Source/Credits/Written By: Ela Gezerli Ozdemir
What does a modern SOC look like and what will a future SOC look like?
First, let me explain what a SOC (security operations centre) is.
A SOC is a place where security analysts and SIEM engineers monitor and analyze the email, computer network and Internet of Things (IoT) traffic of organizations and government entities 24/7. A security team operating within a SOC uses a combination of security applications and tools for monitoring, analysis, reporting and communication. While performing these tasks, they also follow a set of documented procedures and policies. Upon detecting and analyzing a security incident, the SOC team works closely with the incident response team to ensure security concerns are addressed and resolved.
Most current Security Operations Centers (SOCs) are designed to provide monitoring and analysis of security events and alerts for multiple clients, which makes them multi-tenanted. Modern SOCs employ highly skilled security analysts, SIEM engineers, threat intelligence specialists, security services advisers and a sales team. Security analysts collaborate around the clock with the Computer Security Incident Response Team (CSIRT) to action and resolve cyber security incidents in a timely manner. Using various communication tools, team members and the SOC manager communicate frequently to eliminate potential miscommunication and to ensure that all required steps are taken appropriately throughout the process. SOC teams, Security Services Advisors (SSAs), customers and stakeholders also communicate regularly to provide updates on security postures and policies, as well as on other developments, changes and requirements where necessary.
WHAT DOES A FUTURE SOC LOOK LIKE?
The future SOC is envisioned to take shape around current cyber security trends, needs and ever-evolving technology. Changes to the available data structures, to security incident and event management tools and products, the integration of artificial intelligence and automation, the ubiquity of the Internet of Things (IoT), the evolution of cyber security threats and so on will likely determine the future of SOC design on an ongoing basis.
In light of these ever-changing conditions, the future SOC would look like the following:
1. There will be a need for more integration of security practices into DevOps to create a “Security as Code” approach between engineers and security teams in a SOC. DevOps is a combination of software development and IT operations; it enables enterprises and government entities to leverage the testing and vulnerability management services of a DevSecOps function within a SOC while maintaining their own dedicated security teams. The SecOps team will collaborate with the DevSecOps team by providing tools and training to ensure solid monitoring and analysis.
2. The integration of automation and artificial intelligence techniques will help accelerate the time between detection and remediation of a security breach. However, automated remediation (AR) should be implemented almost perfectly; otherwise it may pose a risk when applying complex logic in a SOC environment, where there are many variables related to a security incident.
3. Cloud technology will give the SOC flexible storage and computing for the exponentially expanding data originating from disparate sources. One advantage of integrating cloud technology into the SOC is that it easily adapts to cutting-edge technologies. The downside of incorporating cloud technology into security operations would be losing the ability to switch quickly between technology providers. Most providers require a 3-year contract today; however, in parallel with these changes, providers would be expected to adjust their contract conditions to offer more flexible options.
4. SOCs will take on increased responsibilities, such as more risk assessments, threat intelligence, fraud investigations, forensic analysis, security policy and procedure development, and security training.
5. SIEMs will become more sophisticated, with more powerful security tools, apps and many other useful methodologies. This would help prevent or minimize false positives, which would in return save analysts' time so that they could focus on true positives and give more feedback for improvement in every aspect of the SOC.
6. Tools and defenses could be developed to protect against zero-day threats and vulnerabilities, which would help the SOC be better prepared.
While all these anticipated changes would have a positive impact on the future of cyber security, the talent shortage in the cyber security sector would need closer attention. Unlike other career pathways, the recruitment process in cyber security is quite different, as it involves handling sensitive information and requires a security clearance. A recruitment process prolonged by the clearance process can be daunting and deter candidates. To this end, in planning the future SOC, it is also important to look for ways to make the recruitment process shorter and more efficient for people seeking a career in cyber security or currently studying it. No matter how successfully automated remediation and artificial intelligence are integrated into SOCs in the future, there will still be a need for people to manage and use these integrated AI solutions. Having enough talented people in a SOC would also mean more collaboration, good service quality and less cyber fatigue, which can otherwise lead to serious security risks.
In summary, cyber security will continue to evolve. Things can change overnight, so when planning the design of a future SOC, we need to consider all current and possible future changes in order to stay one step ahead of cyber criminals. Therefore, as security professionals we have to closely follow adversaries’ tactics and techniques, cyber security publications, and the reports of enterprises and technology companies, along with the evolution and trends of security threats. This means we will never have a perfect, stable SOC for a long period of time.