By Anton Chuvakin (originally posted at Anton on Security)
Back in August, we released our first Google/Chronicle — Deloitte Security Operations Center (SOC) paper titled “Future of the SOC: Forces shaping modern security operations” (launch blog, paper PDF) and promised a series of three more papers covering SOC people, process and technology.
Here is the next paper, “Future of the SOC: SOC People — Skills, Not Tiers” (PDF), and you can easily guess that it focuses on the PEOPLE aspect of the SOC. As I have often said, “A SOC is first a team; all the other stuff comes later” (or something like that).
My favorite quotes are below:
“The genealogy of today’s [i.e. NOT the future SOC we are writing about — A.C.] SOC workforce model stems from the IT help desk. This approach originated from the application of the hierarchical industrial-age assembly line: passing issues from first to second line and further up. In simpler times, this model was sufficient — technology density was low and problems could be solved with in-person interactions, all at a minimal cost.” — overall, we now feel that IT helpdesk roots constrain the modern/future SOC and send its development in potentially wrong directions.
“A workforce model fit for an entirely different purpose may serve as a useful analog: the Special Forces Operational Detachment Alpha, also known as the “A Team.” As the primary operational element of a larger organization, this small team is composed of individuals with all the necessary skills to complete virtually any tactical operation autonomously.” — and if you want a more peaceful analogy, think QA [find and fix bugs], not helpdesk [wait for issues and handle them].
[Figure: Example SOC Skills]
“Another principle that works for large organizations is outsource capacity, but not capability. This relies on the fact that to outsource a function well, a degree of internal expertise is required to judge a provider, both in the beginning and over time. Hence, to outsource well, you need to have at least some expertise in the area” — you’ve seen me talk about it, and this is tricky in real life; to select a good partner for MSSP/MDR, you need enough knowledge to tell good from bad. Also, expect the SOC of the future to use some services for some things; “every SOC is a hybrid SOC.”
“SOCs can no longer pair every event with a human analyst. The model simply does not scale to today’s business, IT, and threats. This means automation and outsourcing, but it also means a different skill model, rather than a hierarchical pyramid of the past” — this is a bit meta and not terribly actionable, but I assure you — this is useful.
“Unlike widgets on the production line, security events should be considered as part of contextual fabric. This implies that a naive per alert model is broken as well, just as the “SOC as a funnel” model” — remember that the SOC mission is threats, not alerts! To fix this, approach early alert triage differently (rather than the “easy? fix. hard? punt!” of the helpdesk).
Now, go and read the full paper “Future of the SOC: SOC People — Skills, Not Tiers” (PDF).
Two more SOC papers are coming, one on processes (we are writing this one now and it will be very fun!) and one on technology inside and around the modern SOC.