Security Operations Centers (SOCs) are largely confined to big businesses and governments, especially large federal governments and the large enterprises of the global 1,000.
Unfortunately, the resources - and the available security talent - that are common among the global 1,000 and large federal governments are not common among local governments, small businesses, and most healthcare service delivery institutions. The numbers back this up, if data breaches are representative performance indicators.
Data Breach and Cybercrime Indicators
For example, the data breach statistics of the Identity Theft Resource Center show that the medical, healthcare and business sectors together accounted for the largest share - almost eight in ten (79 percent) on average - of the data breach events the center tracked between 2012 and 2016.
By comparison, Hackmageddon's data for November 2016 shows that more than 80 percent of the cyberattacks it tracks are due to cybercrime, with the majority directed at three industry sectors: hotels and hospitality (23.5 percent), retail (17.6 percent), and entertainment (11.8 percent).
The remaining targets in November 2016 - as tracked by Hackmageddon - include email marketing companies, software firms, adhesive, glue and tape companies, online food ordering firms, video game companies, lotteries, recruitment sites, and property management firms. What characterizes the Hackmageddon list - at least for November 2016 - is smaller firms with fewer resources and less mature cybersecurity programs in terms of talent, equipment, risk controls, finances, and management systems.
So, is having a SOC the difference between good and bad outcomes? Not necessarily. But in theory, having access to the capabilities of a SOC spells the difference between knowing you have been breached and not knowing it. Although even here there is some dispute about the effectiveness of SOCs.
Today's SOCs are So Yesterday
For example, when most people are asked when they found out about a data breach or data loss event, the answer is invariably "afterwards", and the source is most often someone outside the organization who notices something on darknets, or notices the resale of identity and medical, health or credit-related account information. "We might find out about it" is the more prevalent profile among small businesses, whereas the most common profile among larger enterprises and federal governments is "we find out about it afterwards - often from someone outside our organization."
Which raises a good question: what good are SOCs today?
Based on the evidence: not much good at all.
So, why do large enterprises and federal governments spend so much more on SOCs than others (and spend a lot they do)?
Well, part of the answer has to do with herd psychology, part with external pressure from auditors and certification bodies, part with "we can because we have the resources", and part with having committed big dollars to a heavy-lifting exercise that must show some improvement, even if it is slight.
For others, the legacy SOC of today is a leftover of the optimism in silver bullets typical of the white hat community.
The Changing Nature of SOCs
The SOC of yesterday, however, is about to experience change the likes of which it has never seen before.
In the old days (and even up to today), SOCs have been instrumented using data piped to large databases from numerous security log and event collectors, including those on network switches, routers, large telco links, and compute and data storage farms.
Using a variety of tools, ranging from embedded transforms, pivots and ETL jobs to Hadoop and Spark data lakes, these data pipes deliver relevant security event data to analytics that are supposed to identify anomalies hidden like needles in haystacks.
Unfortunately, the approach is not working well, except among the largest and best-resourced organizations - and even there, incidents and their consequences become fat tails.
The SOC of the future does not use the legacy design concepts of the past ten years to implement immediate visibility into what is occurring that might be, or is, dangerous to the organization. Moreover, the advances in technology and its applications will be made available easily and affordably as Cloud SOC services to all organizations, small and large alike.
Some of the emerging technology changes that are contributing to the new Cloud SOC services include:
- Deception systems. One breakthrough for the new SOC comes from the arrival of deception services delivered via the Cloud that shower an organization's network with lures that no legitimate user has any reason to touch, so that contact with a lure identifies an attack in real time, as it occurs.
- Data science. Another breakthrough for the new SOC comes from the arrival of cognitive, AI and ML data intelligence systems that comb through patterns in data to predict security events before they hit.
- Threat and risk services. Another breakthrough for the new SOC comes from the arrival of predictive data intelligence systems trained on, and learning from, signals in the external environment of the Cloud around the world.
- Orchestration services. A further breakthrough for the new SOC comes from hybrid orchestration systems that provide visibility across the hybrid nature of the modern IT landscape.
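The contrast between the two detection styles described above - the legacy pipeline hunting for statistical needles in a haystack of collected events, and a deception lure that fires on a single touch - is easier to see on a concrete event stream. The following is an added example, not code from the original article or from any vendor it alludes to. It runs both detectors over a constructed sshd-style auth log; the log lines, the decoy account name `svc_backup_ro` and the thresholds are assumptions chosen for illustration.

```python
import re
import statistics
from dataclasses import dataclass

# Planted decoy account (hypothetical name). It is used by no real workflow,
# so any authentication attempt against it is hostile by definition.
DECOY_USERS = frozenset({"svc_backup_ro"})

# Constructed sshd-style auth events: five ordinary users, one noisy brute
# forcer (203.0.113.9) and one low-and-slow probe of the decoy (198.51.100.7).
BRUTE_LINES = [
    f"Nov 14 10:05:{i:02d} bastion sshd[210]: Failed password for invalid user {u} "
    f"from 203.0.113.9 port {40001 + i} ssh2"
    for i, u in enumerate(["root", "admin", "test", "oracle", "postgres", "ubuntu",
                           "root", "admin", "pi", "git", "deploy", "root"])
]
SAMPLE_LOG = "\n".join([
    "Nov 14 10:00:01 bastion sshd[201]: Accepted password for alice from 10.1.1.5 port 51122 ssh2",
    "Nov 14 10:00:09 bastion sshd[202]: Failed password for bob from 10.1.1.6 port 51130 ssh2",
    "Nov 14 10:00:12 bastion sshd[202]: Accepted password for bob from 10.1.1.6 port 51130 ssh2",
    "Nov 14 10:01:44 bastion sshd[203]: Failed password for carol from 10.1.1.7 port 51201 ssh2",
    "Nov 14 10:01:50 bastion sshd[203]: Failed password for carol from 10.1.1.7 port 51201 ssh2",
    "Nov 14 10:01:58 bastion sshd[203]: Accepted password for carol from 10.1.1.7 port 51201 ssh2",
    "Nov 14 10:02:30 bastion sshd[204]: Accepted password for dave from 10.1.1.8 port 51310 ssh2",
    "Nov 14 10:03:05 bastion sshd[205]: Failed password for erin from 10.1.1.9 port 51400 ssh2",
    "Nov 14 10:03:11 bastion sshd[205]: Accepted password for erin from 10.1.1.9 port 51400 ssh2",
    *BRUTE_LINES,
    "Nov 14 10:09:17 bastion sshd[230]: Failed password for svc_backup_ro from 198.51.100.7 port 60010 ssh2",
    "Nov 14 10:09:20 bastion sshd[231]: Accepted password for alice from 10.1.1.5 port 51500 ssh2",
    "Nov 14 10:09:20 bastion sshd[231]: pam_unix(sshd:session): session opened for user alice",
])

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>[\d.]+) port \d+"
)


@dataclass(frozen=True)
class Event:
    ts: str
    host: str
    outcome: str  # "Failed" or "Accepted"
    user: str
    src: str


def parse(text: str) -> list[Event]:
    """The collector/ETL step: normalise raw lines into events, dropping lines
    that are not authentication results (e.g. the pam_unix session line)."""
    return [Event(**m.groupdict()) for m in map(LINE_RE.match, text.splitlines()) if m]


def failed_counts(events: list[Event]) -> dict[str, int]:
    """Failed logins per source IP, keeping zeros for sources that only succeeded
    so the baseline reflects the whole population."""
    counts = {e.src: 0 for e in events}
    for e in events:
        if e.outcome == "Failed":
            counts[e.src] += 1
    return counts


def statistical_alerts(events: list[Event], min_fail: int = 10, k: float = 5.0) -> dict[str, int]:
    """SIEM-style anomaly rule: flag sources whose failure count sits far above the
    crowd. Median and median absolute deviation (MAD) are used so one loud attacker
    cannot drag the baseline up. If every source looks alike (MAD == 0) only the
    absolute floor min_fail applies, which is what makes the low-and-slow probe
    below invisible to this detector."""
    counts = failed_counts(events)
    values = list(counts.values())
    med = statistics.median(values)
    mad = statistics.median(abs(v - med) for v in values)
    threshold = max(min_fail, med + k * mad)
    return {src: n for src, n in counts.items() if n >= threshold}


def decoy_alerts(events: list[Event], decoys: frozenset = DECOY_USERS) -> list[tuple[str, str, str]]:
    """Deception tripwire: every touch of a decoy account is an alert, whether the
    password was right or wrong; one event is enough and there is no baseline."""
    return [(e.src, e.user, e.outcome) for e in events if e.user in decoys]


def run(text: str = SAMPLE_LOG) -> dict:
    events = parse(text)
    return {"statistical": statistical_alerts(events), "decoy": decoy_alerts(events)}


if __name__ == "__main__":
    for kind, hits in run().items():
        print(f"{kind}: {hits}")
```

On this input the statistical rule flags only 203.0.113.9 with its twelve failures; the single attempt from 198.51.100.7 is indistinguishable from a user mistyping a password and never crosses the threshold, but the decoy rule reports it immediately because nothing legitimate ever authenticates as the decoy. The two are complementary: the tripwire costs nothing to tune but only sees attackers who touch a lure, while the statistical rule covers real accounts but depends on thresholds and baselines that a patient attacker can stay under.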
The future of the SOC looks nothing like the SOC of today, with its heavyweight and expensive on-premises SIEM systems, databases, data engineering, hindsight rear-view-mirror analytics and narrow reach. Instead, the changing nature of SOCs is a Security as a Service (SaaS) subscription, and it begins to look more like the next silver bullet.
Hopefully we'll be smarter about it this time - and with the help of predictive analytics there is some hope we will - and dig into its seams as we make progress. The black hats surely will.