Are you waiting for something bad, or going somewhere good? A CEO asked me that once. It is one of those deep questions that we should all ponder at times.
In the world of cybersecurity, the conventional thinking for a Security Operations Center (SOC) is to plant people at consoles and have them passively monitor alerts. When an alert is serious enough, they react to stop the attack. Whether this is done internally or through a managed security provider, the end result is the same: a passive approach to security.
Passive security is not effective. Every breach over the past 10 years is proof of this, including the latest breach from Wendy’s. All of the breached companies from the past five years had a SOCs and/or managed security providers. They still missed the attack.
People passively monitoring alerts is not an effective SOC strategy. We need a Future SOC.
SOC Fail
We can trace the failure of SOCs to four primary reasons:
- It is reactive
Once the alert has gone off, it is too late to stop it. Alerts are the hacker’s way of saying goodbye. A SOC must become proactive. - It incentivizes inaction
When people are in a passive role, a serious incident means additional work and intense scrutiny. This creates panic and therefore an incentive to dismiss alerts. A SOC must force-multiply analysts so they can avoid panic conditions. - It assumes you know everything
Passive security assumes your data provides a complete picture of the environment. Even under ideal conditions, there are ample blind spots in the data. SOC must provide quick access to data. - The 4:00 AM Fallacy
Waiting for an alert or a call from a managed security provider hinges your cybersecurity decision-making on panic. It is unrealistic to think an analyst, sitting at a console in the middle of the night, can react with the speed and decisiveness necessary to protect the business. People generally make short-sighted decisions in moments of panic. The SOC should not be put into a position of having to make such a decision, the technology should do this for them.
If the security of your business depends on a people passively watching data, you can almost count on a breach. We need a new approach.
The Game is On
To overcome these weaknesses, we must transform IT security teams from passive victims, to active hunters. The SOC of the future will look much different:
- Fully automated
Only technology can react at the speed of attack. The future SOC will automate security in every possible way, from deployment, to data mining, and response. Security technologies are now capable of detecting, tracking, categorizing, blocking, and eradicating malicious code with no human intervention necessary. - Extreme agility
The SOC of the future must adapt quickly to new threats and techniques. SOC teams will require more authority and autonomy to enact change throughout the organization, without resorting to inefficient approval hierarchies. - Hunting
Rather than waiting for an alerts, analysts are actively and aggressively searching attackers and malware. They are conducting routine data hunts, chasing leads, and eradicating potential exploit vectors. - Code in the cloud
The SOC of the future is entirely in the cloud and it is all code. Physical devices are too inflexible and prone to failure. Only the cloud can provide the automation, speed, scale, and flexibility to handle the mountains of data and react at the speed of attacks.
How do you build this next-generation SOC?
- Stick it in the cloud
You must get in the game, to win. That means owning the responsibility of security, completely. It also means your managed security partners must be inside your environment, rather than you being inside theirs. Sending events to some far-off data center is fine for storage and reporting, but it is not going to protect your business. The way to solve this, as well as a lot of other issues with security is to move your entire SOC into the cloud, like AWS or Azure. - Go hunting
Your SOC must become a “hunting platform.” The technologies, like SIEM, must be constantly searching for evidence of compromise. Likewise, your people must become agile security ninjas, able to move through the environment effortlessly with a nose for trouble. - Automate, automate, automate
Rather than obsessing over having the “best of breed” security technologies, obsesses over interoperability. Point solutions are a waste of time and money. You need an integrated platform that automates the searching and reacting. There are orchestration tools which can coordinate responses across disparate platforms. Seek out Security Analytics platforms that unite NGFW, endpoint, SIEM, sandboxing, and more into a cohesive ecosystem. Phantom, the Sandbox winner from RSA 2016 is a good example of these innovative orchestration platforms. Fortinet, Cisco, and ForcePoint are also leaders in this space as well. - Leadership Level-Up
If your organization cannot mature, change, and get better, then no amount of new technologies or trained staff will make a difference. You must become comfortable with the uncomfortable. This means security leadership that can persuade, coach, and inspire people.
Cybersecurity is not a passive effort. We cannot wait for an attack. We must go on offense and seek out the attackers before the breach.
What are you waiting for?
10 thoughts on “Future SOC”
If you can’t measure the risk, you can’t manage the risk. CRO’s are going to make a move on the Cyber Risk Management problem because up to this date and time there is no harmonization, integration, effective collaboration between the Security professionals and the Risk Management professionals. Security Risk Management and Cyber Risk Mangement are two entirely different intelligence aspects. The first Security/Risk Management team that learns how to communicate and create effective wins.
Very useful; we are doing the research on this very topic : https://blogs.gartner.com/anton-chuvakin/2016/05/11/new-research-starting-soon-threat-intel-soc-etc/
100% – We have summarized this in the phrase – “Be the hunter, not the hunted”
The future of SOC lies with security engineering. We need better platforms to induct and normalize events, capabilities to inject “what if” into correlations and support targeted responses with just sufficient privileges.
I agree with everything you listed, but tech alone won’t do the job. We need skilled people as well. Mostly, we need new kind of MSSP as well. The current MSSPs are all passive monitors.
Indeed… and this points out this only “problem” with the post: namely, WHERE do those orgs get enough ninjas and skilled hunters?!
They must build them. That’s why improved leadership is one of our key recommendations. It is also the focus of our business. We believe the only way to build great security, is to build great security leaders. The problem right now is we are teaching junior infosec people the wrong things. Too many security leaders believe technology mixed with fear is the only way to accomplish anything. This is being egged on by hard-selling VARs and vendors who push new technology over personal development (because nobody makes a dime when somebody improves.) This is ultimately breeding junior security people who are incapable of hunting for attacks, because all they want is to attend conferences, buy tech they never master, and froth about the latest esoteric hack. Gamification is one way to put problem solving and critical thinking back into infosec. Right now, there is scant little critical thinking, because vendors roll in and say “we can do all the hard work for you so you can go get drunk and proactively leverage your synergies.” Of course its a lie, but who gives a crap, once the purchase order is cashed.
Building great security leaders is the #1 issue this industry faces. Without great leaders, there will never be great ninjas.
I so love that rant of a response; please turn this into a separate blog post and I will spread it far and wide 🙂
Challenge Accepted! 🙂
I totally agree with you Andrew: companies tend to rely more on technologies than people. This is for me the biggest mistake.