SOAR and “Curve-jumping” in Security Operations

Let's think about this together: can you really jump to the "next curve" in security, or do you have to travel the entire journey from the old ways to the cutting edge?

This is a harder question than it appears, and there are temptations on both sides of the argument. There are also false answers on both sides, tempting though they may be (for example, the "always buy stuff with 'next-gen' in the name and you'll be at the cutting edge!" pitfall).

For example, should you try to maximize the value you can get from your traditional anti-virus, or jump to some NG thing? Should you try to build a SOC circa 2002 and then evolve it to the modern SOC stage? Or should you try your hand at elite practices like threat hunting when you have barely got around to configuring your SIEM in a useful manner?

The main risk of incremental steps, traveling the same journey that the top-tier organizations have already traveled, is that in 10 years you'd still be 10 years behind…

The risks of curve-jumping are many: you can jump and miss (wasting resources and time), you can jump to the wrong curve, or you may simply have no idea where the next curve is and where to jump. After all, CRAWL-WALK-RUN is there for a reason, and there is no CRAWL-JUMP-JUMP… is there?

(Image credit: https://flic.kr/p/dNMK3m)

Intuitively, it feels like jumping to NG tools (however defined) is possible (leaving aside, for now, whether it's desirable). But what about jumping to NG processes like, say, agile and DevOps (or DevSecOps, if you know what this is), or even hunting and threat intelligence fusion? Does jumping to the next curve in security processes and practices really require that your current processes be very mature, or not? In fact, can excessive current-gen process maturity make you excessively rigid, and thus less likely to jump to the next curve and to some next-gen process?

As it relates to SOAR and SOC/CIRT automation, this reduces the discussion to the following: should you implement manual processes first, refine them, refine them more, and only then progress to (partial) automation via a SOAR tool? Or should you "curve-jump" to some next-gen SOAR-centric security processes, perhaps using SOAR magic?

Finally, please don't hold it against me, but if I am given no additional context and no sufficient information, I usually lean towards incremental change and not jumping. In essence, I prefer to suffer the risks of not jumping [which are very real!] over the risks of jumping and missing (or jumping to the wrong curve) [which are just as real]…

[Discussion topic idea credit goes to Ben].

Blog posts related to this topic: