MY TAKE: Equipping SOCs for the long haul – automation, edge security solidify network defenses

By Byron V. Acohido

Network security is in the throes of a metamorphosis. Advanced technologies and fresh security frameworks are being implemented to deter cyber attacks out at the services edge, where all the action is.

Related: Automating security-by-design in SecOps

This means Security Operations Centers are in a transition. SOCs came on the scene some 20 years ago as the focal point for defending on-premises datacenters of large enterprises. The role of SOCs today is both expanding and deepening, and in doing so, perhaps modeling what it will take to defend IT systems going forward – for organizations of all sizes.

I recently moderated a virtual panel on this topic featuring Scott Dally, director of security operations center Americas at NTT Security, and Devin Johnstone, senior security operations engineer at Palo Alto Networks.

For a full drill down please give a listen to the accompanying podcast version of that discussion. Here are the takeaways:

Pressurized landscape

Organizations today must withstand a constant barrage of cyber attacks. Primary vectors take the form of phishing campaigns, supply chain corruption and ransomware attacks, like the one that recently resulted in the shutdown of Colonial Pipeline.

What’s happening is that digital transformation, while providing many benefits, has also dramatically expanded the attack surface. “An old problem is that many companies continue to cling to the notion that cybersecurity is just another cost center, instead of treating it as a potentially catastrophic exposure – one that needs to be continually mitigated,” Dally says.

Organizations are inundated from every direction and the pressure is intensifying. “As more things, like IoT, get connected to the network, it’s just opening up new vectors and putting network defenders behind the power curve, because they have so much to guard and an adversary only has to find one way in,” Dally says.

While Colonial Pipeline demonstrated the wallop of ransomware, SolarWinds highlighted how threat actors are taking full advantage of vulnerabilities arising from the complexities of meshing together digital-era supply chains.


“Supply chains are just incredibly difficult to secure,” Dally says. “You have to do a lot of research on your partners and vendors, and most organizations don’t have the time or don’t even know what questions to ask; they assume everything is good on the other side, when, in fact, it’s not.”

Leveraging automation

The original function of a SOC was to equip security analysts with everything they needed to detect and respond to any potentially malicious traffic detected inside a company’s firewall. However, as IT operations became more complex, information overload became a factor. Security information and event management systems — SIEMs — came along in about 2005 to screen all incoming data packets and kick out alerts to anything that seemed suspicious.


From the start SIEMs produced more alerts than any human could hope to productively process. “Before we had automation and the advances in machine learning that we have today, the SOC analyst had a very manual role,” Johnstone says. “There was a lot of overhead associated with having the analyst try to make sense of all of this log data coming in from the traditional SIEM. A lot more time was spent doing log management versus actually analyzing and responding to those alerts in more detail.”

User and entity behavior analytics (UEBA) technology and security orchestration, automation, and response (SOAR) systems began turning up in 2015 or so to help companies get over this hump. UEBA and SOAR solutions helped SOC analysts extract more timely and actionable threat intelligence from SIEM alerts.

SOAR, for instance, makes use of “playbooks” to automate security checks that an analyst previously had to perform manually. Playbooks have steadily matured, and today can account for as much as 70 percent of the workflow to vet a SIEM alert vs. doing it manually.

“The goal today is to start leveraging more automation and machine learning to apply context to alert data,” Johnstone says. “We can use SOAR playbooks to gather context based on past incidents as well as data from other sources . . . the human analyst provides value by understanding the context of a situation, rather than just being the alert robot dealing with things that happen over and over again.”

Data driven decisions

Leveraging automation to help sort SIEM alerts is a big step forward. But it’s just a start. Automation has a bigger role to play in ingesting and correlating information from knowledge bases as well as integrating the outputs of other security tools, such as endpoint detection and response systems. “This enrichment of legacy SOC functionalities needs to continue if companies are to operate securely in the wild and wooly operating environment of cloud infrastructure and agile software development,” Dally says.

“Where we’re headed is for the SOC to use automation to get the right information in front of the people who can affect a decision,” he says. “And more and more decisions are going to be made based on the data that’s available, which means you can also automate the response activity.”
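To make the playbook pattern Johnstone and Dally describe concrete (enrich a SIEM alert with past-incident history and another tool's verdict, then let the data drive an automated or escalated response), here is a small worked example. It is added here and is not code from the article, NTT Security or Palo Alto Networks; the alert fields, the past-incident table and the EDR verdicts are all constructed sample data.

```python
# Added illustration of a SOAR-style triage playbook; not vendor code.
# All inputs below are constructed sample data with hypothetical field names.
from collections import Counter

# Constructed SIEM alerts, as a playbook would receive them.
ALERTS = [
    {"id": "A1", "rule": "suspicious_powershell", "host": "ws-101"},
    {"id": "A2", "rule": "suspicious_powershell", "host": "ws-102"},
    {"id": "A3", "rule": "port_scan", "host": "ws-103"},
]

# Constructed "past incidents" knowledge base: per rule, how many alerts
# were seen and how many turned out to be true positives.
PAST_INCIDENTS = {
    "suspicious_powershell": {"seen": 40, "true_positive": 2},
    "port_scan": {"seen": 10, "true_positive": 8},
}

# Constructed endpoint detection and response verdicts, the "other source"
# a playbook would query to add context to the alert.
EDR_VERDICTS = {"ws-101": "clean", "ws-102": "malicious", "ws-103": "unknown"}

def enrich(alert):
    """Attach historical true-positive rate and EDR verdict to an alert."""
    hist = PAST_INCIDENTS.get(alert["rule"], {"seen": 0, "true_positive": 0})
    tp_rate = hist["true_positive"] / hist["seen"] if hist["seen"] else None
    return {**alert,
            "edr": EDR_VERDICTS.get(alert["host"], "unknown"),
            "tp_rate": tp_rate}

def triage(enriched):
    """Playbook decision: automate the clear-cut ends, escalate the rest."""
    if enriched["edr"] == "malicious":
        return "isolate_host"            # automated response
    noisy = enriched["tp_rate"] is not None and enriched["tp_rate"] < 0.1
    if noisy and enriched["edr"] == "clean":
        return "auto_close"              # noisy rule and EDR agrees it is benign
    return "escalate_to_analyst"         # the human adds the context here

def run_playbook(alerts):
    """Map each alert id to the playbook's decision."""
    return {a["id"]: triage(enrich(a)) for a in alerts}

def automation_share(decisions):
    """Fraction of alerts closed or acted on without an analyst."""
    counts = Counter(decisions.values())
    handled = len(decisions) - counts["escalate_to_analyst"]
    return handled / len(decisions) if decisions else 0.0

if __name__ == "__main__":
    result = run_playbook(ALERTS)
    print(result, f"automated: {automation_share(result):.0%}")
```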

In SOCs today, the response to meaningful alerts is already much quicker and much more accurate than a couple of years ago. This trajectory has a long way yet to go. Over time, it should result in eliminating the perceived shortage of security analysts; and seasoned security analysts will be able to shift to more proactive, instead of just reactive, security tasks.

Full-blown SOCs are likely to remain in place at large enterprises for the foreseeable future. That said, managed security service providers (MSSPs) have a huge role to play leveraging and delivering these emerging SOC practices to help small- to mid-sized businesses defend their networks at the edges, where it counts most. I’ll keep watch and keep reporting.


Pulitzer Prize-winning business journalist Byron V. Acohido is dedicated to fostering public awareness about how to make the Internet as private and secure as it ought to be.

(LW provides consulting services to the vendors we cover.)
