Mandiant Incident Response Visit the Mandiant Incident Response page
Support Visit the Google Cloud Support hub
Careers Browse open positions at Chronicle
Chronicle Return to the Chronicle homepage
Security Operations Platform arrow_forward expand_more
Security Operations Platform

Explore the Security Operations Platform for the modern SOC.

Security Operations Platform
Overview Detect, investigate, and respond to cyber threats with speed, scale, and precision.
Detect Detect threats with confidence by storing and analyzing all your security telemetry at Google scale.
Investigate Get faster insights with context and depth of investigation to stay ahead of the latest breaches.
Respond Orchestrate tools, build automation, and collaborate with ease to respond in minutes.
Solutions arrow_forward expand_more
Solutions

Reimagine your security operations with affordable solutions.

Solutions
Mandiant Hunt for Chronicle Uncover hidden attacks with elite threat hunters by your side.
SOC Modernization Protect your organization against modern-day threats.
Cloud detection & response Improve investigation and response to cloud-based threats.
Service providers Attract new customers and keep existing ones coming back.
Chronicle CyberShield Helping Governments Defend Against Modern Threats
Why Chronicle arrow_forward expand_more
Why Chronicle

Rely on a modern approach to threat detection and response.

Why Chronicle
How we’re different Add Google speed, scale and intelligence to your SOC.
Our customers Discover how modern security teams use Chronicle.
Partners arrow_forward expand_more
Partners

We work together with our partners to help our customers protect themselves.

Partners
Overview Through product integrations and security expertise, together we bring more effective solutions to market.
Solutions for Small to Mid-Sized Business Expert resources for organizations with up to 2000 employees
Resources arrow_forward expand_more
Resources

Get to know us better. Find out what we’ve learned, what’s new, and what’s next.

Resources
Blog Get an inside view of the digital security landscape.
Knowledge Base Sortable whitepapers, datasheets, videos, and more.
Community Join security pros sharing SecOps content and best practices
Contact us Visit the contact us page
Chronicle Return to the Chronicle homepage
Security Operations Platform arrow_forward expand_more
Security Operations Platform

Explore the Security Operations Platform for the modern SOC.

Security Operations Platform
Overview Detect, investigate, and respond to cyber threats with speed, scale, and precision.
Detect Detect threats with confidence by storing and analyzing all your security telemetry at Google scale.
Investigate Get faster insights with context and depth of investigation to stay ahead of the latest breaches.
Respond Orchestrate tools, build automation, and collaborate with ease to respond in minutes.
Solutions arrow_forward expand_more
Solutions

Reimagine your security operations with affordable solutions.

Solutions
Mandiant Hunt for Chronicle Uncover hidden attacks with elite threat hunters by your side.
SOC Modernization Protect your organization against modern-day threats.
Cloud detection & response Improve investigation and response to cloud-based threats.
Service providers Attract new customers and keep existing ones coming back.
Chronicle CyberShield Helping Governments Defend Against Modern Threats
Why Chronicle arrow_forward expand_more
Why Chronicle

Rely on a modern approach to threat detection and response.

Why Chronicle
How we’re different Add Google speed, scale and intelligence to your SOC.
Our customers Discover how modern security teams use Chronicle.
Partners arrow_forward expand_more
Partners

We work together with our partners to help our customers protect themselves.

Partners
Overview Through product integrations and security expertise, together we bring more effective solutions to market.
Solutions for Small to Mid-Sized Business Expert resources for organizations with up to 2000 employees
Resources arrow_forward expand_more
Resources

Get to know us better. Find out what we’ve learned, what’s new, and what’s next.

Resources
Blog Get an inside view of the digital security landscape.
Knowledge Base Sortable whitepapers, datasheets, videos, and more.
Community Join security pros sharing SecOps content and best practices
Mandiant Incident Response Visit the Mandiant Incident Response page
Support Visit the Google Cloud Support hub
Careers Browse open positions at Chronicle
IDC Study: Customers cite 407% ROI with Google Chronicle. Learn More IDC Study: Customers cite 407% ROI with Google Chronicle. .
Q&A Blog: Trends for the Modern SOC
Anton Chuvakin
Head of Solutions Strategy at Google Cloud
May 14, 2021

Chronicle recently hosted a very well-attended webinar with ISACA focused on the characteristics of a modern SOC (see “Trend for the Modern SOC” for a replay link). We got a lot of great questions, and would like to follow up on these and highlight some of the answers.

