
Do You Need a Data Scientist in Your SOC?

Data is the life-blood of any functional security team. Without data, you can’t make informed decisions, you can’t get to the root of the problem, and you can’t triage or respond appropriately to looming threats.

According to Gartner, by 2024, 80 percent of all modern SOCs will leverage tools using machine learning, up from less than 10 percent today. This leaves teams in a predicament about which tools to buy and skills to hire for. 

We can think about these challenges according to people, process, and technology. 

People. There is a growing need for analysts to be fluent in data science and data analysis, but the majority of SOC staff who take on these responsibilities do not have formal training in data science. With increasing data complexity in the SOC, we’re seeing the rise of the “Security Engineer” - professionals who orchestrate and custom-code security tools. With this surplus of tools and data, who is responsible for surfacing insights about trends and attack patterns?

Process. In new data-driven security environments, the need for data governance and cross-team collaboration becomes elevated. For example, what if SOC and Fraud teams could correlate endpoint data for faster investigation and remediation?

Technology. Mature security teams with large data streams are at a crossroads: Do they upgrade their SIEM, build a data lake, create their own ML capabilities, buy into all-in-one SOAR platforms? 

As security teams set out to tackle these people, process, and technology challenges, here are some data science frameworks to keep in mind:

  • Understanding Performance Assessment Models - A Performance Model is a data model created to define the significant aspects of the way in which a proposed or actual system operates. A common example of a Performance Assessment Model that can be valuable for security is the confusion matrix, used to assess the performance of some Machine Learning models in terms of True / False Positives / Negatives. Having a dedicated member of a security team who understands the basic logic behind a product’s Performance Models is paramount because performance dictates outcome. For security use cases, outcomes could be associated with cost, risk, etc. It is imperative to have a member on your SOC team who understands how to analyze and assess these metrics. Likewise, when selecting security vendors, you should feel empowered to have frank discussions about how their teams build Performance Models.
  • Assessing Risk - Data problems are inherent when it comes to cybersecurity. This could be anything from performance metrics to the sheer volume of incoming data, but all data problems come down to one thing: risk. Without being able to properly identify and triage data problems, you are leaving yourself or your organization vulnerable to attacks.
  • Scaling Data - Security teams are inundated with massive amounts of data, so they need systems that can ingest, normalize, and process data at scale. Not only does the data need to be scaled, but the systems that you use to do this should be scalable as well. This allows data collected to be utilized efficiently and effectively to solve problems and mitigate risk. 
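The confusion-matrix point above is easier to act on with numbers in hand, so here is a worked example added for this post (it is not TruSTAR's code and does not describe any vendor's product). It scores a constructed batch of alerts against analyst ground truth, derives precision, recall and false-positive rate, and then attaches hypothetical per-outcome costs (analyst time per false positive, incident cost per missed detection) to show how the "best" alerting threshold moves with the cost ratio. The scores, labels and cost figures are all made up for illustration.

```python
"""Confusion-matrix assessment of a detector's verdicts on labelled alerts.

Added example for this post; all sample data and cost figures are constructed.
"""
from dataclasses import dataclass
from typing import Sequence, Tuple, List


@dataclass(frozen=True)
class ConfusionMatrix:
    tp: int  # malicious and flagged
    fp: int  # benign but flagged (analyst time wasted)
    tn: int  # benign and not flagged
    fn: int  # malicious but not flagged (missed detection)

    @property
    def precision(self) -> float:
        denom = self.tp + self.fp
        return self.tp / denom if denom else 0.0

    @property
    def recall(self) -> float:
        # Also called true positive rate or detection rate.
        denom = self.tp + self.fn
        return self.tp / denom if denom else 0.0

    @property
    def false_positive_rate(self) -> float:
        denom = self.fp + self.tn
        return self.fp / denom if denom else 0.0

    def expected_cost(self, cost_fp: float, cost_fn: float) -> float:
        """Translate the matrix into an outcome: total cost of the errors made."""
        return self.fp * cost_fp + self.fn * cost_fn


def confusion_matrix(truth: Sequence[bool], predicted: Sequence[bool]) -> ConfusionMatrix:
    """Tally TP/FP/TN/FN from parallel ground-truth and verdict vectors."""
    if len(truth) != len(predicted):
        raise ValueError("label vectors differ in length")
    tp = fp = tn = fn = 0
    for is_malicious, flagged in zip(truth, predicted):
        if is_malicious and flagged:
            tp += 1
        elif not is_malicious and flagged:
            fp += 1
        elif not is_malicious and not flagged:
            tn += 1
        else:
            fn += 1
    return ConfusionMatrix(tp, fp, tn, fn)


# Constructed sample: (model score in [0, 1], analyst ground truth: True = malicious).
SAMPLE_ALERTS: List[Tuple[float, bool]] = [
    (0.95, True), (0.88, True), (0.72, True), (0.40, True), (0.15, True),
    (0.91, False), (0.65, False), (0.55, False), (0.30, False), (0.20, False),
    (0.10, False), (0.05, False), (0.02, False), (0.50, False), (0.78, True),
]


def assess_at_threshold(alerts: Sequence[Tuple[float, bool]], threshold: float) -> ConfusionMatrix:
    """Treat every alert with score >= threshold as 'flagged' and tally the outcome."""
    truth = [label for _, label in alerts]
    predicted = [score >= threshold for score, _ in alerts]
    return confusion_matrix(truth, predicted)


def best_threshold(alerts: Sequence[Tuple[float, bool]], thresholds: Sequence[float],
                   cost_fp: float, cost_fn: float) -> float:
    """Pick the threshold whose error cost is lowest under the given cost model."""
    return min(thresholds, key=lambda t: assess_at_threshold(alerts, t).expected_cost(cost_fp, cost_fn))


if __name__ == "__main__":
    thresholds = [0.1, 0.3, 0.5, 0.7, 0.9]
    print("thr   TP FP TN FN  prec  recall  FPR")
    for t in thresholds:
        cm = assess_at_threshold(SAMPLE_ALERTS, t)
        print(f"{t:.1f}  {cm.tp:3d}{cm.fp:3d}{cm.tn:3d}{cm.fn:3d}  "
              f"{cm.precision:.2f}  {cm.recall:.2f}   {cm.false_positive_rate:.2f}")
    # Hypothetical costs: a false positive burns analyst time, a false negative is an incident.
    print("cheap misses  (fp=10, fn=20):  best threshold", best_threshold(SAMPLE_ALERTS, thresholds, 10, 20))
    print("costly misses (fp=1,  fn=50):  best threshold", best_threshold(SAMPLE_ALERTS, thresholds, 1, 50))
```

The same detector, with the same scores, yields a different "right" threshold once the cost of a missed detection is weighed against the cost of analyst time: this is the conversation to have with a vendor about how their Performance Model is built and which of these rates their headline accuracy figure actually reflects.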

In order to scale your security operations and team, you need to use the right tools and frameworks. Enterprises must not only select the best tools for their environment, but they also must think about how to manage the flow of data between said tools. Applying fundamental data science concepts to your security stack will help you create efficiencies among your team and optimize tool performance. By automating and augmenting your cyber workforce, you are not only able to detect and respond to threats more quickly and efficiently, but you are also able to prevent team burnout, allowing your SOC to work with rested and fresh minds when striving for security.

The ability to scale data, make informed decisions from it, and create efficient solutions are skills imperative to any security team. Ensure your SOC is on the front lines of security by utilizing an intelligence management platform to defend better together.
