SOC is Not Dead Yet It May Be Reborn As Security Operations Center of Excellence

Anton Chuvakin
Published in Anton on Security
6 min read · Apr 14, 2022

For many years, security practitioners imagined a security operations center (SOC) as a big room, full of expensive monitors and chairs. In their minds, rows of analysts sitting in those chairs and watching those monitors for blinking alerts made a SOC, well, a SOC.

This vision of the security operations center is derived from the original vision of the network operations center (NOC), which predates the SOC by perhaps another decade or two. That itself may be derived from the picture of a vast control center for some facility, going back to the 1960s.

WHAT

Is this the vision of the modern SOC? Those who subscribe to the above vision of the SOC imagine that the word “center” in SOC stands for a central location, a central physical facility.

For them, the word “center” in SOC indicates a place. They talk about centralizing the operational capabilities and about the central location for the analysts. They think of centralizing security operations personnel, rather than, say, federating or distributing them.

Some people in the industry contest this vision, but they contest it by saying that “SOC is dead.” To me, this sounds like they agree with the above vision; they just want it gone. They talk about the need to kill your SOC, or claim that they operate SOCless.

Is there a conflict here?

Would you be surprised to hear that there isn’t? When I think of a modern security operations center, I don’t imagine a room. Two years of security operations during a global pandemic should have trained this vision out of people’s minds. After all, if you can operate a distributed SOC for two years, why can’t you continue doing so? Notice that I just mentioned a distributed SOC — but isn’t it a contradiction in terms: distributed and center?

Further, the pandemic has taught us that a physical center is not truly indispensable for a SOC. A distributed SOC model seems likely to survive post-pandemic and bring with it benefits for finding the best talent and building the most diverse teams. However, these “distributed SOCs” remain the “center” of control, “center” of coordination, “center” of expertise — a center of detection and response excellence.

I think we live in an era of the distributed security operations center, and there is no contradiction here. The magic is that the word “center” does not stand for a location; it stands for a center of excellence.

Indeed, most organizations will need to retain some form of centralized detection and response function because of contractual obligations, compliance, central oversight of otherwise highly autonomous business units or agencies, etc. Even so, successful security organizations will be those that decentralize and distribute authority, control and expertise as much as possible. How? By adopting a new definition of SOC: Security Operations Center of Excellence.

Think about it — when you think of a center of excellence, say for cloud migration, do you imagine a vast room with blinking lights? Probably not. When you think that some organization has a center of excellence in cloud security — does it have to be a physical facility with walls and guards?

Naturally, this approach to security operations dramatically simplifies hiring by allowing you to hire the talent where it exists, without being constrained to a geographical area. This advantage may be a decisive factor for organizations constrained by severe talent shortages in this area.

The Autonomic Security Operations vision calls for imagining your SOC as a security operations center of excellence. And because “SOCoE” is a nasty acronym, why don’t we just call it … SOC.

WHY

What is the motivation for this transition? Apart from the current conditions with increasing work from home, there are other motivating factors. For example, many organizations operate with security expertise being distributed. When IT went through a DevOps and SRE transformation, many types of expertise became decentralized, distributed across teams. So did security, right? However, for many organizations security operations — a SOC — remain a central function. But why? Why can’t security operations be distributed while preserving the excellence of a Security Operations Center of Excellence, aka SOC?

Among other things, this transformation also allows business context and application context to be better incorporated into security operations activities. After all, local teams in various offices and organizations have insights critical for effective security operations. For example, confirming alerts often requires collaboration with those teams, such as application owners. A traditional vision of the central SOC involves SOC analysts chasing those team members in order to confirm what the alert really means. But why do it? Why not federate alert triage, at least for some alerts?
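One way to make the “federate alert triage, at least for some alerts” idea concrete is a routing rule that hands selected alert classes to the owning application team while the central function keeps a copy for the oversight role described earlier. The following is an added illustration, not code from the original post or from any SOC product; the asset ownership map, alert classes, severities and alert records are all constructed for the example.

```python
"""Federated alert triage router (added illustration, not from the original post).

Alerts in a federated class on an asset with a known application owner are
triaged by that owner, with a copy kept in the central queue for oversight.
Everything else stays with the central SOC. All names and data are constructed.
"""
from collections import Counter
from dataclasses import dataclass, field

# Constructed asset ownership map: asset -> owning application team (None = no app owner).
ASSET_OWNERS = {
    "pay-api-01": "payments-team",
    "web-fe-03": "storefront-team",
    "dc-01": None,  # infrastructure asset, no application team to federate to
}

# Alert classes the SOC has agreed to federate; any other class stays central.
FEDERATED_CLASSES = {"suspicious-login", "new-process-on-app-host"}

CENTRAL_QUEUE = "central-soc"


@dataclass
class Alert:
    alert_id: str
    alert_class: str
    asset: str
    severity: str  # "low" | "medium" | "high" | "critical"


@dataclass
class Routing:
    triage_queue: str            # who is responsible for triage
    copies: list = field(default_factory=list)  # who gets a copy for context/oversight


def route_alert(alert, owners=ASSET_OWNERS, federated=FEDERATED_CLASSES):
    """Decide who triages the alert and who receives a copy.

    Policy (constructed for the example):
      - critical alerts are always triaged centrally; the owner is copied for context
      - federated classes on an owned asset go to the owner; central keeps a copy
      - everything else (unknown asset, no owner, non-federated class) stays central
    """
    owner = owners.get(alert.asset)
    if alert.severity == "critical":
        return Routing(CENTRAL_QUEUE, [owner] if owner else [])
    if alert.alert_class in federated and owner:
        return Routing(owner, [CENTRAL_QUEUE])
    return Routing(CENTRAL_QUEUE, [])


def triage_load(alerts, owners=ASSET_OWNERS, federated=FEDERATED_CLASSES):
    """Count how many alerts each queue would have to triage under the policy.

    Useful for checking how much work actually leaves the central queue
    before committing to the federated model.
    """
    return Counter(route_alert(a, owners, federated).triage_queue for a in alerts)


# Constructed sample alerts for a stand-alone run.
SAMPLE_ALERTS = [
    Alert("a1", "suspicious-login", "pay-api-01", "medium"),
    Alert("a2", "suspicious-login", "dc-01", "medium"),
    Alert("a3", "malware-beacon", "web-fe-03", "high"),
    Alert("a4", "new-process-on-app-host", "web-fe-03", "critical"),
    Alert("a5", "suspicious-login", "unknown-host", "low"),
]

if __name__ == "__main__":
    for a in SAMPLE_ALERTS:
        r = route_alert(a)
        print(f"{a.alert_id}: triage={r.triage_queue} copies={r.copies}")
    print(dict(triage_load(SAMPLE_ALERTS)))
```

The point of the `triage_load` helper is that federation is a policy choice per alert class: an organization can start with one or two classes and measure how much triage work actually moves to the owning teams before widening the set.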

With digital transformation happening, there are more dev teams who need these security skills. A “SO CoE” helps develop these embedded folks and later maybe provides them with an API they can hook their CI/CD into for centrally reporting something if/when needed (well, we are dreaming here, but whatever … this is looking like a more philosophical post anyhow). But largely, winning here means enabling these folks to be successful, not trying to do the work for them from a central location.

HOW

Naturally, many organizations will like the concept of SOC as the center of excellence for security operations. However, many will struggle to start moving in this direction. What are some of the key elements for evolving your security operations center towards a center of excellence rather than a physical location?

Naturally, my first advice would be to study the Autonomic Security Operations approach, as well as to derive other lessons from SRE, which transformed IT.

More tactically, organizations that experimented with decentralized and distributed security operations during the global pandemic should focus on aggregating, summarizing and operationalizing those lessons to make them a permanent feature of their work.

Notably, many elements of the ASO vision work better in a distributed environment and do not really require one physical room. As a side note, this is not a movement against a physical SOC — if some analysts collaborate better while yelling over the low cubicle walls to their colleagues, that is perfectly ok.

WHAT’S NEXT

This is all nice and interesting, but what are the practical implications for your security operations team today?

The first bit of advice is a caution: thinking that the SOC is dead is, at the very least, misguided. If we correctly define the SOC as the team focused on detection and response, it is not dead but needed now more than ever.

However, the in-person physical SOC may well be dead. Moreover, for many environments and situations, perhaps it should be dead, as this model may not even work. Why not? Because you simply cannot put enough people in the room if you are scaling the team linearly with threat and asset growth. Virtual and distributed is the only way to go, and expanding this to “SOC as SO CoE” will produce even better results down the same path.

SOC as a CoE (or as a capability, as stated here) means that excellence in detection and response is not just about hiring the best SOC analysts you can. It is about engineering better detections, but also about making the environment support D&R work better. SOC as a SO CoE is about running “influence operations” to make detection and response more successful. As I said before, I think “you can’t ‘ops’ your way to SOC success, but you can ‘dev’ your way there” (source).

Thanks to Dave Herrald for ideas and some text contributions.
