Jorge Merchán Lima – CEDIA Information Security Manager
A look at the evolution and future of cybersecurity from a SOC-CSIRT perspective
In the constant battle against cyber threats, Latin America and the Caribbean have witnessed a significant evolution in the way cybersecurity is addressed. Security Operations Centers (SOC) and Computer Security Incident Response Teams (CSIRT) have been fundamental pillars in this transformation, adapting and evolving to become proactive and, eventually, predictive entities. This article explores the trajectory of these centers, their technological advances, the challenges they face and the projections towards a safer future in cyberspace, with a special focus on the situation in Ecuador; highlighting the benefits of CEDIA's SOC-CSIRT.
History
The concept of a computer security incident response team first materialized with the creation of the Computer Emergency Response Team (CERT) in the United States in 1988, following the Morris worm incident. This team, now known as the CERT Division of the Software Engineering Institute (SEI) at Carnegie Mellon University, was established with the focus of studying and countering security vulnerabilities in computer networks.
In Latin America, Brazil was the first to establish a security incident response team with the creation of CERT.br in 1997, managing incidents and promoting computer security awareness. In Ecuador, ECU-CERT was officially established in 2015 to protect national critical infrastructure and improve cybersecurity in the country.
The modern SOC concept began to develop in the United States in the 1990s, focusing on monitoring and protecting IT infrastructures against cyber threats, managing security incidents in real time, and ensuring continuity of operations.
From reaction to prediction: The evolution of SOC and CSIRT
SOCs and CSIRTs have evolved from reactive roles to adopt proactive and predictive strategies. They use cyber threat intelligence (CTI) to anticipate attacks by understanding adversary behavior and the techniques used. This allows for more accurate detection and a more effective response.
Unlike CSIRTs, which respond to incidents, SOCs are dedicated to continuous surveillance and real-time information security management. They play a crucial role in protecting organizational assets by identifying, analyzing and responding to cyber threats in a timely manner. They also provide additional services such as vulnerability identification, inventory management, threat intelligence, and mitigation of potential risks.
Technological Innovation and the Path to Automation
The integration of advanced technologies such as artificial intelligence (AI) and machine learning has marked a new era for SOCs and CSIRTs in Latin America and the Caribbean. According to MarketsandMarkets, AI in cybersecurity is expected to grow 23.3% annually through 2026. These tools have revolutionized real-time data analysis capabilities, enabling the detection of anomalous patterns and early identification of emerging threats. Interagency collaboration and threat intelligence sharing are essential for effective cyber defense.
Persistent challenges and the current reality
Latin America faces significant challenges in cybersecurity, especially the shortage of specialized talent. It is projected that by 2024, the region will need around 10 million cybersecurity experts. Currently, there is a considerable deficit of professionals trained to manage and respond to security incidents, exacerbated by the rapid evolution and sophistication of cyber threats. In 2023, Latin America and the Caribbean experienced a significant increase in cybercriminal activity, with notable increases in phishing attacks, ransomware, and banking Trojans. According to Kaspersky, phishing attacks increased by 617%, while banking Trojans saw a 50% increase, equivalent to five attacks per minute in the region.
Spending on cybersecurity services in Latin America reached $3.6 billion in 2023, an increase of 11.1% compared to 2022, according to IDC. Brazil leads in phishing attempts with 134 million recorded attempts, followed by Mexico, Ecuador, Peru and Colombia. The use of malware in attacks has been considerably high, with 78% of attacks involving some type of malware, such as spyware and banking Trojans.
Ecuador: A case study in the region
Ecuador has shown a firm commitment to strengthening its SOC and CSIRT, seeking not only to respond to current threats but also to anticipate future challenges. However, it faces the challenge of training and retaining qualified cybersecurity professionals. In 2023, Ecuador recorded more than 12 million cyberattacks, with adware, banking trojans and spyware being the main types of attacks.
According to an ISACA report, 48% of organizations reported an increase in cyberattacks in 2023. Although worrying, this figure represents the smallest increase in the last six years, indicating a slight stabilization in the growth of cyber incidents.
Towards a safer future
According to a report from the Organization of American States (OAS) and the Inter-American Development Bank (IDB), the number of SOCs and CSIRTs in the region has increased significantly. By 2022, more than 60% of countries in Latin America and the Caribbean had at least one operational CSIRT, an increase of 40% compared to five years ago.
An IBM report indicated that the use of advanced technologies has reduced incident detection and response time by 50% in some organizations in the region. In addition, the automation of processes in SOC has allowed for more efficient handling of incidents, reducing the manual workload and improving response accuracy.
Developing cybersecurity talent is an ongoing challenge. A study by (ISC)² in 2023 revealed that Latin America needs approximately 600,000 additional cybersecurity professionals to meet current demand. In Ecuador, collaboration between the public and private sectors has been crucial to strengthen cybersecurity. CEDIA's (Ecuadorian Corporation for the Development of Research and Academia) SOC-CSIRT is a leading example of this collaboration, providing support and resources to improve the security of educational and research institutions in the country.
Benefits of CEDIA's SOC-CSIRT
Specialized Support: Offers specialized and collaborative support in the response to and management of security incidents, ensuring rapid recovery and minimization of damage. Through inter-institutional cooperation, it is committed to preserving the integrity, confidentiality and availability of information.
Awareness and Training: CEDIA focuses on empowering individuals and organizations with the knowledge and skills necessary to defend against cyber threats, recognizing that technology alone is not sufficient to ensure cybersecurity.
Proactive/Predictive Risk Management: CEDIA's SOC-CSIRT specializes in continuous monitoring of cyber threats and verification of security updates and patches, allowing for comprehensive and early IT risk management.
Regulatory Compliance: Commits to strengthening compliance with national and international cybersecurity laws and regulations, which reinforces the trust and legal certainty of associated entities, with the aim of mitigating reputational, financial, regulatory and infrastructure impacts.
Conclusion
The evolution of SOCs and CSIRTs in Latin America and the Caribbean has been fundamental to confronting cyber threats. These centers have moved from reactive roles to adopting proactive and predictive strategies, leveraging artificial intelligence and machine learning to improve incident detection and response. Despite technological advances, the region faces a significant shortage of specialized talent, needing around 10 million experts by 2024. In 2023, phishing and banking Trojan attacks increased sharply, in part due to the use of AI. Collaboration between the public and private sectors and academia, which provides essential support and resources, has been key to strengthening cybersecurity. Finally, it is crucial that technological innovation is accompanied by talent development and a robust security culture to face future challenges.