Mandiant Incident Response Visit the Mandiant Incident Response page
Support Visit the Google Cloud Support hub
Careers Browse open positions at Chronicle
Chronicle Return to the Chronicle homepage
Security Operations Platform arrow_forward expand_more
Security Operations Platform

Explore the Security Operations Platform for the modern SOC.

Security Operations Platform
Overview Detect, investigate, and respond to cyber threats with speed, scale, and precision.
Detect Detect threats with confidence by storing and analyzing all your security telemetry at Google scale.
Investigate Get faster insights with context and depth of investigation to stay ahead of the latest breaches.
Respond Orchestrate tools, build automation, and collaborate with ease to respond in minutes.
Solutions arrow_forward expand_more
Solutions

Reimagine your security operations with affordable solutions.

Solutions
Mandiant Hunt for Chronicle Uncover hidden attacks with elite threat hunters by your side.
SOC Modernization Protect your organization against modern-day threats.
Cloud detection & response Improve investigation and response to cloud-based threats.
Service providers Attract new customers and keep existing ones coming back.
Chronicle CyberShield Helping Governments Defend Against Modern Threats
Why Chronicle arrow_forward expand_more
Why Chronicle

Rely on a modern approach to threat detection and response.

Why Chronicle
How we’re different Add Google speed, scale and intelligence to your SOC.
Our customers Discover how modern security teams use Chronicle.
Partners arrow_forward expand_more
Partners

We work together with our partners to help our customers protect themselves.

Partners
Overview Through product integrations and security expertise, together we bring more effective solutions to market.
Solutions for Small to Mid-Sized Business Expert resources for organizations with up to 2000 employees
Resources arrow_forward expand_more
Resources

Get to know us better. Find out what we’ve learned, what’s new, and what’s next.

Resources
Blog Get an inside view of the digital security landscape.
Knowledge Base Sortable whitepapers, datasheets, videos, and more.
Community Join security pros sharing SecOps content and best practices
Contact us Visit the contact us page
Chronicle Return to the Chronicle homepage
Security Operations Platform arrow_forward expand_more
Security Operations Platform

Explore the Security Operations Platform for the modern SOC.

Security Operations Platform
Overview Detect, investigate, and respond to cyber threats with speed, scale, and precision.
Detect Detect threats with confidence by storing and analyzing all your security telemetry at Google scale.
Investigate Get faster insights with context and depth of investigation to stay ahead of the latest breaches.
Respond Orchestrate tools, build automation, and collaborate with ease to respond in minutes.
Solutions arrow_forward expand_more
Solutions

Reimagine your security operations with affordable solutions.

Solutions
Mandiant Hunt for Chronicle Uncover hidden attacks with elite threat hunters by your side.
SOC Modernization Protect your organization against modern-day threats.
Cloud detection & response Improve investigation and response to cloud-based threats.
Service providers Attract new customers and keep existing ones coming back.
Chronicle CyberShield Helping Governments Defend Against Modern Threats
Why Chronicle arrow_forward expand_more
Why Chronicle

Rely on a modern approach to threat detection and response.

Why Chronicle
How we’re different Add Google speed, scale and intelligence to your SOC.
Our customers Discover how modern security teams use Chronicle.
Partners arrow_forward expand_more
Partners

We work together with our partners to help our customers protect themselves.

Partners
Overview Through product integrations and security expertise, together we bring more effective solutions to market.
Solutions for Small to Mid-Sized Business Expert resources for organizations with up to 2000 employees
Resources arrow_forward expand_more
Resources

Get to know us better. Find out what we’ve learned, what’s new, and what’s next.

Resources
Blog Get an inside view of the digital security landscape.
Knowledge Base Sortable whitepapers, datasheets, videos, and more.
Community Join security pros sharing SecOps content and best practices
Mandiant Incident Response Visit the Mandiant Incident Response page
Support Visit the Google Cloud Support hub
Careers Browse open positions at Chronicle
IDC Study: Customers cite 407% ROI with Google Chronicle. Learn More IDC Study: Customers cite 407% ROI with Google Chronicle. .
New Paper: “Future of the SOC: Forces shaping modern security operations”
Anton Chuvakin
Head of Solutions Strategy at Google Cloud
August 20, 2020

By Anton Chuvakin, originally posted at Anton on Security.

For some reason, I just cannot leave the topic of Security Operation Center (SOC) alone. In fact, I now am participating in a very fun effort to write a series of papers on the future of SOC by Google Cloud and Deloitte (for the impatient: download it here).

My favorite quotes are below:

  • We do start by saying that even back in the 1990s security analysts complained about alert volumes and false positives (such as from IDS) and that “Today these same problems are trying to be solved — fatigue from high rates of false positives, too much data, too many alerts — without noticing that the landscape has shifted in profound ways.”

  • In fact, “Solutions envisioned in the 1980s, 1990s, and 2000s would have turned out productive had the problems remained static.” However, 100 rule-based alerts per IDS analyst in 1995 are just not the same 100 ML-based UEBA alerts per analyst today.

  • “This paper defines “forces” as key salient factors that are shaping the modern challenges a SOC must overcome to continuously mature:

  • a) Expanding attack surface

  • b) Security talent shortage [A.C. — while there are well-reasoned arguments against the concept of talent shortage in security, my impression that for SOC the shortage is real]

  • c) Too many alerts from too many tools”

  • “In essence, many traditional organizations have to secure the past (e.g., mainframes), the present (e.g., servers, PCs, phones) and the future (e.g., containers, serverless, IoT)” and this makes the mission of ‘doing SOC well’ very hard.

  • “Humans cannot scale to cover all alerts, but machines (such as ML algorithms) on their own just don’t cut it. As the SOC increases in maturity, the solution to the problem of too much of everything may come from many sources.” So, this sounds a bit bla, but this is the reality: IMHO for the foreseeable future in security, we will need both humans and machines.

  • “While many will say automation is the answer, SOC automation today is predominantly focused on automating the routine tasks (enriching logs with context and threat intel), as well as automating some remediating actions (with the decisions to do so largely remaining in human hands).” This is something to keep in mind when hearing others ramble “automation is the answer” to every security question …

  • ”The 21st century must conquer the next frontier for automation — automating the decisions and some of the related cognitive processes. While some vendors already promise that today, the operational reality of today’s SOC does not support this claim.” This hidden gem is actually THE big new thought in the paper. Have you almost missed it? :-)

  • “A good SOC implements a well-organized process that works, but also does not suppress the creativity of its analysts. ” OK, so your reaction to this is “ha, easier said than done!” but the reality is that done it must be (this is discussed a bit here, BTW) …

  • “Almost every SOC of the future is a hybrid model that works together with service providers — be it your MDR (Managed Detection and Response), co-managed SIEM, managed EDR, or a full-on MSSP. “ Expressed back here (and also here), this idea remains at the forefront of many security operations leaders.

No, go and read the full paper “Future of the SOC: Forces shaping modern security operations.” More SOC papers coming on people, process and technology inside and around the modern SOC.

Secops

Let’s work together

Ready for Google-speed threat detection and response?

Contact us Visit the contact us page