Back To The Future 1 – Traditional vs. Modern SOCs
Since launching in 2013, e2e has used its own purpose-built SOC platform, “Cumulo”, designed as the ultimate analyst support tool, and has focused on recruiting the best and most diverse analysts in the business.
Seven years on, e2e is a leading UK SOC provider with a global presence and, since 2019, a dedicated SOC based in Canberra alongside Australian partner AUCloud, supporting AUCloud’s core IaaS customers both directly and indirectly.
e2e recruits a wide and diverse workforce and in 2019 launched a dedicated programme, e2e-engage, focused on training and employing neuro-diverse individuals. A year on, the programme is hailed as one of the major success stories and an exemplar in the cyber sector, with e2e providing real jobs, exciting futures and new opportunities whilst benefiting from the new talent we have found.
Here is what we think a modern SOC should look like, and why the traditional SOC approach is increasingly less effective.
The Problem With A Traditional SOC
In summary, traditional SOCs are expensive, low-value and inflexible, and they routinely fail to deliver what is expected. The key reasons for this are:
Traditional SOC technology is broken
- Focused on marketing ‘ideas’ and technical ‘features’, traditional SOC products concentrate on things that are mostly of no use to a SOC operation, and often make things worse by creating new sources of noisy alerts.
- They typically rely on old-fashioned, clumsy technology that is slow to adapt to the changing threat environment, and even slower (or indeed resistant) to incorporate the features that help analysts do their job.
- They are difficult to deploy and maintain. The inordinate amount of time wasted on deployment, and on trying to make them work afterwards, is a headache and ultimately a key distraction from the business and operation of the SOC.
- They are expensive, with crazy licensing models priced on GB/s or events per second (EPS) rather than on delivering cyber value, cyber outcomes and risk mitigation.
- A SIEM is NOT a SOC. SIEMs do not by themselves deliver the required security outcomes; there is a breakdown in the relationship between the SOC operating model and its desired outcomes on one side and the traditional SOC technology on the other.
Traditional SOC operating models are broken and are based on incorrect assumptions
- Technology-heavy SOCs rely on expensive third-party solutions that were never designed to fit SOC operating models. Because of this, SOC operating models are forced to favour the technology over processes, operating procedures and effective workflow.
- “Technology can solve the problem” is incorrect. Technology should assist humans in solving the problem, with humans as the most critical and important element.
- “AI can fix the problem” is incorrect. AI can assist humans in performing their analysis, but it should not present them with impossible questions they cannot reverse engineer, answer or analyse (which seems to be the focus of most detection AI).
- “SOC automation can fix the problem” is incorrect. Automation can assist a SOC analyst in their analysis process and can be taught to automate the ‘best’ analyst routines, but it cannot replace humans. Good SOC automation is about automating routine and basic SOC tasks to make the best use of human analyst time.
Traditional SOC spend models are broken
The ratios of people to technology are wrong. In a traditional SOC:
- 75% is spent on technology and 25% on staff, training, and process/playbook development.
- More time is spent maintaining the SOC technology than providing security operation services.
What the split should look like:
- 25% spent on technology, 75% on staff, training and process/playbook development.
- A SOC is about building an effective end-to-end operation, not about deploying and maintaining a SIEM (a technology-focused SOC).
- Technology-focused SOCs suffer from a lack of flexibility, analyst frustration, and a lack of visibility for customers and the business into what the SOC is doing.
In summary, even with the best of intentions, the reliance on technology is itself the flaw. It is not that the technology is irrelevant; it is that when technology (including setting it up, operating it and maintaining it) becomes THE focus, the purpose and priorities of the SOC inevitably drift out of alignment with the activity itself. How to avoid this is the topic of the second part of this story.