Blog post

Arriving at a Modern SOC Model

By Augusto Barros | August 08, 2016 | 4 Comments

threat intelligencesiem and log managementinsights and philosophicalincident response

While writing our new (and exciting) research on “how to build a SOC”, we came into a conclusion that a modern SOC has some interesting differences from the old vanilla SOC that most organizations have in place. In essence, the difference is related to the inclusion of Threat Intelligence and Hunting/Continuous IR activities. The way that a traditional SOC operates is more or less like this:

soc_1

While the “newer” model is something like:

soc2

So far, this is not surprising or particularly exciting. That’s just plain evolution. Now, this becomes more interesting when you start to work on guidance for organizations that right now are planning to build their (new) SOC. Should they plan to build it as a modern SOC, or should they build as a traditional SOC and then move it to the modern model as it matures?

So far we haven’t seen substantial evidence to back any of those two options. I can see how “building it the right way” would make sense, as you don’t want to waste resources planning and writing processes twice, and there is no point in building a less effective model when you know there is a better way to do things. But the modern model also requires more resources (people and tools). Some of those newer processes are also frequently seen as part of organizations with mature security operations. Can they be performed by those that are not as mature? Does those processes actually work on immature organizations? This is a “do it right the first time” versus a “walk, then run” discussion.

Do you happen to have experience with a mature modern SOC? If so, how did you arrive there? Was it built like that or did it evolve from the traditional model? It would be even more interesting to hear from people with FAIL stories from one of those two approaches. Don’t be shy, let us hear your stories 🙂

Leave a Comment

4 Comments

  • Endre says:

    This doesn’t seem to be a modern SOC model. The picture (when available) depicts only a modification and extension of the old model.
    A paradigm shift is needed, moving from a roll back model to a roll forward model.
    Another crucial detail is how the threat hunting is used and when. In your model it seems to be applied too late, therefore cementing in a reactive mode instead of enabling pro-activity.

    • Augusto Barros says:

      Endre, not sure if I understand what you mean by a “roll forward” model.

      Also, note that there is no “order” to the process in that model, so hunting wouldn’t be applied too late; you don’t need to wait for detection or TI to arrive in order to hunt. Most of the times it will be based on TI (not necessarily IOCs), but it doesn’t have to be like that. It is a continuous process that is fed by and feeds the others, as the arrows indicate.

  • Daniel says:

    Hi, the picture of newer model is not displayed. After clicking the link the file is not found.

  • Thom Mitchell says:

    A next generation CSOC has automated Tier 1 .

    Please read my forth coming book ” How to Build a Next Generation CSOC.