by Nana-Ampofo Ampofo-Anti, Senior Consulting Engineer, Palo Alto
26 February 2025
Associate feature: Reimagining the Security Operations Center (SOC)

Introduction

While today's Security Operations Centers (SOCs) grapple with overwhelming alerts and tool complexity, the future is bright. By reimagining SOC design with machine learning and automation, we can transform security analysts into 'Centaurs' – humans empowered by AI to achieve unprecedented threat detection and response capabilities.

The Problem: Overwhelmed Analysts, Overabundant Tools

Analysts in modern SOCs are inundated with alerts from a range of tools: Network Detection and Response (NDR), Endpoint Detection and Response (EDR), and Cloud Detection and Response (CDR) systems, among others. The volume of data and the complexity of managing different tools contribute to alert fatigue. Additionally, organizations must invest considerable time and resources to procure, train on, and onboard these increasingly specialized technologies. This situation calls for a fundamental reevaluation of the SOC’s operating model.

A New Vision: Automate, Integrate, Augment

To build a more effective SOC, we propose a three-pronged approach:

  1. A new approach to Technology with an emphasis on automation-first and a common data plane: This extensible platform takes the best of the capabilities offered by key SOC technologies such as Security Orchestration, Automation, and Response (SOAR), Security Information and Event Management (SIEM), User and Entity Behavioural Analytics (UEBA), etc. Automation ensures that mundane tasks can be offloaded to machines, allowing human analysts to focus their efforts on more complex and strategic activities. The common data plane serves as the linchpin, providing an integrated view of security data and enabling automated threat analytics (i.e. Machine Learning/ML-driven insights) and Threat Hunting.
  2. Threat Analytics at Scale and Machine-driven insights: With a purpose-built common data plane, established ML techniques can be applied to deliver actionable threat intelligence (e.g. detecting signs of exfiltration) with a low false positive rate relative to existing ML-driven point products such as UEBA. Machine-driven insights such as automated scoring of incidents help to define where teams should focus. Emerging Artificial Intelligence (AI) technologies like Large Language Models (LLMs) can, amongst other things, help analysts navigate incidents, suggest next actions and pull live threat intelligence data.
  3. Rethink the Operating Model: Traditional SOCs operate on a tier-based model, where alerts are escalated from one tier to the next based on task complexity. This model leads to analyst burnout and low job satisfaction for ‘lower’ Tier analysts who are forced to carry the burden of repetitive tasks. Instead, we advocate for a flatter SOC operating model. In this new paradigm, technologies like automation and machine learning enhance each analyst's productivity, eliminating the need for a rigid tier structure.

The Path Forward: Building a Centaur-Focused SOC

The cornerstone of the reimagined SOC is the concept of the "Centaur" analyst—humans augmented by technology to achieve superior performance. By integrating advanced tools and methods, we can ensure that every analyst has access to the full spectrum of SOC capabilities.

The good news is that the cybersecurity technology industry is trending in this direction, and at Palo Alto Networks we’re proud to have played a central role in this movement: introducing the term XDR (Extended Detection and Response) to the industry and, in recent years, unifying the best of our own SOC technologies into Cortex XSIAM. The unified SOC platform referenced in this paper isn’t just theoretical: our SOC and our customers are reaping the rewards of Cortex XSIAM each day.

Conclusion

In our experience, this approach benefits all parts of the SOC, from the analysts to the engineering team to third parties delivering value-added services. Reimagining the SOC means transforming security analysts into Centaurs—professionals whose capabilities are amplified through automation and advanced analytics, enabling higher performance and lowering churn in the SOC. Happier, more productive analysts backed by an extensible unified SOC platform naturally lead to a reduction in risk for organizations. In the end, if we go beyond buzzwords to reimagine the SOC, everyone wins. Except, of course, the adversaries.

This article is sponsored by Palo Alto.

www.paloaltonetworks.com
