The Expert View: Security Operations Design - Staying Adaptable and Agile in the Face of Change

The Security Operations Centre (SOC) is undergoing a paradigm shift, said James Todd, Chief Technology Officer at Adarma, opening a TEISS breakfast briefing at the Goring Hotel in London. He told the attendees, all senior security experts from various sectors, that organisations must protect a wider range of environments from a rapidly changing selection of threats.

Mr Todd said the SOC can use data to help in this battle, but the velocity, variety, and volume of data are constantly increasing. That data is expensive to store and move to new environments, so the challenge is getting smarter in designing security operations.

Unlocking value

Building and managing your own security operation is not ideal for every organisation, attendees said. Smaller businesses don’t have the staff they need to manage everything, for example, but even some larger companies are put off by the cost. That means relying on third parties. This approach can offer significant value.

Jules Anderson, Enterprise Sales Director at Adarma, pointed out that working with a managed security service provider with relationships with leading vendors provides value by delivering the scale that unlocks lower costs. Similarly, many third-party SOCs provide value because they offer industry-wide expertise rather than a more niche focus.

Those at the briefing agreed that the goal is to consolidate multiple vendors into a single dashboard to make all the insights available. However, that is very hard to achieve for various reasons, such as cost and compatibility.

At the briefing, some expressed concern about a recent wave of mergers and acquisitions in the cybersecurity space. They are wary of signing a long contract with a supplier only to find that the company is bought by another company and then ignored. They want to know that companies they partner with will continue to invest in and develop their products for the long term.

Avoiding lock-in

Another reason attendees are wary of long, “sticky” contracts is that they don’t want to be locked in with a supplier and then find that their needs change. One delegate says his company will only sign one-year contracts unless a supplier is part of its long-term plans.

Lock-in can also be problematic if switching from one product to another becomes difficult due to its compatibility with others. Mr Todd added that this can be avoided by building your security operations on an open architecture, which is a growing trend.

In addition to open architecture, another emerging approach is the federated model. This retains central control of security operations but allows for greater autonomy at lower levels. For example, Microsoft Azure includes security tools built specifically for that environment, so it makes sense to use those while retaining an overview at the top level to track emerging trends and actions being taken.

Mr Todd said that this architecture is more likely in future than monolithic, centralised approaches to security. However, organisations still need a solution to the volumes of data produced across these various environments. One attendee said his organisation produces petabytes of data daily; storing that is impractical for cost reasons and because it is difficult to draw meaningful insights from so much data.

Liberating human analysts

Those at the briefing agreed that the key is to turn data into information and then be smart about what is applied and where. Some delegates suggested that automation can help here. Artificial intelligence (AI) and machine learning (ML) can analyse large data sets to find patterns that might elude human analysts. They can also take on many of the repetitive tasks, such as filtering alerts so that human analysts can focus on more complex problems.

Even so, training AI and ML tools requires data, so organisations must ensure that they have the data needed to train the AI and that any such use of it fits within regulatory concerns. Regulations like GDPR affect what can be done with data.

Mr Todd said, summarising the briefing, that the future SOC must also include measurement and efficacy tools. That will allow organisations to consistently assess their performance and whether they are using resources effectively. Security remains a people and process business, even though we are in an increasingly data-driven world. Technology is there to drive value in security operations.


To learn more, please visit: www.adarma.com