The ‘lazy’ SOC model

In the contemporary landscape, the paramount importance of security is becoming increasingly evident, casting a spotlight on the escalating workload of the Security Operations Center (SOC). This burgeoning workload is characterized not only by a surge in the sheer volume of requests and inquiries but also by the growing intricacy of security challenges. In this dynamic environment, when a security incident unfolds, there is an implicit expectation for the SOC to respond promptly and with pinpoint accuracy. Simultaneously, the SOC grapples with a persistent conundrum exacerbated by a global shortage of highly skilled security professionals — recruitment and retention.

As someone who has worn the dual hats of a SOC manager and SOC consultant, I have frequently fielded the question of how to address these formidable challenges. My response, which has not wavered over time and is likely to remain consistent, is that I am in the process of transforming the current SOC model into what I fondly refer to as the “lazy SOC model”. This assertion, intriguing in its paradoxical nature, typically prompts a deep and thoughtful conversation, as it begs the question: What exactly is a “lazy SOC model”?

The “lazy SOC model” represents a visionary approach to security operations. Rather than being complacent or lethargic, it centers on efficiency, innovation, and strategic thinking. It acknowledges that the traditional, reactive methods of handling security incidents are no longer sustainable or effective. Instead, it seeks to proactively eliminate as much manual toil and repetitive tasks as possible, allowing the SOC team to focus on the most critical aspects of security.

Whenever I attempt to elucidate the intricacies of this model, I often find myself met with perplexed expressions. People’s faces contort with a mixture of curiosity and trepidation. The fear of their livelihoods being usurped by automation is a common response. It’s a natural reaction to the concept of transitioning towards a more streamlined, or what some might call a “lazy SOC model”. This evolution would inevitably lead to the replacement of existing job profiles with newer, adapted roles. However, such transformations are hardly unique to the IT industry.

In fact, the history of technology is replete with examples of seismic shifts that triggered anxiety about job security. The introduction of computers, the internet, and cloud computing each had their share of naysayers predicting widespread unemployment. But, history has shown that these changes don’t transpire overnight. There’s always a transitional period during which individuals can adapt to the evolving landscape.

During this transition, individuals have the opportunity to assess whether they wish to embrace the emerging job profiles. It becomes a deeply personal decision. The chance for reskilling and upskilling often exists, and it’s not uncommon for these newly formed roles to be more fulfilling or offer greater opportunities for professional growth. The fear of automation replacing jobs is indeed real, but with time, preparation, and a forward-thinking perspective, individuals can often thrive in the face of technological progress.

Automation is poised to bring about a profound transformation within the security industry, ushering in a new era marked by several pivotal changes. This evolution is not only necessitated by its role in addressing the persistent skill shortage that has long plagued the industry but is also fueled by the recognition that adversaries are equally harnessing the power of automation. The motivation behind this shift lies in the fact that both security professionals and malicious actors grapple with an array of monotonous and repetitive tasks, which can now be efficiently automated.

The concept of the “lazy SOC model” has a significant impact on how security operations are managed. In this model, there is a central, unified interface often referred to as the “single pane of glass”. This single pane of glass is essentially a dashboard or platform that provides a comprehensive view of an organization’s security landscape.

The idea behind this model is that all security personnel, analysts, and stakeholders have access to the same interface, which offers real-time insights and data about the organization’s security posture. Instead of the traditional approach where security professionals had to juggle multiple tools and dashboards, the “lazy SOC model” streamlines this process.

In the traditional setup, the complexity of managing multiple tools and systems can be overwhelming. It often involves switching between various security solutions, each with its own interface and data presentation. This manual switching consumes valuable time and effort, which could be better spent on actively responding to security incidents and threats. Furthermore, the cognitive load imposed by managing multiple tools can lead to errors, including the potential for the wrong security alert to be prioritized or overlooked.

By contrast, the “lazy SOC model” simplifies and optimizes the security workflow. It reduces the need to constantly switch between different tools, as all pertinent information is readily available on the single pane of glass. This approach not only saves time but also minimizes the risk of human error when assessing and prioritizing security alerts.

While having an optimized SOC is undoubtedly crucial in the realm of cybersecurity, it’s important to recognize that its effectiveness doesn’t solely hinge on prevention and detection capabilities. A pivotal facet of what we might call the “lazy SOC model” lies in the organization’s ability to respond promptly and effectively to a cyber attack. This is where the rubber meets the road, so to speak.

Inevitably, in the ever-evolving landscape of cyber threats, one of your security controls will flag an event as potentially malicious. At this juncture, the initial triage phase is set into motion. It’s the moment of truth, where you need to swiftly ascertain whether this is a true-positive, an actual security incident that requires attention, or a false alarm. The significance of accurate detection and classification cannot be overstated, as it determines whether valuable resources should be allocated to investigate and mitigate a potential threat.

But here’s the catch: determining the nature of the incident and deciding on the appropriate response isn’t solely within the purview of the SOC team. In many cases, the SOC operates within a broader organizational context, and its hands are tied when it comes to implementing changes or taking action. The reason for this is that the SOC’s primary role is to monitor, detect, and provide expert analysis, not to make alterations to the network or systems.

