SOC modernization: 8 key considerations

Organizations need SOC transformation for security efficacy and operational efficiency. Technology vendors should come to this year’s RSA Conference with clear messages and plans, not industry hyperbole.

security monitoring
Thinkstock

The 2022 RSA Security Conference is just weeks away, and the security diaspora is boosted and ready to meet in person at the Moscone Center in San Francisco.

While we’ve certainly accomplished a lot working remotely over the past 2 years, cybersecurity remains in a precarious position in 2022, so an industry huddle is in order. We are at a point where the scale and complexity of historical security defenses either aren’t working or are stretched to their limits. This means CISOs need to think about security transformation, and as they do, every process and layer of the security technology stack is in play.

Now, there will be plenty of hype at the conference around security “platforms” like extended detection and response (XDR), cloud-native application protection platforms (CNAPPs), secure access service edge (SASE), and zero trust—all important topics but also strewn with industry hype and associated user confusion. My good friend Candy Alexander, president of ISSA International, and I will be discussing these trends during our RSA session on Tuesday morning (6/7).  But when I’m not presenting with Candy, I’ll be learning everything I can about security operations center (SOC) modernization.

Allow me to further describe just what I mean by SOC modernization. SOCs are where the proverbial rubber meets the road in cybersecurity. SOC analysts are tasked with detecting threats in a timely manner, investigating these threats to determine their scope and blast radius, disrupting cyberattacks to prevent or minimize damages, work with IT operations to fully restore business/IT operations, and then use these teachable moments to further reinforce their defenses.

Unfortunately, these processes have become cumbersome over the years. SOC personnel face a constant tsunami of alerts, forcing them to react using disconnected point tools and manual processes. And let’s not forget the global cybersecurity skills shortage. According to ESG research, The Life and Times of Cybersecurity Professionals 2021, 57% of organizations are impacted by the cybersecurity skills shortage, leading to increased staff workloads, high burnout rates, and an inability for security professionals to learn and use cybersecurity technologies to their full potential.

Considerations for SOC modernization planning

These issues should have sirens blaring in the CISO’s office, leading them toward strategies for SOC modernization. As they build these plans, they need to consider:

  1. The SOC architecture. Today’s disconnected tools have become tomorrow’s interoperable technology architecture. Whether you call this a security operations and analytics platform architecture (SOAPA, ESG’s term) or a cybersecurity mesh (Gartner’s term), disparate technologies like EDR, NDR, SIEM, TIP, and SOAR need tight integration. Some organizations refer to a modern SOC as a fusion center, combining threat researchers, SOC analysts, and incident responders. This mashup can only work if it is anchored with an open, customizable SOC architecture.
  2. Scale and performance. As the saying goes, ‘all data is security data.’ In other words, SOC teams are collecting, processing, and analyzing terabytes of data from security tools, IT infrastructure components, applications, CSPs, SaaS vendors, identity stores, threat intelligence feeds, and more to figure out whether they are under attack. This requires a highly scalable cloud backend that can ingest real-time data feeds and deliver acceptable response times for complex queries.
  3. Detection engineering. While technology vendors have gotten better at producing detection rules content, SOC teams need better tools for developing, modifying, and sharing custom rule sets easily. This means developing expertise with Yara rules (and Yara-L for Google Chronicle), Sigma rules, and Kestrel rules, while also participating in open-source projects like SNORT, BRO/Zeek, Suricata, etc. Specialist vendors like Anvilogic can help here.
  4. MITRE ATT&CK affinity. The MITRE ATT&CK framework has become a lingua franca of security operations, but many organizations haven’t gotten beyond using it as a reference source. SOC modernization takes this a step further by operationalizing MITRE ATT&CK for use cases like threat detection, controls assessment/engineering, tracking adversary behavior, and continuous testing. Yes, security tools should support MITRE ATT&CK, but this must go beyond simply relating alerts to tactics and techniques in the matrix. Rather, they should contribute to and participate in these more complete use cases.
  5. Risk-based context. When an asset is under attack, security analysts need to understand if it is a test/development server or a cloud-based workload hosting a business-critical application. To get this perspective, SOC modernization combines threat, vulnerability, and business context data for analysts. A quick look at the industry confirms this mixture is already happening. Cisco purchased Kenna Security for risk-based vulnerability management, Mandiant grabbed Intrigue for attack surface management, and Palo Alto gobbled up Expanse Networks for ASM as well. Meanwhile, SIEM leader Splunk provides risk-based alerting to help analysts prioritize response and remediation actions. SOC modernization makes this blend a requirement.
  6. Continuous testing. SOC modernization includes a commitment to constant improvement. This means understanding threat actor behavior, validating that security defenses can counteract modern attacks, and then reinforcing any defensive gaps that arise. CISOs are moving toward continuous red teaming and purple teaming for this very purpose. In this way, SOC modernization will drive demand for continuous testing and attack path management tools from vendors like AttackIQ, Cymulate, Randori, SafeBreach, and XMCyber.
  7. Deception technology. Okay, this one may be a bit controversial as most cybersecurity professionals think deception technology is only appropriate for elite practitioners—the infosec equivalent of Dumbledore. That was true 10 years ago but no longer. Modern deception technology can understand an organization’s assets, identities, and data and then emulate them by creating authentic lures and decoys. The best deception systems, like those from ZScaler/Smokescreen, do a good bit of the work themselves. Facing threats like ransomware that could take down all business operations, I believe it’s time that deception technology is added as a layer of defense (and more) for SOC modernization.
  8. Process automation. We’ve been at this for a number of years now, but I believe that SOC modernization will be a force multiplier for security operations process automation. Why? Technology integration makes things easier, low code/no code SOAR tools like those from Torq have alleviated the need for Python gurus, and many SOC technologies provide canned automation templates and workflows. Finally, SOC modernization gives CISOs the opportunity to assess and reengineer processes, making them more automation friendly.

SOC modernization extends beyond technology alone, providing organizations the opportunity to reassess skills and roles, while supporting a distributed workforce. More about that soon. Meanwhile, I’ll be combing the hallways, ballrooms, and meeting rooms at RSA, soaking in as much SOC modernization knowledge as I can.   

Copyright © 2022 IDG Communications, Inc.

22 cybersecurity myths organizations need to stop believing in 2022