New Paper: “Future of the SOC: Evolution or Optimization — Choose Your Path” (Paper 4 of 4.5)

Anton Chuvakin
Published in Anton on Security
3 min read · Jan 18, 2024


After a long, long, long writing effort … eh, break, we are ready with our 4th Deloitte / Google Future of the SOC paper “Future of the SOC: Evolution or Optimization — Choose Your Path” (alternative URL)

As a reminder (and I promise you do need it; it has been years), the previous 3 papers are:

SOCs are facing many challenges, including the increasing volume and complexity of security data, the shortage of skilled security personnel, and the need to improve the efficiency and effectiveness of security operations. To address these challenges, organizations have two choices: transform or optimize their SOC.

Transforming the SOC involves completely overhauling its architecture, processes, staffing, and training. Optimizing the SOC involves making incremental improvements to tools, technologies, processes, and incident response. The decision of whether to transform or optimize depends on factors such as budget, risk appetite, and technical capabilities. Taking action is crucial as the risks of inaction are significant, especially with the increasing sophistication and frequency of cyberattacks.

My favorite quotes:

  • “Many SOCs find themselves wrestling with a decision to change their ways or continue burning out, barely managing their current technology stack. Is there a way for the SOC to evolve or change their approach?”
[Image; src: Google/Deloitte SOC paper 4]
  • “If you decide to transform your SOC, you will need to invest in new technologies and processes. This can be a costly and time-consuming process, but ultimately rewarding. A transformed SOC can be more efficient and effective at detecting and responding to growing and changing threats.”
  • “If you decide to optimize your SOC, you will focus on improving the efficiency and effectiveness of your existing processes. This less costly and less time-consuming approach may not be as effective as SOC transformation.”
  • “When the result of assessing a security organization indicates that the best path forward is to invest time, money, and effort into a different strategy, then it is time to identify what changes are required and what can stay the same. Security leaders need to look ahead to consider their in-house skillsets, partnered skill sets, budget, and technologies when determining where to increase investment or make changes.”
  • “An organization could grow so large that its continued growth in visibility and detection becomes unsustainable for budgetary, performance, or talent reasons.”
  • “Finally, even in a transformed SOC, some things really do stay the same. Log collection, atomic detections, and deep human knowledge of the enterprise environment remain essential for a successful SOC.”
  • “How do you decide which road is right for you? Here are the dimensions:
    • Security budget
    • Capacity for change
    • Tools and customizations
    • Strength/size of SOC talent”
  • “[As an example] An organization may not like the current SOC tool stack, but lack the capacity for change. In this case, the decision to optimize for now will essentially make itself.” [look for a few more in the section called “Scenarios for change”]
  • “Both updating to a new technology stack and maximizing a legacy stack carry inherent risks.”
  • “Assess if you made the right decision before you do anything drastic like flushing your old technologies and processes. Run concurrent ops and prove out your value before cutting the old.”

The paper is full of gems that go far beyond these quotes. Go and read the paper! (alternative URL)

Related blog posts:
