After a long, long, long writing effort … eh … break, we are ready with our 5th Deloitte and Google Cloud Future of the SOC paper “Future of SOC: Transform the ‘How’.”
As a reminder (and I promise you do need it; it has been years…), the previous 4 papers are:
When facing the question of whether to evolve or optimize a Security Operations Center (SOC), security leaders have numerous risks and rewards to weigh. Disruptions to normal operations, migration challenges, compatibility issues, the advantages of new technologies, and the learning curves for the teams involved are among the important factors to consider.
Previously in our “Future of the SOC” series, we explored the conditions under which security leaders should transform SOC tools and practices versus the conditions under which they should double down and improve their existing tooling and ways of working. Specifically, in “Future of the SOC: Evolution or Optimization — Choose Your Path,” we laid out a decision matrix to help navigate the decision on whether to change or stay.
However, after we wrote the previous paper, lots of people asked us: OK, we ran through the process and it led us to the need to transform (rather than optimize) our SOC. How do we go about it? Are there boosters or amplifiers for this? Are there related projects we can latch onto, since this whole transformation business is just hard? This is exactly what we cover in the current paper.
Specifically, we explore the change decision tree through the lens of three common scenarios that drive transformation: cloud migration, Managed Detection and Response (MDR) adoption, and DevOps evolution.
My favorite quotes:
- “As organizations migrate to the cloud, there’s a notable shift from endpoint-centric security models to a broader focus on data correlation and aggregation facilitated by SIEM and SOAR technologies. This shift is crucial for adapting to the dynamic, distributed nature of cloud environments and for effectively managing the increased complexity and profusion of security data.” [A.C. — in less polite terms, “EDR-huggers” need to either push their EDR vendors to do real, not-endpoint-centric cloud D&R or stop hugging…]
- “Shadow operations teams: Observe the incumbent service providers’ operations teams and/or the Customer Operations team in their day-to-day activities to understand and document lessons learned, known issues, exception scenarios, priorities, and dependencies.” [A.C. — in this MDR-centric transformation the point is actually … getting better by learning from them, not doing the “four letter o” word … “outsourcing” 🙂 ]
- “The main challenge is that when the IT counterpart to security is much faster (hours vs. months, in some cases), security needs to “speed up or shut up.” Agile IT with 1990s-style slow security will fight, and the modern approach (IT) will normally win… putting the organization at risk.” [A.C. — never bet against inertia in large enterprise IT!]
- “A modern SOC should be an integral part of the DevOps ecosystem. It should prioritize speed, automation, and a mindset that treats security as an essential component of the development process from the outset.” [A.C. — this sounds cliché, but security should not fight DevOps, but learn and adopt from it]
The paper is full of gems that go far beyond these quotes. Go and read it, but do consider rereading the previous paper before doing so.
Related blog posts: