Like a skilled sailor, Rohan Singla, ChargePoint’s CISO, expertly navigates the challenges of securing a complex global network for millions of electric vehicle owners. Here are his top five insights on SIEM and security operations.

1. Security Data Lakes are a Game Changer

Before deploying Hunters, Rohan searched for a solution that would run on top of ChargePoint’s data lake. With their previous SIEM, ChargePoint found that they had little control over the storage and retention of their data. When their security data was stored by the SIEM vendor, reclaiming ownership often involved high costs and red tape.

In Rohan’s words:

“Some organizations have a good data retention or data disposal policy, but most don't and they end up retaining data forever, including customer data. This is a big pain point from both a cost perspective and a management perspective.”


Rohan calls out another advantage of his approach: the ease of ingesting data sources into Hunters Next-Gen SIEM.

“Historically, if you’ve worked with SIEM tools, you've had to write a custom connector, but the industry has evolved so much and we're a cloud-first company... If you can find tools to ingest the data, that makes life easy for us. And we don't have to write custom connectors, or wait for the vendor to write a custom connector.”


When the integration with a data lake is built into the product, the burden of data ingestion, which is often needlessly complicated, is offloaded from the security team. Instead, analysts and engineers are free to focus on investigating the threats that are unique to your organization.

2. Taking a 'Proactive' Approach to Security Delivers Better Outcomes

If you’re in the security industry, you’ve probably heard some version of the phrase, “it’s not a question of if, it’s a question of when,” referring to being breached. The intended implication is that every organization can expect to be breached at one point or another, so building an effective cybersecurity program is a worthwhile investment. But over time, some security teams have taken this concept to mean something very different - that there’s no use in trying to detect and prevent attacks, and that all effort should go towards response.

Rohan illustrates the proactive mindset shared by ChargePoint's SOC team:

“The SOC is more of a detection monitoring tool for most organizations, but we are trying to use our SOC team more as a preventative control.”


At ChargePoint, they’ve adopted a proactive, rather than a reactive, approach to security operations. By using a Next-Gen SIEM to proactively 'hunt' for threats, the team can actively search for traces of past or present attacks in the environment. The SOC team is able to ingest security telemetry across the entire attack surface and investigate it through a single pane of glass. This way, they can focus on preventing a breach from happening, rather than resorting immediately to forensic and remediation activities.

3. AI & Automation are Crucial in Today’s Employment Landscape

SOC teams struggle with high turnover rates as analysts move to higher-paying roles in large companies or to more senior positions, with no one to replace them. Summer is an especially difficult time: with many employees on vacation at once, teams are often left understaffed and overworked. Rohan shares the impact that staffing shortages can have on a small SOC team:

“Say I have a three person SOC team, and two of them go on leave. Now I just have one person and so many alerts coming in… That is where automation needs to come in.”


In the security industry, automation is often discussed in terms of SOAR or incident response. But limiting the discussion to these topics prevents security teams from experiencing the full power of security automation. Introducing AI & automation earlier in the SOC workflow, whether in data ingestion and processing, threat detection, or alert triage, can ease the burden on human resources. For example, a platform that includes out-of-the-box detection content, continuously updated in response to new threats and vulnerabilities, will ease the strain on existing detection engineers and remove the need for external detection services. Of course, every SOC needs humans to run. But AI & automation can allow the ‘show to go on’ when your organization is understaffed, or having trouble hiring and retaining personnel.

4. Working with a Rapid Response Team Adds Significant Value

In a constantly evolving threat landscape, an effective Next-Gen SIEM relies on the people developing it to constantly adapt to new vulnerabilities. Whether it’s writing new threat detection rules or developing new machine learning models for more accurate alert prioritization, people are the engine behind automation.

“We can't automate everything, which brings us back to our team: how good is the team to understand these alerts? And then look to our partners to help us reduce false positives, fine tune the platform and reduce the noise.”


But beyond the product itself, a rapid response team like Team Axon can provide significant added value, whether by rapidly investigating your environment when a new vulnerability is disclosed, or by performing on-demand investigations when an incident occurs. Rohan states that in the most critical and uncertain moments, it’s a huge relief to use a Next-Gen SIEM paired with a team of cybersecurity experts proactively searching your environment for threats.

5. When Evaluating Security Tools, Look Beyond the Technology

Rohan cautions that no two environments are exactly the same, and this is especially true for ChargePoint. Running thousands of physical charging stations, ChargePoint must treat OT (operational technology) security as a critical part of its overall strategy. These unique requirements are one of the reasons why, for Singla, it’s important to work with a vendor that gives customers a voice and works with them to mature the product in the right direction.

“It's about finding the right partner… One key thing for me when I choose a product is what their roadmap is, and I want to talk to their product team. How passionate are they? It's not all about just buying what you're buying today. If you look at the Gartner magic quadrant, the top right over there - some of those tools haven't evolved. They were big back then, but they haven't evolved.”


Thanks to Rohan Singla, ChargePoint’s Director of Cybersecurity and Privacy, for these insights on how to navigate the security challenges that come from running a SOC. Interested in reading more customer stories? Learn about how Xactly re-architected its security program.