The goal of any Security Operations Center (SOC) team is to get the most out of the tools it already has, reduce the noise those tools generate to a manageable level, and automate as much of the process as possible, so that the team can focus on the projects that continue to improve the organization's security. Gigamon recently made a major step towards this goal by integrating the capabilities of its own Gigamon GigaSECURE Security Delivery Platform with the advanced security detection and analysis provided by BluVector, and by automating the collection of all security events through Splunk Enterprise.
The first step in automating the Gigamon SOC was a system that, when a malicious or suspicious event is detected, alerts the analyst team and starts recording all traffic related to the host or hosts involved in the event. The SOC team wanted access to the network traffic so that it could investigate incidents quickly and effectively. Recording all network traffic, however, requires a significant investment in storage. Targeted recording triggered by AI-based detection gives the team the information it needs to investigate an event without that storage cost.
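The trigger-to-capture step described above, as an added example that is not Gigamon, BluVector or Splunk code: a detection event is turned into a host-scoped capture filter (BPF syntax, as a typical recorder would accept) and an analyst alert, with the recording window chosen by severity. The event format, severity table and alert fields are assumptions for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address

# Constructed event format; a real detector's schema will differ.
@dataclass
class DetectionEvent:
    event_id: str
    severity: str      # low / medium / high / critical
    src_ip: str
    dst_ip: str
    description: str

@dataclass
class CapturePolicy:
    event_id: str
    hosts: list
    bpf_filter: str
    duration_minutes: int

# Assumed recording windows per severity; tune to local storage budget.
SEVERITY_WINDOW = {"low": 15, "medium": 30, "high": 60, "critical": 120}

def build_capture_policy(event: DetectionEvent) -> CapturePolicy:
    """Scope the recorder to the hosts named in the event, not the whole network."""
    # Validate addresses so a malformed event cannot become a malformed filter.
    hosts = sorted({str(ip_address(event.src_ip)), str(ip_address(event.dst_ip))})
    window = SEVERITY_WINDOW.get(event.severity.lower())
    if window is None:
        raise ValueError(f"unknown severity {event.severity!r}")
    bpf = " or ".join(f"host {h}" for h in hosts)
    return CapturePolicy(event.event_id, hosts, bpf, window)

def merge_policies(policies: list) -> CapturePolicy:
    """Combine policies from related events so a host is recorded once, for the longest window."""
    hosts = sorted({h for p in policies for h in p.hosts})
    longest = max(p.duration_minutes for p in policies)
    ids = ",".join(p.event_id for p in policies)
    return CapturePolicy(ids, hosts, " or ".join(f"host {h}" for h in hosts), longest)

def build_alert(event: DetectionEvent, policy: CapturePolicy) -> dict:
    """Alert record handed to the analyst team; recording starts, nothing is blocked."""
    return {
        "event_id": event.event_id,
        "severity": event.severity,
        "summary": event.description,
        "hosts": policy.hosts,
        "capture_filter": policy.bpf_filter,
        "capture_minutes": policy.duration_minutes,
        "action": "record_and_alert",
    }
```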
One of the considerations when building out this system was: why record and investigate when you could simply automate blocking? The Gigamon SOC team recognized that blocking, especially for East-West traffic, isn’t just a security decision; it’s a business decision. Automatically blocking events can have a significant negative impact on the business and its operations. By alerting on events and accelerating investigation and response instead, the security team can support the business today while it works out how best to introduce a degree of automated blocking in the future.
The Solution Stack
Gigamon GigaSECURE® Security Delivery Platform