As cyberattacks grow in sophistication with evolving tactics, techniques, and procedures (TTP) and targets, Security Operations Center (SOC) teams play a crucial role in safeguarding organizations by protecting employee identities and access to corporate data.
Today, the evolved role of SOC teams is to combat threats specifically designed to evade detection. As criminals invest in new malware-as-a-service infostealer technology, siphoning data from all kinds of devices and finding ways to bypass or sidestep authentication, the responsibility falls on the SOC to create preventive and response plans.
At the center of these SOC challenges are growing identity threats that fall outside normal team boundaries and that are pushing existing security tools to the edge.
So, security teams, you’re not crazy for feeling like your job is tough. It’s relentless (and sometimes thankless) work to safeguard employee digital identities and protect corporate data. In this blog, we take a deeper look at what you’re up against so we can more clearly understand how to tackle modern SOC challenges.
Challenge #1: The human element
A digital-first world for employees to work is convenient – however, we all know it comes at a cost to security. Human behavior is a significant hurdle for SOC teams with more than 82% of breaches initiated by a human error.
As the first line of defense to the enterprise network, employees play a pivotal role in preventing cyber threats. But everything from lack of awareness about phishing, to social engineering tactics, to poor password hygiene, makes workers inadvertent targets for cyberattacks.
Unintentional human behavior can invite unauthorized access, opening the door for malware infections, data breaches, stolen credentials and session cookies, which can then lead to targeted attacks like ATO, ransomware, and other unpleasant outcomes.
Human behavior tendencies often forces SOC teams to divert attention from preventing sophisticated identity threats and other strategic security measures.
- Using common or guessable passwords
- Using the same password for multiple accounts
- Reusing passwords that have been previously exposed
Lack of security awareness and training:
- Not recognizing social engineering attempts or phishing scams
- Clicking on links on malicious websites
- Opening files and clicking on ads that inadvertently install malware
Prioritizing convenience over security:
- Syncing passwords (including work) across browsers on various devices
- Use of shadow IT and shadow data practices
Challenge #2: Perimeters expanding beyond the managed device
Widespread adoption of bring your own device (BYOD) policies and relying on third-party hosted apps and services to conduct business have introduced significant vulnerabilities into the current security environment, in addition to whatever shadow IT and shadow data employees are using. These create additional challenges for SOC teams to track and manage the increased risk of unauthorized access. As organizations balance the convenience of accommodating work into daily life, security teams need to evolve and think beyond the managed device.
Widespread adoption of bring your own device (BYOD) policies and relying on third-party hosted apps and services to conduct business have introduced significant vulnerabilities into the current security environment, in addition to whatever shadow IT and shadow data employees are using. These create additional challenges for teams to track and manage the increased risk of unauthorized access. As organizations balance the convenience of accommodating work into daily life, security teams need to evolve and think beyond the managed device.
Employees dissatisfied with IT solutions may add to your business risk by:
- Using a personal cloud storage service to store work files
- Installing an unapproved software application on their work computer
- Connecting a personal device to the corporate network
And for the sake of convenience, they can further your risk by:
- Checking email or editing a shared document from personal device
- Using a friend’s or public device to access work files
- Allowing contractors to use a personal device to access company network
With changes in how and where employees work, credentials give access to their entire digital identity. As credentials are stolen and used more frequently by criminals to compromise accounts, this puts employees’ digital identities, corporate data, and critical IP at risk. Credentials are more than just a username and password. Each authentication layer is a credential. This access is the new currency for criminals.
Challenge #3: A growing attack surface
SOC teams have limited visibility into how, where, and on what device employees are working. According to HackerOne, 52% of organizations don’t know how much of their attack surface is secured. This may result in several paths for cybercriminals attempting to steal confidential data. SOC teams often lack the necessary insights from malware logs and stolen session cookies from infected devices to see beyond the most obvious device remediation plans. This doesn’t take into account hidden exposures of compromised corporate access on personal devices. Our 2023 Malware Readiness report found that every malware infection exposes access to an average of 26 business applications!
Challenge #4: Too much of the wrong type of information
A recent survey of SOC teams conducted by Tines revealed 37% of teams highlighted “too much data, not enough information” as their top challenge. SOC teams are drowning in commoditized threat-intel and security data and struggling to turn it into actionable insights. SOC teams want to scale their analysis with automated workflows, but the human effort often required to interpret clunky and sometimes unreliable or low-quality threat-intel data makes it difficult. Automating critical workflows with data you can’t completely trust brings potential downstream problems, with false positives or broken processes.
Challenge #5: Misaligned tools, with gaps
SOC teams aren’t alone in their mission to protect employee digital identities; every adjacent team, from ITOps to CTI, wants the same business outcomes. But SOC teams are uniquely siloed in their maximal support to prevent cyberattacks because of the portfolio of tools available. You’re dealing with security tools purchased to help multiple teams and their workflows, each one’s output being highly dependent on the data quality. The Tines survey also highlighted that 49% of respondents have too many different consoles and tools to investigate incidents, which results in gaps and delays to respond to incidents and identify risk. These gaps are where cybercriminals thrive.
How to start solving some of these common SOC challenges today
Does seeing this laundry list of challenges might confirm why your team feels up against a wall sometimes? While it’s a bit daunting, start tackling what you can change in the short-term – which starts with the data you ingest to detect and remediate employee identity exposures. This is the part of the puzzle where SpyCloud can have an impact for your team.
Here are a few questions to ask about your current threat intel provider:
- Can I take action on my data immediately, without cracking passwords and looking for context?
- You should be able to. Get a leg up on humans being prone to accidental behavior, and quickly verify against your employee directory to get a sense of risk. SpyCloud does the hard work for you, de-hashing recaptured passwords and providing relevant context.
- Am I getting timely alerts that point to the full extent of breaches or malware infections?
- Criminals don’t care where the data came from, and they’ll look for entry points from data that’s stolen regardless of the employee device or location. Our Cybercrime Analytics draws correlations across billions of records that have been stolen and distributed by criminals, revealing a comprehensive view of your employees’ exposures so you can make decisions about revoking access, resetting passwords, and invalidating sessions.
- Does the data extend beyond passwords to give me visibility into my employees’ entire digital identities?
- Criminals can gain unauthorized access to your network and applications with other credentials and assets, not just passwords. As organizations move towards passwordless authentication, criminals are finding ways to poke holes in even the most sophisticated authentication systems. With this shift, you’ll want to have a plan for defending against authentication bypass and session hijacking.
- Does the data include exposures beyond employees’ managed devices OR hosted applications that we use?
- This breadth of knowledge is required to prevent follow on attacks and remediate the entire infection, not just a device. SpyCloud Compass gives your team visibility of threats outside of corporate control, including unmanaged (and under-managed) malware-infected devices that are used by employees, contractors, and vendors, as well as all exposed 3rd-party applications accessed from these devices.
- Do I trust the data enough to power hands-free workflows?
- You’re smart for wanting to automate more of your tasks with data you can trust. Spend time building out your custom remediation steps in playbooks and assigning tasks, not analyzing every new record your feed publishes for accuracy. SpyCloud offers out-of-the-box API integrations with top vendors across SIEM, SOAR, XDR, TIPs and more.
Keep focusing on what matters to protect your business. And keep checking in as we evolve our Enterprise Protection to safeguard your employees’ digital identities and protect your corporate data – especially from the most recent forms of cyber threats.
Ready to get started? Take a look at how SpyCloud supports rapid response of exposures across devices and applications.