The Expert View: The Future SOC

Cybersecurity remains a pressing challenge in today’s increasingly complex organisational environments. As businesses adapt to a massively distributed architecture, the discussion on the future of Security Operations Centers (SOCs) becomes paramount. Recently, industry leaders gathered at a TEISS Breakfast Briefing hosted by Adarma to delve into this crucial topic. Here are the key insights and observations from the event:

Advanced Risk Assessment:

Businesses are facing an environment with massively distributed architecture and service consumption, from multi-cloud installations to IT estates that mix on-premises and off-premises systems. Therefore, it’s essential that organisations consider their controls on all those environments to protect their data. The SOC of the future will need oversight of all those environments while also staying abreast of new tools and technologies, such as artificial intelligence (AI) and machine learning (ML).

Securing the estate is challenging because many organisations do not have a good enough overview of their assets. But they can’t understand risk without an up-to-date picture of their assets - and part of staying up to date is making regular risk assessments. Companies assess their credit risk frequently, for example, but are often happy to evaluate cyber risk just once a year. Both are existential risks and need to be monitored regularly.

This allows for a more mature attitude to risk. Most businesses say they carry out all their patches, or at least try to, but some attendees argued that this could be a less mature approach. It isn’t worth patching a vulnerability identified by a manufacturer if you know that you are not at risk from that problem, perhaps because the asset in question on your estate is not connected to the internet. You could spend the time on something more useful instead. However, you can only make this decision with a clear understanding of your IT environment.

Focus on the Big Picture:

Beyond immediate security alerts, the future SOC must focus on detecting subtle indicators of potential threats. One attendee said businesses give most attention to immediate security alerts at the expense of smaller, less obvious events that might be chained together to point to a more complex threat. A series of small actions playing out over several years might be overlooked entirely by many SOCs. However, sophisticated attackers are often willing to play a long game to get the access they want.

Adding to this risk is the fact that many SOCs only keep logs for the past six months unless they are in a regulated sector where longer record-keeping is mandated. It can be expensive to store records for longer periods, but some patterns of suspicious behaviour do not become apparent in just six months, underscoring the need for extended record-keeping capabilities.

Provide the Right Incentives:

Organisations must understand whether they are using the right Key Performance Indicators (KPIs) to measure and incentivise the performance of their SOCs. Often, businesses default to measuring things that are easy to measure, but these can incentivise the wrong behaviours. For example, Mean Time to Respond (MTTR) is a common KPI, but how much does speed of response tell you? The most critical factor is resolving the incident or even spotting it before it develops.

One attendee argued that businesses should focus on Key Risk Indicators (KRIs) and concentrate on driving risk down. Then, the question becomes, what risks are you eliminating and how quickly? This is more important than what has been achieved. For instance, if you are patching servers, then the number that matters is not how many you have done but how many you haven’t.

Overall, attendees agreed SOC teams are being incentivised on quantity when they want to be assessed on quality. They want to spend their time hunting for the hard-to-find risks and vulnerabilities. That ties into a point another attendee made about staff retention. He said SOC analysts are hard to “keep entertained”, so they tend to change jobs frequently. Recruiting replacements is time-consuming and expensive, so he plans to outsource his SOC entirely to avoid dealing with that.

Communicating with the Board:

Incorporating the aforementioned modifications into the upcoming SOC is subject to funding from the board, which has been a roadblock for many individuals attending the briefing. One attendee summed up their experience by saying, "We are attempting to offer solutions to those who are not taking cyber threats seriously." The difficulty lies in finding a more effective way to communicate the importance of cybersecurity.

One method is to turn the risk into a monetary figure. In this case, the CISO would present a ‘risk value’, which is the likelihood of something happening multiplied by how much the company would lose if it did. The CISO could then explain that the risk value is £4 billion and talk about the extent to which various options could reduce that.

Be Proactive and Flexible:

It’s imperative to prioritise proactive and flexible strategies. The evolving threat landscape demands continual adaptation to emerging tools and technologies. However, while embracing innovation, future SOCs must guard against the risk of technological lock-in, which can impede future flexibility and responsiveness. A proactive stance entails not only adopting new solutions when appropriate but also maintaining agility to pivot in response to evolving threats and organisational needs. By fostering a culture of adaptability and foresight, future SOCs can effectively navigate the dynamic cybersecurity landscape and mitigate emerging risks.

Let’s Talk:

If you would like to learn more about how Adarma can support your organisation’s cyber resilience, please get in touch with us at hello@adarma.com.

To hear more from us, check out the latest issue of ‘Cyber Insiders’, our c-suite publication that explores the state of the threat landscape, emerging cyber threats, and most effective cybersecurity best practices.

You can also listen to our new podcast, which explores what it’s really like to work in cybersecurity in today’s threat landscape.

Stay updated with the latest threat insights from Adarma by following us on X and LinkedIn.