So, addressing an incident requires collaboration with various IT teams across the organization. This collaboration extends beyond the SOC and may involve network administrators, system administrators, and application owners. They hold the keys to making necessary changes, whether it’s blocking a suspicious IP address, quarantining a compromised system, or patching a vulnerability.

While many companies consider it sufficient to merely generate tickets within their IT Service Management (ITSM) solution, they often fail to realize the full potential of the “lazy SOC model”. This model offers a significant advantage in enhancing the efficiency of SOCs, but its true power remains untapped as long as the SOC must continue to manually follow up with response teams to confirm the implementation of their recommendations.

To fully harness the capabilities of the “lazy SOC model”, it is essential to go beyond the initial ticket generation and embrace the concept of automated response to security incidents. This proactive approach ensures that security incidents are addressed with remarkable speed, resulting in a remarkably reduced Mean Time to Contain (MTTC).

The core principle of the “lazy SOC model” lies in minimizing manual interventions and maximizing automation. Instead of relying on human intervention to check the status of recommendations, the SOC leverages automated workflows to validate and enforce security measures. This means that, upon detection of a security incident, the SOC system not only generates a ticket but also autonomously triggers a response, implementing the recommended actions in real-time.

The transformation from a reactive SOC, which often takes hours or even days to address security incidents, to a proactive and “lazy” SOC leads to an MTTC measured in seconds. This radical reduction in response time not only significantly enhances security posture but also minimizes potential damage and data breaches. By automating incident response, the “lazy SOC model” fundamentally alters the dynamics of cybersecurity, ensuring that threats are promptly neutralized before they can inflict substantial harm.

Effective cybersecurity measures necessitate close collaboration with the business. It’s a shared responsibility to ensure the security of our systems and data. When a malware infection is detected on a user device, it’s vital that all parties involved are on the same page. The immediate response is to isolate the affected user device, a step that typically garners unanimous agreement.

However, the complexity arises when dealing with more substantial threats, such as account breaches or network breaches. In these situations, it’s imperative to work in tandem with the business to formulate a response strategy. A mutually agreed-upon decision needs to be reached, which outlines the extent and duration of the automatic responses that the SOC can initiate. This collaborative approach ensures that the response is both effective and aligned with the organization’s specific needs and risk tolerance.

To further reinforce this approach, it’s essential to document this risk appetite accurately. This can be accomplished by logging the agreed-upon response strategy in the corporate risk register. By doing so, not only does it serve as a reference point for all stakeholders, but it also aids in establishing a clear, comprehensive view of the organization’s overall risk management approach. This transparency and documentation of the agreed-upon response strategy help foster a stronger and more coordinated approach to cybersecurity within the organization.

In addition to monitoring, the role of the Enterprise Vulnerability Manager (EVM) holds significant importance within the SOC. Traditionally, the size of an organization’s infrastructure has often determined the manpower allocated to the EVM program. Nevertheless, I propose a paradigm shift. Through effective management and the application of automation, the majority, if not all, EVM responsibilities can be streamlined. This automated approach culminates in the creation of an exceptionally efficient EVM team, potentially consisting of as few as two or three individuals.

An EVM program typically encompasses various critical areas, including discovery scanning, unauthenticated scanning, authenticated scanning, and CIS-Benchmark scanning. With the exception of discovery scanning, these scanning profiles share a common thread — they heavily rely on the CMDB. Consequently, it becomes imperative that these scanning profiles remain updated in accordance with changes in the CMDB. This necessitates both the vulnerability scanning software and the CMDB to offer accessible APIs. Furthermore, within the SOC, an automation platform should be in place to establish a seamless connection between these two platforms.

Once this connection is established, the scanning profiles are continually synchronized with the CMDB, ensuring their accuracy in real-time. As a result, manual intervention becomes obsolete. Now, you might be wondering, what serves as the source for discovery scanning if it’s not the CMDB? The answer lies in your DNS, DHCP, and IP Address Management (DDI) solution, often facilitated by systems like Infoblox.

For organizations that have already implemented Infoblox, the integration of this system with an automation platform represents a significant advancement. It paves the way for seamlessly incorporating your DDI solution into the vulnerability scanning process, resulting in a highly efficient and effective discovery scanning mechanism. This holistic approach to cybersecurity operations unites your EVM procedures, leading to a significant streamlining of the entire process. This consolidation has the added benefit of reducing the reliance on a large workforce to carry out these critical functions.

As a result of this integration, organizations can maintain a robust security posture while operating with a lean EVM team. This means that fewer personnel are required to manage and execute vulnerability scanning, freeing up valuable resources and manpower for other mission-critical tasks and projects. In essence, the synergy between Infoblox and the automation platform empowers organizations to optimize their security measures, increase operational efficiency, and reallocate human resources where they are needed most, thereby enhancing the overall agility and effectiveness of the organization’s security strategy.