The complexity of today’s SOC functions means you probably can’t hire and keep a staff with all the necessary training

“You simply cannot do incident response and all the functions of a security operations center anymore without vendor operational support.” That is a paraphrased version of what a colleague told me recently. At first, I raised my eyebrows; I’m a huge believer in self-reliance. After more consideration, though, I saw more than a little truth in the statement.

A typical modern SOC covers numerous functions, including incident response, intrusion detection system (IDS) monitoring, threat hunting and threat intelligence. And that’s pretty much the bare minimum. Of course, in smaller environments, some of those functions may well be handled by the same person, but the functions nonetheless need to be there. This is 2016, after all.

Almost all of the things found in a SOC — IDSs, security information and event management (SIEM), correlation and search tools, and a host of deeply technical tools such as disassemblers, decompilers, malware unpackers, etc. — require significant and fairly specialized tools. Clearly, you’re going to have several vendors in that mix, though they may not be lending operational support.

Some of the tools require specialized training as well. Becoming proficient at things such as IDS and malware analysis is not something you can do by reading a vendor’s sales brochures. But again, tool training is a support element, albeit a vital one. What about operations?

In the past 15 to 20 years, a cadre of security operations companies has appeared, companies that provide everything from staff augmentation during major incidents to deeply specialized services such as malware reverse engineering. Even threat intelligence companies have popped up. These companies provide expert support from their teams of engineers who specialize in threat monitoring and analysis. They can be highly effective at providing actionable technical information that can save a SOC staff a great deal of effort.

So, yeah, I fully recognize there are companies out there that can offer enormously helpful services during times of crisis. But are they essential? Well, from firsthand observations of SOCs over the past five years, I can’t think of a single one that doesn’t have a dozen or so vendors on speed dial for operational support issues. Some of these aren’t used often, but when they’re needed, they’re really needed. Put differently, you probably could build a top-notch SOC without operational support, but you’d need expert-level-trained staff that span several highly technical functions, some of which you’ll only have occasional use for, in all likelihood. Even if you can afford to train and drill staff to that level of proficiency, you’re likely to have an unacceptable staff turnover rate if your tech A team is sitting around twiddling their thumbs much of the time.

So my colleague’s assertion seems pretty spot on. But it surely wasn’t always the case that operational support in a SOC was as essential as it is today. That brings me to a bigger question. What has changed? Have the threats become so technically capable that they’re beating us, or have our support vendors evolved their services to the point that we’d be fools to not make use of them?

We hear a lot about advanced persistent threats these days. Although I’m not a fan of that term, it’s doubtless that the attacks, techniques and tools used by our adversaries today have kept pretty close pace with Moore’s Law. Compare the earliest rootkits we saw in the 1990s with today’s malware, and it’s clear that things have advanced in a huge way. For example, analyzing the attackers’ tools requires a skill set that very few can muster.

To try to meet that level of threat, innovative and enterprising vendors have built services that can be huge time-savers. These include appliances that largely automate much of the labor needed to reverse engineer all but the most stubborn of malware. This allows SOCs to answer some of the most pressing questions accurately and rapidly — questions such as whether a piece of malware is targeted at them or if it’s just a general piece of malware. These are the things that can make a tremendous difference in deciding on the most appropriate course of action to take during a crisis.

So, what has changed? I’d say that, collectively, both the malware-writing and -analyzing communities have advanced in a seemingly never-ending arms race of sorts. I see those two as more or less in parallel with one another.

And from those advances, a new generation of product and service vendors has been standing up to fill in voids and meet customer demands. Lastly, you have to credit some of these capabilities to general advances in our computing and networking systems. A modern SIEM can consume and analyze oceans of data thanks to faster processing, cheap and fast storage, and so forth. The good guys and the bad guys alike benefit from that.

If you run a SOC today, you’d be well advised to seek an array of vendors that can help you when you need it most. Waiting until an emergency could well be too late to be helpful.

With more than 20 years in the information security field, Kenneth van Wyk has worked at Carnegie Mellon University’s CERT/CC, the U.S. Department of Defense, Para-Protect and others. He has published two books on information security and is working on a third. He is the president and principal consultant at KRvW Associates LLC in Alexandria, Va.