The SOC Is Dead…Long Live the SOC
The traditional security operations center can't deal with present reality. We must rethink the concept in a way that prepares for the future.
July 7, 2017
I recently moderated a CISO panel that featured security leaders from a diverse set of industries. A group of hardworking, knowledgeable, professional experts in the field of cybersecurity (most with decades of experience) discussed how difficult their jobs have become and how vulnerable they felt their organizations were despite their best efforts.
Listening to the discussion, I was struck by how much of their efforts depended on hiring and retaining extremely scarce expert personnel. It got me thinking about how we may be in one of those difficult moments when our own history impedes our ability to adapt for the future. Here's a rundown on some of the key takeaways from our chat.
We need to redefine the perimeter. Our collective security efforts in the past mainly focused on keeping bad actors out — that is, drawing a logical box around what needs to be protected and making efforts to build fortified walls. Unfortunately, drawing that box has become much more complicated in a world of cloud, software-as-a-service (SaaS), bring-your-own-device policies, and mobility. Much of what needs to be protected is no longer under our direct control; indeed, much of it may be living in systems and managed by teams we aren't even aware of. We need to reframe our thinking and define the perimeter, given that enterprise networks now extend across these various systems and teams.
Understanding all of this, identity is now the ideal way to define your network perimeter. The contextual information and associated analytics about who is doing what and whether each individual's actions are appropriate given his or her job function represents the future of our security efforts. However, this data must be collected across all priority assets — which means a large amount of data to collect and analyze by a workforce that is already spread too thin.
Rules-based protection isn't sufficient anymore. Traditional security operations center (SOC) approaches were largely designed for a world in which we had a reasonably clear picture of what might happen and could build rules-based defenses against it. This approach is still necessary, but it's no longer sufficient on its own because of the rise of advanced persistent threats that operate across long time spans using multi-stage attack vectors. Instead, it's important to admit that we cannot foresee all the rules necessary and that we aren't necessarily equipped to derive them.
The rise of the "threat hunting" approach is one way SOC practices have evolved to address this problem, but it too lays the burden largely on workers who are already overtaxed. This reliance on a hero's level of effort is not sustainable over the long term. Instead, we must embrace analytic solutions that can remove effort from the system instead of just shifting the effort around from analysts to threat hunters.
Nothing is going to get any slower. In the boardroom, innovation is top dog, and so the SOC's traditional role of gating deployments is under pressure. Even in the face of increasing threats, the business expects the SOC to be part of the team that expedites time-to-market, not impedes it. Evolutions in software development methodologies (such as DevOps) and technology (such as continuous integration/continuous delivery) further promote this trend toward speed.
The SOC can't expect to gain buy-in for a traditional time-intensive approach, and there won't be tolerance for laissez-faire security approaches either. Instead, the SOC needs to find ways to move faster. Once again, the solution many enterprises rely on is to tell their SOC personnel to "work harder," exacerbating the burnout of key resources.
The architectural solution requires a complete platform upgrade. Visit many SOCs and you'll find that human effort is at the center of everything. Companies deploy security information and event management systems but rely on humans to wade through the alerts. Some use predictive analytics but often have humans double-check every conclusion. There is a vast number of data repositories, but people are expected to integrate the silos.
There is an alternative. One can collect the requisite information across a sprawling hybrid cloud setup, unify the data from all the existing silos, use purpose-built machine learning and data science for extracting signal from noise, and link it all directly to automated remediation — only escalating to human actors in exceptional cases that can't be covered by these platform-level approaches. This model also lifts much of the day-to-day burden from personnel who are already buried in routine tasks, freeing them to focus their energy where high-skill analysis and remediation are required.
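The operating model sketched in the preceding paragraphs (a static rule beside a per-identity baseline, events unified from separate silos, and a triage decision that only escalates to a human when automation cannot decide) can be made concrete in a few dozen lines. The following is an added illustration, not code from the article or from any product it mentions: the two "silos" with their differing field names, the events, the scoring weights, the thresholds, and the disposition names ("ignore", "escalate", "auto_remediate") are all constructed assumptions chosen to show the shape of the pipeline.

```python
"""Rule-based check beside a per-identity behavioural baseline, with triage routing.

Added example (assumptions throughout): two constructed event sources with different
field names are normalised into one schema, a static allowlist rule and a simple
baseline-deviation score are computed for each event, and the combination decides
whether the event is ignored, escalated to an analyst, or auto-remediated.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    source: str   # constructed silo name: "vpn" or "saas"
    user: str     # identity is the pivot for everything that follows
    action: str
    host: str
    hour: int     # hour of day, 0-23


def normalize(source, raw):
    """Map a raw record from either constructed silo into the unified Event schema."""
    if source == "vpn":
        return Event("vpn", raw["user"], raw["event"], raw["src_host"], raw["hour"])
    if source == "saas":
        return Event("saas", raw["actor"], raw["op"], raw["device"], raw["hour"])
    raise ValueError(f"unknown source: {source}")


# Constructed baseline: a short history of routine activity per user.
BASELINE = [
    Event("vpn", "alice", "login", "alice-laptop", 9),
    Event("vpn", "alice", "login", "alice-laptop", 10),
    Event("saas", "alice", "read_report", "alice-laptop", 10),
    Event("saas", "alice", "read_report", "alice-laptop", 14),
    Event("vpn", "bob", "login", "bob-desktop", 8),
    Event("saas", "bob", "query_db", "bob-desktop", 9),
]

# Constructed current-period records in their native (silo-specific) shapes.
RAW_VPN = [
    {"user": "alice", "event": "login", "src_host": "alice-laptop", "hour": 9},
    {"user": "bob", "event": "login", "src_host": "unknown-host-77", "hour": 3},
]
RAW_SAAS = [
    {"actor": "alice", "op": "export_customers", "device": "alice-laptop", "hour": 2},
    {"actor": "carol", "op": "login", "device": "carol-laptop", "hour": 9},
]

# Static allowlist used by the rule-based check (constructed).
ALLOWED_HOSTS = {"alice-laptop", "bob-desktop", "carol-laptop"}


def build_profile(events):
    """Per-user profile of hosts, actions and hours seen in the baseline period."""
    profile = defaultdict(lambda: {"hosts": Counter(), "actions": Counter(), "hours": Counter()})
    for ev in events:
        profile[ev.user]["hosts"][ev.host] += 1
        profile[ev.user]["actions"][ev.action] += 1
        profile[ev.user]["hours"][ev.hour] += 1
    return dict(profile)


def rule_check(ev, allowed_hosts):
    """The rules-based layer: fires on any activity from a host outside the allowlist."""
    return ev.host not in allowed_hosts


def anomaly_score(ev, profile):
    """Baseline deviation: one point per attribute never seen for this identity.
    An identity with no baseline at all gets the maximum score (3)."""
    p = profile.get(ev.user)
    if p is None:
        return 3
    return sum([ev.host not in p["hosts"], ev.action not in p["actions"], ev.hour not in p["hours"]])


def triage(events, profile, allowed_hosts, human_threshold=2):
    """Route each event: rule hit plus strong deviation -> automated remediation;
    rule hit or deviation alone -> human escalation; otherwise ignore."""
    findings = []
    for ev in events:
        hit = rule_check(ev, allowed_hosts)
        score = anomaly_score(ev, profile)
        if hit and score >= human_threshold:
            disposition = "auto_remediate"
        elif hit or score >= human_threshold:
            disposition = "escalate"
        else:
            disposition = "ignore"
        findings.append({"user": ev.user, "action": ev.action, "rule_hit": hit,
                         "score": score, "disposition": disposition})
    return findings


def run():
    """Unify both silos, score against the baseline, and return the triage findings."""
    events = [normalize("vpn", r) for r in RAW_VPN] + [normalize("saas", r) for r in RAW_SAAS]
    # Order events so the output is deterministic regardless of silo ingest order.
    events.sort(key=lambda e: (e.user, e.hour))
    return triage(events, build_profile(BASELINE), ALLOWED_HOSTS)


if __name__ == "__main__":
    for f in run():
        print(f)
```

The point of the split is that neither layer alone is enough: the allowlist rule catches bob's login from an unlisted host but says nothing about alice exporting customer data from her own laptop at 2 a.m., while the baseline catches alice's export and carol's first-ever activity but would also fire on every legitimately new device. Only the intersection is trusted to an automated response; everything else goes to a person, which is the "exceptional cases" path the paragraph describes.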
But this model requires massive amounts of compute power and storage, as well as well-tuned data science that has experience with lots of similar data — which is why the architectural upgrade is most efficiently delivered in a SaaS model rather than as an on-premises bespoke IT project. Here again, we run into the weight of history and the inertia of our current approach: "We can't put security info into the cloud!" [Editor's note: Oracle and other companies offer the SaaS model.]
As I think about these issues, my observation is that we are both our worst enemy and our only salvation. My fellow panelists in that CISO panel voiced a similar concern: precisely because the SOC has become so good at using a heavyweight, rules-based, labor-intensive approach to protect a known perimeter, we are actually self-limiting our adoption of necessary improvements.
In some monarchies, the death of a king is announced with the phrase, "The king is dead…long live the king" (with the former addressing the deceased king and the latter addressing the successor). As we face an environment that has overwhelmed our current SOC efforts, stare down a severe shortage of expert personnel who are rapidly burning out, and find that in some cases our own inertia is preventing us from adapting, perhaps it's time for us to embrace the successor of our current SOC.
That's why I say: The SOC is dead…long live the SOC.