The Return of the Baby ASO: Why SOCs Still Suck? | Anton Chuvakin - All Articles - CISO Platform

“Flickering screens, a sickly, yellow glow. Humming servers, a constant, low thrum of digital malaise. Alerts screamed into the void, a cacophony of meaningless noise, lost in the echoing expanse of our digital tomb. Playbooks, relics of a forgotten war, their pages yellowed and brittle, offered no solace, only a hollow echo of outdated procedures. We were digital ghosts, sorting through the digital detritus of a network that had long since abandoned us. Management saw tickets, not threats, numbers on a spreadsheet, not human beings drowning in a sea of pointless, false alerts. Training: PowerPoint purgatory, a soul-crushing parade of bullet points and stock photos, designed to induce sleep, not understanding.


Each sunrise, a fresh wave of futility crashed against our resolve, another day of meaningless tasks and unfulfilled potential. We were Sisyphus, eternally pushing the boulder of alerts uphill, only to watch it roll back down, crushing our spirits with its relentless weight. The network decayed around us, a slow, agonizing rot, and we decayed with it, our skills atrophying, our purpose fading. Meaningless tasks, endless nights, the same alerts, the same useless playbooks, the same hollow promises. The hum never stopped, a constant, droning reminder of our insignificance, a soundtrack to our slow, digital demise.” [Gemini 2.0 Flash when prompted ‘write a very very depressing short story about working in a bad SOC’]

SOC stuck in the past via Meta AI


So, where am I going with this?

  1. You have a SOC, and you hate your SOC; you have a right to do so — frankly your SOC sucks. And it causes pain.

  2. You are vaguely aware that a better model may exist [OK, it does exist, but you are not yet convinced that it does or that it applies to you, so I am using “may” here]

  3. You have no idea whatsoever what to do about it.


Sure, you read a lot on this, you read the original SOCless piece from Netflix (2018), its ADS prequel (2017), other prequels (also 2017, with this gem “When a human being is needed to manually receive an alert, contextualize it, investigate it, and mitigate it… it is a declaration of failure.”) and more recent writing like our ASO (2021), my “baby ASO” (2024), and even some practical advice on “SOCless on-call” (here as well).


Yet you are left with utter confusion about the practical applicability of “modern SOC” and “SOCless” (or is it “sock-less”?) in your environment. Depression is creeping in. You start to believe in ghosts … and AI SOC seems plausible by comparison.


Any hope, Anton?

Maybe.


Let’s borrow from Cognitive Behavior Therapy and start with the facts (PLEASE, if you see a vile opinion creep into the list below, let me know):

  1. Classic “NOC DNA” or “helpdesk DNA” SOC is not working well enough for modern threats and environments (but mostly the environments)

  2. The “Alert Tsunami” continues to overwhelm analysts. Traditional SOCs are drowning in a sea of alerts, many of which are false positives. This has not changed in decades.

  3. Many ways to make it slightly better exist, none of them (even used collectively) truly fix the problem described in 1, but only make this slightly less painful, at best.

  4. AI, naively applied, is one of the ways mentioned in #3 above. It works. It helps. It does not “fix it.”

  5. Living with the problem unsolved remains possible for many organizations, and this will be true for some time. It is considered “OK” to have a 2005-style SOC in 2025.
  6. Some try to outsource the problem; it occasionally “works” and sometimes fails spectacularly. Otherwise, see item #3 again.

  7. A way (never stated to be the only way, hence “a”) to actually fix this exists (SOCless, ASO, etc) but it remains largely unachievable by many.

  8. SOCless or an “engineering-led approach to D&R” does not mean “just abolish your SOC.” The way involves radical change, not (only) incremental improvements. This is what those who did it report.

  9. Attempts to make less radical changes to solve the problem are largely unsuccessful (yes, linking to my own blog as an example). This is filed under “You Can’t Cross a Chasm in Two Small Jumps.”

  10. Simply buying modern tools (modern SaaS SIEM/SOAR, “decoupled SIEM”, etc) does not change anything if people/processes remain in “NOC DNA” 1980s land. Rewind your Walkman!

  11. New environments (newsflash: cloud is new to some!) add complexity. The shift to cloud and hybrid environments has expanded the attack surface and introduced new challenges and “alien” [to classic security!] IT practices like DevOps, further straining traditional SOC models.

  12. It is a lot easier to modernize your SOC (D&R) if the rest of your stack is modern as well (security and, yes, IT as well).


With me so far? So what’s next? Let’s try these for now (additional advice):

The path — SOC team lead:

  • Self-assess: Realize where you are with your team (SOC is a team first!)

  • Prioritize Automation: Identify and implement automation opportunities (likely using SOAR or a DIY equivalent) to reduce manual work and optimize analyst time. Pick a fight with toil!

  • Start with the low-hanging fruit. Identify the 3 most repetitive tasks your analysts are doing and automate those this week. Use SOAR, or even a simple Python script.

  • Shift Metrics: Move from volume-based (e.g., tickets closed) to effectiveness-based metrics (e.g., automation coverage) to measure true impact.

  • Develop Engineers: Encourage analysts to learn detection engineering and implement role rotations to build engineering skills in the team.
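The two bullets above on finding the most repetitive manual work and on reporting automation coverage instead of ticket counts can be driven from the same closed-ticket data. The script below is an added illustration, not code from the original post; the ticket records, field names and alert types are constructed for the example.

```python
from collections import Counter, defaultdict

# Constructed sample of closed SOC tickets (not real data). Each record carries
# the alert type, who closed it (analyst or automation) and analyst minutes spent.
SAMPLE_TICKETS = [
    {"alert": "phishing_report", "handled_by": "analyst", "minutes": 12},
    {"alert": "phishing_report", "handled_by": "analyst", "minutes": 10},
    {"alert": "phishing_report", "handled_by": "automation", "minutes": 0},
    {"alert": "phishing_report", "handled_by": "analyst", "minutes": 8},
    {"alert": "impossible_travel", "handled_by": "automation", "minutes": 0},
    {"alert": "impossible_travel", "handled_by": "automation", "minutes": 0},
    {"alert": "malware_quarantined", "handled_by": "analyst", "minutes": 5},
    {"alert": "malware_quarantined", "handled_by": "analyst", "minutes": 4},
    {"alert": "dlp_usb", "handled_by": "analyst", "minutes": 20},
    {"alert": "impossible_travel", "handled_by": "analyst", "minutes": 15},
]


def automation_coverage(tickets):
    """Effectiveness metric: share of tickets closed by automation, overall and per alert type."""
    total, automated = Counter(), Counter()
    for t in tickets:
        total[t["alert"]] += 1
        if t["handled_by"] == "automation":
            automated[t["alert"]] += 1
    per_type = {alert: automated[alert] / total[alert] for alert in total}
    overall = sum(automated.values()) / sum(total.values()) if tickets else 0.0
    return overall, per_type


def top_manual_toil(tickets, n=3):
    """Low-hanging fruit: alert types ranked by analyst minutes burned on manual handling.

    Returns (alert, manual_ticket_count, manual_minutes) tuples, highest toil first.
    """
    minutes, count = defaultdict(int), Counter()
    for t in tickets:
        if t["handled_by"] == "analyst":
            minutes[t["alert"]] += t["minutes"]
            count[t["alert"]] += 1
    ranked = sorted(minutes.items(), key=lambda kv: kv[1], reverse=True)
    return [(alert, count[alert], mins) for alert, mins in ranked[:n]]


if __name__ == "__main__":
    overall, per_type = automation_coverage(SAMPLE_TICKETS)
    print(f"automation coverage: {overall:.0%} overall, per type: {per_type}")
    for alert, tickets, mins in top_manual_toil(SAMPLE_TICKETS):
        print(f"automate next: {alert} ({tickets} manual tickets, {mins} analyst minutes)")
```

Feed it an export from your ticketing system instead of the constructed list and the "automate next" lines are this week's three tasks, while the coverage figure is the number to report upward in place of tickets closed.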


The path — SOC “analyst” / team member:

  • Learn Detection: Focus on understanding how detections are created, not just responding to them, to improve proactive threat hunting.

  • Suggest Automations: Identify and recommend tasks suitable for automation to reduce manual toil.

  • Improve Processes: Participate in blameless postmortems to learn from incidents, improve processes, and make the feedback loop faster.


The path — CISO or equivalent:

  • Acknowledge SOC Evolution: Recognize that traditional SOC models need radical change, not just minor improvements, for modern environments and threats. Stop obsessing over tools, start obsessing over people.

  • Invest in Engineering: Allocate resources for automation and engineering skills within the SOC for long-term effectiveness. Allocate 10% of your SOC budget specifically for training and development in engineering skills. Track it, measure it, hold people accountable!

  • Align Metrics: Ensure SOC metrics reflect strategic security goals, focusing on effectiveness vs threats over operational efficiency.


More on this soon! Now, go and pick one of these recommendations and implement it this week.

Related resources (a lot more of those are all over the blog):


- By Anton Chuvakin (Ex-Gartner VP Research; Head Security Google Cloud)

Original link of post is here
