Benjamin David investigates the different ways security experts can future-proof their security operation center
‘How do we future-proof our security operation center (SOC)?’ is a common question circulating within the cybersecurity industry, but these conversations have taken a radical turn in recent years. The degree to which SOCs are fatigued by alerts, false positives, burnout and a changing threat landscape is well-known, and progress towards security maturity, while weathering operational obstacles, is a gargantuan task even for the most skilled SOCs. Add the advanced tactics deployed by cyber-attackers and current geopolitical tensions into the mix, and the exigencies of transforming the modern SOC become obvious.
Of course, this only tells part of the story since the modern SOC is gathering and analyzing more data and intelligence to detect, understand and respond to more attacks than ever before. Additionally, the current cyber battlefield is convoluted and organizations’ perimeters are porous. Low-cost compute and attack launch facilities are increasingly available, making the work of threat actors worryingly smooth.
“The barrier to entry for cyber-criminals is the lowest it has ever been,” Brad LaPorte, Gartner veteran and cybersecurity expert, tells Infosecurity. “Anyone with access to a keyboard and the internet can launch cyber-attacks at will, including teenagers living in their parents’ basement,” he warns.
An additional but usually overlooked feature of the modern SOC is the struggle to retain staff. This feature has caused many security experts to increase their focus and escalate their concern around the ‘human element’ within security teams. Given recent research, this shouldn’t come as a surprise. For example, Irish startup Tines released its Voice of the SOC Analyst report this year that found that 64% of SOC analysts are likely to change jobs next year.
While all of this points to a weighty need to rethink the SOC, any attempt to remodel the groundwork, so to speak, introduces a series of ineludible questions: What role will emerging technology play? What about remote and hybrid-working? What about cutting costs? What about the infamous cyber skills gap?
Artificial Intelligence and Automation
Discussing any changes to the SOC without factoring in technology like artificial intelligence (AI) is a missed opportunity, claims Milad Aslaner, senior director at SentinelOne, who argues that AI and automation have an indispensable role to play in unburdening the SOC. “Most organizations cannot respond to new alerts within the first 24 hours, and with increased alert volume, many SOC analysts are experiencing burnout on the job,” Aslaner tells Infosecurity.
Indeed, the aforementioned report by Tines revealed that 71% of SOC analysts are experiencing some level of burnout. For Aslaner, this is where AI and automation play an indispensable role: “By leveraging AI and security automation, security teams are able to drastically reduce the volume of alerts, which helps organizations respond to cyber-threats in real-time.” From this, an “AI-powered autonomous platform” image emerges, representing the SOC of the future, Aslaner remarks; a platform that can assist a SOC team as an alternative to adding dozens of new colleagues.
The benefits of using AI within cybersecurity are well-known. However, even though many in the industry regard AI as the shibboleth of modern-day security marketing, Aslaner contends that the benefits cannot be overstated: “An AI-powered autonomous platform shows its value in attack mitigation and forensic investigation, since a primary function of a SOC is to be on the lookout for any potentially suspicious activity.”
A future SOC will be different from the modern SOC because SOC teams can focus on proactive threat hunting exercises, argues Aslaner. “Today, many SOC teams don’t have the time required for in-depth investigations, retrospective analysis of previous incidents and proactive threat hunting.” They are too busy combating the sheer volume of alerts they are encountering, Aslaner says. However, by leveraging an AI-powered autonomous platform, security teams benefit from machine-speed detection and response capabilities. “This can free up time for the long-overdue in-depth work required of them,” remarks Aslaner.
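To make the alert-reduction claim above concrete, here is an added example (written for this article; not code from SentinelOne or from the article's author) of the simplest rung of the automation Aslaner describes: a deterministic, rules-based triage stage that suppresses documented-benign alerts, folds repeats of the same detection into one record, and correlates what survives into per-host cases so an analyst opens a handful of cases instead of a stream of alerts. Everything in it is an assumption: the alert fields, the rule names and the sample alerts are constructed for the demonstration, and the suppression list and ten-minute deduplication window are illustrative values, not a recommended configuration.

```python
"""Added example: a minimal rules-based alert-triage stage of the kind a SOC
automation platform runs before an analyst sees anything. This is plain
automation, not AI; it is the baseline that any "AI-powered" platform still
has to beat. All alerts below are constructed sample data.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample alerts (ISO 8601 timestamps, UTC). Fields and rule names
# are assumptions for this example, not a real product's schema.
SAMPLE_ALERTS = [
    {"ts": "2022-09-01T08:00:00", "rule": "brute_force_ssh", "host": "web01", "user": "root", "severity": 3},
    {"ts": "2022-09-01T08:00:30", "rule": "brute_force_ssh", "host": "web01", "user": "root", "severity": 3},
    {"ts": "2022-09-01T08:01:10", "rule": "brute_force_ssh", "host": "web01", "user": "root", "severity": 3},
    {"ts": "2022-09-01T08:02:00", "rule": "new_admin_account", "host": "web01", "user": "svc_backup", "severity": 4},
    {"ts": "2022-09-01T08:05:00", "rule": "scheduled_scan", "host": "db02", "user": "vulnscan", "severity": 1},
    {"ts": "2022-09-01T09:30:00", "rule": "brute_force_ssh", "host": "web01", "user": "root", "severity": 3},
    {"ts": "2022-09-01T09:31:00", "rule": "outbound_c2_beacon", "host": "hr-laptop-7", "user": "alice", "severity": 5},
]

# Suppression list: (rule, user) pairs the SOC has reviewed and documented as
# benign. Illustrative entry only; every entry here also hides true positives
# that match it, so the list itself needs periodic review.
ALLOWLIST = {("scheduled_scan", "vulnscan")}

# Repeats of one (rule, host, user) within this window of the first kept
# alert are folded into it. Illustrative value.
DEDUP_WINDOW = timedelta(minutes=10)


def parse_ts(value):
    return datetime.fromisoformat(value)


def suppress(alerts, allowlist=ALLOWLIST):
    """Drop alerts whose (rule, user) pair is on the documented-benign list."""
    return [a for a in alerts if (a["rule"], a["user"]) not in allowlist]


def deduplicate(alerts, window=DEDUP_WINDOW):
    """Keep the first alert of each (rule, host, user) key and fold later
    copies that fall within `window` of that kept alert into its `count`.
    The window is fixed to the kept alert, so a long-running burst produces
    a new record every `window`, which keeps sustained activity visible."""
    kept, last_kept = [], {}
    for alert in sorted(alerts, key=lambda a: a["ts"]):
        key = (alert["rule"], alert["host"], alert["user"])
        prev = last_kept.get(key)
        if prev is not None and parse_ts(alert["ts"]) - parse_ts(prev["ts"]) <= window:
            prev["count"] += 1
            continue
        record = dict(alert, count=1)
        kept.append(record)
        last_kept[key] = record
    return kept


def correlate(alerts):
    """Group surviving alerts into one case per host; the case severity is
    the highest alert severity in it. Highest-severity cases come first."""
    cases = defaultdict(lambda: {"alerts": [], "severity": 0})
    for alert in alerts:
        case = cases[alert["host"]]
        case["alerts"].append(alert)
        case["severity"] = max(case["severity"], alert["severity"])
    return sorted(({"host": host, **case} for host, case in cases.items()),
                  key=lambda c: -c["severity"])


def triage(alerts):
    """Run the three passes and report the volume at each stage."""
    after_suppress = suppress(alerts)
    after_dedup = deduplicate(after_suppress)
    return {
        "raw": len(alerts),
        "after_suppress": len(after_suppress),
        "after_dedup": len(after_dedup),
        "cases": correlate(after_dedup),
    }


if __name__ == "__main__":
    result = triage(SAMPLE_ALERTS)
    print(f"{result['raw']} alerts -> {result['after_suppress']} after suppression "
          f"-> {result['after_dedup']} after dedup -> {len(result['cases'])} cases")
    for case in result["cases"]:
        print(f"  {case['host']}: severity {case['severity']}, "
              f"{sum(a['count'] for a in case['alerts'])} underlying alerts")
```

On the constructed sample, seven alerts become two cases, and the higher-severity host is presented first even though it produced a single alert. The counts folded into each record are preserved so the investigation still sees how many underlying events the case represents; a triage stage that discards that information is reducing volume by hiding evidence rather than by organising it.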
There are many questions regarding what an AI-powered autonomous platform might look like, one of which concerns the increasing preference that SOC analysts have for remote work. This is particularly pertinent when many cyber experts are pushing for a ‘decentralization’ of the SOC. However, Aslaner is certain that preventing alert fatigue and enabling effective threat hunting exercises remain central priorities in the task of future-proofing SOCs.
A Decentralized SOC
It’s no secret that shifts in working habits brought about by the COVID-19 pandemic have had an almost paradigm-shift-like effect within IT. This is arguably most evident within SOCs, argues Casey Allen, chief information officer at Concentric. Centralized security functions have become increasingly decentralized, brought about by how security teams have become dispersed. This is a trend that shows no sign of slowing.
As the name suggests, a decentralized SOC has dispersed security teams managing risks typically at the local and/or regional levels. Additionally, operations are self-contained, with decision-making conducted by specific business units, typically based on their geography. There are significant security benefits from this, Allen tells Infosecurity: “You don’t have everyone centralized in one place. Usually, if there’s a disaster, there can be a single point of failure (SPOF).”
SPOF is a term that has long been used in technology, referring to a single component, such as a central node or hub through which all processing flows, whose failure takes down the entire system. If the central command center is compromised, the entire business may be jeopardized. According to Allen, this explains the imperative to factor in multiple, geographically distributed risk functions in visionary SOCs. “The way to go past the SPOF problem is to have analysts working remotely, since every analyst is a unique node to ensure continuity if problems ever arise.”
There’s also the related concept of ‘net freedom’ that has become important during the COVID-19 pandemic, remarks Allen: "The mass exodus of cybersecurity roles recently inspired recruiters to reach out to other companies to fill security gaps; from a recruiting and retention perspective, it’s necessary to have a decentralized SOC,” he states. At Concentric, Allen explains, the SOC was remodeled to enable remote work since security teams simply don’t want to return to being in-person. This preference, he says, is widespread in other SOCs: “What people are now chasing isn’t money per se; it’s allowing them to continue being flexible. The more options organizations present to employees, the larger the talent pool will essentially be.” The benefit thus extends to the well-known cyber skills gap, which, according to Cybersecurity Ventures, will see 3.5 million cybersecurity jobs open globally by 2025, representing a 350% increase over an eight-year period.
A Democratized SOC
While flexible work preferences are changing how SOCs are run, the increasing complexity of technologies, the growing number of failures and attacks, and the SOC’s tightening dependency on business goals are also transforming them. One such change in future-proof SOC plans, argues Allen, is that they include a “democratized” model, meaning that organizations should adopt cultures in which SOC secrets are no longer kept close to the vest. The SOC-as-a-service (SOCaaS) is a good example of a democratized SOC, states Allen. “SOCaaS – as exemplified by Verizon and AT&T – aggregates data from various organizations, thereby providing invaluable information to those using it.”
While it’s common for small and medium-sized businesses (SMBs) to use a managed service provider (MSP) to oversee their security operations, because of the democratization of SOCs, MSPs could thus readily use a SOCaaS for the businesses with which they work. One of the benefits here is that the costs of having a SOC are significantly reduced for SMBs. “A democratized SOC is financially accessible to everyone rather than being limited to a Fortune 500 company,” remarks Allen. Allen, however, stresses that this requires a culture shift: “An SMB [historically] would never consider a SOC since they didn’t consider it necessary. Yet, because of ransomware news stories, for example, SMBs are investing heavily in cybersecurity.” This is an operational expense they must budget for, Allen tells Infosecurity.
There is also an essential role for consumers here. “The SOCaaS for consumers is a wide-open market. No one is offering this service, and providers do not realize that consumers need this,” Allen explains. “My last company offered consumers a virtual private network (VPN) application that consumers installed on their computers. All network traffic would route through the private network. We also had teams of analysts doing alert triaging and threat hunting; all of this provided a consumer-SOCaaS.” When the digital native generation matures in 10 years, comments Allen, particularly when consumers have more disposable income and know cyber-risks and digital privacy more, “SOCaaS for consumers will become more of a thing.”
In addition to the kind of data changes exemplified by SOCaaS models, a SOC of the future will also see more public-private information-sharing partnerships. The Cybersecurity and Infrastructure Security Agency (CISA) reflects this, Allen tells Infosecurity.
CISA director Jen Easterly recently announced that CISA is teaming up with major cloud providers, cyber companies and other private sector partners under a new initiative to combine efforts on planning, threat analysis and defensive operations. The agencies and companies involved will share insights to create “a common operating picture, a shared situational awareness of the threat environment, so that we understand it better to develop whole-of-nation comprehensive cyber defense plans to deal with the most significant threats to the nation to include significant threats to our critical infrastructure,” Easterly said.
“Even if we put aside some of the ostensible challenges around such partnerships, this will be invaluable for the SOC of the future,” remarks Allen, given the evident benefits such a shared situational awareness offers, including threat analysis and defensive operations.
Saving the SOC
As already mentioned, concerns around future-proofing the SOC abound in the industry. This is particularly underscored by the degree to which SOCs are fatigued by alerts, false positives and burnout, in addition to a changing threat landscape and worryingly low staff retention. As the industry knows all too well, the SOC has historically played an essential role as the ‘command and control’ hub for an organization’s cybersecurity efforts. Yet, many argue that the SOC of yesteryear just cannot keep up with today’s advanced cyber-attackers and is failing to secure organizations from unknown cyber-threats.
Any changes to bring forth a SOC of the future will have to radically change how it operates, including decentralizing it to forestall any SPOF and even offering itself as a SOCaaS model. This latter point will radically reduce costs and change information gathering, especially paired with the type of “common operating picture” that CISA is rolling out. Moreover, by dint of future technologies like AI and automation, it’s possible to extricate analysts from alert fatigue by ensuring SOCs leverage machine-speed detection and response capabilities, allowing analysts to focus on proactive threat hunting exercises.
A SOC of the future will also have to reckon with an otherwise fragile workplace, ushering in considerable changes in attracting and retaining SOC employees. The Voice of the SOC Analyst report laid bare the problem, showing the vast degree of burnout in security operation teams, likely driven by the fact that 69% are understaffed and 60% have seen their workload increase over the past year. The SOC, the technology it implements and its data sources must evolve together to tackle today’s threats, but none will work effectively in isolation. Additionally, the SOC of the future will need to ensure that it’s an engaging and flexible work environment for employees, improving the employee experience and increasing retention rates, shielding staff from burnout or from quitting altogether. To conclude, as SOCs look to the next phase, a concerted focus on people, data and technology, enabling them to work effectively together, is critical.