Global security operations centers (GSOCs) — regardless of their mission statements — don’t always live up to the “global” part of their billing.
Many GSOCs focus on time-worn methods and practices that emphasize physical security, protecting the home base with surveillance cameras. Understandably, an enterprise wants to protect executives, employees and other assets such as buildings and factories. But this approach can neglect the wider world of digital assets. Today’s threat landscape includes cybersecurity attacks, theft of intellectual property (IP) stored or transmitted electronically and assaults on corporate reputation via social media.
GSOCs may also limit themselves regarding their operational scope. Corporate security groups are often designed to handle problems only after they have reached the crisis stage. A GSOC set up primarily to manage incident response does, in fact, address an important part of the corporate security narrative. But this restrictive view fails to grasp the broader plot. The whole point of establishing a GSOC is to stay on top of threats before they harm physical or digital assets.
The complexities of corporate security call for truly global visibility and situational awareness. To get there, GSOCs should consider adopting a program of threat intelligence and digital risk protection (DRP) to keep digital assets safe.
A wider scope: threat intelligence and digital risk protection
To provide a full range of protection, GSOCs need to broaden their field of vision. Threat intelligence offers a strategic perspective, identifying the universe of threats an organization is likely to face. This process involves gathering and analyzing data — largely from web-based sources — to build an understanding of the current threat environment as well as insight into future dangers.
This understanding helps GSOCs prioritize threats and develop incident response plans. The ability to think strategically about threats, however, is only a partial remedy. A security operation must also deal proactively with imminent threats. That’s where DRP comes in. This tactical process focuses on detecting attacks that are under way right now and defending the digital assets they target. Threat intelligence and DRP complement each other: the former tells the GSOC what to look for, the latter finds it and acts on it.
Automation is critical to the successful functioning of both processes. A security analyst, or a roomful of security analysts for that matter, will never be able to manually scour the web, day in and day out, and uncover every pressing threat that could harm an organization. Data gathering and analysis must be automated to make threat intelligence and DRP feasible. Automated web intelligence (WEBINT) tools, coupled with artificial intelligence (AI) and machine learning, let GSOCs mine vast online resources and data sets for actionable information.
For example, security analysts can use AI-enabled tools to generate customized search parameters, which might include geospatial data, the names of company executives or brands, and hashtags associated with threat actors. Web intelligence tools should be able to span the surface web as well as unindexed deep web and dark web sites. Dark web sources are especially important to monitor, since dark web markets and dump sites can contain anything from compromised login credentials to leaked source code. The hunt for threats must also cover multiple social media platforms, and not just the popular ones: threat actors frequently migrate from mainstream platforms to alternative social media sites.
Automation and AI can also help a GSOC process the potentially staggering quantities of data uncovered during a web-wide search for threats. In this context, AI can rapidly comb the collected data to pinpoint the relevant pieces of information and find patterns that help security analysts identify a threat. Automation shortens the time from collection to decision, so threats can be mitigated and incidents contained sooner.
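To make the watchlist-and-triage idea concrete, here is an added example (not code from the article or from any WEBINT product) of the simplest form of the automated DRP pass described above. It takes customized search parameters of the kind the article mentions (executive names, brands, threat-actor hashtags, corporate mail domains), runs them over a batch of collected items, flags credential-dump lines without storing the secret, and ranks findings by a severity scheme that weights dark web and alternative-social sources higher. The watchlist, the severity numbers, the source tiers and the sample items are all constructed for this example; a real deployment would replace the keyword matching with the tool's own collection and classification pipeline.

```python
import re
from dataclasses import dataclass

# Hypothetical watchlist standing in for the customized search parameters the
# article describes. Every value here is constructed for this example.
WATCHLIST = {
    "executives": ["Jane Doe"],
    "brands": ["ExampleCorp"],
    "hashtags": ["#opexamplecorp"],
    "domains": ["example.com"],
}

# Base severity per finding category (1 = informational, 5 = act now). Constructed.
BASE_SEVERITY = {
    "credential_exposure": 4,
    "threat_hashtag": 3,
    "executive_mention": 2,
    "brand_mention": 1,
}

# Source tiers: dark web and alternative social platforms get a bump because
# brand mentions there are rarely benign marketing chatter. Constructed.
SOURCE_BONUS = {"dark_web": 1, "alt_social": 1, "mainstream_social": 0, "surface_web": 0}

# "email:password" style lines as seen in combo-list dumps. The separator may be
# ':', ';', '|' or ','; the secret must be at least six non-space characters.
CRED_RE = re.compile(
    r"\b(?P<user>[\w.+-]+)@(?P<domain>[\w-]+(?:\.[\w-]+)+)\s*[:;|,]\s*\S{6,}"
)


@dataclass(frozen=True)
class Finding:
    source: str
    category: str
    indicator: str
    severity: int


def _watched_domain(domain: str) -> bool:
    """True for a watched domain or any subdomain of it."""
    d = domain.lower()
    return any(d == w or d.endswith("." + w) for w in WATCHLIST["domains"])


def scan_item(item: dict) -> list[Finding]:
    """Match one collected item ({"source": ..., "text": ...}) against the watchlist."""
    text, src = item["text"], item["source"]
    lower = text.lower()
    bonus = SOURCE_BONUS.get(src, 0)

    def add(category: str, indicator: str) -> Finding:
        return Finding(src, category, indicator, min(5, BASE_SEVERITY[category] + bonus))

    out = []
    for m in CRED_RE.finditer(text):
        if _watched_domain(m.group("domain")):
            # Never persist the secret; keep a redacted handle the analyst can act on.
            out.append(add("credential_exposure", f"{m.group('user')[0]}***@{m.group('domain')}"))
    for tag in WATCHLIST["hashtags"]:
        if tag.lower() in lower:
            out.append(add("threat_hashtag", tag))
    for name in WATCHLIST["executives"]:
        if name.lower() in lower:
            out.append(add("executive_mention", name))
    for brand in WATCHLIST["brands"]:
        if brand.lower() in lower:
            out.append(add("brand_mention", brand))
    return out


def triage(items: list[dict], min_severity: int = 2) -> list[Finding]:
    """Scan every item, drop low-severity noise, return highest severity first."""
    findings = [f for it in items for f in scan_item(it) if f.severity >= min_severity]
    return sorted(findings, key=lambda f: (-f.severity, f.source, f.category))


# Constructed sample collection: not real posts, not real dump data.
SAMPLE_ITEMS = [
    {"source": "mainstream_social",
     "text": "Loving the new ExampleCorp release, great work team!"},
    {"source": "alt_social",
     "text": "Jane Doe thinks she can ignore us. #OpExampleCorp starts Friday."},
    {"source": "dark_web",
     "text": "combo list sample:\nalice@example.com:Summer2024!\nbob@mail.example.com|Winter2024?"},
    {"source": "surface_web",
     "text": "Example of a quarterly report template."},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_ITEMS):
        print(f.severity, f.source, f.category, f.indicator)
```

Running it yields two severity-5 credential exposures from the dark web item, then the threat hashtag, executive mention and brand mention from the alternative-social post; the friendly mainstream mention scores 1 and is filtered out, and the page that merely contains the word "Example" produces nothing. The design points worth carrying into a real pipeline are the ones that stay the same at any scale: keep the search parameters as data rather than hard-coded logic so analysts can tune them, let the source tier influence severity rather than the keyword alone, and redact credentials at collection time so the GSOC is never itself a store of leaked secrets.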