SOC

How security operations can thrive in the ‘anywhere era’

Today’s columnist, Amos Stern of Siemplify, argues that the industry needs more agile, flexible SOCs today, like the one at the IBM Security Command Center in Cambridge, Mass. (Credit: IBM)

Recently a business publication asked me to share my perspective for its new weekly column profiling New York-based Israeli start-ups. The reporter’s questions forced me to think long and hard about what it’s like running a cybersecurity company in the Big Apple after planting its roots in Tel Aviv, especially in light of the ongoing pandemic. The exercise was interesting in and of itself, but it also prompted me to reflect much more broadly on the past 20 months and on how infosec as a whole has been reshaped.

From my perch in the CEO’s office of a thriving cybersecurity start-up, I see rapid transformation in our industry. Widespread migration to the cloud and the shift to remote work during the health crisis mean that there are no longer distinct perimeters encircling corporate networks. Coupled with the adoption of IoT and the “bring your own device” trend, this leaves security teams with an almost impossibly large attack surface to protect. At the same time, thanks to stringent compliance requirements and evolving corporate attitudes toward risk, organizations now expect holistic visibility and continuous threat monitoring, detection, and response.

All this has created a situation where the average enterprise security operations center (SOC) has a wide assortment of good security tools at its disposal, yet alerts have become incessant. Security analysts are bombarded with unorganized, out-of-context and unactionable data that is difficult to triage, prioritize, and act on. This also raises the risk of larger problems, such as burnout among security professionals, at a time when the industry already faces a dearth of skilled workers.

In total, the situation has become untenable. The traditional SOC and the approaches of the past no longer meet the needs of the average business.

The SOC must evolve and address the unique challenges of today’s reality. It will require new technologies, processes, and ways of thinking. With remote and hybrid work now the norm, security operations must itself embrace decentralization, location-independence, and people-centricity. We need more agile SOCs that are flexible and sustainable. It’s time for an “anywhere operations” approach to cybersecurity. By this, I mean that a SOC must have the following capabilities:

  • Operate at scale, no matter where the security team may reside, at any time and in any capacity.
  • Automate workflows and accelerate processes, while freeing people to do more strategic work.
  • Hire talent where people live rather than where the office is based.

Whether they are modernizing their own internal security operations, or selecting a managed security service provider as a partner, organizations must do the following:

  • Embrace cloud-native security operations. The shift to the cloud has swept across every area of business, including SecOps. With the networks, applications and other assets that the SOC protects increasingly built on cloud-native foundations, it makes sense that the tools and platforms security teams use are constructed on the same architecture. This grants the SOC the benefits of cloud native: rapid innovation, scalability, and business resiliency, all of which help improve threat detection, investigation and response. In addition, cloud-native SOCs are built to flourish in a remote-centric world, because tooling engineered for the cloud does not depend on physical servers in a particular office or data center.
  • Foster collaboration. SOCs are no longer self-contained. Organizations are increasingly leveraging MSSPs and MDR providers for agility, scale and cost-savings and to help fill competency gaps. At the same time, security operations professionals are increasingly working remotely rather than in a centralized office. Taken together, the need for real-time collaboration with both distributed colleagues and external partners has never been greater.
  • Automate. The modern SOC must embrace automation. Automation helps reduce human intervention in time-consuming and tedious tasks, and addresses the talent shortage prominent in cybersecurity. Increasing the use of automation also helps speed response times and reduces risk by creating repeatable detection and response processes, freeing up analysts and engineers to work on more strategic – and more inspiring – tasks.
  • Transform the culture. The modern SOC must transform its culture in two main ways. For starters, security teams are too often viewed as a risk-averse group who say “no” to requests for new tools, applications and cloud services. This must change. Rebuffing requests only results in employees seeking workarounds and introducing shadow IT, which increases risk and weakens security. Second, SOCs must develop greater racial, gender and cultural diversity within their teams. Heterogeneous teams make an organization’s security posture stronger by bringing unique perspectives, different ways of analyzing problems and novel solutions.

The cybersecurity and business landscapes have changed dramatically since the days when SOCs first emerged. Today, organizations are multi-cloud, hybrid, and without perimeters. Threats are more prolific and professionalized. The attack surface has expanded, and organizations, including their security teams, are more remote and dispersed.

We have reached a defining period for SecOps, and business-as-usual won’t suffice. SOCs must transform to meet today’s new realities. By embracing the elements of “anywhere security operations,” which include increased use of cloud-native, collaboration, and automation technologies, as well as a greater focus on transforming culture, SOCs can succeed in this new paradigm.

Amos Stern, co-founder and CEO, Siemplify