Security Operations Center: The Changing and Evolving SOC

Security spending in 2016 was nearly 35x that of 2004, and market analysts project it to grow more than 10% year-over-year for the foreseeable future. The innovation and rapid advancement of information technology underpin this growth, and the proliferation of cyber crime is its major driver.

The evolution of the cyber security market in response to IT expansion has a number of secondary outcomes. Among them are a rapidly increasing attack surface (in number of devices, number of connections, and volume of data) that must be defended; huge leaps in both offensive and defensive technology and capability; growing complexity and interconnection among distributed, essential business processes; and a constant need to manage the threats and vulnerabilities that these advances and changes in surface area create.

Constrained by limited resources, security management has focused on maximizing the utilization of individual tools to stay ahead in the day-to-day battles of cyber security. In the trenches, it is all too easy to miss the big picture. Just as thinking in terms of individual machine utilization, rather than system throughput, constrained manufacturers before the advent of lean manufacturing, security teams have been caught in a never-ending pursuit of working down backlogs of individual sensor alerts, rather than managing IT security performance for the best result at the enterprise level.

Like a game of security “whack-a-mole,” the task gets harder as each additional security system creates more events and alerts. The irony is that systems are added to make organizations more secure, while in reality even fully resourced organizations struggle to understand the performance of any individual security system, never mind the enterprise’s overall security posture.

One of the most effective approaches that has emerged to address this in recent years is the Security Operations Center (SOC), where both organizational and technical information security resources are centrally managed.

The Security Operations Center

The SOC developed much the same way as its older sibling, the Network Operations Center (NOC). Where the NOC centralizes all manner of network information and data flow, the SOC is, at its foundation, the nerve center of all IT security functions: it is where all the security data flows, where the decisions are made and where the activity happens, very much like a tactical operations center in the military. The SOC is where the rest of the organization places its trust that cyber security risk is being managed.

Within the SOC are staff suited to perform three essential security functions: monitoring, planning and execution. The SOC collocates (often physically, sometimes virtually) highly technical and skilled employees, such as security engineers and security analysts, which promotes economies of scale and efficacy of operations. Using this structure, the SOC has evolved rapidly as organizations have experienced dramatic and enduring increases in cyber crime.

The Challenges Presented by Change

A SOC is only as good as its ability to match the pace of organizational and environmental change. Most businesses have lately undergone digital transformations that continue unabated, and every alteration to the IT landscape and business operations within an enterprise affects cyber security operations, compounding the pressure from cyber threats. This ranges from minor changes, such as new software versions, to major shifts, such as the rise of mobile computing and the cloud.

The complexity of the problems a SOC addresses mirrors that of the business environment, and transformational changes in business IT infrastructure require matching changes in security. Without a complementary shift in SOC capabilities, it is very easy for security operations to fall behind.

Then two things happen. First, the SOC becomes divorced from the business decisions that depend on IT security operations. Second, as the distance between security and business performance grows, a prevention mindset sets in: rather than managing security operations against the organizational impact of cyber threats, business and security leaders settle on a single measure of success, that no incidents happen at all.

Perfect security is a myth, and any success factor predicated on it is destined to disappoint. Just as other business processes embrace decision support and business intelligence systems to measure operational performance and drive optimization, so should SOC operations. IT security is business security.

The History of the Security Operations Center (SOC)

“The customer is always wrong!” This seems like a poor way to market cyber security solutions, yet it is prevalent in the industry. All too often, sales and marketing focus on telling their audience just how insecure they are, and that they need to adopt some new solution immediately to have any chance of fixing things. It is sales by sowing fear, uncertainty and doubt (FUD). FUD became the predominant sales tactic among security vendors because they struggle to measure the efficacy of their own solutions.

This analysis will not use FUD. Our goal in this segment is to present a view of how SOC organizations have developed over time, what common shortcomings exist, and how the new SOC will avoid them. Put concisely, our point is that the legwork that you and others have done in building SOC capabilities for your organization has all been in support of building the next generation of SOCs.

In the Beginning, there was Prevention and Response

During the lifetime of the SOC, its prevailing paradigm has largely been one of prevention and immediate response. Defenders purchased and deployed tools and platforms based on their ability to prevent incidents, and to rapidly respond when an incident was detected.

As organizations came to rely more and more on digital systems and content, the amount of “stuff” that needed protecting grew quickly. However, because IT was seen in a supporting role for business operations, as a cost center, so was cyber security. Like IT, security was to be guaranteed at minimum cost, and it clearly belonged with IT. Security vendors responded with FUD, creating solutions that would identify and prevent sometimes extremely obscure, edge-case events. Best intentions and corporate dynamics led to dozens of products, each offering part of the ‘solution’ to the security challenge. What was lost was knowledge of what contribution any individual product makes to the overall security posture of an organization, when each product type creates a steady stream of data that is incompatible with the streams from every other product.

This leads to a common problem SOC leaders face: wasting extraordinary amounts of time generating reports that nobody in business leadership can, or wants to, read.

Telling the Story of IT Security

Volumes have been written about how to explain the value and benefits of IT to non-technical business leaders (we have even written one of those volumes ourselves). IT security is every bit as complex as IT, and additionally suffers from having its value defined by the absence of cyber incidents. Proving a negative (the absence of something) is a notoriously tricky problem. Ideally it would be solved with monetary loss probabilities, but those are generally not attainable from the data available to security teams. Technical explanations are met with quizzical looks, and over-simplifications fail to convey a believable message. So what is a CISO to do when the CEO walks into the SOC and asks, “How are we doing?”

To be successful in their roles, SOC leaders must be able to instill an understanding of what they do and how it impacts the business. Since arriving at monetary loss probabilities involves time-consuming analysis, those probabilities do not lend themselves to day-to-day calculation of operational metrics for cyber security. Luckily, there are three categories of metrics that are obtainable from data a SOC already holds and, with a little coaching, are quite understandable by both technical and non-technical executives: key performance indicators (KPIs), key risk indicators (KRIs) and key control indicators (KCIs).
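As an added example (not from the original article), here is how a SOC might compute one indicator of each kind from records it already has: incident timestamps and asset log-forwarding status. The specific definitions (time to detect and time to contain as KPIs, high-severity incidents open past an SLA as a KRI, SIEM log coverage as a KCI) and the sample records are assumptions constructed for illustration, not metrics the article defines.

```python
"""Compute one KPI, KRI and KCI from data a SOC already holds.

Added example, not from the original article. The indicator definitions
below are assumptions chosen for illustration; the sample records are
constructed, not real data.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional


@dataclass
class Incident:
    ident: str
    severity: str                  # "low" | "medium" | "high" | "critical"
    first_event: datetime          # earliest malicious activity (from forensics)
    detected: datetime             # when a sensor or analyst raised it
    contained: Optional[datetime]  # None while the incident is still open


@dataclass
class Asset:
    hostname: str
    in_scope: bool          # covered by the logging policy
    forwarding_logs: bool   # actually seen by the SIEM in the reporting window


def _hours(delta: timedelta) -> float:
    return delta.total_seconds() / 3600.0


def kpi_mean_time_to_detect_hours(incidents: List[Incident]) -> float:
    """KPI (assumed definition): mean hours from first event to detection."""
    if not incidents:
        return 0.0
    return sum(_hours(i.detected - i.first_event) for i in incidents) / len(incidents)


def kpi_mean_time_to_contain_hours(incidents: List[Incident]) -> float:
    """KPI (assumed definition): mean hours from detection to containment,
    over closed incidents only, so open ones do not drag the number down."""
    closed = [i for i in incidents if i.contained is not None]
    if not closed:
        return 0.0
    return sum(_hours(i.contained - i.detected) for i in closed) / len(closed)


def kri_high_severity_open_past_sla(incidents: List[Incident], now: datetime,
                                    sla_hours: float = 24.0) -> int:
    """KRI (assumed definition): high/critical incidents still open and
    older than the containment SLA. Exposure, not effort."""
    return sum(
        1 for i in incidents
        if i.severity in ("high", "critical")
        and i.contained is None
        and _hours(now - i.detected) > sla_hours
    )


def kci_log_coverage_pct(assets: List[Asset]) -> float:
    """KCI (assumed definition): percentage of in-scope assets the SIEM
    actually received logs from. Measures whether the control is in place."""
    scope = [a for a in assets if a.in_scope]
    if not scope:
        return 0.0
    return 100.0 * sum(1 for a in scope if a.forwarding_logs) / len(scope)


def soc_scorecard(incidents: List[Incident], assets: List[Asset], now: datetime) -> dict:
    """One number per category, rounded for an executive-facing report."""
    return {
        "kpi_mttd_hours": round(kpi_mean_time_to_detect_hours(incidents), 2),
        "kpi_mttc_hours": round(kpi_mean_time_to_contain_hours(incidents), 2),
        "kri_high_sev_open_past_sla": kri_high_severity_open_past_sla(incidents, now),
        "kci_log_coverage_pct": round(kci_log_coverage_pct(assets), 1),
    }


# Constructed sample data (hypothetical hostnames and incident IDs).
T0 = datetime(2024, 3, 1, 0, 0)
NOW = T0 + timedelta(hours=60)
SAMPLE_INCIDENTS = [
    Incident("INC-1", "critical", T0, T0 + timedelta(hours=2), T0 + timedelta(hours=6)),
    Incident("INC-2", "medium", T0 + timedelta(hours=10), T0 + timedelta(hours=12), T0 + timedelta(hours=14)),
    Incident("INC-3", "high", T0 + timedelta(hours=20), T0 + timedelta(hours=26), None),   # open 34h
    Incident("INC-4", "high", T0 + timedelta(hours=50), T0 + timedelta(hours=52), None),   # open 8h
]
SAMPLE_ASSETS = [
    Asset("web-01", True, True),
    Asset("web-02", True, True),
    Asset("db-01", True, True),
    Asset("legacy-hr", True, False),    # in scope but silent: a control gap
    Asset("lab-box", False, False),     # out of scope, ignored by the KCI
]

if __name__ == "__main__":
    print(soc_scorecard(SAMPLE_INCIDENTS, SAMPLE_ASSETS, NOW))
```

The three numbers answer different questions: the KPIs say how well the team performs, the KRI says how much unresolved exposure exists right now, and the KCI says whether a control the business is paying for is actually operating. Reporting only one of them invites the wrong conclusion.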

Where is the Security Operations Center going next?

The SOC is about to get a lot more intelligent. Business intelligence has changed the game for other executives, and it is now poised to be transformative for strategic cyber security leadership.

The evolution of the cyber security industry has arrived at the same place many IT technologies reached only recently: platform disruption. Traditional business models and technologies rely on information sharing via a complex lattice of point-to-point interconnections. Platforms, on the other hand, provide a common communication and application interface backbone that obviates the need for process-to-process or technology-to-technology interconnects.

Several recent developments indicate that the cyber security industry is on the cusp of such disruption:

  • The emergence of Security Operations, Analytics and Reporting (SOAR) applications, essentially business intelligence platforms for security operations (the SOAR acronym has since been repurposed in the industry to mean Security Orchestration, Automation and Response)
  • The aggregation of capabilities in security technologies such as next-generation firewalls
  • M&A activity in cyber security creating virtual platforms with combined capabilities

Change is always challenging; however, this is also an era of excitement, growth and opportunity in security operations. The next frontier for security operations is here. Are you ahead of the curve?