A security operations center (SOC) helps organizations detect, monitor, and respond to cyber-threats. SOCs provide services, ranging from log monitoring and analysis to vulnerability management, incident response, and, increasingly, proactive threat hunting. But SOCs also face challenges.
The requirements for SOCs have evolved in recent years as attack volumes have surged and threats have grown more sophisticated. Many are struggling with a deepening skills crisis even as they have had to manage new risks from cloud adoption and digital transformation initiatives.
Security experts predict that these trends will drive a high percentage of SOCs to automate key functions and deploy AI-enabled tools over the next few years. People will remain central to managing enterprise cyber risk, but so will technology.
Here's what your SecOps team needs to know.
The times they are a-changing
Cybersecurity analytics and operations are more difficult today than they were two years ago. That's because of the rapidly evolving threat landscape and the growing volume of both security telemetry and the alerts generated from it, said Chris Triolo, vice president of customer success at Respond Software.
Security operations teams have typically tried to address these problems manually, by throwing people at them, but this has put many security organizations behind the eight ball, he said. He predicted that next-gen SOCs will tap automation in large measure to address the issue.
"Using automation to address the analysis and triage of security data [will provide] a level of depth and consistency that can’t be matched by human analysts."
—Chris Triolo
By adopting technologies such as decision automation and similar tools, SecOps teams will be able to accomplish more, he said.
"They can move their Tier 1 analysts up into Tier 2 roles, increasing the security team’s capabilities without increasing the budget. Especially in current times, budget can be a restraining factor for any new spend, so automating an activity with software and re-purposing human resources can be a powerful money-saving step."
—Chris Triolo
There's a good deal of variation in how modern SOCs are structured and what they do, said Daniel Kennedy, an analyst with 451 Research. Some are an extension of an enterprise network operations center (NOC), while others are the monitoring arm of the security organization. SOCs that evolve from the NOC typically focus on network stability. Those that emerge from the security organization focus on tools such as IDS/IPS, SIEM, and other alerting tool sets, Kennedy said.
"They are occasionally multi-tier, and more experienced personnel get into things like investigation and threat hunting, which also engages other tool sets, including EDR, NVDR, other endpoint security tools, and the like."
—Daniel Kennedy
The more advanced SOCs typically have implemented some level of automation via commercial or homegrown tools, he said.
A big-company construct
SOCs always were and continue to be a big-company construct, Kennedy noted. A study that 451 Research conducted suggests that 77% of enterprises with more than 10,000 employees have an SOC, compared to just 22% of companies with fewer than 250 employees. The study showed that 70% of SOCs are in-house; nearly three-quarters (74%) operate on a round-the-clock basis.
"On that last one, it’s why we hear a good deal about the difficulty in keeping the SOC staffed, with junior roles being difficult to retain over time as SOC personnel gain experience, and the nature of the work becomes repetitive."
—Daniel Kennedy
At a high level, the SOC's function hasn't changed a whole lot. Its core mission remains to help the enterprise manage cyber risk, but what has changed is the mechanics of the operation. Cloud adoption and enterprise mobility trends have significantly broadened the enterprise footprint in recent years. Data and applications that resided in on-premises servers are now scattered in cloud systems and data centers—sometimes in different parts of the world.
To protect against and respond to threats in this environment, SOCs need visibility that extends far beyond the traditional enterprise perimeter, said John Pescatore, director of emerging security trends at the SANS Institute.
Peering into the cloud
According to Pescatore, in two surveys that SANS conducted earlier this year, security leaders described the ability to monitor cloud applications and endpoints as a key SOC requirement. The surveys showed that, increasingly, SOC personnel need the same kind of visibility in the cloud that they have over on-premises applications and systems.
Cloud disruption has affected SOCs in a second way: the SANS survey showed that personnel with cloud security skills are also a key requirement for the modern SOC. Major cloud service providers, including Amazon AWS and Microsoft Azure, offer a range of security services and audit trails that can help organizations secure their cloud environments. Modern SOCs need personnel who know how to use those tools and that data in conjunction with their internal resources and telemetry, Pescatore said.
"Things are different in the cloud. When you think of things like configuration management, now all of a sudden you have an administrator who spins up thousands of copies of [virtual] servers and leaves them all running later."
—John Pescatore
The increased threat activity tied to the COVID-19 pandemic has exacerbated the pressures on SOCs and further accelerated the need for change, said Gil Shulman, vice president of products at Illusive Networks. He said the status quo has become untenable for many SOCs. A significant number of threats are going unaddressed and unmitigated because analysts are already overwhelmed with alert overload.
"Analysts are burning out. There aren’t enough of them, and they are struggling to find the legitimate threats among thousands upon thousands of alerts. With this bottleneck of too many alerts coming in, modern SOCs are beginning to recognize the need for more automation, response, and coordination."
—Gil Shulman
He predicts that over the short term, many SOCs will focus on automating the collection, correlation, and filtering of security event and alert data.
"As confidence in the analysis grows, SOCs will likely consider selectively automating controls like interdiction, isolation, and quarantine."
—Gil Shulman
Another area Shulman said is ripe for automation is the detection of new threats, including those that arise from errant credentials, from pathways to critical systems, and from data that is unnecessary or unused.
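The short-term automation Shulman describes above, collecting, correlating and filtering alert data and then gating automated controls on confidence, together with Pescatore's point that cloud audit trails must be read alongside on-premises telemetry, can be sketched in code. The block below is an added example, not code from the article or from any of the vendors quoted. It normalizes constructed sample records (EDR alerts with assumed field names, and one AWS CloudTrail-style `RunInstances` record) into a single schema, collapses duplicate alerts per asset, scores each asset on severity plus the number of distinct signals, and only recommends automatic isolation above a confidence threshold and never for assets on a protected allowlist. The field names, thresholds and the `NEVER_AUTO_ISOLATE` list are assumptions for illustration.

```python
"""Added example: a minimal SOC triage pipeline.
collect -> normalize -> correlate/dedupe -> score -> gate automated response."""
from collections import defaultdict
from datetime import datetime

# Constructed sample telemetry (not real data). EDR field names are assumed; the
# last record mimics the shape of an AWS CloudTrail RunInstances event.
RAW_EVENTS = [
    {"source": "edr", "host": "ws-042", "user": "alice", "rule": "credential_dump", "severity": "high", "ts": 1000},
    {"source": "edr", "host": "ws-042", "user": "alice", "rule": "credential_dump", "severity": "high", "ts": 1010},
    {"source": "edr", "host": "ws-017", "user": "bob", "rule": "suspicious_powershell", "severity": "low", "ts": 1100},
    {"source": "edr", "host": "ws-042", "user": "alice", "rule": "lateral_movement_smb", "severity": "high", "ts": 1300},
    {"source": "cloudtrail", "eventSource": "ec2.amazonaws.com", "eventName": "RunInstances",
     "eventTime": "2024-03-01T10:00:00Z", "recipientAccountId": "123456789012",
     "userIdentity": {"userName": "svc-deploy"},
     "requestParameters": {"instancesSet": {"items": [{"minCount": 500, "maxCount": 500}]}}},
]

SEVERITY_POINTS = {"low": 20, "medium": 50, "high": 70}  # integer points avoid float drift
EXTRA_SIGNAL_POINTS = 20      # bump for each additional distinct signal on the same asset
DEDUP_WINDOW = 300            # seconds: repeats of (asset, user, signal) inside this collapse
AUTO_ISOLATE_THRESHOLD = 90   # assumed: only very high confidence triggers automatic isolation
TICKET_THRESHOLD = 50
NEVER_AUTO_ISOLATE = {"dc-01"}  # assumed allowlist: assets that must always go to a human


def normalize(raw):
    """Map one raw record onto a common schema: asset, user, signal, severity, ts (epoch seconds)."""
    if raw["source"] == "edr":
        return {"asset": raw["host"], "user": raw["user"], "signal": raw["rule"],
                "severity": raw["severity"], "ts": raw["ts"]}
    if raw["source"] == "cloudtrail":
        ts = datetime.fromisoformat(raw["eventTime"].replace("Z", "+00:00")).timestamp()
        signal, severity = raw["eventName"], "low"
        if raw["eventName"] == "RunInstances":
            # Pescatore's case: one call launching a large fleet is worth a look on its own.
            items = raw.get("requestParameters", {}).get("instancesSet", {}).get("items", [])
            if sum(i.get("minCount", 1) for i in items) >= 100:
                signal, severity = "ec2_mass_launch", "medium"
        return {"asset": "aws:" + raw["recipientAccountId"],
                "user": raw["userIdentity"].get("userName", "?"),
                "signal": signal, "severity": severity, "ts": ts}
    raise ValueError("unknown source: %s" % raw["source"])


def correlate(events):
    """Group normalized events by asset and collapse repeats of the same signal within DEDUP_WINDOW."""
    groups = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        kept = groups[ev["asset"]]
        last = next((k for k in reversed(kept)
                     if k["user"] == ev["user"] and k["signal"] == ev["signal"]), None)
        if last and ev["ts"] - last["last_ts"] <= DEDUP_WINDOW:
            last["count"] += 1          # same alert firing again: count it, do not re-page anyone
            last["last_ts"] = ev["ts"]
        else:
            kept.append(dict(ev, count=1, last_ts=ev["ts"]))
    return groups


def score(signals):
    """Confidence 0..100: worst severity on the asset plus a bump per extra distinct signal."""
    base = max(SEVERITY_POINTS[s["severity"]] for s in signals)
    distinct = len({s["signal"] for s in signals})
    return min(100, base + EXTRA_SIGNAL_POINTS * (distinct - 1))


def decide(asset, confidence):
    """Gate the response: isolate only high-confidence, non-protected assets; otherwise ticket or drop."""
    if confidence >= AUTO_ISOLATE_THRESHOLD and asset not in NEVER_AUTO_ISOLATE:
        return "isolate"
    if confidence >= TICKET_THRESHOLD:
        return "ticket"
    return "suppress"


def triage(raw_events):
    """Run the full pipeline and return incidents, highest confidence first."""
    incidents = []
    for asset, signals in correlate(normalize(r) for r in raw_events).items():
        conf = score(signals)
        incidents.append({"asset": asset, "confidence": conf, "action": decide(asset, conf),
                          "signals": {s["signal"]: s["count"] for s in signals}})
    return sorted(incidents, key=lambda i: i["confidence"], reverse=True)


if __name__ == "__main__":
    for incident in triage(RAW_EVENTS):
        print(incident)
```

Two design choices carry the weight here. Deduplication and correlation happen before scoring, so a single noisy rule firing repeatedly raises the count on one record instead of producing a queue of identical tickets, while two different signals on the same host (credential theft followed by SMB lateral movement) push confidence up. The response gate is deliberately conservative: isolation is only recommended above a high threshold, and an allowlist keeps assets such as domain controllers out of any automated quarantine regardless of score, which is the kind of guard rail a team should have in place before "selectively automating" interdiction as Shulman suggests.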
Managing risk: Get better at it
SOCs continue to play a vital role in enterprise risk management. But many are under growing pressure from cloud adoption, enterprise mobility, and digital transformation initiatives.
To succeed, modern SOCs will need to find a way to automate key but repetitive tasks while freeing up analysts to focus on more valuable functions such as threat hunting and vulnerability management.
Keep learning
Learn from your SecOps peers with TechBeacon's State of SecOps 2021 Guide. Plus: Download the CyberRes 2021 State of Security Operations.
Get a handle on SecOps tooling with TechBeacon's Guide, which includes the GigaOm Radar for SIEM.
The future is security as code. Find out how DevSecOps gets you there with TechBeacon's Guide. Plus: See the SANS DevSecOps survey report for key insights for practitioners.
Get up to speed on cyber resilience with TechBeacon's Guide. Plus: Take the Cyber Resilience Assessment.
Put it all into action with TechBeacon's Guide to a Modern Security Operations Center.