Q: You mentioned that SOC is first a team: which skills are expected to distinguish the “basic” SOC from the modern SOC?

A: Skills such as threat hunting, threat intelligence, and data analytics are key characteristics of a modern SOC. While these are less common in traditional SOCs, they power the capabilities of the modern SOC that we discussed in the webinar.

Q: Can we achieve a fully automated AI/AL based — OODA? Fully automated onboard log sources, threat detection rule creation, playbook creation, response, automated integration, and execute.

A: Today and in the near future, the complete automation of most SOC processes is likely not possible — see reference link. The most difficult activities occur at the end of the chain where automated response and other actions take place. Certain situations also require human decision-making in order to deal with a high degree of uncertainty. Finally, the onboarding of many tricky telemetry sources may require humans to iterate and sometimes make changes to the configurations.

Today automation is more widespread in the areas like detection (create alerts) and triage (enrich and confirm alerts), but a lot less widespread in remediation and data onboarding. While we do not expect any massive changes here soon, as organizations adopt more public cloud, automation will grow in this area

Q: What is the difference between SIEM and SOC?

A: SIEM is a particular security tool, and a SOC is the name of a team that performs associated security processes and often uses a variety of security tools (including, for many SOCs, a SIEM).

Q: If we can’t get top tier attackers out of our network — how does a company handle that risk?

A: This is a tough challenge. Most organizations that encounter this will need to call for help, and invite a 3rd party incident response team to help investigate and ultimately get the attackers out.

It is entirely possible that you will encounter very advanced attackers, and in this case, you must ask for help and there is no way around it — cost notwithstanding.

Q: Can you touch on dispersed SOC staff especially in a COVID environment. Is it practical to spread your staff remotely across the USA? Outside the USA?

A: The “follow the sun” SOC model is very well known and many global organizations practice it — even if they do so with distributed teams rather than people. However, it is also very clear that during the pandemic many detection teams and formal SOCs operated in a distributed manner. The jury is likely still out regarding whether SOCs were more or less productive — but it definitely did not fail, so the model may work.

Q: What makes a good SOC?

A: My take is that an underfunctioning SOC is the one that over indexes on technology and has excessively rigid processes, while a good SOC is the one that really focuses on people as opposed to process/workflow.

Q: Regarding SOC tools, what do you think about AI tools used in SOC?

A: This is a fascinating question that I spent a good number of years trying to answer, starting from the time I was an analyst. I think over time I’ve reached a position that it makes sense to be skeptical about AI for security in the short term, but ultimately optimistic in the long term.

Naturally, there are a lot of vendors with overblown claims about how their ML/AI tools help security analysts. However, just as AI evolves to help other areas of human endeavor, cyber security is not an exception.

Today, the most likely machine learning tool that you will encounter in a SOC is some form of anomaly detection — such as a UEBA tool. These tools work and produce alerts that are often useful (just like rule-based alerts); however, it’s my take that there’s no magic cybersecurity AI today.

Q: What skill sets do you look for in threat hunter personnel?

A: Given that great hunting is ultimately an art, these artists need to also be top-tier technologists — and finding this skill set is difficult. Threat knowledge, deep technical knowledge, and creative thinking are all must-haves in this role.

Q: How can a small company/start up weigh out talent vs tools and cost?

A: Smaller organizations will often use more third-party services, and others won’t have a SOC in favor of an MSSP or an MDR provider. Others use a hybrid model. Naturally, this comes with its own pitfalls and benefits. The one key pitfall is that you can’t assume you can pay money to have someone take security completely off your hands.

Q: What about SOCs as a Service and Internal SOCs? Would your recommendations apply for both?

A: MSSPs and MDRs are the most common SOC-as-a-service providers. An MSSP provider may follow a more traditional SOC approach, or they may have the more modern SOC elements discussed in the webinar. On the other hand, many MDR providers I’ve encountered practice the modern SOC approach.

Check out the webinar replay here to learn more about the characteristics of a modern SOC. To learn more about how Chronicle can help equip your SOC with a modern security toolset, complete the Contact Sales form.

Let’s work together

Ready for Google-speed threat detection and response?

Contact us Visit the contact us page