"Future of SOC: More Security, Less Operations" was originally presented by Dr Anton Chuvakin in March 2024 at a virtual conference in Finland
The future of the SOC looks less like its past. AI is part of that future, but an engineering-led approach to the SOC is more critical.
Detection and response of the future will be much more heavily automated.
1. Future of SOC: More Security, Less Operations
Dr. Anton Chuvakin
Office of the CISO, Google Cloud
March 2024
https://medium.com/anton-on-security
https://cloud.withgoogle.com/cloudsecurity/podcast/
2. Inspiration!
[In 2024] “you can’t ‘ops’ your way to SOC success, but you can ‘dev’ your way there”
-- Dr. Anton Chuvakin (source: “Kill SOC Toil, Do SOC Eng” blog)
So, which lessons does your SOC need? Operations excellence or development success?
3. Outline
● SOC, a reminder
● Do we have to SOC, really?
● SOC automation: the ultimate in “easier said than done”
● SOC or “SOC”?
○ Do we have to engineer anything?
● AI will come and save us… right? RIGHT?
● Recommendations
5. A Classic SOC View!
“A security operations center provides centralized and consolidated cybersecurity incident prevention, detection and response capabilities.”
–Gartner
SOC is first a TEAM. Next a PROCESS. And it uses TECHNOLOGY too.
6. 2003 or 2023? Sec Ops is Ripe for Transformation
● “We don’t have enough skilled engineers to make everything work”
● “Our processes are too manual, we are too slow to respond to and remediate threats”
● “We struggle to build effective detection and have too many false positives/negatives”
● “We can’t store and analyze all data, resulting in blindspots”
● “It takes too long to investigate alerts”
● “It’s cost prohibitive to ingest all the data we need”
7. This Is What 20+ Years of Progress Look Like! :-(
Organizations were notified of breaches by external entities in 63% of incidents (Mandiant M-Trends 2023)
8. Know anybody who does not have those problems?
Yeah, that’s us :-)
9. You think you want to know just how Google does Detection and Response?
WARNING FOR THOSE VIEWING ON SLIDESHARE: NEXT SLIDE IS SKIPPED
16. Google D&R vs Enterprise “SecOps”
Problem: what does Google do? / what do most enterprises do?
● Efficiency
○ Google: Automation/SRE is a mindset – part of the hiring process, part of OKRs, and performance reviews
○ Most enterprises: Experimenting with SOAR; full adoption is tough due to minimal automation culture
● Employee shortage
○ Google: Requires coding interviews, attracts the best, invests in growth
○ Most enterprises: Hires traditional roles, no coding, outsources; less growth, more stress
● Employee burnout
○ Google: 40/40/20 between eng, operations, and learning
○ Most enterprises: Utilization is almost always >100%
● Expensive
○ Google: Investment in efficiency solves for human costs
○ Most enterprises: Cost-prohibitive data ingestion, oftentimes paying for SIEM and DIY; increasing cost from complexity
● Efficacy
○ Google: Intel strongly embedded in D&R, mostly utilized towards proactive work; strong collaboration across teams & benefits from developer hygiene
○ Most enterprises: CTI team produces great reports, SOC consistently doing fire drills, >90% false positive rate, uneven distribution of skill (Tier 3)
17. Autonomic Modern Security Operations Principles
Should:
1. Eliminate toil
2. Embrace change
3. Strive for continuous improvement
4. Bridge all siloes
5. Use service level objectives
6. Avoid hero mentality
7. Aim for simplicity
Should not:
1. Increase overall tooling footprint
2. Restrict hiring to top professionals
3. Require an engineering-only culture
4. Aim for only incremental gain
18. Principle 1, Reduce toil: key activities to reduce toil
01 Create an automation queue
02 Implement blameless postmortems
03 Conduct weekly incident reviews
04 Implement SOAR
05 Hire automation engineer(s)
06 Train your team on toil and automation
07 Implement CD/CR pipelines with metrics
19. Evolve Automation: 10X is an Underestimate!
● Analyst utilization gets optimized
● More creative work, less toil
● Time back to do more proactive work
● Deeper operationalization of intel
● SecOps can scale with the business!
20. Three phases of SecOps transformation (across People, Process, Technology and Influence)
● Tactical: Carries a sense of urgency and immediacy. A cautious way of saying “we’re in trouble and need an immediate fix before we go down in flames.”
● Strategic: Often implies a 3-5 year vision and a roadmap for how to achieve that vision.
● Transformational: A major change that completely reshapes the organization in response to, or in anticipation of, significant changes in the organization’s environment.
21. Recommendations
● Model your D&R on DevOps, not on best ops.
● A modern SOC is a team that “engineers” detection and response for an organization.
● Reduce toil in your SOC: shift toil to machines. Evolve automation in SIEM, SOAR, threat intel, etc.
● Magic? A relentless drive to D&R automation powered by a rapid feedback loop and an engineering-led mentality.
● AI will help change the micro game for the defenders … but not the macro game.
22. Resources
● WTH is Modern SOC, Part 1
● Kill SOC Toil, Do SOC Eng
● The original ASO paper (2021)
● Google/Deloitte Future SOC papers
● Detection as Code? No, Detection as COOKING!
● Cooking Intelligent Detections from Threat Intelligence (Part 6)
● EP75 How We Scale Detection and Response at Google: Automation, Metrics, Toil
23. More Resources
● “Achieving Autonomic Security Operations: Reducing toil”
● “Achieving Autonomic Security Operations: Automation as a Force Multiplier”
● “Achieving Autonomic Security Operations: Why metrics matter (but not how you think)”
● “More SRE Lessons for SOC: Simplicity Helps Security”
● “More SRE Lessons for SOC: Release Engineering Ideas”
● EP75 How We Scale Detection and Response at Google: Automation, Metrics, Toil
● SRE Books