Jan 26, 2023
Some think of a security operations center as the cybersecurity equivalent of "making it." But is that really the case? Zscaler CISO Tony Fergusson has his doubts.
Are SOCs just the emperor’s new clothes?
It’s sometimes suggested in this industry that a security operations center (SOC) is a sign of superior cybersecurity and business success.
But is that really wisdom? Or is it a false assumption getting more and more false every year?
See if this story sounds familiar: A company makes a splash, swiftly grows its market and user base, and posts a few good quarters. The media, as a result, anoints it a unicorn and throws confetti, and the positive PR multiplies the company’s brand strength and success.
But along with all that attention, this company soon finds itself the focus of malicious actors: hackers, malware, criminal organizations, and even state-sponsored groups.
Maybe the underlying motive is cash, maybe it’s sensitive customer information, maybe it’s corporate espionage, maybe it’s influence, or maybe it’s something else entirely. But whatever the motive, the company soon realizes it needs a new level of expertise to deal with such threats, some of which are more sophisticated than ever.
At this point, it decides to invest in a SOC.
If you’re like me, that idea conjures up images from the Mission Impossible franchise: hundreds of giant screens, each full of scrolling multicolored code, located in cavernous rooms populated by guys in black who have infinite skills and a grim capacity to deal with any threat of any type. It’s awe-inspiring.
If you have a SOC, in other words, that means not only that you’re safe but also that you’ve made it into the winner’s circle. Or so goes the common wisdom.
The problem is that the common wisdom, in my opinion, is at best out of date and at worst grossly misleading. While I think a SOC still has its uses – active defense, red teaming, patch management – I believe its capabilities regarding threat detection and response are greatly overblown for most organizations most of the time. And that’s problematic given the complexity of modern network topologies, the range of security threats, and the appalling business ramifications in the event of a breach.
Let me tell you why.
Very few organizations are prepared to cope with a SOC-supplied data tsunami
To begin with, modern data volumes are off the scale. Data today stems from more sources, faster than ever before — and the rate of change is headed up, not headed down. As more devices are connected to the internet, the volume of data will only swell.
People talk about a data deluge, but is that a strong enough term? To me, it seems more like a data tsunami.
How does even the best-informed, best-equipped SOC find the true security events inside that tsunami? It’d be nice if this challenge were as simple as finding a needle in a haystack, but unfortunately, it’s more like finding ten straws of hay in a hundred floating haystacks distributed across a tidal wave, which, if arranged in the right way and seen from the proper perspective, spell the word “breach.”
Even the best SOC will struggle to correlate all incoming data points in such a way as to identify true breaches with consistent accuracy.
The data tsunami, in short, floods the SOC with false positives that distract the SOC team and prevent it from focusing its time and energy on genuine security-relevant issues that require immediate attention. According to the threat intelligence firm Mandiant, SOCs only generate alerts for 9 percent of attacks, and 45 percent of alerts are ultimately false positives.
As a good illustration of this problem, picture a team that gets security alerts whenever someone with admin privileges logs into a particular database deemed mission-critical. This database is undoubtedly a key asset, hence the policy, but it yields so many false alerts for the SOC team to consider that they eventually decide the policy has to go. Replacing it, they implement a flavor of two-factor authentication, assume the database is safe, and call it a day.
At that point, a hacker who has compromised admin credentials can stealthily enter the network, making very little noise (and, by extension, generating very little data for your SOC). The attacker can then encrypt valuable data and hold it for ransom, copy some or all of it to an alternate logical location, delete or change information inside it, or any combination of the above.
Oops.
What kind of zero-to-sixty time has your SOC team got?
This scenario brings us to the second major problem with a conventional SOC: the ticking clock.
Once a breach like the one described above has begun, the faster it’s detected, the faster it can be shut down, and the lower the consequences for the organization.
The security vendor CrowdStrike popularized a response framework known as the 1-10-60 challenge. This states that a SOC’s goal should be detecting threats within one minute, understanding the threat within 10 minutes, and remediating it within 60 minutes. These numbers are based on CrowdStrike analysis that found that, in 2021, the average breakout time for hackers from initial infection to lateral spread was one hour and 38 minutes.
But thanks to many factors (not least among them the sheer size of the data tsunami), 1-10-60 is an unrealistic response time for most organizations, at least where the response is human-powered. In reality, detection, response, and remediation times are typically far slower. This is especially true given the difficulties of staffing a SOC in light of today’s cybersecurity talent crunch.
A major supply-chain hack illustrates this. It was a case of a trusted and widely deployed network administration tool whose source code had been compromised. That compromised version then took an incredible amount of time to detect after it had been rolled out to users, because it appeared as legitimate as any other known-good tool.
Thus a significant U.S. adversary, which had sponsored the hacker group responsible for compromising the code, had literally months — the better part of a year — to inspect at will the networks, services, and data of government organizations, the military, and leading businesses.
All the human talent in all the relevant SOCs combined still did not have the resources or skills to swiftly identify and deal with a supply-chain attack of that nature.
Building the better mousetrap
So what do I recommend instead of a traditional SOC?
Well, let me sketch it out briefly:
- A security architecture flexible and powerful enough to support any network topology of any scope or complexity, including limitless numbers of remote workers, external data sources, and service delivery platforms, including third-party clouds
- A comprehensive zero-trust implementation capable of ensuring all network transactions throughout the organization involve only verified, validated entities with the appropriate privileges
- A policy enforcement point between the organization’s infrastructure and assets and the rest of the internet, so that assets are never exposed and can never be attacked directly
- AI and machine learning capabilities to augment human threat hunting and analysis, backed by massive data sets, comprehensive domain knowledge, and sophisticated models
- An analytical assessment of detected threats, meaning that malicious actors aren’t just detected and blocked — they’re treated as a source of key security intel that, once it’s understood, then informs and improves the entire security strategy
And finally, I suggest:
- Using deception technology as the cheese in the mousetrap. In a recent report entitled The State of Zero Trust Transformation, 2023, Zscaler found that, among their top reasons for implementing zero trust, 65% of companies cited "improving the detection of advanced threats or Web application attacks and broadening security for data." A good way to do that is, rather than passively waiting for intruders to trip a wire that alerts your SOC, to proactively lure them to traps you’ve already set. This is both a great way to detect malicious intent and a method of automating your defenses: modern deception solutions deliver high-fidelity alerts and automatically quarantine a user who has taken the cheese, that is, touched a decoy that is not visible to authorized users.
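The admin-login alert scenario above and the decoy-as-cheese idea can both be shown as detection logic over a handful of login events. This is an added example, not code from the post or from Zscaler; the event field names, the learned baseline, the business-hours window and the decoy account name are all assumptions made for the example, and the events are constructed.

```python
from datetime import datetime

# Constructed sample events (not from the post): successful logins to a
# mission-critical database. Field names are assumed for this example.
EVENTS = [
    {"ts": "2023-01-24T09:12:00", "user": "dba_alice",  "role": "admin",  "src": "10.0.5.21"},
    {"ts": "2023-01-24T09:40:00", "user": "dba_bob",    "role": "admin",  "src": "10.0.5.22"},
    {"ts": "2023-01-24T14:05:00", "user": "dba_alice",  "role": "admin",  "src": "10.0.5.21"},
    {"ts": "2023-01-24T16:30:00", "user": "app_ro",     "role": "reader", "src": "10.0.7.9"},
    {"ts": "2023-01-25T03:17:00", "user": "dba_alice",  "role": "admin",  "src": "198.51.100.7"},
    {"ts": "2023-01-25T03:20:00", "user": "dba_legacy", "role": "admin",  "src": "198.51.100.7"},
]

# Learned baseline: the source addresses each admin normally logs in from.
# In practice this is built from weeks of history; hard-coded here.
BASELINE = {"dba_alice": {"10.0.5.21"}, "dba_bob": {"10.0.5.22"}}

# Decoy (honeytoken) account: it exists in the database but no member of
# staff ever uses it, so any login with it is high-fidelity evidence of misuse.
DECOYS = {"dba_legacy"}

BUSINESS_HOURS = range(8, 18)  # 08:00 to 17:59 local time (assumed)


def naive_rule(events):
    """The policy in the post: alert on every admin login. Floods the SOC."""
    return [e for e in events if e["role"] == "admin"]


def baseline_rule(events):
    """Alert only on admin logins that deviate from the learned baseline:
    a source address never seen for that user, or a login outside hours."""
    alerts = []
    for e in events:
        if e["role"] != "admin":
            continue
        hour = datetime.fromisoformat(e["ts"]).hour
        new_src = e["src"] not in BASELINE.get(e["user"], set())
        if new_src or hour not in BUSINESS_HOURS:
            alerts.append(e)
    return alerts


def decoy_rule(events):
    """Any authentication with a decoy account is a true positive by design."""
    return [e for e in events if e["user"] in DECOYS]


def summarize(events):
    """Alert counts per rule, to compare volume against signal."""
    return {"naive": len(naive_rule(events)),
            "baseline": len(baseline_rule(events)),
            "decoy": len(decoy_rule(events))}


if __name__ == "__main__":
    print(summarize(EVENTS))  # {'naive': 5, 'baseline': 2, 'decoy': 1}
```

The naive rule fires on every routine admin login, while the baseline rule keeps only the off-hours login from an unfamiliar address, and the decoy rule isolates the one event that can only be an intruder.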
No security strategy is perfect. But it’s my firm opinion that the above solutions will deliver faster, more effective, and more affordable protection and response capabilities than any conventional SOC is likely to. And over time, as data volumes and threat sophistication continue to scale, this approach will only grow in value.