Let me begin by stating the obvious: the cyberattack surface is growing fast and in every direction at once. Essentially, it's a bigger shark and we've got the same small boat.
The environments, platforms, services, regions and time zones that make up modern enterprise operations, and that drive digital transformation for the business, demand ever more specialized expertise than most organizations have in-house. Through a security lens, enterprise attack surfaces are expanding faster than the business's ability to protect them.
Meanwhile, hiring and retaining security experts remains a weak spot worldwide, and direct access to specialized security knowledge and experience is becoming harder and more expensive to obtain. At the same time, the volume, duration, pace and sophistication of attacks keep increasing, which demands a significant acceleration in SOC response times and resilience, and ultimately autonomous response systems.
Saying we’re in a conundrum is vastly understating things
The security industry is at the gate of a forced SOC evolution, and pressure is coming from all directions to drive that change. As the cliché goes, the more things change, the more they stay the same. Plenty has happened that was dressed up as evolution. For the last decade, the security industry that powers SOCs has fixated on automation as the key to relieving some of that pressure. But have things really changed?
SOAR was a brief shining light that has come and mostly gone, having been absorbed back into SIEM, as the legacy SIEM vendors acquired dedicated SOAR vendors to make up for their shortcomings in human workflow automation. This didn’t solve much, as analysts were more or less left in the lurch. They faced the same automation integration challenges, only now they’re locked into a single vendor (where previously an “independent” SOAR offered the prospect of multivendor connectors and flexibility to operate independently of SIEM lock-in).
And that's not the end of our automation woes. Automation, on its best day, is still too playbook-oriented. To get anything done, experts must, essentially, write a script for each new system, connector and application in the enterprise. If we had set out to turn analysts into librarians, that is one area in which our industry could claim it actually succeeded!
But in all seriousness, we're caught in a linear script-development cycle, where every new integration costs roughly the same analyst effort as the last one, and automation hasn't yielded the reduction in analyst workloads that we so desperately need.
So how do we break the cycle?
Here are two major breakthroughs that will move the SOC evolution needle forward. First, we must successfully implement and use AI "smart" orchestration systems within the SOC. I'm sure many SOC analysts and CISOs are jaded from past promises, but the reality is that AI and ML approaches have matured significantly over the past year and have reached the inflection point of their "hockey stick" usefulness trajectory. I think as an industry it's time we move past our fear of turning on automated response and protection capabilities powered by this new generation of AI and ML, starting with reversible, low-blast-radius actions and keeping a human approval step for anything that isolates a host or disables an account. By embracing it, SOCs will become much more effective at detection, which will mean fewer duplicate alerts and fewer false positives (put that in the win column for reducing analyst workloads).
The second breakthrough is the ability to tap a global community of contributors via marketplace ecosystems or, to put it simply: sharing is caring. Detection-as-code, policy-as-code and the rest of the everything-as-code movement have redefined how security content is developed, displacing vendor-proprietary, product-dependent content. Platform-independent content (alerts, threat detections, playbooks and so on) is rapidly and readily available from a global array of sources, and availability will keep growing. The ability to tap a global pool of expertise is more prevalent than ever, and it feels like the gig economy is finally coming to the security world via the SOC. This would have surprised many people just a few years ago, but in the wise words of one Jim Carrey: "Desperation is a necessary ingredient to learning anything."
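What "platform-independent detection content" looks like in practice, as an added example that is not from the original article: the rule is plain data modelled on a small subset of Sigma's syntax (field modifiers, list values meaning OR, a `selection and not filter` condition), the evaluator is generic and knows nothing about the rule, and the sample process-creation events and the allow-listed parent process name are constructed for this illustration.

```python
"""Detection-as-code, reduced to its essentials (added illustration).

The rule is data (in practice loaded from a YAML file and shared between
teams or vendors); the evaluator is generic. The rule syntax is a deliberately
small subset of Sigma's: Field|contains / |startswith / |endswith modifiers,
list values meaning OR, fields within one selection meaning AND, and a
condition of named selections joined with and / or / not, evaluated left to
right without parentheses.
"""
from typing import Any

# Constructed sample rule: encoded PowerShell launched by an unexpected parent.
# The allow-listed parent process name in 'filter' is hypothetical.
RULE = {
    "title": "Encoded PowerShell command line",
    "logsource": {"product": "windows", "category": "process_creation"},
    "detection": {
        "selection": {
            "Image|endswith": ["\\powershell.exe", "\\pwsh.exe"],
            "CommandLine|contains": ["-enc ", "-encodedcommand "],
        },
        "filter": {
            "ParentImage|endswith": "\\approved-deploy-agent.exe",
        },
        "condition": "selection and not filter",
    },
    "level": "high",
}

# Constructed sample events in the shape a process-creation log would yield.
EVENTS = [
    {"EventID": 4688,
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA",
     "ParentImage": "C:\\Windows\\explorer.exe"},
    {"EventID": 4688,
     "Image": "C:\\Program Files\\PowerShell\\7\\pwsh.exe",
     "CommandLine": "pwsh.exe -EncodedCommand aQBlAHgAIAAiAHMAZQB0AHUAcAAiAA==",
     "ParentImage": "C:\\Tools\\approved-deploy-agent.exe"},  # allow-listed parent
    {"EventID": 4688,
     "Image": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "cmd.exe /c dir C:\\Users",
     "ParentImage": "C:\\Windows\\explorer.exe"},
]


def field_matches(event: dict[str, Any], key: str, expected: Any) -> bool:
    """Match one 'Field|modifier' entry; list values are OR-ed; case-insensitive."""
    field, _, modifier = key.partition("|")
    value = event.get(field)
    if value is None:
        return False
    value = str(value).lower()
    for cand in (expected if isinstance(expected, list) else [expected]):
        cand = str(cand).lower()
        if ((modifier == "" and value == cand)
                or (modifier == "contains" and cand in value)
                or (modifier == "startswith" and value.startswith(cand))
                or (modifier == "endswith" and value.endswith(cand))):
            return True
    return False


def selection_matches(event: dict[str, Any], selection: dict[str, Any]) -> bool:
    """Every field listed in a selection must match (AND)."""
    return all(field_matches(event, k, v) for k, v in selection.items())


def evaluate(rule: dict[str, Any], event: dict[str, Any]) -> bool:
    """Evaluate the rule's condition string against one event."""
    det = rule["detection"]
    result, op, negate = None, "and", False
    for tok in det["condition"].split():
        if tok in ("and", "or"):
            op = tok
        elif tok == "not":
            negate = True
        else:
            val = selection_matches(event, det[tok]) != negate  # apply a pending 'not'
            negate = False
            if result is None:
                result = val
            elif op == "and":
                result = result and val
            else:
                result = result or val
    return bool(result)


def run_rule(rule: dict[str, Any], events: list[dict[str, Any]]) -> list[int]:
    """Return the indices of the events that fire the rule."""
    return [i for i, ev in enumerate(events) if evaluate(rule, ev)]


if __name__ == "__main__":
    for i in run_rule(RULE, EVENTS):
        print(f"[{RULE['level']}] {RULE['title']}: {EVENTS[i]['CommandLine']}")
```

The point is where the logic lives: the rule fires on the first event, is suppressed on the second by the allow-listed parent, and ignores the third, and none of that depends on which SIEM is underneath. Swapping products means replacing the evaluator (or a backend that compiles the rule into the product's query language), not rewriting the detection content.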
I don’t care how, but I want it now!
Well, you can't have it…yet. But you can start. Both "smart" machine intelligence and content marketplaces directly address the pressure points I mentioned above, but the industry is still in the early stages of the SOC evolution. Right now, organizations must look at their SOC and decide how to reorganize and prioritize, so they can identify and bring in the people, tools and partners they'll need to usher in the evolution.
There are some philosophical hurdles to overcome, but I believe business needs will drive the pace of change. At one time, penetration testing was in-house only; then it extended to trusted vendors managed under restrictive agreements, and then to industry-accredited providers. Now businesses can tap broad communities of bug-bounty contractors and cloud-based automated attack simulators. We managed those industry changes successfully, and I'm pretty sure we can do the same for incident response and investigation.