Use Cases
The Security Operation Center (SOC) is the centerpiece of the modern security program, centralizing various functions across a medley of skilled people, workflows, and processes — and an integrated array of technologies.
The apparatus is intended to fulfill numerous functions, including the following:
Time is one of the most important elements to all functions of the SOC, as seen in metrics like time to attribution, mean time to detection (MTTD), mean time to response (MTTR), and mean time to containment (MTTC). SOC staffing is typically planned and adjusted to meet the objectives along one or more of these elements.
On average, enterprises will typically manage a 24 x 7 x 365 SOC, with three different staffed shifts. The average staff size across all three shifts is typically six security analysts. The average security analyst will spend 75 percent of their time (six hours = 360 minutes) each shift triaging the alerts their SIEM has driven to their monitoring screen.
Security analysts will spend an average of ten minutes on each security incident they review, with half that time (five minutes) spent manually correlating disparate data sources to obtain complete context, asset prioritization, and cross-analysis.
This means as much as three hours per day per analyst (36 incidents per shift at five minutes each) is spent obtaining access to and gathering key information about the particular asset in question.
This is simply a poor use of time — and a crucial inefficiency hampering an organization’s ability to effectively manage risk over time. This inefficiency severely impairs MTTR and MTTC metrics.
Depending on the alert arriving, security analysts will need various data points to answer important questions, including:
To answer these questions, security analysts need access to contextual information like:
The big problem is this information does not exist in one place. Or two. Or even three, in most companies. The information exists in disparate sources, forcing the analyst to waste valuable time collecting and synthesizing the puzzle pieces before triaging an alert.
“We struggled to understand all of our assets. This was a way to pull together assets in a real way, without the traditional scanning and labeling. Axonius has helped us to get a handle on everything in the environment and start to label system owners. It shows control gaps quickly and has allowed us to gain much greater visibility into our environments.”
Axonius Customer Review, Gartner Peer Insights
By connecting to over 300 security and management solutions, Axonius collects and correlates information about assets to give customers a complete, contextual, and always up-to-date asset inventory.
This approach enables organizations to get a comprehensive inventory within a day, without the shortcomings and challenges of traditional asset management approaches (agent, scan, NAC, and CMDB). With as few as six data sources connected, Axonius produces a full, deduplicated inventory across the enterprise in just a few hours.
We’ve heard from customers that the inventory created by Axonius shortens triage time by 50 percent or more.
From a customer’s review:
“This is a tool you need, but may not fully realize you need. You also may not realize how useful it will be for day-to-day support/analyst/engineer use. Axonius has reduced the time it takes to find asset information for us from what used to sometimes be 30-60 minutes to under 30 seconds -- it's been a huge efficiency win. It also shines light on dark places in the environment where asset repositories may have gotten cluttered and where assets may be missing a bulk of the tooling you'd expect to see.”
By simply entering an IP address, hostname, or device name in Axonius, analysts get instant access to complete and up-to-date device information, including vulnerabilities, patches, deployed or missing agents, agent version, security agent policies, local admins and users, network interfaces, etc.
Moreover, Axonius aggregates user information from the data sources and provides the analyst with device-user associations, cutting several steps out of the analyst's workflow.
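To make the correlation step concrete, here is an added example (not Axonius code, and not a description of how the product works internally) of what "aggregating disparate sources into one deduplicated device view" means in practice. It takes three constructed exports from hypothetical sources (an EDR agent list, a vulnerability scanner, and a directory service), normalizes their differing hostname conventions, merges records that refer to the same device, and then answers the analyst's triage lookup by IP or hostname with owner, last user, open findings, agent status, and which sources have no record of the device at all. The source names, field names, and the CVE identifier are placeholders.

```python
"""Correlate device records from several constructed sources into one inventory.

Added illustrative example; the sources, field layouts and identifiers below are
hypothetical and constructed for this snippet.
"""

# Constructed sample exports. Note the inconsistent hostname conventions
# (FQDN vs short name, mixed case) that a naive join on the raw field would miss.
SOURCES = {
    "edr": [
        {"hostname": "WS-1043.corp.example", "mac": "aa:bb:cc:00:11:22",
         "ip": "10.1.4.23", "agent_version": "7.2.1", "last_user": "jdoe"},
        {"hostname": "srv-db01", "mac": "aa:bb:cc:00:33:44",
         "ip": "10.1.9.5", "agent_version": "7.1.0", "last_user": "svc_sql"},
    ],
    "vuln": [
        {"host": "ws-1043", "ip": "10.1.4.23", "cves": ["CVE-EXAMPLE-0001"]},  # placeholder id
        {"host": "ws-2210", "ip": "10.1.4.60", "cves": []},  # seen by the scanner only
    ],
    "directory": [
        {"dns_name": "ws-1043.corp.example", "owner": "jdoe", "os": "Windows 11"},
        {"dns_name": "srv-db01.corp.example", "owner": "dba-team", "os": "Windows Server 2022"},
    ],
}

EXPECTED_SOURCES = set(SOURCES)


def _short(name):
    """Normalize a hostname: lowercase, whitespace stripped, domain suffix removed."""
    return name.strip().lower().split(".")[0]


def normalize(source, rec):
    """Map one source-specific record onto a common field set keyed by short hostname."""
    if source == "edr":
        return {"hostname": _short(rec["hostname"]), "mac": rec["mac"].lower(),
                "ips": {rec["ip"]}, "edr_agent": rec["agent_version"],
                "last_user": rec["last_user"]}
    if source == "vuln":
        return {"hostname": _short(rec["host"]), "ips": {rec["ip"]},
                "cves": set(rec["cves"])}
    if source == "directory":
        return {"hostname": _short(rec["dns_name"]), "owner": rec["owner"],
                "os": rec["os"]}
    raise ValueError(f"unknown source {source!r}")


def build_inventory(sources):
    """Merge every record from every source into one entry per device.

    Set-valued fields (IPs, CVEs, sources) accumulate; scalar fields are
    overwritten by the most recently processed source.
    """
    devices = {}
    for name, records in sources.items():
        for rec in records:
            attrs = normalize(name, rec)
            dev = devices.setdefault(attrs["hostname"], {
                "hostname": attrs["hostname"], "ips": set(), "cves": set(), "sources": set()})
            dev["sources"].add(name)
            for key, value in attrs.items():
                if isinstance(value, set):
                    dev.setdefault(key, set()).update(value)
                else:
                    dev[key] = value
    return devices


def triage_view(dev):
    """The consolidated context an analyst wants when an alert names this device."""
    return {
        "hostname": dev["hostname"],
        "ips": sorted(dev["ips"]),
        "owner": dev.get("owner"),
        "last_user": dev.get("last_user"),
        "open_cves": sorted(dev["cves"]),
        "edr_agent": dev.get("edr_agent"),          # None means no agent reported
        "gaps": sorted(EXPECTED_SOURCES - dev["sources"]),  # sources with no record
    }


def lookup(devices, query):
    """Find devices by IP address or hostname (any case, with or without domain)."""
    q = query.strip().lower()
    hits = [d for d in devices.values() if q in d["ips"] or d["hostname"] == _short(q)]
    return [triage_view(d) for d in hits]


if __name__ == "__main__":
    inventory = build_inventory(SOURCES)
    for query in ("10.1.4.23", "WS-2210"):
        for view in lookup(inventory, query):
            print(query, "->", view)
```

The `gaps` field is the part worth noting: a device the scanner knows about but the EDR and directory do not (ws-2210 above) is exactly the "missing agent" or unowned asset that takes an analyst the longest to characterize by hand, and the merged view surfaces it on the first lookup rather than after three separate console queries.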
By automating the essential data gathering tasks, organizations dramatically increase productivity of their SOC personnel. Axonius allows the security operations team to analyze more alerts in a shorter period of time, thereby increasing visibility, reducing MTTR, ultimately reducing corporate risk (downtime, loss of IP, reputation loss) and costs.
Efficiency estimates for SOC processes will vary from one company to the next, but here is a sample calculation for cost and time recovery. Estimate your own costs by substituting your own figures.
The above example is just one area where an asset inventory can be leveraged to improve efficiency, reducing time and cost of a typical SOC activity. Many other examples exist, including: