A Modern SOC Should Not Be Entirely Dependent On Human Operators and Their Personal Experience

The modern approach to Security Operations Center (SOC) development represents a fundamental challenge: the intersection between human operation and technology. Do humans enhance technology, or is human input holding SOCs back from using modern technology to its full potential? Can today’s technology even deliver on vendor promises in a typical SOC environment?

A modern SOC should not be entirely dependent on human operators and their personal experience. That dependence has been a foundational problem with the methodologies SOCs have used for the past 15 to 20 years, and it is worth asking whether the technology itself actually compounds the problem.

Many large enterprise organizations fully dedicate less than one resource to running a modern SOC. What you end up with are multi-billion dollar organizations whose successes or failures are determined quite literally by the personal experience of one individual, and by that individual's application of that experience to the tremendous amounts of data and correlative analysis provided by those systems.

This approach has yet to prove effective — nor could it have ever been even theoretically effective, given the modern threatscape and attack techniques.

The Inherently Flawed SIEM SOC Approach

MixMode’s white paper, “The Next Generation SOC Tool Stack: The Convergence of SIEM, NDR, and NTA,” dives into some of the primary issues at play when it comes to the human-technology divide impacting SOC effectiveness against network security threats. The way organizations approach SIEM is a prominent example.

It should come as no surprise that recent research backs up the idea that organizations have conflicted feelings about their SIEM investments. For example, the AlienVault 2019 SIEM Survey Report revealed that 76 percent of surveyed organizations said SIEM tools had resulted in a reduction of security breaches. An equal number ranked SIEM as “very” to “extremely” important to their organization’s overall security posture.

Still, a full 40 percent cited a lack of skilled security staff to actually operate SIEM platforms, identifying this disparity as a “bottleneck for optimizing platform usage.” Another 34 percent cited the need to manually create and refine rules as a significant issue.

The sad truth is that many organizations discover, too late, that the cost to maintain SIEM extends well beyond the initial investment, and that it includes infrastructure and the cost to hire and train highly skilled personnel.

Once those personnel are brought on board, organizations have to figure out how to keep them engaged in the long run, which is no easy task when the fundamental duties include deploying, tuning, and optimizing SIEM functions, day in and day out.

Security threats change and evolve over time, so the value of predefined rules, alerts, and dashboards diminishes the instant they are deployed. SecOps personnel must constantly intervene to manually update the SIEM in order to stay ahead of current and predicted future risks.

Then there are the false positives.

Not only do the operational teams required to support and maintain the systems continue to grow, so does the volume of false positives, creating an endless cycle of more data, more people, more false positives, more tuning, and then starting out all over again.

Modern SOC teams can spend 25 percent of their workdays on threat hunting, and in particular, on swatting down false positives triggered by SIEM platforms. The true opportunity cost of all that wasted time would be impossible to calculate, but these teams are undoubtedly missing true security threats.

Leaving Legacy Behind

Organizations no longer have the luxury to wait and see how security vendors will improve on the SIEM, SOAR, and other products they’ve already invested in. Effective cybersecurity solutions, like MixMode’s third-wave, self-supervised AI, are created outside the limitations of the legacy architectures – and legacy human operations – that are making SOCs inefficient and ineffective today. The industry must be able to identify and address true positives as they happen, cost-effectively and resource-effectively, if it is to have a truly modern SOC and an effective security posture. Schedule a demo of MixMode today.

*** This is a Security Bloggers Network syndicated blog from MixMode authored by Geoffrey Coulehan, Head of Sales. Read the original post at: