Back in 2016 when I was a Gartner analyst, I was obsessed with the same question.
As I said in my now-dead Gartner blog, a lot of security operation centers looked like they were built on a blueprint of a classic paper written by somebody from ArcSight around 2003.
However the conversations I mention above imply that we collectively still lack clarity on the modern SOC concept.
Note that there is another element to this discussion.
Those who read the original Netflix 2018 SOCless paper would be very familiar with an engineering-led model for D&R operations.
2018 is half a decade ago, and it pains me to say that the elements of this model are still not widely adopted, outside of the cream of the cream of the crop of tech companies.
That model, while extremely effective, seems to be living exclusively in these ultra-elite companies.
Some elements from our 2016 paper still look modern, but can be done a) in a non-modern manner or b) in a manner decoupled from a SOC. For example, you can have a SOAR tool that you either cannot handle, or only use for phishing playbooks.
Another example: you can hunt, but then not flow the findings into detections powering your SOC. Expansion beyond SIEM/logs was modern circa 2015, but now everybody has EDR. Everybody sane moved or is moving to SaaS SIEM. Threat intel use gradually expanded, but there is no revolution happening here - just improvements.
We treated selective use of outsourcing and MDRs as a sign of modernity in a SOC, but as an auxiliary one at that.
Automating L1 and L2 jobs is a goal, not a characteristic.
Redoing the team structure away from the L1/L2/L3 funnel is a byproduct of a SOC transformation, not a goal.
AI does not transform anything on its own, humans do.
I think the center of gravity for a modern SOC is automation.
It is the relentless drive to D&R automation powered by a rapid and thus effective feedback loop and an engineering-led mentality.
To put it mildly, automation in a SOC is commonly misunderstood.
Modern SOC, as I hypothesize here, is about a relentless drive to automate yourself out of a SOC job, something that SRE people did before us.
We have a bit of a road ahead. I am thinking of another blog that examines other dimensions that describe a modern SOC circa 2024.
WTH is Modern SOC, Part 1 was originally published in Anton on Security on Medium, where people are continuing the conversation by highlighting and responding to this story.
This is a Security Bloggers Network syndicated blog from Stories by Anton Chuvakin on Medium authored by Anton Chuvakin.
This Cyber News was published on securityboulevard.com. Publication date: Sat, 09 Dec 2023 05:13:06 +0000