
The VC View: Incident Response and SOC Evolution

The evolution of cybersecurity incident response and the modern SOC continues to be one of the biggest post-pandemic security trends

The unfortunate modern cybersecurity mindset is that security incidents are a matter of when, not if. Not only are high-profile breaches like the SolarWinds supply-chain compromise and the Kaseya VSA ransomware attack becoming more common, breaches are now so routine that many of them never make headlines.

Companies still depend on the strength of their incident response talent, processes and security operations centers (SOCs) to respond to security incidents. No matter how much we want to automate, an overloaded IR team is still the state of the art. That is why the evolution of cybersecurity incident response and the modern SOC continues to be one of the biggest post-pandemic security trends.

Today, many enterprise SOCs have first-hand experience dealing with an active incident but are still hamstrung by manual processes and data silos. Metrics, events, logs and traces (a.k.a. MELT telemetry data) are often available, but they are spread across disparate systems and cloud platforms. This creates blind spots for security engineers and makes diagnosing root cause, or correlating events to detect threats, a tedious manual effort. As a result, attacker dwell times continue to be measured in months (IBM's Cost of a Data Breach report put the average time to identify and contain a breach at 287 days), and malicious actors can carry out sophisticated attacks with time to spare.

Security information and event management (SIEM) tooling and traditional log management platforms help centralize data and break down silos. However, there is still progress to be made. NIST's Computer Security Incident Handling Guide (SP 800-61) breaks incident response into four phases:

1. Preparation 

2. Detection and analysis 

3. Containment, eradication, and recovery

4. Post-incident activity 

The biggest immediate challenges in the industry are improving the accuracy of phase two and the speed of phase three. For detection and analysis, enterprises need solutions that can rapidly identify threats without going overboard with false positives. Then, once threats are detected, remediation and recovery to a secure state must be as fast as possible. 

Strategically, this sounds simple enough. But there is a very real technical challenge here. Modern network perimeters are fluid, and topologies are complex. SOCs must account for everything from corporate data centers to SaaS platforms to IoT sensors. The quality of telemetry from these devices varies greatly. So does what constitutes malicious behavior on each of them.

Addressing the threat detection side of the equation requires aggregating telemetry within a single platform and analyzing it with automated intelligence via A.I. and M.L. Addressing the containment and recovery phases requires integrating enforcement capabilities comparable to those of existing anti-malware and intrusion prevention systems (IPS), so that a confirmed detection can drive isolation or blocking directly.

Given these realities, I predict we’ll see two key trends become more pronounced through the mid-2020s. 

First, solutions will centralize insights and analysis for all endpoints within a single platform. CrowdStrike's recent acquisition of the Humio log management platform is an excellent example. Coupling CrowdStrike's threat detection and containment capabilities with Humio's ability to ingest terabytes of log data can enable correlations and automated responses neither platform could achieve alone. The reality is that this is simply the next generation of SIEM/SOAR. Emerging players like Uptycs and Hunters centralize insights from across platforms by leveraging APIs and integrations to supplement or replace SIEMs.

Second, SOC-as-a-Service, cloud platforms that use A.I. and M.L. to automate existing manual SOC workflows, will grow in popularity as their precision and functionality improve. The logic here is simple: automated detection and containment are faster than manual action from an in-house SOC team, and software platforms can cover far more ground than human engineers parsing through logs. Telemetry is important, but alert fatigue and getting lost in the data are real problems. The humans in the SOC need to understand the most important events and act on the high-level "stories" that correlated data tells them. SOC-as-a-Service platforms like Cysiv, Expel and Check Point's Infinity SOC will filter out the noise and automate much of phases two and three of the incident response framework.

To summarize, I foresee a convergence of the tooling for telemetry aggregation, threat detection, managed services and remediation as a key milestone in the evolution of the modern SOC. As the incident response market matures, successive technical iterations will break down existing silos across platforms and automate manual SOC workflows. Existing log management solutions that add A.I. and M.L. to replace manual incident correlation are leading indicators of this trend.

Written By

Will is a Managing Director and a founding team member at ForgePoint Capital. He has been an avid technology enthusiast for decades: building his first computer in elementary school and starting online businesses while completing his bachelor’s degree from the University of California, Berkeley. Focusing on security startups for a decade, he has worked with more than 20 cybersecurity companies to date. In his spare time he’s a foodie with friends, enabling serendipity and building communities.
