Even though Security Operation Centers (SOCs) are increasingly common, 48 percent of organizations don’t have one.

According to EY's 20th Global Information Security Survey, 2017–18, "This does not mean the SOC has to build capability for every possible aspect of cybersecurity strategy and leading practice," the survey said. "Many organizations choose to outsource some activities,rather than leaving them with the in-house SOC; 41% of survey respondents outsource penetration testing, for example, while 37% outsource real-time network monitoring. However, the SOC must have the means to ensure it is able to stay on top of the latest threats: open-source and paid-for resources may provide valuable intelligence and 36% of survey respondents point out their SOC collaborates and shares data with industry peers."

Moreover, says the survey, SOCs are increasingly moving beyond passive cybersecurity practices into active defense — a deliberately planned and continuously executed campaign that aims to identify and remove hidden attackers and defeat likely threat scenarios targeting the organization’s most critical assets. Active defense represents a crucial step forward as organizations seek to counter advanced attackers, and can be thought of as a strategy encompassing at least four stages:
 
Prioritizing the crown jewels
In any organization, certain assets, including people, are particularly valuable and must be identified and then protected especially well; these assets may be related to critical business functions or particularly sensitive data repositories.
 
Defining normal
Since active defense depends on tools such as anomaly analysis, it is important for organizations to understand how their networks normally operate. Cybersecurity analytics tools use machine learning to define the “normal” and artificial intelligence to recognize potential malicious activity more quickly and accurately.
 
Advanced threat intelligence
By working closely with threat intelligence providers and developing in-house analyst capability, it is possible for organizations to build a much clearer picture of the threat landscape — including the identities of C-level executives. Currently, however, 57% have very little threat intelligence, the report says.
 
Active defense missions
These are exercises planned and executed in order to proactively defeat specific threat scenarios and uncover hidden intruders in the network. It requires tailored training and testing — spear phishing tests, for example, that identify how vulnerable employees are to email scams, penetration tests that pinpoint network vulnerabilities, and even full-blown red team testing.