The 3 Pillars of the Modern-Day SOC

The world is changing. The way we do business, the way we communicate and the way we secure the enterprise are all vastly different today than they were 20 years ago. The reality is that we have to automate in the enterprise if we are to remain relevant in an increasingly competitive digital world.

Automation and security are a natural pairing, and when we think about the broader cybersecurity skills gap, we really should be thinking about how to automate simple, repetitive tasks so that teams and security practitioners are free to be more innovative, focused and strategic.

That’s why modern enterprises must be all-in on bringing together the tech and security innovations of today, and using those tools and techniques to completely redefine how we do security operations. This starts with creating a new model for how a security operations center (SOC) should be structured and how it should function.

So how exactly should you approach building a modern-day SOC, and what does it look like in terms of techniques, talent and tooling? There are three pillars that establish a solid foundation.

Adopt a More Rigorous Mindset

One way to do this is to build your modern SOC on the backbone of a military technique called the OODA loop, coined by John Boyd, a U.S. Air Force fighter pilot and Pentagon consultant of the late 20th century.

Boyd created the OODA loop to drive a change in military doctrine centered on an air-to-air combat model. OODA stands for Observe, Orient, Decide and Act, and Boyd’s thinking was that if you followed this model and ensured that your OODA loop was faster than your adversary’s, you would win the conflict.

Applying that to today’s modern security operations, all of the decisions made by your security leadership—whether it’s around the people, process or tools you’re using—should be aimed at reducing your OODA loop to a point where, when a situation arises, you can easily follow the protocol to observe the behavior, orient yourself, make effective and efficient decisions and then act upon those decisions.

Build and Maintain an Agile Team

But it’s not enough in building a modern-day SOC to have the right processes in place. You also need the right people that are collectively and transparently working toward the same shared goal.

Historically, security has been full of naysayers. However, it’s time to shift our mindset to that of transparency and enablement, where security teams are plugged into other departments and are able to move forward with their programs as quickly and as securely as they can without creating bottlenecks.

One example of a company doing this in spades is The Pokemon Co. International. It operates with a dotted-line approach that allows the security team to share information horizontally, which empowers development, operations, finance and other cross-functional teams to also move forward in true DevSecOps spirit. This security team structure is successful because it enables each group to work in unison among their own teams and cross-departmentally.

In addition to knowing how to structure your security team, you also need to know what to look for when recruiting new talent. Here are three tips from Pokemon’s director of Information Security and Data Protection Officer John Visneski:

  • Go Against the Grain. Unfortunately there are no purple security unicorns out there. Instead of finding the “ideal” security professional, go against the grain. Find people with the attitude and aptitude to succeed, regardless of direct security experience.
  • Prioritize an Operational Mindset. Find talent pools that know how the sausage is made. QAs and test engineers are good at automation and finding gaps in seams, which is very applicable to security. Their value-add is that they are problem solvers first and security professionals second.
  • Think Transparency. The goal is to get your security team to a point where they’re sharing information at a rapid enough pace and integrating themselves with the rest of the business. This allows for core functions to help solve each other’s problems and share use cases, and it can only be successful if you create a culture that is open and transparent.

The bottom line: Don’t be afraid to think outside of the box when it comes to recruiting talent. Security skills can be learned. What delivers real value to a company are people that have a desire to be there, a thirst for knowledge and the capability to execute on the job.

Now that you have your process and your people, you need your third pillar for building a modern-day SOC: toolsets.

Build a Toolset Based on Innovation and Strong Vendor Relationships

The driving force behind Pokemon’s modern toolset is its move away from an old-school customer mentality of presenting a budget to a vendor and asking for services. They see the customer-vendor relationship as a two-way partnership with mutually invested interests and clear benefits on both sides.

Establishing a collaborative relationship with a few key vendors allows you to build the core base of your security platform while the rest of the stack remains modular in nature. This plug-and-play model is key as security and threat environments continue to evolve, because it allows for flexibility in swapping in and out new vendors or tools as they come along. As long as the foundation of the platform is strong, the rest of the stack can evolve to match the current needs of the threat landscape.

The threat landscape is only going to grow more complex, technologies more advanced and attackers more sophisticated. If you truly want to stay ahead of those trends and build a modern-day SOC, then you have to be progressive in how you think about your security stack, teams and operations. Regardless of whether you run an on-premises, hybrid or cloud environment, the industry and the business are going to leave you no choice but to adopt a modern application stack, whether or not you want to.

George Gerchow


As Sumo Logic's Chief Security Officer, George Gerchow brings over 20 years of information technology and systems management expertise to the application of IT processes and disciplines. His background includes the security, compliance, and cloud computing disciplines.
