Preface
Here I'll explore the concepts of the Next-Gen Security Operations Centre, in parts, based on my journey in building one out. I found great joy and fulfilment in building the service, training the team, and watching the business grow. It was both a humbling and enlightening experience. Since then, I have discovered a passion for developing, innovating, and uplifting not only Security Operations Centres, but security services across various domains, and I hope to continue doing so for most of my career. This is my monomyth, and I'm only somewhere between the "meeting the mentor" and "crossing the threshold" stages of my journey.
The Next-Gen Analyst
The two biggest problems with the traditional Security Operations Centres that I have come across are a lack of critical thinking and a disconnect between the analyst and the tools available to them. Analysts are taught to follow the playbooks word for word, and any situation that is not documented in the playbook is outside of their remit. The incident is then passed on to other teams, contractors, or simply back to the client. This greatly increases the time to remediation and the risk of poorly triaged incidents, compromise of the organisation, and client dissatisfaction. Playbooks should be a guide on how to approach a situation you have never come across before, not a set of directions written in stone.
My idea of the analyst role within the SOC is someone who is able to, in a sense, analyse the incident. That is to say, break it down into its basic components, interpret and communicate the data, and identify a solution. An analyst who can do that can then leverage the technology available to them to improve the process, mitigate the risk, and, where possible, automate a solution, so that if a similar incident were to occur, the mundane tasks, if not the full incident, have already been handled.
This, of course, is easier said than done. When hiring a Next-Gen Analyst you are essentially looking for a unicorn: someone who has the analytical capacity to break down complex problems into simple solutions, as well as the technical aptitude to communicate the solution and implement it themselves. In addition, these sorts of people don't come cheap, and organisations are reluctant to spend that kind of money on security solutions and personnel unless they are forced to.
Building out a Next-Gen SOC, I discovered that a compromise can be achieved, to an extent. You can have a team that consists of a small number of highly capable individuals with a broad understanding of technology and an analytical mindset, combined with a number of analysts who have some experience in either the technology or analytics and are eager to develop their skills into the Next-Gen Analyst role, combining the best of both the security engineer and security analyst capabilities. These kinds of people will not only provide the highest quality of service for clients and organisations, but continuously innovate and improve the industry.
To the benefit of the junior analysts, this deep understanding across both the technical and analytical domains brings career opportunities that they may never have achieved through a traditional "pass the ticket" kind of SOC. For the senior individuals, the opportunity to mentor and uplift those around them reinforces their own knowledge, confidence, and capability, as well as building strong relationships within the team. From personal experience, inspiring people to do better and mentoring them to achieve their goals is a great feeling.
Looking to the future of Security Operations, I truly hope that this sort of innovation of the analyst role continues as we move away from the mundane "follow the steps, copy and paste the questions and responses, pass the ticket, repeat" mentality and towards roles that inspire, excite, and encourage people to pursue careers in the security industry.
This article was written by Ivan Sadovoy - Cyber Security Consultant at AC3