The SOC is dead — long live the SOC!

Overwhelmed by alert and event volumes and held back by a shortage of skilled analysts, the average Security Operations Center (SOC) is approaching a state of crisis, and the challenges will only worsen if SOCs don’t evolve.

No doubt about it, the SOC’s mission is vital: detect and respond to threats against the organization. Unfortunately, most SOCs today fall short. Here’s why:

SOCs were designed around one or two core products focused on logging and monitoring dedicated environments. The typical “monitor and report” operating model limits the SOC’s ability to respond to threats proactively. Instead, many SOCs issue the same vulnerability reports month after month, hoping the problems will be corrected; the repetition only desensitizes the recipients.

Many security issues require cross-team coordination and control. If the owner of a compromised machine fails to remediate it, the machine can be left infected for weeks or even months, exposing the organization to a serious breach.

Security events from IoT devices will compound these issues. Such events may carry overriding safety imperatives that require real-time detection and immediate prioritization and response. Streaming analytics, machine learning and orchestration will no doubt be part of any solution, adding further complexity to security operations.

Next-generation SOCs

Smart organizations will create next-generation SOCs and related services by adopting a more proactive operating model that fosters collaboration between the SOC and the business. Changes to the wider security organization should reshape the SOC as well, helping it forge stronger connections with the business. Security and IT teams must collaborate more effectively, both with each other and with the business, so that threat responses are prioritized according to business objectives rather than IT objectives.

Ideally, the approach also includes a common incident management system, which reduces handoffs between teams and provides a consolidated view that supports action rather than just reaction.

Automating data collection and analysis is also necessary, so that teams can deal confidently with an otherwise overwhelming number of alerts. Similarly, given rising concern over data breaches, smart organizations will establish connected information hubs through which they share threat indicators and incident response processes with partners and suppliers.

SOCs that evolve in these directions will fulfill their mission and enjoy long and healthy lives.

Sydney Tran is the DXC Global Lead for Integrated Security Operations & Threat Intel and has more than fifteen years of experience in the management and development of cybersecurity programs and solutions. Sydney has provided expert cyber threat intelligence advice to clients and organizations of all sizes across the globe.
