Automated SOCs — Musings from Industry Analysts (and Ex-analysts)

Figure 1 — Typical phases of threat detection, investigation, and response in SOCs

Legacy/operational maturity model for SOCs

The legacy way to look at making a SOC more autonomous is to automate as much as possible each of the phases of the SOC, from left to right, starting with collection and detection. Legacy SOC approaches are based on two wrong assumptions:

Figure 2 — Tactical maturity model and metrics for SOCs based on speeds and feeds — timing, log ingestion and volume

What comprises an end-to-end use case?

Historically, most security use cases have focused on security monitoring, including threat detection but also other scenarios such as detecting policy and compliance violations or misuse of corporate resources. These other scenarios can also be treated as threats to the organization, which provides a good framework for approaching the SOC’s mission. Monitoring and detection are, of course, key, but they are not enough: monitoring and detecting threats is not the end goal, only the first step towards one of the SOC’s primary goals — returning the organization to a known, good state after an incident.

Figure 3 — Content for end-to-end, full lifecycle of a use case

Proper maturity model for SOCs

Once a use case is defined, SOC analysts can treat its full lifecycle as a continuum. We can then introduce a maturity model that focuses on use case sophistication and complexity, based on our ability to automate each use case from end to end rather than phase by phase, left to right. A successful maturity model therefore follows use case complexity and coverage, as described below.

Figure 4 — Proper maturity model based on outcomes, use case complexity and coverage

Gorka Sadowski

Cybersecurity expert and Chief Strategy Officer at Exabeam. Former Gartner analyst driving SIEM and SOC research and builder of the Splunk security ecosystem.