New Paper: “Autonomic Security Operations — 10X Transformation of the Security Operations Center”

By Anton Chuvakin, Head of Solutions Strategy at Google Cloud

It is with much excitement that we release a new paper about transforming your security operations, published under the Office of the CISO at Google Cloud.

This work is focused on our vision and lessons learned in building effective security operations for the future. We spent a lot of time thinking about what to call the new model. We decided on “Autonomic Security Operations” for the vision (the previous contender was “10X SOC”).

Now, when we say “autonomic” here, we do not mean “without people” or “fully automated.” All of us here agree that it is quite impossible. When we think of autonomic security operations, we think of an approach that leverages automation, but also focuses on being agile, adaptive to rapidly changing environments, and the one that utilizes people with dramatically increased effectiveness.

While I want you to read our paper, let’s now think about two interesting and useful ideas from it.

One question that I’ve been trying to explore, such as in this podcast, is: we do know that DevOps and SRE approaches revolutionized how IT is managed and practiced. I’ve been thinking about what can possibly be a similar revolution in security and, more specifically, in security operations.

The answers, of course, are obvious. What is the “O” in SOC? Operations. What happens to operations in the DevOps model? It becomes fused with development, thus toil decreases, while automation increases. Less toil, but more code.

Naturally, we see the same start to slowly happen in good SOCs or detection teams (if you insist on being “SOCless”). In the SOC context, this is about detection engineering, detection as code and related concepts.

Just as naturally, and just as it happened in IT first, many people don’t like these changes. For example, the comments on this blog post indicate security teams don’t want anything “as code” because this means they have to code. But, it’s likely that Windows NT system administrators of the 1990s also did not want to become part of DevOps…

Next, what about the other part of the SOC, namely the “C”? Will SOC remain at the center of anything? Will it always be a crowded room with fancy monitors?

As we watched current events affect security operations, we learned that SOC as a big room, full of people, may in fact disappear. However, I’ve long argued that SOC is first a team that focuses on detecting threats and helping respond to them and so it will not vanish anytime soon. What if the future SOC would be a center in the same sense as “a center of excellence”, but not a central physical location anymore?

So, what happens if a SOC both becomes infused with DevOps approaches and stops being a centralized silo?

As you learn in our new paper on autonomic security operations, we are presenting this very vision of future security operations. Using the lessons from DevOps and SRE approaches, we propose that a security operations center would become less about operations and less of a center.

These changes are critical, if not to say truly necessary, to deal with the business, IT landscape and threats of the future. Below — and of course in the paper — you will see many examples of how we describe such transformed SOC and how you can take steps towards making your security operation center work that way.

So, please see a tiny subset of my favorite quotes from our paper:

  • Autonomic Security Operations is a combination of philosophies, practices, and tools that improve an organization’s ability to withstand security attacks through an adaptive, agile, and highly automated approach to threat management. “

But really, check out the paper here. You can also read about the related solution launch involving Chronicle, and watch a demo of Autonomic Security Operations here.



Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store