Splunk : How to Modernize Your Security Operations Center (SOC)

Share:

By Amy Heng July 14, 2020

In an evolving world, the modernization of the security operations center (SOC) is pivotal to the success of digital transformation initiatives. Security teams, however, are facing a shortage of cybersecurity professionals and struggling to detect and prioritize high-priority threats.

Analysts in data-driven organizations can combat these issues by bringing people, process and technology together. This winning combination allows analysts to gain more meaningful insights and take purposeful action, modernizing their SOC and maximizing efficiency and productivity. Here are some highlights from a recent webinar series of real customers' insights on their SOC transformation journey.

Architect a Common Worksurface for all SOC Team Members

Modern security operations require all members of the SOC team to have a common worksurface. Customers, like Intel, have created a common worksurface within the Splunk platform by combining people, technology and data. This single-source of truth reduced the number of consoles to perform analysis, allowing for faster detection, response and remediation. From threat hunting to vulnerability management, all SOC team members benefit from search capabilities, visualizations, and more advanced capabilities like automation.

By centralizing data collection for analysis, customers gain critical business insights beyond security. These insights can be operationalized for different teams, allowing analysts to effectively monitor, analyze and investigate for security, uptime, performance and access. To increase the effectiveness of detections, Splunk customers can take advantage of the Common Information Model (CIM), which provides a predictable field schema regardless of data source and helps standardize fields when onboarding data.

Automate the Mundane to Focus on Critical Issues

Successful SOC teams focus on automating event volumes and eliminating time-consuming, mundane tasks, freeing up analysts to target more mission-critical tasks. Splunk Phantom improves the speed of detection, event triaging and response times, while also strengthening defenses by integrating existing security infrastructure. Starbucks uses Phantom to automate and block 92 million emails per month from over 200,000 endpoints, reducing their event volume by 91%. Tickets are created for investigations that require action and sent to analysts to resolve before the risks spread.

Automation in security operations allows organizations to scale operations and increase efficiency. For example, Phantom's ability to programmatically triage and contextualize events means analysts are not digging for information to respond to security threats. And with a shortage of skilled cybersecurity professionals, automating the processing of low-fidelity alerts reduces analyst burnout and allows for better work-life balance.

Catch More Security Operations Insights

This was only a glimpse of two customers' from our recent SOC Modernization webinar series and their journey to modernizing their security operations. Organizations can accelerate their digital transformation initiatives throughout their business with Splunk through the ability to detect, respond and adapt at machine speeds. Intel and Starbucks' stories, and many others, were gathered from Splunk's .conf19.

To keep learning and applying security insights to your own organization, don't forget to join us for .conf20 this October to advance your security knowledge.