For many years now, the Security Operations Center (SOC) has been a staple for security teams. It’s an essential part of ensuring that alerts are properly investigated to determine and manage the risk around possible security incidents. Naturally, the SOC is changing as the cybersecurity field changes. Another big driver, though, is how organizations’ reliance on and perceptions of cybersecurity teams are changing.
SOC in a Remote World
The traditional SOC came with visualizations of large rooms filled with monitors of streaming data, maps, and traffic flows. It was a command center, buzzing with activity meant to protect an organization from active threats. The Covid-19 pandemic totally upended this approach, pushing everyone out of the office where they are working remotely.
This shift has instigated a change in tooling and the way data is accessed within the SOC, moving away from locked-down internal networks and layers of firewalls. The same tools that enable SOC members to collaborate and access data more fluidly also open up opportunities to engage a broader workforce without geographic restrictions. This is also an enabler to facilitate faster or more efficient production of value.
SOC + DevSecOps
Recent years have seen an explosion of interest and engagement around DevSecOps, the work to unify across development, security, and operations teams. There is a natural feedback loop between development teams and a SOC. Collaboration needs to be tight between these two groups to ensure that:
- Alerts are set up for the right things for the technology, not just relying on some generic list of issues to alert on.
- The SOC understands how to contextualize and properly investigate the alerts.
- The development teams understand how to respond to and handle the issues that happen on their systems as well as how to collaborate with the SOC for added support or investigations.
The last bullet is about, in my mind, reinforcing a mindset of ownership over security outcomes and collaborating to enhance that capability, not absolve oneself of it.
Related to the above, development teams are taking more ownership over the health of the services they’re building. The explosion of services like New Relic, DataDog, and SysDig is enabling teams to own their service’s uptime, the drift, and the security posture. I believe that the SOC needs to adapt the way they manage their data, the accessibility to it, and the comfort level with letting others in. When the SOC lets other teams in and delegates some parts of its responsibility to other teams, trust is built and speed of delivery across the board is enabled.
Rapid Response and the Role of Automation
The SOC received a surge of automation support with the introduction of SOAR tooling. This class of tooling allowed teams to more seamlessly automate team workflows, connect tools together, and test enhancement ideas. I believe that an integrated SOC is necessary in this world. There are no silver bullet solutions or threat actors engaged across such a broad spectrum of technologies within our environments.
Automation and SOAR investments also enable the SOC to expand its purview of responsibilities. The SOC normally operates in the detection and response domains (using the NIST CSF framework). Assembling automated playbooks allows it to operate in the protection or recovery domains as well.
Here’s a scenario. Consider a deception platform (Acalvio) connected with EDR (Crowdstrike) that triggers a ransomware attack. It initiates an event in IDM (Okta) to lock a user account or device management solution to lock or quarantine a device during an investigation.
Codifying attack vectors through SOAR response can be a powerful way to engage the SOC outside of the normal lanes of responsibility.
The SOC has historically operated as a detection and response function within the security team. The way that data and collaboration tools, cross-team engagement, and SOAR tools are improving is expanding the how and where that a SOC can add value to an organization.
I encourage all security leaders to be thinking about their SOC, not as something they can simply outsource and put in a box. Rather, think of how they can take a group of people who can engage across an organization to drive enhancements in event-driven response to security issues.
Want more cybersecurity insights? Visit the Cybersecurity channel: