Why traditional 'control room' style security operation centres (SOCs) face extinction

Posted on 12 October 2016


A Google image search for ‘Security Operations Centre (SOC)’ returns the classic perception of intrusion detection – a mission control style room, with clusters of big screens showing fancy imagery. However, in a world of modern cyber threats, has this ‘old era’ approach to intrusion detection had its day?


All show and no substance

From a marketing perspective, the mission control style SOC has everything going for it. It looks extremely impressive, delivering the ‘wow-factor’ potential clients and senior management expect. However, this approach has long been criticised by security professionals, who argue that the ‘show piece’ effect is nothing more than smoke and mirrors – a visual pretence that obfuscates its lack of ability to actually detect attacks and deliver actionable intelligence in real time.


Projects such as Threat Butt do well to emphasise this point, through their humorous focus on the threat maps that are often displayed by SOCs, showing “live attack data” shooting across the map in all directions. While impressive to the untrained eye, what does this all actually mean?

The truth is not a lot.

Intrusion detection has built up a bad reputation for itself over the ten or more years that it has existed. Why? Because attacks have been on the rise, and the intrusion detection industry simply hasn’t developed quickly enough to keep up with modern attackers.


This matches our own experience: we have conducted countless targeted attack simulations against organisations across the globe. Despite companies having various forms of security measures in place, these attacks have a 100% success rate. The truth is that very little (if any) of the malicious activity conducted on their infrastructure is even detected.


Whilst log collection and analysis can be a beneficial component of an attack detection system, tools such as SIEMs are often not effective on their own. They provide a mountain of data that is very difficult for SOCs to process, and a huge number of daily alerts, the overwhelming majority of which are false positives. Even when a legitimate attack or compromise is identified, it can be very difficult to investigate or respond to the issue without additional capabilities. Such tools are often used in conjunction with threat intelligence/signature-focused approaches (which ultimately are one and the same); at best, the result is a system that can only detect compromises that have been seen before – it won’t pick up any new, advanced, targeted attacks.


However, detection is now moving beyond a room full of analysts on standby, simply waiting for automated tools to push alerts to them before they jump into action. As other threats continue to loom beneath the surface, it is our job to take a more proactive approach and hunt them down…

The dawn of the ‘threat hunter’

This new era of detection is driven by diverse teams of security professionals, actively combing through networks looking for signs of compromise. This model is more akin to that of a team of penetration testers, scanning networks in search of vulnerabilities. However, in this case it is a team of analysts, hunting in search of breached systems – with not a ‘threat-map’ in sight.


In order to investigate modern attacks thoroughly, these security teams require a wide range of skills and expertise across their members. This includes knowledge of the suspect threat actor, understanding of the compromised technology, and the ability to identify the capabilities and potentially the origin of the malware. These diverse areas of knowledge rarely exist across a handful of minds but rather across a wider team, each with specialist skills. This team of people (as opposed to automated machines) can work together with the owner of the network that is under investigation, who is naturally going to be looking for the answers to a number of critical questions.


With demand for security professionals significantly outweighing availability, it is increasingly essential to have a good geographic spread for bringing together a truly skilled and diverse team. Having this varied skillset across a range of team members requires an efficient, remote collaboration environment to be truly effective. The ideal condition is a secure room that can be used quickly to assemble all the minds – perhaps not physically, but virtually – required to investigate and handle an incident.


The increasing emphasis on detection capability, as opposed to prevention capability, is driving the industry forward. It is vital that modern organisations take this approach, working on the assumption that a breach has occurred or will occur, that it will bypass preventative controls, and that it needs detecting quickly.


With security professionals looking to subtly differentiate themselves from the older, ineffective and already tainted era of intrusion detection, it’s time for the ‘missioncontrolasaurus’ to assume its place in history and step aside for the new kid – the ‘threat hunter’.