A few days ago we did a very well-attended webinar focused on the modern Security Operations Center (SOC) approach (see “Trend for the Modern SOC” for a replay link). We got a lot of great questions, and just like in the good old times, I am writing a blog where I cover some of the answers.
Q: You mentioned that SOC is first a team: which skills are expected to distinguish the “basic” SOC from the modern SOC?
A: From our presentation, it’s relatively clear that such skills include threat hunting, threat intelligence, data analytics, and others. These are less common at traditional SOCs, but they power the enabling capabilities of the modern SOC that we discussed. Also see this paper.
Q: Can we achieve a fully automated AI/ML based — OODA? Fully automated onboard log sources, threat detection rule creation, playbook creation, response, automated integration, and execute.
A: Today and in the near future, I do not believe that complete automation of most SOC processes is possible — see link. Frankly, the most troublesome part is at the end of the chain where automated response and other actions happen. There are also other situations that require human decision-making to deal with a high degree of uncertainty. Finally, even onboarding for many tricky telemetry sources requires humans to iterate and tweak the configurations sometimes.
Today automation is more widespread in areas like detection (creating alerts) and triage (enriching and confirming alerts), but a lot less widespread in remediation and data onboarding. I do not expect any massive change here soon, but as organizations adopt more public cloud, automation will grow in these areas too. So, ask me again in, say, 5 years, but really more like 10.
Q: What is the difference between SIEM and SOC?
A: This distinction should be abundantly clear from the presentation: SIEM is a particular security tool, while SOC is the name of a team together with the associated processes and tools they use (including, for many SOCs, a SIEM).
That is why I am always a bit skeptical when I hear SOC-as-a-service, and I prefer the term MDR instead.
Q: If we can’t get top tier attackers out of our network — how does a company handle that risk?
A: It is hard to give prescriptive advice here, as this is a tough challenge and it falls into the heavy “it depends” territory. Most organizations that encounter this will need to call for help and invite a third-party incident response team to help them investigate and ultimately get the attackers out.
As sad as it may sound, it is entirely possible that you will encounter an attacker who is just better than your own team (even if your team is good). In this case you will also need to ask for help, and there is no way around it, cost notwithstanding.
Q: Am I correct in understanding that we are hearing advocacy of taking a risk-based approach to design and management of a modern SOC? I think that is what I am hearing here. Correct?
A: It’s not entirely clear what “risk-based” means here in your question. Most currently functioning SOCs are not exactly built based on a fixed checklist from a compliance regulation. In that sense, most SOCs I encountered are at least somewhat risk-based.
Q: Can you touch on dispersed SOC staff especially in a COVID environment. Is it practical to spread your staff remotely across the USA? Outside USA?
A: The follow-the-sun model for a SOC is very well known, and many global organizations practice exactly that, even if they do so with distributed teams, not people. However, it is also very clear that during the current pandemic many detection teams and formal SOCs operated in a distributed manner. I feel that the jury is still out regarding whether they were more or less productive, but for sure it was not a failure, hence the model may work.
Q: What makes a good SOC?
A: Frankly, I do not think I have a short answer to this question (long answer, another). I think a bad SOC is one that over-indexes on technology and has excessively rigid processes, while a good SOC is one that really focuses on people first, and then on process/workflow.
Q: Regarding SOC tools, what do you think about AI tools used in SOC?
A: This is of course a fascinating question that I spent a good number of years trying to answer, starting from the time I was an analyst. I think over time I’ve reached the position that the only way is to be skeptical about AI for security in the short term, but ultimately optimistic in the long term.
Naturally, we have a lot of vendors with madly (sorry, no links here …) overblown claims about how their ML/AI tools help security analysts. However, just as AI evolves to help other areas of human endeavor, cyber security is not an exception.
Today, the most likely machine learning-based tool that you will encounter in a SOC is some form of anomaly detection, such as a UEBA tool or an NDR. Of course, these tools work and they produce alerts that are often useful (just as regular rule-based alerts are). However, it’s very clear to me that there’s no magic of “cyber AI” in today’s SOCs.
Q: What skill sets do you look for in threat hunter personnel?
A: This is a madly difficult question to answer, and I did try to answer it in my analyst days. Given that great hunting is ultimately an art, but that said artist also needs to be a top-tier technologist, defining a skill set is very difficult. For sure, threat knowledge, deep IT technical knowledge and creative thinking are all must-haves here.
Q: How can a small company/start up weigh out talent vs tools and cost?
A: This is yet another question that I tackled back in my analyst days. It became very clear to us early on that smaller organizations will use more third-party services, what some would call outsourcing. Some won’t have a SOC at all and will utilize an MSSP or an MDR provider. Others will use a hybrid model.
Naturally, this comes with its own pitfalls and benefits. The one key pitfall is that one can’t assume that you can pay somebody money and they will take security off your hands…
Q: What about SOCs as a Service and Internal SOCs? Would your recommendations apply for both?
A: If by SOC-as-a-service you mean using an MSSP or an MDR provider, then some of the recommendations from the webinar do apply as well. An MSSP provider may follow a more traditional SOC approach, or they may use the modern SOC elements discussed here. Many MDR providers I encountered practice a modern SOC approach.
Q: What is the difference between Security Operation Center and Security Operation Control?
A: I have never encountered an industry term “Security Operation Control.” I don’t know what that is. Google (the search, that is) does not seem to, either.
*** This is a Security Bloggers Network syndicated blog from Stories by Anton Chuvakin on Medium authored by Anton Chuvakin. Read the original post at: https://medium.com/anton-on-security/soc-trends-isac-webinar-q-a-8e500093a1d3?source=rss-11065c9e943e------2