As You Modernize Your SOC, Remember the Human Element

As Security Operations Centers (SOCs) mature, they need to tackle some tough challenges with respect to data, systems and people

As Security Operations Centers (SOCs) mature and transition to become detection and response organizations, they need to tackle some tough challenges with respect to data, systems and people. To begin with, many SOCs are dealing with data that is noisy and unstructured, decentralized without prioritization, and managed with spreadsheets. So, the first step is to capture the right data to create a single source of truth, continuously updated with new data and observations, and curated to ensure relevance.

Utilizing that data also presents challenges: systems are disconnected and disparate, workflows are neither orchestrated nor automated, and each system uses its own specific language, which makes it difficult, if not impossible, to get them to interoperate. Passive collaboration, which shares curated threat intelligence with teams and tools as part of existing workflows, improves data utilization and is a major step towards enterprise-wide risk management.

But there remains yet another significant challenge SOCs face as they modernize – the lack of skilled resources to get things done, and ineffective use of the staff they do have, who are bogged down by repetitive, manual tasks and operate in silos.

How to unleash the power of the human element

Detection and response is predicated on having the right intelligence. This encompasses all the internal threat and event data created by each layer in your security architecture, augmented and enriched with external threat data from the multiple sources you subscribe to. But one of the most important sources to bring into the process is human intelligence – intuition, memory, learning and experience. What better way is there for organizations to validate data and findings, and then determine the right action to take within their own environment, than through their own people? Empowering the human element is vital to effective and efficient detection and response.

This is where active collaboration comes in – engaging with another person to accomplish a shared goal through tasking and coordination. It’s what typically comes to mind when we think of collaboration, but traditional, siloed environments have made it extremely difficult and time-consuming for security professionals. When different people or teams work on independent tasks, key commonalities are missed, so investigations take longer or hit a dead end, and key information falls through the cracks.

Having a single collaborative environment that fuses together threat data, evidence and users breaks down these barriers. Team members can automatically see how the work of others impacts and further benefits their own work and, importantly, they can share and benefit from all sources of intelligence, including the human intelligence they each bring to the table. Embedding collaboration into operations, validating data and sharing their collective insights and understanding, breeds confidence in the intelligence that is being used and drives detection and response effectiveness.

This confidence in the data, and in the decisions made based on that data, should lead to automation. Working together, teams know what needs to get done and start to understand how to do it better and take the right actions faster. Over time and with multiple successes, confidence builds. Teams realize they don’t have to keep performing manually the processes they have recognized to be repetitive and low risk. They have the confidence they need to move forward with automation – either automating an entire process or just select aspects – for efficient detection and response.

Back in 2013, Neil MacDonald of Gartner projected this SOC metamorphosis in his paper, Prevention Is Futile in 2020: Protect Information Via Pervasive Monitoring and Collective Intelligence. Today, we’re seeing real and measurable progress towards this transformation. As new concepts have emerged, security organizations and teams have demonstrated an eagerness to embrace them quickly. In the SANS 2020 Threat Hunting Survey, 85% of organizations reported they had adopted some level of threat hunting. And, increasingly, the vulnerability management function is moving from Governance, Risk and Compliance (GRC) to security operations, where teams have the skills and tools for proactive risk mitigation.

But there is still much work to be done. A case in point: months after the SolarWinds Orion security breach, 63% of organizations surveyed by DomainTools remain highly concerned, 60% of those directly impacted are still trying to determine if they were breached, and 16% of organizations are still wondering if they were even impacted. Fortunately, with the wave of new product categories and services aimed at delivering the capabilities SOCs need to address the data, systems and people challenges, organizations have what it takes to make SOC modernization happen.

Written By

Marc Solomon is Chief Marketing Officer at ThreatQuotient. He has a strong track record driving growth and building teams for fast growing security companies, resulting in several successful liquidity events. Prior to ThreatQuotient he served as VP of Security Marketing for Cisco following its $2.7 billion acquisition of Sourcefire. While at Sourcefire, Marc served as CMO and SVP of Products. He has also held leadership positions at Fiberlink MaaS360 (acquired by IBM), McAfee (acquired by Intel), Everdream (acquired by Dell), Deloitte Consulting and HP. Marc also serves as an Advisor to a number of technology companies, including Valtix.
