This Two-Part Series, comes with thanks from Rob Demain, the CEO and Founder of e2e-assure, world leaders in the set up and operation of SOCs, delivery of SOCaaS and developers of cyber monitoring platform CUMULO.
With substantial cyber security expertise and experience under his belt, Rob provides his insights into traditional versus modern SOC’s and what it takes to build and deliver a truly effective SOC service in a dynamic cyber threat environment.
The story starts with an analysis of the ‘woes’ of the traditional SOC model.
Since launching in 2013 e2e have used their own, specially designed SOC platform (“CUMULO”), designed as the ultimate analyst support tool, and have focused on recruiting the best and most diverse analysts in the business. Seven years on e2e is a leading UK SOC provider with a global presence and since 2019, a dedicated SOC based out of Canberra alongside Australian partner AUCloud – supporting AUCloud’s core IaaS customers indirectly and directly.
e2e recruits a wide and diverse workforce and in 2019 launched a dedicated programme (e2e-engage) focused on training and employing neuro-diverse individuals. A year on, the program is hailed as one of the major success stories and exemplar in the Cyber sector; with e2e providing real jobs, exciting futures and new opportunities whilst benefiting from the new talent they have found.
For these as well as other reasons e2e has emerged as a leader in their space and an example of how a unique cyber company can be founded and become hugely successful; in this case by doing things differently because they saw the opportunities created by the mistakes made by traditional SOC businesses.
e2e has their own take on what a modern SOC should look like and why the traditional SOC approached is increasingly less effective.
What is the problem with traditional SOC’s?
In summary, traditional SOC’s are expensive, low value, inflexible and routinely fail to deliver what is expected. The key reasons for this are listed below.
Traditional SOC technology is broken
- Focused on marketing ‘ideas’ and technical ‘features’, traditional SOC’s focus on things that are mostly of no use to a SOC operation, often make things worse by creating new sources of noisy alerts.
- They typically rely on old fashioned clumsy technology that is slow to adapt to the changing threat environment, and even slower, or indeed opposed to, incorporating the features that help the analyst do their job.
- Difficult to deploy and maintain, with an inordinate amount of time wasted on actual deployment and relatedly, trying to make them work – is a headache but ultimately a key distraction to the business and operation of the SOC.
- SOC’s are expensive, with crazy licensing models based on Gb/S or EPS rather than delivering Cyber Value, Cyber outcomes and risk mitigation.
- A SIEM is NOT a SOC; SIEMS do not deliver the required security outcomes (there is a breakdown in the relationship between the SOC operating model/desired outcomes and the traditional SOC technology).
Traditional SOC operating models are broken and are based on incorrect assumptions
- Technology heavy SOC’s rely on expensive third-party solutions, which were never designed to fit SOC operating models. Because of this the SOC operating models are forced to favour technology instead of processes, operating procedures and effective workflow.
- “Technology can solve the problem” – is incorrect; technology should assist humans in solving the problem – with the emphasis on humans being the most critical and important element.
- “AI can fix the problem” – is incorrect. AI can assist humans in performing their analysis, but it should not present them with impossible questions they cannot reverse engineer/answer/analyse (which seems to be the focus of most detection AI).
- “SOC automation can fix the problem” – is incorrect. Automation can assist a SOC analyst in their analysis process and can be trained to automate the ‘best’ analyst routines, but it cannot replace humans. Good SOC automation is about automating the routine and basic SOC tasks to make best use of human analyst time.
Traditional SOC spend models are broken
The ratios of people to technology are wrong.
Traditional SOC:
- 75% spent on technology, 25% on staff, training, process/playbook development.
- Traditional SOC’s spend more time maintaining the SOC technology then providing security operation services.
Modern SOC:
- 25% spent on technology, 75% on staff, training, process/playbook development.
- A SOC is about building an effective end to end operation, not about deploying and maintaining a SIEM (technology focused SOC).
- Technology focused SOC’s suffer from lack of flexibility, analyst frustration and customers and the business lack of visibility into what the SOC is doing.
In summary – with the best of intentions the reliance on technology is itself the flaw. It’s not that the technology is not relevant. It is just that when technology (including the setting up, operating and maintaining) becomes THE focus, the purpose and priorities of the SOC inevitably start to misalign with the focus of the activity. How to avoid this – is the topic of the second part of this story.
For Part Two of this blog: https://www.australiacloud.com.au/media/the-traditional-vs-the-modern-soc-back-to-the-future-part-two/
