The Next Generation Security Operations Center: Part 1
Planning the adventure
For years, Security Operations Centers involved people, process and limited technology, because they covered only the physical side of the threat landscape rather than the virtual or cybersecurity side. As technology has evolved, sophisticated systems have become frustrating to master and difficult to maintain within an organization.
Unfortunately, tools are becoming more complicated and require more advanced training, and threat hunting has become more an art than a science. The industry needs to find stability in its current tools, people and processes. Additionally, it must learn how to extract value from what it already has rather than trying to buy the next best product.
While Gartner states that most of their clients with effective SOCs put the premium on people rather than technology or process, it’s been my experience that the right technology is just as important to the organization as its team members. I have seen highly skilled security operations team members leave a particular company because of the lack of executive buy-in and budget for the right tools, the right process adoption or open-mindedness. If an organization is only going to invest heavily in its team, it should get ready for turnover. Smart teams know when they are set up to fail and will look elsewhere for the right culture and leadership. After all, no one wants to get thrown into the deep end with their hands tied behind their back.
Today’s Security Operations Center is changing, and the need for automation is becoming mission critical. Markets and Markets reports that the “Security Orchestration Market will be worth 1.6B by 2021.” We’re only just getting started.
As organizations grow or mature their security capabilities, the need for a properly configured SOC becomes more and more evident. The diverse set of operational security functions, processes and departments benefits from a centralized and coordinated operations center, which is the justification for a SOC to exist in the first place.
Security operations teams or centers can vary a lot from one organization to another, especially in terms of size, structure, process and even team responsibilities. Some of the processes that often fall under the next-generation SOC’s responsibilities include:
- Cyber Incident Management
- Vulnerability Management
- Threat Intelligence & Hunting
- Network Monitoring and Detection
- Governance & Compliance Management
- Physical Security & Physical Threat Management
Apart from defining roles, responsibilities, budget and need, organizations face other challenges when planning a properly established SOC. It can be a big project, and the limited market awareness, documentation and knowledge available can make it exceptionally difficult. Organizations often debate whether to fully outsource these activities or whether an in-house team would be more efficient.
Building a next-generation SOC can take months, if not years, to plan, execute and deploy the necessary team, tools and processes. Companies interested in such an endeavor need to think outside of the box. Don’t stick to the traditional “let’s throw bodies at the problem” or other costly solutions. It might be a difficult conversation to have with the Board or the CFO after ending up with a zero-sum outcome.
I look forward to sharing with those following our blog my view of how the next-generation SOC will change the way we protect the world we live in today.