Future of SOC: More Security, Less Operations
Download as PPTX, PDF•0 likes•389 views
The document discusses the evolution and future of Security Operations Centers (SOCs), emphasizing the need for automation and development over traditional operational practices. It highlights challenges organizations face such as alert investigation delays and high false positive rates. Recommendations include adopting engineering principles, reducing manual toil, and leveraging AI to enhance cybersecurity efficiency.
![Inspiration!
[In 2024] “you can’t “ops” your way to
SOC success, but you can “dev” your way
there”
-- Dr. Anton Chuvakin (source: “Kill SOC Toil, Do SOC Eng” blog)
So, which lessons does your SOC need? Operations
excellence or development success?](https://image.slidesharecdn.com/publicsocoffuturepast2024-finland-240329204549-1ef03faf/85/Future-of-SOC-More-Security-Less-Operations-2-320.jpg)
Future of SOC: More Security, Less Operations
- 1. Future of SOC: More Security, Less Operations Dr. Anton Chuvakin Office of the CISO, Google Cloud March 2024 https://medium.com/anton-on-security https://cloud.withgoogle.com/cloudsecurity/podcast/
- 2. Inspiration! [In 2024] “you can’t “ops” your way to SOC success, but you can “dev” your way there” -- Dr. Anton Chuvakin (source: “Kill SOC Toil, Do SOC Eng” blog) So, which lessons does your SOC need? Operations excellence or development success?
- 3. Outline ● SOC, a reminder ● Do we have to SOC, really? ● SOC automation: the ultimate in “easier said than done” ● SOC or “SOC”? ○ Do we have to engineer anything? ● AI will come and save us… right? RIGHT? ● Recommendations
- 4. SOC, SecOps, Security Operations Reminder
- 5. A security operations center provides centralized and consolidated cybersecurity incident prevention, detection and response capabilities. –Gartner A Classic SOC View! SOC is first a TEAM. Next a PROCESS. And it uses TECHNOLOGY too.
- 6. “We don’t have enough skilled engineers to make everything work” “Our processes are too manual, we are too slow to respond to and remediate threats” “We struggle to build effective detection and have too many false positives/negatives” 2003 or 2023? Sec Ops is Ripe for Transformation “We can’t store and analyze all data, resulting in blindspots” “It takes too long to investigate alerts” “It’s cost prohibitive to ingest all the data we need”
- 7. 07 This is How 20+ Years of Progress Look Like! :-( Organizations were notified of breaches by external entities in 63% of incidents (Mandiant M-Trends 2023)
- 8. Know anybody who does not have those problems? Yeah, that’s us :-)
- 9. You think you want to know just how Google does Detection and Response? WARNING FOR THOSE VIEWING ON SLIDESHARE: NEXT SLIDE IS SKIPPED
- 10. Your SOC DNA? 1990s NOC and Help Center Security Engineering Team
- 11. Secret 1: Why There is No Door that Says “SOC” at Google? It is because of the letter “O”..
- 12. … just like “IT Operations” SRE
- 13. Q: Would you rather write threat detection rules in Python or in Go? A: Eh…. no?
- 14. SRE, DevOps and Modern IT
- 16. Problem What does Google do? What do most enterprises do? Efficiency Automation/SRE is a mindset – part of the hiring process, part of OKRs, and performance reviews Experimenting with SOAR, full adoption is tough due to minimal automation culture Employee Shortage Requires coding interviews, attracts the best, invests in growth Hires traditional roles, no coding, outsources, less growth, more stress Employee Burnout 40/40/20 between eng, operations, and learning Utilization is almost always >100% Expensive Investment in efficiency solves for human costs Cost-prohibitive data ingestion, oftentimes paying SIEM and DIY, increasing cost from complexity Efficacy Intel strongly embedded in D&R, mostly utilized towards proactive work, strong collaboration across teams & benefits from developer hygiene CTI team produces great reports, SOC consistently doing fire drills, >90% false positive rate, uneven distribution of skill (Tier 3) Google D&R vs Enterprise “SecOps”
- 17. Increase overall tooling footprint 1 Eliminate toil Embrace change 2 Strive for continuous improvement 3 Bridge all siloes 4 Use service level objectives 5 Avoid hero mentality 6 7 Aim for simplicity Should: Restrict hiring to top professionals Require an engineering-only culture Aim for only incremental gain Autonomic Modern Security Operations Principles 1 2 3 4 Should not:
- 18. 1 Reduce toil Create an automation queue Implement blameless postmortems Conduct Weekly Incident Reviews Implement SOAR Hire Automation Engineer(s) Train your team on toil and automation Implement CD/CR pipelines with metrics Key activities to reduce toil 02 03 04 05 06 01 07
- 19. ● Analyst utilization gets optimized ● More creative work, less toil ● Time back to do more proactive work ● Deeper operationalization of intel ● SecOps can scale with the business! Evolve Automation 10X is an Underestimate!
- 20. Three phases of SecOps transformation Tactical Carries a sense of urgency and immediacy. A cautious way of saying “we’re in trouble and need an immediate fix before we go down in flames.” Often implies a 3-5 year vision and a roadmap how to achieve that vision. A major change that completely reshapes the organization in response to, or anticipation of, significant changes in organization’s environment. Strategic Transformational People Process Technology Influence
- 21. ● Model your D&R on DevOps, not best ops. ● A modern SOC is a team that “engineers” detection and response for an organization ● Reduce toil in your SOC - shift toil to machines. Evolve automation in SIEM, SOAR, threat intel, etc ● Magic? Relentless drive to D&R automation powered by a rapid feedback loop and engineering — led mentality. ● AI will help change the micro game for the defenders … but not the macro game. Recommendations
- 22. ● WTH is Modern SOC, Part 1 ● Kill SOC Toil, Do SOC Eng ● The original ASO paper (2021) ● Google/Deloitte Future SOC papers ● Detection as Code? No, Detection as COOKING! ● Cooking Intelligent Detections from Threat Intelligence (Part 6) ● EP75 How We Scale Detection and Response at Google: Automation, Metrics, Toil Resources
- 23. Google_logo 2021 | Confidential and Proprietary pg. 23 More Resources ● “Achieving Autonomic Security Operations: Reducing toil” ● “Achieving Autonomic Security Operations: Automation as a Force Multiplier” ● “Achieving Autonomic Security Operations: Why metrics matter (but not how you think)” ● “More SRE Lessons for SOC: Simplicity Helps Security” ● “More SRE Lessons for SOC: Release Engineering Ideas” ● EP75 How We Scale Detection and Response at Google: Automation, Metrics, Toil ● SRE Books