The SOC's Future Is a Security Platform

By Rob Lefferts, Corporate Vice President of The Threat Protection organization at Microsoft

In the relentless world of cybersecurity, where new threats emerge daily and adversaries grow ever more capable, it's crucial for security analysts to have the right tools available. The conventional approach involves juggling a plethora of separate tools: security information and event management (SIEM), email security, identity protection, cloud security, threat intelligence feeds, and (if you're lucky) extended detection and response (XDR). But separately, are these tools really serving security teams well enough to help the security operations center (SOC) achieve its goals? In our experience, no.

It's important to consider the goals of security investments. First, it's to proactively protect the entire digital estate, thwarting threats that can penetrate and put the organization at risk. Second, it's driving the productivity of analysts, so it's easy to identify and respond to threats. As companies make procurement decisions, these goals should be top of mind.

To maximize security and efficiency, security tools must evolve to deliver a delightful analyst experience with more tailored guidance and comprehensive, proactive protection. This is why many leaders are shifting to a platform approach. In a unified platform, individual tools are built-in capabilities, individual alerts form a unified set of incidents and entities, and automation playbooks can be generated without deep expertise. This enables security teams to focus on the work that matters: strengthening posture and remediating threats.

Choose Tools That Deliver an Optimal Analyst Experience

A security analyst's job is constantly evolving and demands quick actions to minimize the impact of attacks, which requires products such as SIEM, XDR, posture management, and threat intelligence. When organizations invest in feature-specific solutions, rather than prioritizing how they work together, analysts are left to manually fill the gaps while attackers take advantage of the complexity and extended mean-time-to-acknowledge (MTTA) and mean-time-to-respond (MTTR).

Without a unified solution there are many pain points. It's extremely difficult to normalize data across many different security tools and logs to get meaningful insights in a timely manner. It's also almost impossible to view how an attacker moves across vectors, and we've seen attackers moving laterally in as little as five minutes. This leaves no margin for a timely response.

Organizations can benefit greatly by bringing threat protection products together into a single, unified security operations platform. Unifying capabilities, such as hunting, incidents, and data models across SIEM and XDR to get one view of all threats, will help analysts stay more focused, spend less time correlating alerts, and ultimately reduce their MTTR. With a holistic view of threats enriched with threat intelligence and guided by posture management, analysts will have an easier time staying ahead of attacks.

Drive the SOC's Productivity with Generative AI and Tailored Recommendations

Bringing tools together will help streamline work, but there are many other ways to improve productivity with more personalized support from the product.

Generative AI (Gen AI) is leading a shift in SOC tools, assisting analysts with code and incident analysis, improved visibility, threat intelligence enrichment, and faster overall threat response. One example is presenting relevant documentation to speed up learning. Gen AI will also allow analysts to use natural language to hunt, explore, and investigate incidents, lessening the need to create queries and reducing the risk of missing any important task. Further, Gen AI can help create new automations, guiding analysts through responding to a multistage incident and improving posture to optimize SOC productivity. It's critical for security leaders to evaluate tools against their Gen AI capabilities and how they can help their teams' efficiency.

Proactively Protect the Entire Digital Estate

End-to-end security is the ultimate goal of any SOC. To achieve this, tools should deliver more proactive protection and block threats across identities, endpoints, cloud workloads, and more. This starts with posture: making sure your organization is well protected against different types of attacks. Next, it's important to have a solution that provides a level of immunity for the organization by dynamically disrupting in-progress attacks. The best attack disruption capabilities will use security research to quickly identify anonymous behavior and disable entities automatically to keep threats from making lateral movements.

Looking for tools that offer research-backed disruption will reduce risks significantly. When breaches do occur, automatic responses should trigger to limit the impact, giving busy security teams more time to triage, investigate, and respond. AI can help SOCs identify the best possible playbooks to deploy — or create new ones — to reduce the amount of work it takes to set up automation.

Modern threats call for modern solutions. Security procurement should stay grounded in the need for improved protection and efficiency while considering how the latest technology can help level up work. Learn more about Microsoft's approach to comprehensive threat protection.

About the Author

Rob Lefferts is corporate vice president of The Threat Protection organization at Microsoft. He leads the team responsible for Microsoft Defender XDR and Microsoft Sentinel products which ensures end-to end comprehensive and cohesive Microsoft security experiences and technology for all of our customers. Lefferts holds a BS and MS from Carnegie Mellon in Pittsburgh, PA.