It’s a question older than the internet—do we optimize our existing tech stack or invest in new technology? The debate is as fresh today as ever, especially with the saturation of solutions promising to simplify security stacks. NetSPI Partners bring a fresh perspective to the lofty goal of simplifying detection and response outcomes by weighing in on the long-term effects of complexity, discussing when to optimize versus invest in technology, and explaining how automation can ease workflows and enhance efficiency in detecting, investigating, and responding to threats.
1. In your experience, what are the top challenges SOC teams face with detection and response controls?
“The top challenges I have seen SOC teams face with detection and response controls are defining strategy and increased complexity in their tech stacks. Without a clear strategy for detection and response controls, SOC teams will often suffer a negative feedback loop that leads to increased complexity in their tech stacks. This frequently leads to deploying numerous point solutions and patching them together to cover control gaps, only to eventually look at yet another tool that claims it will simplify your SOC operations.
A sound SOC detection and response control strategy should consider their organization’s business aims and their organization’s threat landscape. Using a threat intelligence informed approach tailored to your organization can help in selecting controls and solutions that will provide measurable improvements on mean times to detection and remediation (MTTD and MTTR).”
“I think one of the biggest challenges that SOC teams face is knowing what detections are missing and how they can increase the number of real alerts while not creating too many false positives. Every network and setup is unique and it takes real time investment to really make sure that the security stack you build is finely tuned for your stack and security policy.”
Thomas Adams, Product Manager, Breach and Attack Simulation, NetSPI
“We see a need for unification and visibility for detection controls as the main challenges SOC teams must overcome. These teams have multiple point solutions (SIEM, EDR, NDR, IDS/IPS, etc.), all reporting various detections that need to be processed and worked on by a SOC team. They could have multiple detections in one platform that all relate to one event, or they may have one alert in numerous tools that all relate to one event, but the SOC team has no easy way of stitching or unifying these detections together without resorting to manual processes and subjective logic.
The same applies to response controls. Once confirmed, most cyber events will have multiple response and remediation steps spanning many tools or systems. SOC teams must manually interact with each disparate platform to take these response actions, slowing down containment and eradication times while increasing dwell/active threat times. To combat this, SOC teams should invest in a Security Operations platform that can integrate into their security control ecosystem and act as the detection and event unification system while offering robust, “single click” response plays across their technologies. This unified view will drastically speed up event identification, containment, eradication and reduce dwell/active threat times.”
Jeff Music, ReliaQuest CISO
“Our customers’ SOC teams are seeing a high volume of alerts, coupled with false positives, which can put them at risk of decreased effectiveness in identifying and responding to real threats.
Every new technology, every new platform has its own set of logs and data formats. To add to the challenge, many of our customers operate in a hybrid infrastructure, and they are required to adapt their detection and response capabilities to an increasingly complex environment.
In the face of a skills shortage, our customers must ‘do more with less’ and run a gauntlet of evolving challenges including sophisticated attacks, advanced persistent threats (APTs), integration challenges, ineffective automation, compliance requirements, evolving data protection regulations, and insider threats.”
Harsh Thanki, SecureLink Security Consultant
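Both Jeff Music's point about one event surfacing as separate detections in the SIEM, EDR and NDR, and Harsh Thanki's point that every platform ships its own log format, come down to the same two steps: normalize each tool's alerts into one schema, then join them into a single incident. The following is an added example, not code from NetSPI, ReliaQuest or SecureLink; the three export formats, field names, hostnames and timestamps are constructed for illustration, and the correlation rule (same host within a 30-minute window) is a deliberately simple stand-in for what a SecOps platform does.

```python
"""Normalize alerts from three tools and stitch them into incidents.

Added example (not the page's or any vendor's code). The export formats below
are invented; real tools use their own schemas, which is exactly the problem.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import List, Optional

# Constructed sample exports. Note the inconsistent timestamp formats, host
# casing and user naming across tools; nothing here is real telemetry.
SIEM_ALERTS = [
    {"ts": "2024-03-04T09:12:05Z", "rule": "Multiple failed logons",
     "src_host": "ws-114", "account": "jdoe"},
    {"ts": "2024-03-04T09:14:40Z", "rule": "New admin group member",
     "src_host": "ws-114", "account": "jdoe"},
]
EDR_ALERTS = [
    {"detected_at": 1709543650, "hostname": "WS-114",
     "user": "CORP\\jdoe", "threat": "Credential dumping tool"},
    {"detected_at": 1709550000, "hostname": "srv-db-02",
     "user": "svc_backup", "threat": "Suspicious scheduled task"},
]
NDR_ALERTS = [
    {"time": "04/03/2024 09:16:10", "client": "ws-114",
     "signature": "Outbound connection to rare domain"},
]


@dataclass(frozen=True)
class Alert:
    """Common schema every tool is mapped onto before correlation."""
    tool: str
    seen: datetime
    host: str
    user: Optional[str]
    signal: str


def _siem(a: dict) -> Alert:
    seen = datetime.strptime(a["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return Alert("SIEM", seen, a["src_host"].lower(), a["account"].lower(), a["rule"])


def _edr(a: dict) -> Alert:
    # Strip the NetBIOS domain prefix so "CORP\jdoe" joins with "jdoe".
    user = a["user"].split("\\")[-1].lower()
    seen = datetime.fromtimestamp(a["detected_at"], tz=timezone.utc)
    return Alert("EDR", seen, a["hostname"].lower(), user, a["threat"])


def _ndr(a: dict) -> Alert:
    seen = datetime.strptime(a["time"], "%d/%m/%Y %H:%M:%S").replace(tzinfo=timezone.utc)
    return Alert("NDR", seen, a["client"].lower(), None, a["signature"])


def normalize_all() -> List[Alert]:
    """Map every tool's export onto the shared Alert schema."""
    return ([_siem(a) for a in SIEM_ALERTS]
            + [_edr(a) for a in EDR_ALERTS]
            + [_ndr(a) for a in NDR_ALERTS])


@dataclass
class Incident:
    host: str
    alerts: List[Alert] = field(default_factory=list)

    @property
    def first_seen(self) -> datetime:
        return min(a.seen for a in self.alerts)

    @property
    def last_seen(self) -> datetime:
        return max(a.seen for a in self.alerts)

    @property
    def tools(self) -> List[str]:
        return sorted({a.tool for a in self.alerts})

    @property
    def users(self) -> List[str]:
        return sorted({a.user for a in self.alerts if a.user})


def correlate(alerts: List[Alert], window: timedelta = timedelta(minutes=30)) -> List[Incident]:
    """Join alerts on host: an alert extends an open incident for the same
    host if it arrives within `window` of that incident's latest alert."""
    incidents: List[Incident] = []
    for alert in sorted(alerts, key=lambda a: a.seen):
        for inc in incidents:
            if inc.host == alert.host and alert.seen - inc.last_seen <= window:
                inc.alerts.append(alert)
                break
        else:
            incidents.append(Incident(host=alert.host, alerts=[alert]))
    return incidents


def build_incidents() -> List[Incident]:
    return correlate(normalize_all())


if __name__ == "__main__":
    for inc in build_incidents():
        span = (inc.last_seen - inc.first_seen).total_seconds()
        print(f"{inc.host}: {len(inc.alerts)} alerts from {inc.tools}, "
              f"users={inc.users}, spread over {span:.0f}s")
```

With the constructed input, the four ws-114 detections (two SIEM rules, one EDR threat, one NDR signature) collapse into one incident spanning about four minutes, while the unrelated srv-db-02 detection stays separate. Keying only on host is the minimum viable join; a production platform also pivots on user, source IP and process lineage, and a case that pulls in the triage tree view of all four signals at once is what lets an analyst skip re-discovering the same event in each console.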
2. What are some indicators that a client can enhance their existing tech stack versus invest in new technology?
“I believe that before you invest in expanding your tech stack you should have an audit of your current capabilities and carefully evaluate whether they are being used to their fullest potential and if it is possible to better configure and tune them to cover whatever gap has been identified.”
Thomas Adams, Product Manager, Breach and Attack Simulation, NetSPI
“When assessing whether to enhance an existing tech stack or invest in new technology, it’s important to consider your current capabilities, before considering a new technology. Review your stack’s performance metrics and adaptability, and how you are trending on key performance indicators in your SOC.
If the current stack exhibits inefficiencies in handling evolving threats, lacks adaptability, or hinders integration, enhancement is likely warranted. Enhancements could be exploring potential features you have yet to leverage in a solution, or automating a repetitive manual task in the stack. Conversely, if technological gaps persist in addressing specific threat vectors or compliance requirements, strategic investments in new technologies are warranted.”
“Ultimately, the decision should be based on a thorough analysis of the organisation’s specific situation, considering factors such as functionality, integration, cost, scalability, and the long-term business strategy.
Our customers in a rapid-growth phase often come to us with challenges as they feel they have outgrown their tech stack. Solutions that once were effective might appear to have failed to scale with them, but in some cases optimization, performance tuning, and additional configurations are all they need to continue without being forced into additional tech stack purchases.
We also see a lack of employee training and enablement where the customers’ current tech stack is under-utilised. Employee training must be part of the plan from day one to ensure they are getting the most out of their existing tech stack. We also advise our customers to gather feedback from key stakeholders, including end-users and IT staff, to understand pain points and areas where improvements are needed. This input can guide decisions on whether enhancements or new technology are more appropriate.”
Harsh Thanki, SecureLink Security Consultant
3. What kind of problems start to present themselves when security stacks become too complex?
“When security stacks become too complex, SOC teams become overwhelmed with basic management and maintenance of these platforms, rarely realize the full value of the different platform capabilities, and often experience a false sense of “security” based on the technology’s promises versus real-world application and outcomes.
SOC teams should continuously measure their cyber tools and program effectiveness to identify gaps in visibility, prevention, and detection. SOC leaders can use this data to gain insights into where controls may be missing and identify where systems or tools may be too complex for the outcomes they are driving toward achieving.”
Jeff Music, ReliaQuest CISO
“The more complex your security tech stack gets, the more likely you are to have redundant or overlapping (even at times incompatible) features, a lack of visibility, muted agility, compliance challenges, and increased overhead. Complex security stacks can often require highly specialized skills for configuration, management, and optimization. If there is a shortage of skilled personnel or inadequate training programs, it can impede the effective operation of the security infrastructure.
To address these issues, organizations should periodically review their security stack, streamline redundant tools, and seek solutions that provide a balance between effectiveness and simplicity. Regular assessments and adjustments are crucial to maintaining a robust, agile, and manageable cybersecurity posture.”
Harsh Thanki, SecureLink Security Consultant
“When security stacks become too complex, many of the other problems we see endemic to SOC job roles emerge, such as knowledge silos, resource constraints, burnout, and increased time and effort to onboard and train resources. As complexity increases, resources become constrained to owning different solutions or products in the stack. This often leads to knowledge silos across the SOC, as other day to day responsibilities and on-call reduce the ability to cross train resources on the sprawl of solutions.
Additionally, this complexity makes it hard to onboard and train new resources, especially junior ones. Over time, these problems lead to burnout on the SOC team, which in turn will amplify these problems.”
“When the security stack becomes too complex, you start facing problems in multiple areas: training new analysts becomes tedious and lengthy, you have to start making decisions about which data is the most important or accurate, analysts start facing burnout, documentation and policy writing become challenging, and this can lead to a false sense of security for non-technical leadership.”
Thomas Adams, Product Manager, Breach and Attack Simulation, NetSPI
4. In your experience, how has automation played a role in simplifying security stacks?
“Our customers who have successfully implemented automation within their security tech stacks are minimizing manual effort within several areas including incident response, threat intelligence, patch management, log correlation, user behaviour analytics (UBA), suspicious email quarantine, and policy enforcement. By incorporating automation into these aspects of cybersecurity, organizations can achieve faster response times, reduce the likelihood of human errors, and improve the overall effectiveness of their security stacks. This, in turn, contributes to simplifying security operations and adapting to the dynamic and evolving threat landscape.”
Harsh Thanki, SecureLink Security Consultant
“Automation plays a significant role in simplifying security stack outcomes. SOC teams are focused on detecting threat actors in their environment, conducting complete investigations of these events, and responding to them appropriately to ensure complete threat eradication.
Automation allows SOC teams to leverage the full capability of their security stack at machine speed when detecting, investigating, and responding. Automation can remove manual tasks and processes from some, if not most, of the SOC lifecycle, dramatically reducing the time it takes to detect, investigate, and respond to a threat. When automation is successfully leveraged, SOC teams can experience efficiencies in Mean Time To Respond (MTTR) from days down to minutes.”
Jeff Music, ReliaQuest CISO
“I believe that the future security stack will be heavily invested in Artificial Intelligence and Machine Learning while maintaining a human in the loop. This model will allow analysis of multiple data sources at machine speed and output that information to a human analyst for decision making and validation.”
Thomas Adams, Product Manager, Breach and Attack Simulation, NetSPI
“Automation has played a key role in simplifying security stacks and SOC operations by alleviating resources from time-consuming manual tasks, unblocking resources from repetitive stack operations to focus on other key initiatives and tasks, and increasing consistency and confidence in SOC processes.
Through the strategic deployment of automated workflows, routine processes such as incident detection, analysis, and response can be expedited with precision. The efficiencies gained from automation allow for more time to train your resources, reduce complexity in the tech stack, and help to reduce burnout by enabling your SOC team to operate more efficiently.”
The balance between optimizing and investing will always be at play in the security industry. Automation can play a role in simplifying the detection, investigation, and response to threats, but really, it comes down to considering your current capabilities in light of your business goals and threat landscape before investing in new technology.
This post was written in collaboration with NetSPI’s Partners. Learn more about becoming a NetSPI partner here.