New Paper: “Future of the SOC: Forces shaping modern security operations”
By Anton Chuvakin
(Originally posted at Anton on Security)
For some reason, I just cannot leave the topic of Security Operation Center (SOC) alone. In fact, I now am participating in a very fun effort to write a series of papers on the future of SOC by Google Cloud and Deloitte (for the impatient: download it here).
My favorite quotes are below:
- We do start by saying that even back in the 1990s security analysts complained about alert volumes and false positives (such as from IDS) and that “Today these same problems are trying to be solved — fatigue from high rates of false positives, too much data, too many alerts — without noticing that the landscape has shifted in profound ways.”
- In fact, “Solutions envisioned in the 1980s, 1990s, and 2000s would have turned out productive had the problems remained static.” However, 100 rule-based alerts per IDS analyst in 1995 are just not the same 100 ML-based UEBA alerts per analyst today.
- “This paper defines “forces” as key salient factors that are shaping the modern challenges a SOC must overcome to continuously mature:
- a) Expanding attack surface
- b) Security talent shortage [A.C. — while there are well-reasoned arguments against the concept of talent shortage in security, my impression that for SOC the shortage is real]
- c) Too many alerts from too many tools”
- “In essence, many traditional organizations have to secure the past (e.g., mainframes), the present (e.g., servers, PCs, phones) and the future (e.g., containers, serverless, IoT)” and this makes the mission of ‘doing SOC well’ very hard.
- “Humans cannot scale to cover all alerts, but machines (such as ML algorithms) on their own just don’t cut it. As the SOC increases in maturity, the solution to the problem of too much of everything may come from many sources.” So, this sounds a bit bla, but this is the reality: IMHO for the foreseeable future in security, we will need both humans and machines.
- “While many will say automation is the answer, SOC automation today is predominantly focused on automating the routine tasks (enriching logs with context and threat intel), as well as automating some remediating actions (with the decisions to do so largely remaining in human hands).” This is something to keep in mind when hearing others ramble “automation is the answer” to every security question …
- ”The 21st century must conquer the next frontier for automation — automating the decisions and some of the related cognitive processes. While some vendors already promise that today, the operational reality of today’s SOC does not support this claim.” This hidden gem is actually THE big new thought in the paper. Have you almost missed it? :-)
- “A good SOC implements a well-organized process that works, but also does not suppress the creativity of its analysts. ” OK, so your reaction to this is “ha, easier said than done!” but the reality is that done it must be (this is discussed a bit here, BTW) …
- “Almost every SOC of the future is a hybrid model that works together with service providers — be it your MDR (Managed Detection and Response), co-managed SIEM, managed EDR, or a full-on MSSP. “ Expressed back here (and also here), this idea remains at the forefront of many security operations leaders.
No, go and read the full paper “Future of the SOC: Forces shaping modern security operations.” More SOC papers coming on people, process and technology inside and around the modern SOC.