Are SOCs just the emperor's new clothes?
It's sometimes suggested in this industry that a security operations center (SOC) is a sign of superior cybersecurity and business success. But is that really wisdom? Or is it a false assumption getting more and more false every year?
See if this story sounds familiar: a company makes a splash, swiftly grows its market and user base, and posts a few good quarters. The media anoints it a unicorn and throws confetti. But along with all that attention, this company soon finds itself the focus of malicious actors — hackers, malware, criminal organisations, and even state-sponsored groups. It decides to invest in a SOC.
If you're like me, that conjures up images from the Mission Impossible franchise: hundreds of giant screens full of scrolling multicoloured code, in cavernous rooms populated by specialists with infinite skills and a grim capacity to deal with any threat. If you have a SOC, that means you've made it into the winner's circle. Or so goes the common wisdom.
The problem is that the common wisdom, in my opinion, is at best out of date and at worst grossly misleading. While a SOC still has its uses — active defence, red teaming, patch management — I believe its capabilities regarding threat detection and response are greatly overblown for most organisations. That's problematic given the complexity of modern network topologies, the range of security threats, and the consequences of a breach.
Very few organisations are prepared to cope with a SOC-supplied data tsunami
Modern data volumes are off the scale. Data today stems from more sources, faster than ever before — and the rate of change is headed up, not down. How does even the best-equipped SOC find the true security events inside that tsunami? It's less like finding a needle in a haystack, and more like finding ten straws of hay in a hundred floating haystacks distributed across a tidal wave, which, arranged in the right way, spell the word "breach."
According to the threat intelligence firm Mandiant, SOCs only generate alerts for 9% of attacks, and 45% of those alerts are ultimately false positives. This data tsunami floods the SOC with distractions, preventing the team from focusing its energy on genuine security issues requiring immediate attention.
What kind of zero-to-sixty time has your SOC team got?
The security vendor CrowdStrike popularised a response framework known as the 1-10-60 challenge: detect threats within one minute, understand the threat within 10 minutes, and remediate within 60. These numbers are based on analysis that found the average breakout time for hackers — from initial infection to lateral spread — was one hour and 38 minutes in 2021.
But 1-10-60 is an unrealistic response time for most organisations. Detection, response, and remediation times are typically far slower in practice, especially given the difficulties of staffing a SOC in today's cybersecurity talent crunch. A major supply-chain hack illustrates this perfectly: a trusted and widely deployed network administration tool with compromised source code went undetected for the better part of a year, giving a state-sponsored adversary months to inspect the networks of government organisations, the military, and leading businesses. All the SOC talent combined still did not have the resources to swiftly identify and deal with it.
Building the better mousetrap
So what do I recommend instead of a traditional SOC? A few things working in concert:
- A security architecture flexible enough to support any network topology of any scope, including limitless remote workers, external data sources, and third-party clouds.
- A comprehensive zero-trust implementation ensuring all network transactions involve only verified, validated entities with appropriate privileges.
- A policy enforcement point between the organisation's infrastructure and the internet so that assets are never exposed and can never directly be attacked.
- AI and machine learning capabilities to augment human threat hunting and analysis, backed by massive datasets and sophisticated models.
- An analytical assessment of detected threats — malicious actors aren't just blocked, they're treated as a source of security intelligence that informs and improves the entire strategy.
- Deception technology as the cheese in the mousetrap — rather than passively waiting for intruders, proactively lure them to traps you've already set. This delivers high-fidelity alerts and can automatically quarantine users who take the bait.
No security strategy is perfect. But it's my firm opinion that these solutions will deliver faster, more effective, and more affordable protection than any conventional SOC is likely to. And over time, as data volumes and threat sophistication continue to scale, this approach will only grow in value.
Originally published on CXO REvolutionaries, Zscaler · 27 January 2023.