Evolution of the SOC – From the Dark Ages to Enlightenment, shifting to an agile threat informed cyber defense program
How important is the Security Operations Center (SOC) to a business and a security leader's overall success?
The answer is a bit cloudier than one would believe, given the length of time the SOC has been part of our security program lexicon. NIST CSF, ISO, and other regulatory frameworks provide definitions of managing risks and control effectiveness, but the scope of the SOC has been entirely guided within the business.
The SOC was born out of the need for centralized, continuous monitoring and triage of compliance issues and cyber threats. As a result, we have seen SOCs evolve into platforms like Trustwave Fusion and other cyber defense organization constructs.
What is fascinating is how similar different organizations' cyber defense teams can be, yet how personalized they are required to become to fuse with the organization's business model. This evolution is more than just technology maturity and the adoption of threat intelligence, fraud, and OT operations. It also includes the cost and culture shift of a decentralized, virtual workforce model versus the historical windowless bunkers with their blindingly bright walls of oversized screens.
The evolution of the SOC into a modern, data-driven, threat-informed cyber defense capability is a reaction to the accelerated adoption of digital innovation, including cloud, 5G, artificial intelligence and machine learning, and possibly the Metaverse, amongst other new platforms.
History always gives us some perspective on how best to help your business shift from the SOC "Dark Ages" to the "modern Threat-Informed Enlightenment" of cyber defense operations: operations that can speak to the business value they deliver while using intelligence to power a more resilient business.
The Dark Ages of the SOC
It is 2007. You walk into a darkened room, not unlike the NORAD war room made famous in the movie WarGames or a NASA flight control center. The space is filled with desks hosting multiple monitors that display all the information gathered by a somewhat new technology called SIEM, although the Intrusion Detection System (IDS) and firewalls were still the primary instruments of choice for driving alerts and analyst prioritization.
In such a room, we would see more than 20 SOC analysts working in this muted environment through rotating shifts to achieve 24/7 coverage out of a single location. Technology management was critical to performing hands-on remediation activities, which were also typically tracked manually in Excel, Word documents, or email. Given the job market today, I'm fairly certain this model is officially outdated, if not impossible, to reconstruct.
A bit later, in the 2000s, we would start building a new security operations center model. At this time, there was a huge emphasis on the physical components of the building itself. Even the 2010s saw more emphasis placed on developing a 'Next-Gen' workspace within the business.
Does this practice sound strategic to the business? Is this a critical success criterion for the security leader?
One can make a case for avoiding the financial penalties of non-compliance, but perhaps only the security leader is championing the strategic importance of this operation. This scenario is one of the reasons the industry has tried to steer clear not just of reusing the term SOC, but also SIEM, given the lack of translatable business value from past levels of investment in these technologies.
Things started to change in the back half of the 2010s. Companies moving from paper to digital and shifting from on-prem to IaaS, PaaS, and SaaS changed the landscape and began to challenge the importance of having a physical space for the SOC. Early forms of the digital, or virtual, SOC began to be formulated and appear.
SOC 'Enlightenment' and the Age of Threat-Informed Cyber Defense
Now the question arises: How do current security operations effectively fuse with the business and provide the continuous resilience necessary for the business to remain competitive in the market and grow?
While the idea of a fully automated SOC has been kicked around for years (looking at you, SOC-in-a-Box SIEM appliances and, more recently, some of the SOAR messaging), the possibility of implementing a "Skynet" all-knowing system with no human interaction is still not in the cards. This is probably a good thing, seeing how things worked out in that story.
So, with Skynet out of the picture, SOCs will continue to evolve. Cloud-powered, highly virtual operations with decentralized teams were pressed into action during the COVID-19 pandemic. While organizations may have varying levels of comfort in adopting this operating model, it became an adapt-or-fail proposition to ensure cyber resilience did not suffer while moving out of the physical SOC bunker.
Playbook automation, virtual war rooms, well-defined governance, and data science became necessary for running an effective and efficient remote team.
What is fascinating is how the log monitoring, triage, and response data has rapidly diversified in parallel, challenging security teams to understand where the gaps are when onboarding a plethora of OT data from identity (edge), purpose-built IoT, and the legacy OT environment.
Effectively identifying, deploying, and continuously managing use cases in the SIEM, SOAR, EDR, and XDR is a good way to assess how agile the security operations are today. However, the tools alone are not agile, which is why the strategy, skills, and availability of the humans powering the threat-informed defense are necessary to achieve success.
The challenge organizations face is well known in the supply chain world. Sourcing, training, and growing talent while sustaining the performance of existing operations is a full-time job. Perhaps security programs should mirror the approach used by professional sports teams and have scouting departments and farm systems in place to nurture entry-level analysts.
Establishing predictable operations that can sustain success while cautiously evolving with the business growth and threat actors is not easy to take on alone.
The Role of Trust and Partnerships
Trust is paramount to success with the board, your peers, and the operations team in executing the vision for cyber defense. Effectively partnering with IT/NOC, Fraud, OT, and other operational units inside the organization is a key step in turning the SOC into a business-enabling, threat-informed defense center.
SIEMs, EDRs, and MSSPs have been in the market for some time and may generate a variety of responses depending on past experiences. We can dress them up as XDRs and MDRs capable of performing today's threat-informed defense mission. However, organizations still need to assess the operating model and determine which areas they can perform alone, with a partner, or in a shared co-managed model. This assessment is as relevant to threat intelligence sharing within the ISAC community as it is to identifying the correct 'vendor' to integrate with your cyber defense program.
Regardless of how you decide to source the talent and skills that empower the cyber defense program, there is power in sharing your vision with partners you can trust. As data continues to diversify and grow at scale to power businesses, it is an opportunity to blueprint what "great" looks like for you and identify a partner who shares your vision.
Regardless of what the future holds in advanced AI, ML, and automation: define the strategy, identify the key use cases and the telemetry they require, assess and calibrate the tools and teams against the cyber readiness of those use cases, and be vigilant in sustaining the operations and driving continuous improvement.