever-evolving adversaries and attacks. The complexity of the IT environment makes it hard to see and un- derstand what is currently going on within an organization’s IT infrastructure. SOCs also often don’t know what the most criti- cal systems are and suffer from a limited view of the business processes. Not having enough resources in terms of technology and people make it next to impossible to protect against ever- evolving threats. All of these aspects make it harder for a SOC
to adequately protect its constituency.
To address these challenges, vendors offer scalable and per- formant products that promise to solve many if not all of the difficulties. Many vendors also promise excessive results in pre- vention and detection rates when deploying their solutions and boast effortless deployment and maintenance. Although tech- nology is certainly a piece of the puzzle for solving the chal- lenges faced by SOCs, it is not as easy as buying a box and deploying it to a data center to operationalize it. We also think there is no single market for Security Analytics, but that it con- sists of several, related, types of solutions, which often have to inter-operate with each other and with older types of solutions. These new developments in the security industry also require more specialist knowledge, in fields like machine learning and threat intelligence for example, to be developed within theSOC.