Advancing analyst productivity with SOC.OS

  • June 3, 2021
  • Team SOC.OS
[Image: the Joint European Torus tokamak at the UK Atomic Energy Authority]

Fusion energy has long been hailed as a potential answer to the world’s low carbon energy needs. In the United Kingdom, the UK Atomic Energy Authority (UKAEA) is leading research efforts from its Culham Science Centre HQ, home to the world’s most powerful fusion experiment – the Joint European Torus, or JET.

Oliver Hemming is head of the Central Computing Group, which looks after IT infrastructure and services, including security, for UKAEA. His team manages around 2,300 users – and thousands of devices, which are centred mainly around Culham, but also at a new UKAEA facility near Rotherham.

Starting out

The relationship between UKAEA and SOC.OS goes back to when SOC.OS was still in the early stages of development. UKAEA agreed to a 12-month subscription of the beta product, partially due to the opportunity to shape and influence how the platform would be developed.

Two years on, and with two full-time SOC analysts, SOC.OS has shown its value by helping the team to prioritise the thousands of daily alerts generated by the firewalls on its office networks and from Office 365.

How SOC.OS works

SOC.OS is a SaaS-based tool that collects the alerts generated by a customer’s security setup, both cloud-based and on-premises. It then enriches these with third-party threat intelligence to add valuable context to external indicators of compromise. An example would be SOC.OS flagging that an external IP address which is scanning for vulnerabilities is a known malicious entity, alongside providing detailed information about that entity. More importantly, it also enriches the alerts with business context. For example, SOC.OS could highlight that a critical business asset has been identified within the metadata of an alert, thereby prioritising this alert – alongside the cluster containing it – as ‘higher risk’. These enriched alerts are then correlated into ‘clusters’ and ranked in order of priority. Users can investigate clusters through the intuitive User Interface (UI), with real-time dashboards and automated reports supporting improved remediation.
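As an added illustration of the enrich, correlate and rank pipeline described above (example code, not SOC.OS’s own; the alerts, threat-intelligence entries, asset ratings and scoring weights are all constructed), a minimal version in Python:

```python
from collections import defaultdict

# Constructed sample alerts, as a firewall and Office 365 might emit them.
ALERTS = [
    {"id": 1, "source": "firewall", "src_ip": "203.0.113.7", "asset": "web-proxy", "severity": 3},
    {"id": 2, "source": "firewall", "src_ip": "203.0.113.7", "asset": "finance-db", "severity": 2},
    {"id": 3, "source": "o365", "src_ip": "198.51.100.4", "asset": "mailbox-user42", "severity": 2},
    {"id": 4, "source": "firewall", "src_ip": "192.0.2.9", "asset": "print-server", "severity": 1},
]
# Constructed third-party threat-intel feed: external IP -> reputation note.
THREAT_INTEL = {"203.0.113.7": "known vulnerability scanner"}
# Constructed business context: asset -> criticality multiplier (default 1.0).
ASSET_CRITICALITY = {"finance-db": 3.0, "mailbox-user42": 1.5}

def enrich(alert):
    """Attach threat-intel and business context, then derive a risk score."""
    a = dict(alert)
    a["ti"] = THREAT_INTEL.get(a["src_ip"])           # external IoC context
    a["criticality"] = ASSET_CRITICALITY.get(a["asset"], 1.0)  # business context
    score = a["severity"] * a["criticality"]
    if a["ti"]:                                       # known-bad source doubles the score
        score *= 2
    a["score"] = score
    return a

def cluster(alerts):
    """Correlate alerts that share the same external indicator."""
    groups = defaultdict(list)
    for a in alerts:
        groups[a["src_ip"]].append(a)
    return groups

def rank_clusters(alerts):
    """Enrich, cluster, and return clusters ordered by highest member score."""
    groups = cluster(enrich(a) for a in alerts)
    ranked = [
        {"indicator": ip, "ti": members[0]["ti"],
         "score": max(m["score"] for m in members),
         "alert_ids": sorted(m["id"] for m in members)}
        for ip, members in groups.items()
    ]
    ranked.sort(key=lambda c: c["score"], reverse=True)
    return ranked

if __name__ == "__main__":
    for c in rank_clusters(ALERTS):
        print(c)
```

The top cluster groups both alerts from the known scanner and is scored by its hit on the critical asset, which is the prioritisation the paragraph describes.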

The outcome is like having a new member of the SOC team working 24/7/365 to prioritise alerts for enhanced threat detection and response.

Working together

For UKAEA, the improvements to their SecOps function since adopting SOC.OS have been dramatic. Shreyas Joshi, one of the security analysts at UKAEA, stated that they couldn’t imagine working without the SOC.OS tool anymore, primarily due to its ability to cut through the alert noise.

By displaying threat scores, timelines and detailed explanations, SOC.OS tells the story behind the alerts, which helps to maximise analyst productivity. Since alerts are constantly being analysed and correlated into prioritised clusters, the initial triage grunt work is taken care of. This means that the security team can focus on higher value tasks, such as critical remediation actions, and more general security improvement projects.

Going forward, should the team at UKAEA make more investments in additional tools, they will have the option to plug in more sources of security alerts. They have already worked closely with SOC.OS on the new Search functionality, which will further mature their threat detection and response capabilities. This feature (an outcome of co-developing with customers) will greatly enhance investigation and forensic capability, enabling the analysts to search for anything contained within the entire security alert dataset.

“I don’t think there’s any way we could work without a tool like SOC.OS. We get millions of logs each day here, and there’s no way you can process that volume without having some tool to help”, concludes Oliver. “What’s also nice about SOC.OS is that the team there listens to what we have to say and takes action on it. That’s good to see.”

About the author

Team SOC.OS