SOCwise: A Security Operation Center (SOC) Resource to Bookmark

At the core of every organisation's management of cyber threats is a security operations function, whether run in-house or outsourced. McAfee was and remains committed to protecting cyber assets, and that commitment to advancing security operations comes with both experience and passion. SOCwise is our monthly blog, podcast and discussion series, led by two highly trained and dedicated security specialists. It is an ongoing source of practical advice on SOC issues, selected lessons on how a SOC actually functions, best practices drawn from a range of projects and customers, and perspectives on the future of security operations. We also invite guests to contribute to this series.


By Michael Leland, Technical Director of Security Operations, McAfee.

From the perspective of a SIEM veteran, nothing is more important to a security analyst than context. Note that I didn't say data or information, and I didn't even say threat intelligence. I'm talking about situational awareness: specifically, the business, user and data context that provides the critical insight and guidance needed to make timely, accurate and informed decisions about security events. A typical SOC analyst can handle dozens of incidents per shift, some requiring no more than a few minutes and even fewer clicks to quickly and accurately determine the risk and impact of potentially malicious activity. Other incidents require far more effort to resolve, as the analyst works to understand intent, impact and attribution.

In most cases, we see the role of the SOC analyst as that of a data investigator: asking and answering questions of the underlying data to determine whether an attack is evident and, if so, the extent and impact of the adversary's activity. The modern SOC has evolved from centralised data collection, information sharing and coordination, where each security stakeholder operated within a predefined set of expectations during assessment and remediation, to a fully distributed group of stakeholders (application developers, operations, analysts, architects, management) whose lines of authority, expectations and responsibilities are sometimes so blurred as to be unrecognisable.

How can today's SOC maintain the highest level of threat detection, incident response and compliance when it may no longer own all (and sometimes only part) of the context needed to turn data into information? Will the security operations centres of the future resemble those we have built in recent years? From the mass shift to remote work forced by an unexpected pandemic to the cloud transformation initiatives reshaping the modern enterprise, it is clear that the very foundation on which the SOC was built is slowly crumbling away. These are just some of the questions we will try to answer in this blog series.

By Ismael Valenzuela, Chief Engineer, McAfee.

I've been in this business, which we used to call information security, for 20 years. During that time I've had the opportunity to work on both the defensive and offensive sides, as a practitioner, consultant, architect, engineer, student, and as a SANS author and instructor. I'd like to believe I learned something along the way. For example, as a penetration tester and red teamer, I learned that there is always a way in, that prevention is ideal but detection is mandatory. As a security architect, I learned that a defensible architecture strikes the right balance between prevention, monitoring, detection and response. As an incident responder, I learned that time, planning and strategy are the most important factors in deterring the adversary. As a security analyst, I learned how to automate and orchestrate humans and machines so as to perform more analysis while collecting less data. As a threat hunter, I learned to focus on adversary behaviour rather than on vulnerabilities. And as a governance, risk and compliance consultant, I learned that security is about trade-offs, costs and benefits, flexibility, adaptability, and the recognition that for most of our customers security is not their core business, but something they do to stay in business. Summarising 20 years in a few sentences is not easy, but no one has summed it up better than Bruce Schneier, who, as I recall, wrote exactly 20 years ago: "Security is a process, not a product."

And I'm sure you'll agree with me that the processes have changed a great deal over the last 20 years. This change, which had already begun with the adoption of cloud and DevOps technologies, now creates an interesting and unforeseen circumstance. Just when security operations were getting off the ground, just when they had finally stepped out of the shadows and earned the respect and the budget needed to deliver the desired results, just when we thought we had succeeded, we were told to pack our bags, leave the physical confines of the SOC, and let everyone work remotely.

If that doesn't bring enough uncertainty, I read that Gartner predicts that 85% of data centers will be gone by 2025. So I can't help wondering: is this the end? Is the SOC, as we know it, dead? What does the future of SecOps look like in this new paradigm? How will the roles change? Do developers now own security in the way they write code? Is it realistic to expect a fully automated SOC in the near future?

Join this new SOCwise series, in which Michael and I explore the answers to these and other questions about the future and the democratisation of the SOC and SecOps.
