Security Experts:

The VC View: Incident Response and SOC Evolution

The evolution of cybersecurity incident response and the modern SOC continues to be one of the biggest post-pandemic security trends

The unfortunate modern cybersecurity mindset is that security incidents are a matter of when not if. Not only are reports of high-profile breaches like the SolarWinds hack and Kaseya VSA ransomware attack becoming more common, breaches are so common now that many of them don’t make headlines anymore. 

Nowadays, companies still depend on the strength of its incident response talent, processes and security operation centers (SOCs) to respond to security incidents. No matter how much we want to automate, an overloaded IR team is still the state of the art. That’s why the evolution of cybersecurity incident response and the modern SOC continues to be one of the biggest post-pandemic security trends

Today, many enterprise SOCs have first-hand experience dealing with an active incident but are still hamstrung by manual processes and data silos. Metrics, logs, events, and traces (a.k.a. MELT telemetry data) are often available, but they’re spread across disparate systems and cloud platforms. This creates blind spots for security engineers and makes diagnosing root cause or correlating events to detect threats a tedious manual effort. As a result, malware dwell times continue to be measured in months (IBM pegged average dwell time at 287 days ), and malicious actors can carry out sophisticated attacks with time to spare. 

Security information and event management (SIEM) tooling and traditional log management platforms help centralize data and break down silos. However, there’s still progress that needs to be made. NIST’s incident response framework breaks incident response into four phases: 

1. Preparation 

2. Detection and analysis 

3. Containment, eradication, and recovery

4. Post-incident activity 

The biggest immediate challenges in the industry are improving the accuracy of phase two and the speed of phase three. For detection and analysis, enterprises need solutions that can rapidly identify threats without going overboard with false positives. Then, once threats are detected, remediation and recovery to a secure state must be as fast as possible. 

Strategically, this sounds simple enough. But, there is a very real technical challenge here. Modern network perimeters are fluid, and topologies are complex. SOCs must account for everything from corporate data centers to SaaS platforms to IoT sensors. The quality of telemetry from these devices varies greatly. So does what quantifies malicious behavior. 

Addressing the threat detection side of the equation requires aggregating telemetry within a single platform and analyzing it with automated intelligence via A.I. and M.L. Addressing the containment and recovery phases necessitates the integration of technologies comparable to existing anti-malware and IPS. 

Given these realities, I predict we’ll see two key trends become more pronounced through the mid-2020s. 

First, solutions will centralize insights and analysis for all endpoints within a single platform. CrowdStrike’s recent acquisition of the Humio log management platform is an excellent example. Coupling CrowdStrike’s threat detection and containment capabilities with Humio’s ability to ingest Terrabytes of log data can enable correlations and automated responses neither platform could achieve alone. The reality is that this is simply the next generation of SIEM/SOAR. Emerging players like Uptycs, Query.ai and Hunters centralize insights from across platforms by leveraging APIs and integrations to supplement or replace SIEMs.

[ Read: Inside the Battle to Control Enterprise Security Data Lakes ]

Second, SOC-as-a-Service -- cloud platforms that use A.I. and M.L. to automate existing manual SOC workflows -- will grow in popularity as their precision and functionality improve. The logic here is simple: automated detection and containment are faster than manual action from an in-house SOC team. While software platforms can cover much more ground than human engineers parsing through logs. Telemetry is important, but alert fatigue and getting lost in all the data are real problems. The humans in the SOC need to understand the most important events and act on the high-level “stories” correlated data tells them. SOC-as-a-Service platforms like Cysiv, Expel and CheckPoint’s Infinity SOC will filter out the noise and automate much of phases two and three of the incident response framework. 

To summarize, I foresee a convergence of the tooling for telemetry aggregation, threat detection, managed services and remediation as a key milestone in the evolution of the modern SOC. As the incident response market matures, we’ll see technical progress iterations break down existing silos across platforms and automate manual SOC workflows. Existing log management solutions that add A.I. and M.L. to remove the process of manually correlating incidents are leading indicators of this trend.

Related: The VC View: Data Security - Deciphering a Misunderstood Category

Related: Elevate the Value of Threat Intelligence in the SOC

view counter
Will is a Managing Director and a founding team member at ForgePoint Capital. He has been an avid technology enthusiast for decades: building his first computer in elementary school and starting online businesses while completing his bachelor’s degree from the University of California, Berkeley. Focusing on security startups for a decade, he has worked with more than 20 cybersecurity companies to date. In his spare time he’s a foodie with friends, enabling serendipity and building communities.