Incident Response

It’s Time to Implement SOC 2.0

To Make the Most of your SOC and to Truly Minimize Cyber Risk, it Requires All Hands on Deck—Making Security Everybody’s Business. 

Just a few years ago, enterprises started creating security operations centers (SOCs) to centralize the monitoring of, and response to, threats and vulnerabilities. The goal of these first-generation SOCs was to centralize the management, analysis and response to alerts and incidents coming in from many different perimeter and endpoint tools. The operators typically sat in front of tool-specific consoles, such as DLP, and/or in front of a SIEM tool that aggregated all the logs into one place. Additional visuals and map-type screens were also prominently displayed, especially for visiting executives.

SOCs were created to consolidate response staff and enhance collaboration between different security domains to more easily “catch the bad guys.” However, having staff manually analyze mountains of data and connect the dots between isolated incidents and indicators proved inefficient, unsustainable and overwhelming, especially given that the volume of data continues to surge and the pool of qualified analysts cannot grow fast enough to close the gap. Additionally, attacks are getting increasingly complex and hard to detect, especially without a more sophisticated mechanism for connecting the dots between disparate sensor and activity data. To keep up with threat actors, we need to arm operators with the ability to draw conclusions and take the most impactful actions as quickly as possible.

Integration means more than just putting the data into one central location or even into one tool. To extract real meaning from the mountains of data pumping through the SOC, it needs to be brought together into an integrated model that transforms the SOC’s perspective from isolated incidents to interacting entities. Crucial to integrating all this data in a meaningful way is the addition of context.

Technical incident data lacks the business and risk context needed to effectively enable prioritized response. Ultimately, the goal is not to stop every attack or respond to every incident from every sensor. Just as business continuity planning does not (and cannot) seek to prevent all possible business interruptions, and instead manages risk by ensuring that the processes critical to the business maintain suitable operability, the SOC’s goal is to mitigate those threats that pose the greatest business risk. Layering organizational and information-asset context into an integrated data model provides the necessary business context for analytics and human operators to prioritize their response based on what is most important from an operational and financial perspective.

The human factor is the greatest challenge in a SOC operation. While we all dream of solving the skills shortage by completely automating the entire detection and response process, it is simply unlikely to happen in the foreseeable future. Until then, the focus should be on using machine learning, artificial intelligence and automated analytics to minimize the knowledge and manual effort required by SOC operators to do their job. That includes behavioral and value-at-risk analytics that minimize false positives and provide the operator with their “next action” based on risk to the business, along with a mechanism for validating and making sense of the identified risks with the fewest clicks possible.
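The two preceding paragraphs describe layering asset and business context onto raw sensor alerts and ranking them by value at risk rather than by sensor severity. The following is an added illustration, not code from the column or any product it refers to; the asset inventory, the severity-to-likelihood mapping, the dollar values and the alerts are all constructed, and the next-action rules are hypothetical.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed asset inventory standing in for the organizational and
# information-asset context the column says must be layered onto alerts.
ASSETS: Dict[str, dict] = {
    "db-payments-01": {"owner": "payments-team", "value_usd": 2_000_000},
    "web-marketing-03": {"owner": "marketing", "value_usd": 50_000},
    "laptop-0471": {"owner": "finance", "value_usd": 150_000},
}
UNKNOWN_ASSET = {"owner": None, "value_usd": 0}  # no context: lowest priority

# Hypothetical likelihood that an alert at a given sensor severity is a true positive.
LIKELIHOOD = {"low": 0.1, "medium": 0.3, "high": 0.6, "critical": 0.9}

@dataclass(frozen=True)
class Alert:
    alert_id: str
    asset: str
    severity: str
    source: str  # sensor that raised it, e.g. "edr", "dlp", "ids"

def value_at_risk(alert: Alert) -> float:
    """Expected loss: likelihood the alert is real times the value of the asset it hit."""
    return LIKELIHOOD[alert.severity] * ASSETS.get(alert.asset, UNKNOWN_ASSET)["value_usd"]

def next_action(var_usd: float, sources: int, owner: Optional[str]) -> str:
    """Suggest the operator's next step from business risk, not from raw severity."""
    if var_usd >= 500_000:
        return "escalate: analyst validates, then runs containment playbook"
    if sources >= 2:
        return "investigate: corroborated by multiple sensors"
    if owner:
        return f"ask {owner} to confirm whether the activity is expected"
    return "queue: low business impact"

def prioritize(alerts: List[Alert]) -> List[dict]:
    """Group alerts per asset (connecting the dots across sensors), then rank by value at risk."""
    per_asset = defaultdict(list)
    for a in alerts:
        per_asset[a.asset].append(a)
    ranked = []
    for asset, group in per_asset.items():
        var_usd = sum(value_at_risk(a) for a in group)
        sources = len({a.source for a in group})
        owner = ASSETS.get(asset, UNKNOWN_ASSET)["owner"]
        ranked.append({"asset": asset, "alerts": [a.alert_id for a in group],
                       "value_at_risk_usd": var_usd, "sources": sources,
                       "next_action": next_action(var_usd, sources, owner)})
    return sorted(ranked, key=lambda r: r["value_at_risk_usd"], reverse=True)

# Constructed sample: one "critical" hit on a low-value web server versus two
# "medium" hits on the payments database from different sensors.
SAMPLE_ALERTS = [Alert("a1", "web-marketing-03", "critical", "ids"),
                 Alert("a2", "db-payments-01", "medium", "edr"),
                 Alert("a3", "db-payments-01", "medium", "dlp"),
                 Alert("a4", "laptop-0471", "low", "proxy")]
```

Run `prioritize(SAMPLE_ALERTS)` to see the payments database ranked first despite its lower sensor severity, because the business context, not the severity label, drives the ordering.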

The logical extension for enabling SOC operators to do their jobs more efficiently is to automate response options for validated risks. Once the analyst has reviewed and verified the nature of the identified threat or vulnerability, they should be able to take automated action at the click of a button. 

No matter how many SOC operators a company may have, they cannot be everywhere at once, nor will they have the full context that individuals in the business have. To make the most of your SOC and to truly minimize cyber risk, it requires all hands on deck—making security everybody’s business. Whether it’s every email user flagging potential phishing emails or application owners validating unusual behavior on their application, every person in the company should be viewed as a channel of information for the SOC. That does not mean everybody is part of the SOC, but everybody should be aware of cyber risks and have the ability to inform the SOC.

Just as every employee can provide intelligence on questionable events within the business, collaborating with other companies within your industry and with the government will increase the likelihood that you will be able to stop an attack before it happens. Increased sharing and use of threat intelligence from commercial providers, ISACs and government NCICs is becoming increasingly critical to the good guys winning.

Early SOCs were a critical first step to taming the cyber security beast. Just like any other critical business operation, best practices molded by lessons learned and technical innovations will lead to greater effectiveness and efficiency in minimizing the impact of cyber risks to the business.
