New Paper: “Future of the SOC: Forces shaping modern security operations”

  • We do start by saying that even back in the 1990s security analysts complained about alert volumes and false positives (such as from IDS) and that “Today these same problems are trying to be solved — fatigue from high rates of false positives, too much data, too many alerts — without noticing that the landscape has shifted in profound ways.”
  • In fact, “Solutions envisioned in the 1980s, 1990s, and 2000s would have turned out productive had the problems remained static.” However, 100 rule-based alerts per IDS analyst in 1995 are just not the same as 100 ML-based UEBA alerts per analyst today.
  • “This paper defines ‘forces’ as key salient factors that are shaping the modern challenges a SOC must overcome to continuously mature:
      • a) Expanding attack surface
      • b) Security talent shortage [A.C. — while there are well-reasoned arguments against the concept of a talent shortage in security, my impression is that for the SOC the shortage is real]
      • c) Too many alerts from too many tools”
  • “In essence, many traditional organizations have to secure the past (e.g., mainframes), the present (e.g., servers, PCs, phones) and the future (e.g., containers, serverless, IoT)” and this makes the mission of ‘doing SOC well’ very hard.
  • “Humans cannot scale to cover all alerts, but machines (such as ML algorithms) on their own just don’t cut it. As the SOC increases in maturity, the solution to the problem of too much of everything may come from many sources.” So, this sounds a bit bla, but this is the reality: IMHO for the foreseeable future in security, we will need both humans and machines.
  • “While many will say automation is the answer, SOC automation today is predominantly focused on automating the routine tasks (enriching logs with context and threat intel), as well as automating some remediating actions (with the decisions to do so largely remaining in human hands).” This is something to keep in mind when hearing others ramble “automation is the answer” to every security question …
  • “The 21st century must conquer the next frontier for automation — automating the decisions and some of the related cognitive processes. While some vendors already promise that today, the operational reality of today’s SOC does not support this claim.” This hidden gem is actually THE big new thought in the paper. Have you almost missed it? :-)
  • “A good SOC implements a well-organized process that works, but also does not suppress the creativity of its analysts.” OK, so your reaction to this is “ha, easier said than done!” but the reality is that done it must be (this is discussed a bit here, BTW) …
  • “Almost every SOC of the future is a hybrid model that works together with service providers — be it your MDR (Managed Detection and Response), co-managed SIEM, managed EDR, or a full-on MSSP.” Expressed back here (and also here), this idea remains at the forefront of many security operations leaders.