The Next Generation Security Operations Center – Part 1 – Planning the Adventure
Security Operations Centers have previously been known for years as an activity that involves people, process and limited technology as it only involved the physical side rather than the virtual or cyber security side of the threat landscape. As technology and solution sets have evolved, sophisticated systems have become the component most frustrating to master and most difficult to maintain within an organization.
Unfortunately, tools are becoming more complicated, require more advanced training and hunting has become more an art than a science. From my view the industry needs to embrace finding stability in their current tools, people and processes and finding how to extract current value vs. trying to buy the next best product.
While Gartner states that most of their clients with effective SOCs put the premium on people rather than technology or process, it’s been my experience that the right technology is also equally important for the organization as its team members. I have seen highly skilled security operations team members leave a particular company because of the lack of executive buy-in and budget for the right tools and the right process adoption or open-mindedness. If an organization is only going to invest heavily in its team, they better be be prepared for turn over. Smart teams know when they are being setup to fail and will look elsewhere for the right culture and leadership as no one wants to be throw into the deep end of the pool with their hands tied behind their back.
Today’s Security Operations Center is changing and the need for automation is becoming mission critical. Markets and Markets reports that the “Security Orchestration Market will be worth a 1.6B by 2021”, and we’re only just getting started.
As those organizations grow or mature their security capabilities, the need for a properly configured SOC becomes more and more evident. The diverse set of operational security functions, processes and departments justify the need to benefit from a centralized and coordinated operations center, thus providing justification for a SOC to exist in the first place.
Security operations teams or centers can vary a lot from one organization to the other, especially in terms of size, structure, process and even team responsibilities. Some of the processes often under the next generation SOC responsibilities range from:
-
Cyber Incident Management
-
Vulnerability Management
-
Threat Intelligence & Hunting
-
Network Monitoring and Detection
-
Governance & Compliance Management
-
Physical Security & Physical Threat Management
Apart from the definition of roles, responsibilities, budget and need, organizations face other challenges when planning to establish a properly established SOC. Putting a next generation SOC can be a big project with little market awareness, documentation or knowledge that can make it exceptionally difficult to do. Organizations often debate around the selection of fully outsourcing these activities or if its possible to do a better job in house while costing less.
Building a next generation SOC can take months, if not years to plan, execute and deploy the necessary team, tools, processes. Companies interested in such an endeavor need to be prepared to think outside of the box and not stick to the traditional “let’s throw bodies at the problem” or only suffer costly lessons that might be a difficult conversation with the Board or the CFO after ending with a sum zero.
I look forward to sharing my view of how the next generation soc will change the way we protect the world we live in today and those following our blog.