Future SOC

Are you waiting for something bad, or going somewhere good? A CEO asked me that once. It is one of those deep questions that more information security people need to ask themselves.

In the world of cybersecurity, the conventional thinking for a Security Operations Center (SOC) is to plant people at consoles and have them passively monitor alerts. When an alert is serious enough, they react to stop the attack. Whether this is done internally or through a managed security provider, the end result is the same: a passive approach to security.

Passive security is not effective. Every breach over the past 10 years is proof of this, including the latest breach from Wendy’s. All of the breached companies from the past five years had a SOCs and/or managed security providers. They still missed the attack.

People passively monitoring alerts is not an effective SOC strategy. We need a Future SOC.

SOC Drop

We can trace the SOC failure to four primary reasons:

• It is reactive
  Once the alert has gone off, it is too late to stop it. Alerts are the hacker’s way of saying goodbye.
• It incentivizes inaction
  When people are in a passive role, a serious incident means additional work and intense scrutiny. This creates an incentive to dismiss alerts.
• It assumes you know everything
  Passive security assumes your data provides a complete picture of the environment. Even under ideal conditions, there are ample blind spots in the data.
• The 4:00 AM Fallacy
  Waiting for an alert or a call from a managed security provider hinges your cybersecurity decision-making on panic. It is unrealistic to think an analyst, sitting at a console in the middle of the night, can react with the speed and decisiveness necessary to protect the business. People generally make short-sighted decisions in moments of panic.

If the security of your business depends on a people passively watching data, you can almost count on a breach. We need a new approach.

The Game is On

To overcome these weaknesses, we must transform IT security teams from passive victims, to active hunters. The SOC of the future will look much different:

• Extensive automation
  Only technology can react at the speed of attack. The future SOC will automate security wherever possible. Security Analytics technologies are now capable of detecting, tracking, categorizing, blocking, and eradicating malicious code with no human intervention necessary.
• Extreme agility
  The SOC of the future must adapt quickly to new threats and techniques. SOC teams will require more authority and autonomy to enact change throughout the organization, without resorting to inefficient approval hierarchies.
• Hunting
  Rather than waiting for an alerts, analysts are actively and aggressively searching attackers and malware. They are conducting routine data hunts, chasing leads, and eradicating potential exploit vectors.
• It is a game
  People are incentivized to optimize the environment, accelerate processes, automate detections, and annihilate attackers. When they do, they are rewarded, like a video game.

How do you build this next-generation SOC?

1. Ditch the console mentality
   You must get in the game, to win.  That means owning the responsibility of security, completely. It also means your managed security partners must be inside your environment, rather than you being inside theirs. Sending events to some far-off data center is fine for storage and reporting, but it is not going to protect your business.
2. Train your people
   Teach them how to hunt for IoCs and build reporting and analytic tools that support collaboration. Your hunters must be ninjas, able to move through the environment swiftly, quietly, and with great nose for trouble.
3. Automate, automate, automate
   It is more important to make your controls work together, than to pick the best controls.  There are orchestration tools which can coordinate responses across disparate platforms.  Seek out Security Analytics platforms that unite NGFW, endpoint, SIEM, sandboxing, and more into a cohesive ecosystem. Phantom, the Sandbox winner from RSA 2016 is a good example of these innovative orchestration platforms. Fortinet, Cisco, and ForcePoint are also leaders in this space as well.
4. Leadership Level-Up
   If your organization cannot mature, change, and get better, then no amount of new technologies or trained staff will make a difference.  You must become comfortable with the uncomfortable. This means security leadership that can persuade, coach, and inspire people.

Cybersecurity is not a passive effort.  We cannot wait for an attack.  We must go on offense and seek out the attackers before the breach.

What are you waiting for?