Chronicle recently hosted a very well-attended webinar with ISACA focused on the characteristics of a modern SOC (see “Trend for the Modern SOC” for a replay link). We got a lot of great questions, and would like to follow up on these and highlight some of the answers.
Q: You mentioned that SOC is first a team: which skills are expected to distinguish the “basic” SOC from the modern SOC?
A: Skills such as threat hunting, threat intelligence, and data analytics are key characteristics of a modern SOC. While these are less common in traditional SOCs, they power the capabilities of the modern SOC that we discussed in the webinar.
Q: Can we achieve a fully automated AI/ML-based OODA loop? Fully automated onboarding of log sources, threat detection rule creation, playbook creation, response, automated integration, and execution.
A: Today and in the near future, the complete automation of most SOC processes is likely not possible — see reference link. The most difficult activities occur at the end of the chain where automated response and other actions take place. Certain situations also require human decision-making in order to deal with a high degree of uncertainty. Finally, the onboarding of many tricky telemetry sources may require humans to iterate and sometimes make changes to the configurations.
Today, automation is more widespread in areas like detection (creating alerts) and triage (enriching and confirming alerts), but far less widespread in remediation and data onboarding. While we do not expect any massive changes here soon, automation in these areas will grow as organizations adopt more public cloud.
Q: What is the difference between SIEM and SOC?
A: SIEM is a particular security tool, and a SOC is the name of a team that performs associated security processes and often uses a variety of security tools (including, for many SOCs, a SIEM).
Q: If we can’t get top tier attackers out of our network — how does a company handle that risk?
A: This is a tough challenge. Most organizations that encounter this will need to call for help, and invite a 3rd party incident response team to help investigate and ultimately get the attackers out.
It is entirely possible that you will encounter very advanced attackers, and in this case, you must ask for help and there is no way around it — cost notwithstanding.
Q: Can you touch on dispersed SOC staff, especially in a COVID environment? Is it practical to spread your staff remotely across the USA? Outside the USA?
A: The “follow the sun” SOC model is very well known and many global organizations practice it — even if they do so with distributed teams rather than distributed individuals. However, it is also very clear that during the pandemic many detection teams and formal SOCs operated in a distributed manner. The jury is likely still out on whether these SOCs were more or less productive — but the approach definitely did not fail, so the model may work.
Q: What makes a good SOC?
A: My take is that an underperforming SOC is one that over-indexes on technology and has excessively rigid processes, while a good SOC is one that really focuses on people as opposed to process/workflow.
Q: Regarding SOC tools, what do you think about AI tools used in SOC?
A: This is a fascinating question that I spent a good number of years trying to answer, starting from the time I was an analyst. I think over time I’ve reached a position that it makes sense to be skeptical about AI for security in the short term, but ultimately optimistic in the long term.
Naturally, there are a lot of vendors with overblown claims about how their ML/AI tools help security analysts. However, just as AI evolves to help other areas of human endeavor, cybersecurity will be no exception.
Today, the most likely machine learning tool that you will encounter in a SOC is some form of anomaly detection — such as a UEBA tool. These tools work and produce alerts that are often useful (just like rule-based alerts); however, it’s my take that there’s no magic cybersecurity AI today.
Q: What skill sets do you look for in threat hunter personnel?
A: Given that great hunting is ultimately an art, these artists need to also be top-tier technologists — and finding this skill set is difficult. Threat knowledge, deep technical knowledge, and creative thinking are all must-haves in this role.
Q: How can a small company or startup weigh talent versus tools and cost?
A: Smaller organizations will often use more third-party services, and others won’t have a SOC in favor of an MSSP or an MDR provider. Others use a hybrid model. Naturally, this comes with its own pitfalls and benefits. The one key pitfall is that you can’t assume you can pay money to have someone take security completely off your hands.
Q: What about SOCs as a Service and Internal SOCs? Would your recommendations apply for both?
A: MSSPs and MDRs are the most common SOC-as-a-service providers. An MSSP may follow a more traditional SOC approach, or it may have the more modern SOC elements discussed in the webinar. On the other hand, many MDR providers I’ve encountered practice the modern SOC approach.
Check out the webinar replay here to learn more about the characteristics of a modern SOC. To learn more about how Chronicle can help equip your SOC with a modern security toolset, complete the Contact Sales form.