CISO Says: It’s the End of the SOC (And I Feel Fine)

Dan Lamorena
by Dan Lamorena
category Perspective

What’s the #1 giveaway at RSAC this year? Hand sanitizer.

The RSA Conference of 2020 replaced handshakes with friendly fist bumps and forearm bashes. But the demos stands were still busy, and the conversations lively, as the masses debated how to address security incident detection and response. The ISE® VIP Signature Luncheon created a great forum to host security leaders driving transformation in security operations.    

Moderated by Chris TrioloRespond Software’s VP of Customer Success, the innovators on this year’s panel included: 

  • Tony Spurlin, VP and CSO of Windstream  
  • Ramachandra Hegde, SVP/CISO of Genpact  
  • Eric Adams, CISO of Kyriba 
  • Jim Routh, CISO of MassMutual 

What followed was an insightful and revealing conversation focused on the “demise” of the traditional Security Operations Center (SOC). If you work in a SOC, many of the themes may be familiar; check out this abbreviated recap and share your perspective with us in the comments section below 

The CISOs on the panel shared the idea that the SOC is a critical component of their security strategy, but also one of the larger components of their budget. “The SOC is our most intensive area of investment for our security program, including people and infrastructure. It is an area ripe for efficiency,” said Jim Routh.  

Tony Spurlin added, “The question is: what are we getting for the money? The board wants to know that funds are being put to good use. Our goal is to demonstrate ROI and show metrics without generating fear.”    

Organizations like Mass Mutual are working to change the way they do things, as Jim stated: “We are looking at data science to change how we are operating.” 

Emphasizing happy and productive team members, Eric Adams noted, “The security analysts make up a farm team where we bring in great people and promote. No one wants to sit in front of monitors all day. Analysts come on board – get training and then go to a better job. Most don’t want to stay in the role.   

Urging a focus on technology, Jim stated: We want to fill talent needs – make it less of a burn-out job – by giving them better tools. We are driving to improve the quality of work and work experience for the analyst and remove the MSSP providing frontline defense.”   

So, what is the future of the SOC?  Nearly all the panelists said the next major step is automation.   

Eric said, Automation is key for scalability across platforms and geographies. You need thoroughness, 24x7 coverage. 

Jim added, We are at a lower operating cost with fewer resources. We are moving to a Tier II model and robust Tier III model. In 70% of cases, we orchestrate through SOAR.  The human analyst does the other 30% - more analytical cases.   

Sharing his experienceJim continued, Data science is inevitable. The SIEM will become obsolete over time. Data lakes and analytics are the future. Mature models that analysts need to consume will replace data correlation. We use less of it and pay more for it. My first hire was a data scientist and we train all new hires in data science.  Models don’t take time off. People, not so much.    

Tony cited future for his teamWe are expanding in AI and advancing it forward. It is a big project to get entire the security infrastructure talking to each other. We use Respond as the nucleus and can remove Tier I and Tier II analyst structure. 

For Windstream, Tony detailed a long-term vision for the company’s security operationsAn intelligence-driven SOC that analyzes the environment and takes proactive countermeasures. It requires communication across devices. For example, if one leaf flows across the Aspen forest, all the trees know it. Our infrastructure – one incident, we all respond immediately. A self-healing/informing network that can sustain itself without human interaction.” 

Chris Triolo noted the future of the modern enterprise should have systemic immunity, citing, “Once you’ve been infected, you can understand how it happened and apply controls so that will never happen again. The problem we have today is that we don’t have the time to do it. Respond can free up the time, so you can immunize yourself against a particular kind of attack and never have to spend time dealing with that again. We’re reliving the same events over and over again. If we can make progress, we can refocus so that we do more.

With the unanimous emphasis on automation, the conversation then turned to a discussion of where companies planned to refocus resources.  

At Mass Mutual, Jim noted that they allocate budget to address higher-priority risk. If we can generate savings in SOC, we can reinvest scarce resources to the highest risk. We now have SOC analysts that are freed up to do cyber-hunting.    

At Kyriba, Eric shared, From a budgeting and planning perspective – the cost/benefit of not hiring FTEs for SOC, it was huge. I could reallocate FTE to higher-risk projects. Security analysts became security engineers to enact change and work on higher-risk projects. We can focus more on data flows and data protection and scrutinize it more thoroughly. We are more excited; now I’m working on more engineering projects, and the staff is more proactive.” 

Ramachandra Hegde noted that now his team has more available time to learn about their business. Without automation, you can’t get to capacity. Now we have time for analysts to understand the business. It’s important to understand the business and risk, not just the technology. We can free up time to understand a day in the life of colleagues in our business units.  

If you are looking to automate your SOC, check out the Respond Analyst