The SOC of the Future: Predictions from the Front Line

Last updated at Thu, 11 Jan 2018 15:55:24 GMT

There is no perfect security operations center, and I say that having worked at one in the past and collaborated with many others since then. That said, as an industry, we are always evolving and improving.

Recently, I shared 6 lessons learned while working in a SOC, and today I want to talk about where we at Komand believe the SOC is heading in the future and why. Here are seven predictions for how the SOC will evolve over the next few years:

1. Security Will Perform More Engineering Work

In an increasingly complex threat landscape, security will start getting more involved with development—as well as operations, IT, and other cross-functional groups in order to secure across all types of systems using automation.  From a talent perspective (and a career growth perspective), this means that more security engineers will need to have at least some software engineering skills.

If you’re a security engineer right now with software engineering skills, you’ll find yourself in high demand (although the talent pipeline will likely catch up to the demand eventually).  For organizations that cannot hire one of these coveted talent unicorns, security orchestration platforms can provide a bridge for your organization by empowering your existing team to perform sophisticated automations without a heavy software engineering lift.

2. The Wall Will Come Down

There has long existed an invisible wall between security and the rest of the organization. But it’s crumbling, and will continue to do so at a rapid clip in the coming years. Part of this is because security posture affects all aspects of an organization, and everyone needs to take ownership of it.  

So in addition to security taking a greater role in designing security into development and operations, security monitoring and other tasks that are currently the purview of the SOC will increasingly be crowdsourced to other aspects of the business (see: distributed security alerting).  Engineering, operations and general IT personnel will all be required to own more parts of security in order to make it scale.

This is a good thing for both sides of the equation, as security touches nearly every aspect of running a successful business amidst today’s threat landscape.

3. Machine Learning Will Drastically Improve Detection

Threat detection in the SOC of the future will be smarter.  The challenge right now is that teams are using many products for data collection and alerting, and collecting tons of data on a granular level. We now have the big data systems to store all of this data and, yes, there is some limited  ability to  analyze it, but teams can still (easily) drown in the “noise” of all this data.

When it comes to sifting through security alerts, the technology needed to accurately identify the real threats among thousands of unprioritized alerts is still nascent.  Machines can already do a lot of amazing things, like driving cars and recognizing faces. Now,  machine learning and artificial intelligence are starting to be applied to threat detection. That’s a good thing, since it means detection will become more accurate (fewer false positives) and more automated (less time spent on early stages of triage).

4. Sharing Will Be Caring (And Standard Practice)

When it comes to security engineering and architecture, designing systems that have security built in is still very challenging. Frankly, many organizations do not have the skills needed to accomplish this in-house.  However, it’s never been easier (or more important) to crowdsource and open source all kinds of security capabilities.

Like herd immunity, sharing tools, processes, and techniques around security will actually keep the entire community safer from hackers with bad intentions. The SOC of the future will focus not just on its own needs, but on enabling other organizations to implement security best practices too. As the industry continues to work together,  security innovation will no longer be limited to organizations with high budgets and cutting-edge talent.

5. Education Holds the Key to the Skills Gap

If your job is to hire security folks, then you already know that it’s really hard to find qualified candidates! Part of the challenge is that traditional schools still aren’t really teaching the skills necessary for IT security today. The only options for many people right now are: on-the-job training, self-training, or purchasing courses like SANS.  This doesn’t scale well.

We as a community need to develop better methods and formats for training the next-generation security workforce.   In service of this goal, we should be taking advantage of emerging technologies in the education space, like e-learning platforms and MOOCs. I predict that the coming years will see significant growth in this area, and that’s fundamental to the future of the SOC.

6. Teams Will Run Lean, With Outside Experts On Hand

Currently, internal security teams (outside of high-risk industries like finance and healthcare) tend to be fairly small (if they exist at all). This is the case even at large technology companies. In the next few years, security teams will not get smaller, but as demand increases for security skills, it’s likely that teams will be “extended” via technology.

We are starting to see new models that offer outsourced speciality help for security-related functions like application security testing, penetration testing, compliance, and many more. This means both skilled consultants and platforms that connect companies with talent will be increasingly important. The companies that choose to outsource or crowdsource their security needs to skilled external teams will drive innovation in this space.

7. The Dawn of the Age of Security Orchestration

The glue that binds threat detection and response is often fragile. In many organizations, security teams rely on manual efforts  to  coordinate incident response processes, which can be tedious and imperfect. To be smarter and faster, security practitioners  need  to rely on broad automation to handle everything from security monitoring to incident response to vulnerability management in a more effective way.

That said, just as important as automation is the connective tissue that ties one part of the process to the next. At Komand, we call this security orchestration. The reality is that there are many great security tools out there, but what we really need is for them to play nicely together if we are going to succeed at defending our organizations. Automation is good, but orchestration is the secret sauce of a successful SOC.  

Orchestration and automation will help small teams (who are often strapped for resources) and large teams (who have massive environments to manage and monitor), and push us toward a future where security is a well-oiled machine, integrated with the larger organization, and systematically focused on the right tasks at the right time.

To get you going with security orchestration and automation, we've got an eBook on Security Automation Best Practices. In this guide, we cover: how to prepare your security org for orchestration and automation, criteria for building or buying, when to bring automation if for maximum effectiveness, and much more!