Meet the Ghost of SecOps Future by Anton Chuvakin
Today’s SOC has an increasingly difficult job protecting growing and expanding organizations. The landscape is changing and the SOC needs to change with the times or risk falling behind the evolution of business, IT, and threats.
But you have choices! Your future fate is not set in stone and can be changed: some optimize what they have without drastic upheaval, while others choose to truly transform their detection and response.
Join us as we show you a vision of what the SOC will look like in the near future and how to choose the best course of action today.
Originally aired at https://cloudonair.withgoogle.com/events/2023-dec-security-talks
Video https://youtu.be/KbQbuFAPY2c?si=0llv1v_CkVtvsyms
4. Reminder: Classic SOC Defined
“A security operations center provides centralized and consolidated cybersecurity incident prevention, detection and response capabilities.” – Gartner
SOC is first a TEAM. Next a PROCESS. It uses TECHNOLOGY too.
5. 2003 or 2023? SecOps is Ripe for Transformation
“We don’t have enough skilled engineers to make everything work”
“Our processes are too manual, we are too slow to respond to and remediate threats”
“We struggle to build effective detection and have too many false positives/negatives”
“We can’t store and analyze all data, resulting in blindspots”
“It takes too long to investigate alerts”
“It’s cost prohibitive to ingest all the data we need”
6. This is What 20+ Years of Progress Look Like!
Organizations were notified of breaches by external entities in 63% of incidents (Mandiant M-Trends 2023)
10. Two Roads for SOC
Optimize your SOC. This involves making incremental improvements to your SOC, such as adding new tools and technologies, refining some processes or improving your incident response processes.
Transform your SOC. This involves completely overhauling your SOC, from its architecture and processes to its staffing and training. Typically this means moving to a more engineering-led approach such as Autonomic Security Operations.
11. In Other Words …
MAKE EXISTING THINGS BETTER! or BUILD or BUY NEW THINGS!
16. Dimensions: The Secret Wisdom
Capacity for change
Tools and customizations
Strength of SOC talent
Security budget
17. Example Decision Run
● Security budget
○ Pros: current spend unsustainable
○ Cons: minimal money to run tools
● Capacity for change
○ Pros: change is driven from the top
○ Cons: maxed out capacity for change
● Tools and customizations
○ Pros: stock tools, used in OOB ways; tools seen as failing
○ Cons: customized tools, tied to unique processes; tools mostly work
● Strength / size of SOC talent
○ Pros: team at the end of line, burned out
○ Cons: team unwilling to change or “married” to tools
18. Optimize: Key Focus Areas (Examples)
● Filter logs to reduce the load on SIEM, etc
● Speed up searches
● Enhance SIEM with EDR/XDR, etc
● Review alert triage process, review bottlenecks
● Train SOC analysts better
● Tune canned detection content
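The first optimize item above, filtering logs before they reach the SIEM, is easy to get wrong: an over-broad filter creates exactly the blind spots slide 5 complains about. The following is an added example (not code from the talk or from any Google product) of a pre-SIEM filter that drops only positively identified noise, never filters protected detection sources such as EDR, keeps anything it cannot parse, and reports the volume reduction so the tuning can be measured. All sample events, rule names and source names are constructed for the illustration.

```python
import json
from collections import Counter

# Constructed sample events (not from the talk): a mix of high-volume noise and
# security-relevant records, in the kind of JSON a shipper would forward to a SIEM.
SAMPLE_EVENTS = [
    '{"source":"lb","event":"http_request","path":"/healthz","status":200,"src_ip":"10.0.0.5"}',
    '{"source":"lb","event":"http_request","path":"/healthz","status":200,"src_ip":"10.0.0.6"}',
    '{"source":"lb","event":"http_request","path":"/admin","status":403,"src_ip":"198.51.100.7"}',
    '{"source":"auth","event":"login","result":"success","user":"svc-backup","src_ip":"10.0.0.9"}',
    '{"source":"auth","event":"login","result":"failure","user":"admin","src_ip":"203.0.113.4"}',
    '{"source":"edr","event":"process_start","image":"powershell.exe","parent":"winword.exe"}',
    '{"source":"dns","event":"query","qname":"time.windows.com","rcode":"NOERROR"}',
    '{"source":"dns","event":"query","qname":"time.windows.com","rcode":"NOERROR"}',
    'not json at all',
]

# Drop rules (hypothetical): each is (name, predicate). A rule may only drop an
# event that is positively identified as benign; anything unmatched is kept.
DROP_RULES = [
    ("lb_health_probe", lambda e: e.get("source") == "lb"
                                  and e.get("path") == "/healthz" and e.get("status") == 200),
    ("dns_ntp_lookup", lambda e: e.get("source") == "dns"
                                 and e.get("qname") == "time.windows.com" and e.get("rcode") == "NOERROR"),
]

# Protected sources are never filtered, so a detection feed that later happens to
# match a drop pattern is not silently discarded.
NEVER_DROP_SOURCES = {"edr"}


def filter_events(lines):
    """Return (kept_events, stats); stats count why each line was kept or dropped."""
    kept = []
    stats = Counter()
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            stats["kept:unparseable"] += 1      # never lose data because parsing failed
            kept.append({"raw": line})
            continue
        if event.get("source") in NEVER_DROP_SOURCES:
            stats["kept:protected_source"] += 1
            kept.append(event)
            continue
        rule = next((name for name, pred in DROP_RULES if pred(event)), None)
        if rule:
            stats["dropped:" + rule] += 1
        else:
            stats["kept:no_rule"] += 1
            kept.append(event)
    return kept, stats


def reduction_percent(stats):
    """Share of input lines dropped, rounded to one decimal, for tuning reports."""
    total = sum(stats.values())
    dropped = sum(v for k, v in stats.items() if k.startswith("dropped:"))
    return round(100.0 * dropped / total, 1) if total else 0.0


if __name__ == "__main__":
    kept, stats = filter_events(SAMPLE_EVENTS)
    for name, count in sorted(stats.items()):
        print(f"{name:24s} {count}")
    print(f"volume reduction: {reduction_percent(stats)}%")
```

The per-rule counters are the important part: each drop rule should be reviewed periodically against what it actually removed, and a rule whose drop count suddenly changes is a signal that either the environment or the filter has drifted.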
19. Transform: Key Focus Areas (Examples)
● Migrate to modern SaaS SIEM (scale + ease)
● Workflows via SOAR or similar
● “Automate-first” for alert triage, humans deal with leftovers
● Start turning SOC analysts into D&R engineers
● Threat hunting (and red teaming) powers new detections
● Threat intelligence for detection, triage, response, planning
● Expanding role for AI in your SOC
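To make “automate-first” triage concrete: the machine takes every alert first, applies narrow, explainable dispositions (auto-escalate on a curated threat-intel match, auto-close only a documented benign pattern from an internal source), and only what no rule covers reaches a human. The block below is an added example written for this page, not code from the talk or from any product; the threat-intel set, asset list, approved-tool pairs and alerts are all constructed placeholders.

```python
from collections import Counter
from dataclasses import dataclass, field

# Constructed context (placeholders, not real indicators or assets).
KNOWN_BAD_IPS = {"203.0.113.4", "198.51.100.7"}          # hypothetical curated TI feed
CROWN_JEWELS = {"dc01", "payroll-db"}                     # assets whose incidents always escalate
APPROVED_ADMIN_TOOLS = {("svc-backup", "robocopy.exe")}   # (user, binary) pairs documented as expected


@dataclass
class Alert:
    id: str
    rule: str
    host: str
    user: str
    src_ip: str
    image: str = ""
    disposition: str = "human_review"          # default: leftovers go to a person
    reasons: list = field(default_factory=list)


def triage(alert):
    """Apply automated dispositions in priority order and return the alert.

    Escalation rules run before close rules, so a threat-intel hit can never be
    auto-closed by a later benign pattern. Every decision records its reasons.
    """
    alert.reasons = []
    alert.disposition = "human_review"
    ti_hit = alert.src_ip in KNOWN_BAD_IPS
    if ti_hit:
        alert.disposition = "auto_escalate"    # open an incident immediately
        alert.reasons.append("ti_match")
        if alert.host in CROWN_JEWELS:
            alert.reasons.append("crown_jewel")
    elif ((alert.user, alert.image) in APPROVED_ADMIN_TOOLS
          and alert.src_ip.startswith("10.")):
        alert.disposition = "auto_close"       # documented benign pattern, internal origin
        alert.reasons.append("approved_admin_activity")
    else:
        alert.reasons.append("no_automation_rule")
    return alert


def triage_batch(alerts):
    """Triage every alert and return a Counter of dispositions."""
    return Counter(triage(a).disposition for a in alerts)


# Constructed alerts for the illustration.
SAMPLE_ALERTS = [
    Alert("A1", "suspicious_admin_tool", "fileserver01", "svc-backup", "10.0.0.9", "robocopy.exe"),
    Alert("A2", "failed_logins", "dc01", "admin", "203.0.113.4"),
    Alert("A3", "office_spawns_shell", "ws-042", "jdoe", "10.0.1.20", "powershell.exe"),
    Alert("A4", "web_403_burst", "web01", "", "198.51.100.7"),
]

if __name__ == "__main__":
    for a in SAMPLE_ALERTS:
        triage(a)
        print(f"{a.id} {a.rule:22s} -> {a.disposition:14s} {','.join(a.reasons)}")
    print(dict(triage_batch(SAMPLE_ALERTS)))
```

The ratio of `human_review` to the total is the metric to track: the point of automate-first is to drive that share down while keeping every auto-close tied to a documented, reviewable reason.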
20. Modern Tooling Advantages
Old → New
Reactive → Reactive + Proactive + Adapted by Risk
People Dependent → AI Augmented
Threat Intel Feeds → Applied Threat Intel & Curated Outcomes
Alerts and Plumbing → Context Driven Investigation & Response
Capacity / Cost Constrained → Operationally Scalable
21. Transform Caveat: Some Things Still Stay!
● You collect data (logs, endpoint, traffic, etc)
● You retain data, some centrally, some federated
● You enrich signals
● You analyze data and make conclusions
● You rely on humans for understanding true unknowns (even though AI helps!)
● You also rely on humans for incident response
23. Recommendations
● Assess where you are (duh!) - use the framework
○ Can you improve what you have?
○ Do you have capacity for change?
○ Do you face a chasm and “cross in 10 jumps” won’t work?
● Once chosen, focus on things that matter to that choice
● If you “optimize”, be aware that you choose that for today
● Don’t be afraid of “transform”!
24. SOC: Lessons from Ops or from Dev?
“You can’t ‘ops’ your way to SOC success, but you can ‘dev’ your way there”
-- Anton Chuvakin (source: “Kill SOC Toil, Do SOC Eng” blog)