What's Beyond the SOC?
In the near future, the tedious monitoring and triage tasks now performed by SOC analysts will be handled by AI-based expert systems. Once it is no longer necessary to keep human "eyes on glass" watching security alerts, the transformational possibilities for an operational security team are extraordinary. We at Respond Software have a point of view about how Security Operations Centers can restructure once these technologies are in place. We call it the Security Situation Center (SSC). This is the first of several blog posts explaining what the Security Situation Center is and how it can benefit your security operations.
As for the backstory, I would love to tell you that there was a more formal origin behind the core tenets of the SSC, but the truth is that the concept came from watching too much Star Trek. I am a huge Star Trek fan, and while watching an episode of "The Next Generation," I started thinking about the parallels between navigating hostile cyberspace and the efficiency of bridge operations on the Starship Enterprise. The series is 30 years old, but it still captures our imagination and, in this case, offers some original ideas we can put to work today.
The Starship Enterprise Model
On the bridge of the Enterprise, every crew member has a distinct role and clear ownership of duties, backed up by team members elsewhere on the ship, and several people are trained for each role. Considering the range of situations the crew expects to encounter, it is obvious that this team is well-prepared, well-trained and confident. They have navigation, engineering, communications, science, medical, tactical and command, and of course Counselor Troi for diplomacy and a little espionage. They are prepared for the unexpected, so they have all options covered. That organizational structure and preparation let them hightail it at warp 9 when running from a hostile situation, or hide, fight, discover, fix, or talk their way out of anything. This is exactly what I want my security defenses to be able to do!
The basic Security Operations Center template has many junior people doing the same job. There may be some rotation, but that job is to keep human "eyes on glass" watching alerts or events and deciding which require action and with what urgency. This model typically leaves security situation management to an ad-hoc team of incident responders, senior architects, and the management chain. That ad-hoc team convenes only occasionally, to respond to high-profile incidents, and for its members it is an additional duty on top of their day jobs.
The hostility and risk that organizations expose themselves to by doing business on the Internet now look more like a low-level information war than the occasional malware infection or credit card breach. We know the economics are too powerful not to do business on the Internet. However, as the world becomes more digital, perhaps it is time we acknowledge this new reality, leave the status quo behind, and reorganize to actively defend our companies on the Internet.
Fortunately, there is some organizational experience behind this idea beyond Star Trek. When I ran an MSSP in the early 2000s, every new Internet worm, roughly one a quarter, gave us practice. Those War Rooms ran on sleep deprivation, caffeine, hundreds of millions of dollars in financial losses, and a lot of grumpy IT and IT security guys and gals. It was management by exception at its worst. When it worked, we managed to recover in a reasonable time frame, but we never fixed the root of the problem.
With a Security Situation Center, you have a small team of experienced security personnel whose full-time job is to actively defend the business and to proactively prepare to defend it. That means an immediate grasp of every control deployed and its current status, the vulnerability status of the entire enterprise, and intelligence on the capabilities and intentions of bad actors. Just like the crew on the bridge of the Starship Enterprise, these people are at once leaders and coordinators of the IT and IT security teams that actually make the ship fly.
I plan to share more ideas in coming posts about what a Security Situation Center looks like. More importantly, I am very interested in comments and feedback from our community on how our industry can push operational security up a couple of layers of abstraction, from managing alerts to managing situations. As Captain Picard said so well, "Engage!"
by Chris Calvert, VP Product Strategy and Co-Founder, Respond Software
Image courtesy of http://tng.trekcore.com.