An Active Defense Mindset Draws Better Financial Returns from Your SOC
Sid Trivedi is a Partner at Foundation Capital and one of Respond Software’s key investors. As someone who is interested in technology and how it helps a business run better, he brings his perspective to what the challenges are for the SOC, and how security leaders are changing how they do things to get better financial returns from both technology platforms and investments in people. I recently had a chat with Sid to talk about how he sees the SOC evolving and the need for a change in mindset.
How would you sum up the evolution of the SOC and its challenges?
The security market has evolved dramatically. In the early 2000s, the perimeter was all that mattered. You would block attacks with firewalls from a variety of vendors and combine that security with anti-virus. By 2005, the belief that firewalls were no longer enough gained traction because threat actors were coming onto your network and you had to detect those attacks. It wasn't until the last decade that people started to believe in this concept of active defense. As more detection technologies popped up, the focus of the SOC shifted toward response.
What has that meant for the workflow in a typical SOC?
The volume of alerts has gone up exponentially. When prevention through perimeter blocking was the focus, an automatic decision was made by software as to what to block and what not to block. Someone would adjust the rules when something bad happened, but there wasn't a huge staffing requirement for the SOC. With detection technologies generating massive amounts of alerts, the SOC needed an entire team to make decisions based on those alerts, so in the past five years there's been a significant change in how security teams work.
How has cloud computing adoption affected the daily operations of the SOC?
Five years ago, it was assumed everyone would become cloud-first organizations, but before COVID-19, only a quarter of all infrastructure of the Global 2000 had moved to the cloud. We'd expected it to be as high as 70 percent. The main reason was security and potential loss of control over sensitive data. What COVID has shown is that those organizations that do have a large cloud infrastructure have benefited significantly because it helps with flexibility and allows them to pull back on spending based on lower customer demand, or in other cases, respond to a massive spike because of e-commerce and digital payments.
What are the benefits of being in the cloud in the present climate from a security perspective despite all the concerns?
Just as it's difficult to switch applications and scale up quickly with your on-premises infrastructure, the same applies to security. If you want to physically plug in a new security gadget in a data center, it's tough to install boxes right now. With a cloud infrastructure, it's easy to spin up new containers. No matter how long this remote work trend lasts, we're going to see an accelerating transition to the cloud. Even security professionals don't want to deal with infrastructure. The focus is going to be on the controls applied to the application and data services delivered via the cloud.
Respond Software’s research with Ponemon shows organizations are not getting the optimum financial return from their SOCs, and that throwing more money or technology platforms at the problem isn’t the answer. How do you see this playing out in the SOC?
A Fortune 100 today could have a hundred different vendors they're working with, so they have a hundred different sources of alerts to manage. All those alerts go into a SOC with multiple tiers of analysts who must figure out what should be blocked immediately and what must get escalated, making analyst decisions more complex and more difficult. It's harder to discern between a potential attack and a trusted application. If you generate more alerts, there are going to be more false positives.
What has the growth of technology platforms and alerts meant for security leadership?
When we still had the perimeter and a binary approach to security, block or not block, the role of the security leader wasn't a big one. There were several degrees of separation between them and the CIO or CTO at a Fortune 500 company. Over the past two decades, as the number of technologies has increased, as well as the number of bad actors exploiting the digital world as a means to attack a company, the senior security role has expanded too. The CISOs who have taken over at major companies after they've had a high-profile breach, such as Equifax, Home Depot, and Capital One, are, for lack of a better word, superstars. They're also "fixers," who are brought in as members of the executive team. The CISO now reports directly to the CEO.
Given that today’s CISO is a fixer, are they also thinking about the financial returns from their SOC?
Most security leaders are aware you can't just throw money at a problem. Their focus is on improving processes so they're more efficient. They need to reduce the number of false positives so second- and third-tier analysts are preventing potential incidents based on credible alerts through collaboration and easy information sharing. Part of getting financial returns from all the investment in the SOC is making sure you're getting the most value from your people and sharing what they learn across the broader organization. If they do get poached by a competitor, you don't lose all the intelligence and institutional knowledge they've accumulated.
How does changing the mindset in the SOC contribute to getting better financial returns?
People are thinking about active defense. This stems from cyberwarfare and how large intelligence communities manage their strategies and their own SOCs. Enterprises are trying to learn from that and think like hackers to anticipate what they might do next. Those hackers are employing breach automation tools so they can constantly attack an organization in the most optimal manner, which means the SOC must be constantly thinking about its points of weakness. You can no longer assume you can't be breached; you should be actively trying to find your gaps and be ready to accept you'll make mistakes. Active defense means a shift in mindset that has people not only responding to alerts but thinking about ways to improve and looking at mistakes so they can learn from them.
Read the Ponemon Institute Report: The Economics of Security Operations Centers