Going Beyond the SOC

By: Sam Jones

According to the FBI, the number of cyberattacks reported to its Cyber Division is up 400 percent compared to pre-pandemic levels, and attacks are getting worse. From financial sites to healthcare sites to government sites to supply chain industries, no one is safe from these attacks. The traditional defense against these threats is the Security Operations Center (SOC)—a room full of analysts watching for security alerts on TV screens—but this defense isn’t working very well. For proof, just ask the cybersecurity teams at Continental Pipeline, Target, TransUnion, or any of hundreds of other companies that have experienced significant attacks.

How a SOC works (and doesn’t)

The operating theory behind a SOC is that if you collect enough data across the enterprise through various IT and security tools, then use analysis platforms to rank and visualize the alerts from different tools, then finally deploy a tiered analyst team to manage and respond to the alerts, then surely, most or all cyberattacks will be spotted quickly and handled before they cause real damage. Real-world experience tells us otherwise.

There are several reasons why the SOC model is broken. In the first place, all those security tools issue lots of alerts—thousands of them, many of which are benign. For example, a user who’s typically in the office logging in from a remote location could trigger an alert, or a user logging in outside of business hours could trigger an alert. Security analysts must deal with hundreds or thousands of these “false positive” alerts each day.

Figure 1: A SOC in action

Another reason why SOCs fail is that each of the discrete cybersecurity tools in use has its own data format and often, its own console, and ultimately only depicts a single aspect of the organization’s security posture. In today’s world, many complex cyberattacks occur through two or more vectors. It’s not just somebody banging against a firewall; it could be a phishing attack through email, or a virus downloaded during a routine program update (as with the SolarWinds attack). The problem is that in a SOC, nobody natively sees the whole picture—that picture must be manually correlated across thousands of alerts by teams of analysts. Because this process is manual, it does not allow for robust automation, nor does it allow every alert to get attention.

So, there are too many alerts, too many tools, and not enough automatic data correlation among tools. But there’s also another problem: not enough analysts. A global study of cybersecurity professionals by Information Systems Security Association (ISSA) and industry analyst firm Enterprise Strategy Group (ESG) reports that under-investment in cybersecurity tools, combined with the challenge of additional workloads for analysts, is causing a skills shortage that's leading to unfilled jobs and high burnout among information security staff. And that also drives analyst costs up: a top-tier cybersecurity analyst can earn $200,000 per year.

Of course, all of this is happening in a world where cyberattacks are growing more sophisticated and numerous by the month.

SOCless—another way

But what if companies abandoned the SOC idea? What if they distributed their cyber-defenses geographically and to a team of infrastructure experts? What if a platform automated away the mundane work of responding to low-priority alerts and the complex work of correlating across all IT and security tools? What if analysts spent their time proactively looking for threats and implementing best practice policies? What if alert fatigue didn’t exist? Is this possible?

It is. We can look to software development teams for an example of how it might work. In DevOps, a modern approach to software development, the best software companies in the world don’t line up their developers in rows in one room. They have systems that allow asynchronous collaborations from distributed people around the world. But there’s a lot more to it than just where people sit.


Latest Updates

Subscribe to our YouTube Channel