SOC Analysis

How to Design an Efficient SOC: Fewer People, Better Processes and Advanced Technologies

    Chris Calvert
    by Chris Calvert
    category SOC Analysis

    Since its advent nearly a quarter century ago, the security operations center (SOC) has become part of the dominant paradigm in enterprise information security programs. Slightly over half of large enterprises have an in-house SOC, and perhaps as many as a third of midsized organizations either maintain their own small SOC or outsource SOC functionalities to a third-party provider.

    Despite the prevalence of SOCs, however, very few are considered “highly effective.” Nearly half of IT security practitioners surveyed for a recent Ponemon Institute benchmarking report indicated that they’re “dissatisfied” with their SOC’s ability to detect attacks and malicious activities. And SOCs are expensive. The average total cost for staffing and maintaining one tops $2.8 million dollars per year.

    Why are so many organizations paying so much to get so little satisfaction and so few results? The short answer is that this dominant paradigm is broken.

    Why the SOC? Where did the idea come from?

    According to the United States Department of Defense, an operations center is a facility or location, on- or off-base, where a commander directs, controls and coordinates all activities and operations during a crisis. Like “network operations center” (NOC), its cousin responsible for monitoring and managing network infrastructure with the goal of maintaining uptime and performance, the name of the “security operations center” migrated into the language of enterprise computing from the military.

    It’s unsurprising, then, that some of the first SOCs ever built were developed by the U.S. Army and Air Force to protect the classified data and sensitive intelligence information that its networks housed. As increasing numbers of private sector organizations began dealing with the repercussions of costly and damaging data breaches—breaches that could have been prevented if only there were a way of monitoring in real time the security sensor data that was already being collected at the time of the attacks—demand for the SOC as we know it today was born.

    Most SOCs share common design features. The core concept is that all security data collected from the organization’s IT environment flows to the SOC, all monitoring is done there and many tactical decisions about response and remediation are made within it. The SOC is meant to be the nerve center of IT security risk management in the organization.

    Just like the algorithm that determines how a new software program will run can be visualized in a flowchart, it’s possible to show all the procedures, interactions and learning loops according to which a SOC operates in a formal blueprint. By design, a SOC’s operational processes are intended to be formally structured, regular and repeatable. Thus the vast majority of today’s SOCs are built according to patterns that are highly amenable to automation.

    How to Increase the Efficiency and Effectiveness of Your SOC

    What’s the best way to repair a broken paradigm? And when does it make more sense to replace the old standard with a new model that’s better suited for success in today’s world?

    In the case of security operations, the primary bottleneck in the process and the stumbling block that’s preventing the vast majority of SOCs from performing as well as organizations need them to is the nature of human cognition. Human security analysts will never get better at monitoring enormous amounts of log data streaming across their consoles. Neither their long-term nor their short-term working memories will improve to the extent that it’ll become effortless for them to correlate an IP address associated with an alert with, say, a sequence of events that took place on another part of the network three weeks ago. Whereas automation can accomplish these kinds of tasks with ease.

    Why not, then, simply insert an intelligent automated monitoring solution into the appropriate point in a SOC’s existing workflow, leaving the rest of its processes and procedures in place? There’s no question that this would lead to some improvements, but the reality is that incorporating automation into security operations in this way is inherently a radical transformation.

    Like all forms of truly radical change, adopting technologies that are truly new and different requires that people and processes evolve as well.

    Making the best possible use of intelligent automation in security operations requires a mindset shift on the part of the security analysts who work alongside it; it demands cultural change of the entire organization; and it necessitates that processes and procedures be revamped entirely. Building a security operations workflow that’s truly efficient in today’s world calls for an entirely new paradigm.

    Reshaping SecOps for Tomorrow: The Cybersecurity Situation Center

    Here at Respond Software, we like to call the new paradigm—which will house the security operations programs of the future, and which our most innovative customers are building today—the “situation center” instead of the SOC. It’s a fresh model that has the flexibility and agility to meet the needs of future-facing organizations, and it represents the bold step forward that’s needed to defeat today’s omnipresent and highly sophisticated cyberattacks.

    Once the SOC monitoring tasks that are performed by humans in today’s SOCs are assumed by the machines for which they’re so much better suited, the entire SOC’s design can and should be reconfigured. No longer will we need such highly formalized, structured workflows.

    Instead, tomorrow’s situation center will be agile and informal, with processes that are constantly shifting and adapting as attackers alter their tactics. Fewer humans will work there, but those who do will have more important and interesting roles to play. They’ll work in close collaboration with one another and their colleagues in IT, rather than in isolation or within departmental silos. Decision-making will be less centralized—and will happen closer to the problem. The entire entity will maintain a strong focus on systemic immunity rather than simple upstream detection of problems and threats.

    And, as a result, the innovative organizations maintaining situation centers instead of traditional SOCs will enjoy cost savings as well as dramatically reduced risk profiles in comparison to their laggard peers.

    Does this sound farfetched? Remember that the SOC paradigm is a relatively new one within the history of enterprise computing. Thirty years ago, there were none, and organizations developed and built them. Today, it’s time to create something new.