Modern Security Operations Center Framework

This post was previously published on The New Stack

The Origins of Modern Cloud/IT Environments

With agile development, the software development life cycle has evolved, with a focus on customer satisfaction to enhance product features based on user feedback. This helps shorten the time to market, since teams can release a minimum viable product, then continuously improve its features. The agile technique encourages team cooperation through sprints, daily standups, retrospectives, testing, quality assurance and deployment. Through continuous integration and continuous development (CI/CD), along with the integration of security into operations, teams can deliver software faster.

Yet, as more and more businesses adopt cloud computing, cybersecurity threats grow due to bad actors who target the security vulnerabilities of their complex hybrid infrastructures, which include public cloud services. Consequently, SecOps plays a crucial role in ensuring that DevOps teams prioritize security. Modern security tools and frameworks aid SecOps teams, providing zero-downtime deployment, automated deployment and reduced attack surfaces.

Security Operation Center (SOC) and SecOps Evolution

Traditionally, security was an afterthought in most IT environments. It was structured as a siloed department and only came to the forefront when an incident had been discovered. Key organizations, such as government agencies, had network operations centers (NOCs), which focused on detecting incidents in their network devices.

While traditional security operations centers (SOCs) were reactive to security threats and attacks, the next generation of SOCs takes a more proactive approach using automation and real-time security information and event management (SIEM). Modern SOCs are more sophisticated. They emphasize collaboration between people, technologies and processes to thoroughly monitor and investigate security events in real time, which enables them to prevent, detect, and respond to cyberattacks. They go above and beyond standard security compliance by establishing cyber defense and incident response centers that collaborate to manage threat intelligence and system security.

Cyber warfare has never been more complex, and the bad news is that it is only becoming more advanced and more pervasive. Security operations and SOCs are under increasing pressure to identify and respond to threats quickly, as well as to harden defenses against a growing range of threats. As a result, the IT frameworks D3FEND and MITRE ATT&CK have been developed to solve many of these problems. These frameworks are used to detect, investigate and protect against security breaches and attacks in today’s cloud systems.

To be successful, modern SecOps teams must be given more authority to use security solutions that replace “black box” security teams with automation, threat hunting, vulnerability management and real-time monitoring.

What Is the MITRE ATT&CK Framework?

MITRE ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) is a knowledge source that assists SecOps intelligence decision-makers. It’s a behavioral threat model used to develop, test and improve behavior-based detection capabilities over time. Penetration testers use the MITRE ATT&CK methodology to orchestrate their attacks and locate vulnerabilities in your infrastructure, then exploit them and report their findings. It helps enterprises understand malicious behaviors and mitigate the risks and threats they face.

The MITRE ATT&CK framework employs a set of methodologies and tactics to identify indicators of compromise, including defense evasion techniques to evade detection, lateral movement techniques to spread throughout your infrastructure and exfiltration techniques to steal data. Employing these adversarial tactics helps enterprises create a comprehensive list of known prospective attack techniques, which SOC teams can use to find potential weaknesses, then focus on developing defensive measures.

What Is the MITRE D3FEND Framework?

MITRE D3FEND is a companion of MITRE ATT&CK. It uses a knowledge graph to provide SOC teams with defensive countermeasures to harden and protect their infrastructures based on the identified attack tactics and techniques. D3FEND complements the threat-based ATT&CK model by providing ways to counter common offensive techniques, thereby reducing a system’s potential attack surface.

How Can Modern SOCs Benefit from MITRE ATT&CK and D3FEND Frameworks?

Security breaches, which can result in serious consequences such as lost customers, lost income and damaged reputations, remain a constant threat. SOC teams can use the ATT&CK framework to measure their effectiveness in detecting, analyzing and responding to cyber intrusions. They can also use ATT&CK to better understand and document adversarial group profiles so that they can simulate possible adversarial attack scenarios and come up with cybersecurity controls. Modern SOC teams can use MITRE D3FEND to implement security solutions with the detailed countermeasures that it provides. Using the ATT&CK and D3FEND frameworks together will help teams not only identify defensive gaps, but also make more strategic security tooling decisions.
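The gap analysis described above, written out as an added example (not Torq's code or either MITRE framework's own tooling): each ATT&CK technique the SOC tracks is checked against the SIEM rules that claim to detect it and the D3FEND countermeasures that harden against it. The technique list covers the three tactics the article names; the rule-to-technique and technique-to-countermeasure mappings are constructed for illustration.

```python
"""Coverage-gap check: ATT&CK techniques vs. detections and D3FEND countermeasures."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Technique:
    tid: str      # ATT&CK technique ID
    name: str
    tactic: str   # ATT&CK tactic the technique belongs to


# ATT&CK techniques under the tactics the article discusses.
TECHNIQUES = [
    Technique("T1036", "Masquerading", "defense-evasion"),
    Technique("T1070", "Indicator Removal", "defense-evasion"),
    Technique("T1021", "Remote Services", "lateral-movement"),
    Technique("T1570", "Lateral Tool Transfer", "lateral-movement"),
    Technique("T1041", "Exfiltration Over C2 Channel", "exfiltration"),
    Technique("T1048", "Exfiltration Over Alternative Protocol", "exfiltration"),
]

# Constructed sample: SIEM rule name -> ATT&CK techniques the rule is tagged with.
DETECTION_RULES = {
    "suspicious-process-name": ["T1036"],
    "security-log-cleared": ["T1070"],
    "rdp-smb-lateral-login": ["T1021"],
    "dns-volume-anomaly": ["T1048"],
}

# Constructed sample: technique -> D3FEND countermeasures deployed against it.
COUNTERMEASURES = {
    "T1036": ["D3-PSA"],   # Process Spawn Analysis
    "T1021": ["D3-NTA"],   # Network Traffic Analysis
    "T1570": ["D3-NTA"],
    "T1041": ["D3-NTA"],
    "T1048": ["D3-NTA"],
}


def coverage_report(techniques=TECHNIQUES, rules=DETECTION_RULES, measures=COUNTERMEASURES):
    """Per technique: is it detected by at least one rule, and hardened by a countermeasure?"""
    detected = {tid for tids in rules.values() for tid in tids}
    return {t.tid: {"tactic": t.tactic, "detected": t.tid in detected,
                    "hardened": bool(measures.get(t.tid))} for t in techniques}


def gaps(report):
    """Techniques missing detection, a countermeasure, or both, with the kind of gap."""
    kind = {(False, False): "no detection, no countermeasure",
            (False, True): "no detection", (True, False): "no countermeasure"}
    return {tid: kind[(r["detected"], r["hardened"])]
            for tid, r in sorted(report.items()) if not (r["detected"] and r["hardened"])}


def tactic_detection_coverage(report):
    """Fraction of tracked techniques per tactic that at least one rule detects."""
    totals, hits = {}, {}
    for r in report.values():
        totals[r["tactic"]] = totals.get(r["tactic"], 0) + 1
        hits[r["tactic"]] = hits.get(r["tactic"], 0) + int(r["detected"])
    return {tactic: hits[tactic] / totals[tactic] for tactic in totals}
```

With the constructed data, the report shows a detection gap for both lateral tool transfer and C2-channel exfiltration and a missing countermeasure for log clearing, which is exactly the kind of list a SOC can prioritize tooling decisions from.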

One key concept behind the MITRE ATT&CK and D3FEND frameworks is threat hunting. Threat hunting tools search for cyber threats lurking undetected in network and security defense endpoints. Here at Torq, we provide a threat-hunting tool that will quickly automate your SOC workflows in extended detection and response; security information and event management; and endpoint detection and response. Start automating today!