Here at MSSP Alert, we’ve been thinking about the evolution of the security operations center (SOC), which is essential to MSSP/MSP operations. What is “the SOC of the future”? We wanted to hear from the experts about essential technologies, the adoption of AI, the concept of human-driven security versus hyperautomation and more.
SOCs drive how organizations detect, respond to and mitigate cyber threats, and their evolution will impact the entire realm of managed security services. The composition, operations and efficacy of future SOCs may be as varied as threat actors themselves. But the one thing we can be sure of, according to Andrew Douthwaite, chief technology officer for VirtualArmour, is that cybersecurity will never stop because bad actors are consistently trying to breach anyone and everything.
The Convergence of Tools, Techniques and Tactics
Douthwaite sees the cybersecurity industry experiencing “kind of land grabs with tools” in developing their vision of the SOC.
“Look at Cisco buying Splunk and we've got Palo Alto buying QRadar,” he said. “Some of the newer players haven't gotten to that level yet, but are up and coming, like Stellar Cyber, because they haven't got any influence from any of the big players at the moment.”
Today, eXtended detection and response (XDR) tools are claiming to be able to do everything in a security environment, according to Douthwaite. So, he sees SOC tools are seemingly converging into one holistic solution.
“Ultimately, I believe a SOC is going to have layers of AI and ML in there, either through vendor tools or something that they've built for themselves, and then have a human element,” he said. “You can then take any alert or input from any system and react to it if it seems to be a potential issue. Then, you can eventually pass it on to a human, build kind of the back end of what that would be. The pieces already in place, the playbooks and the remediation and response pieces, would all come into play off the back end of that.”
John Anthony Smith, founder and chief technology officer of Chattanooga. Tennessee-based Conversant Group, a ransomware recovery and managed services provider, believes that the SOC of the future “must be in the kill chain” — with the authority and technical capability to disrupt potentially malicious behavior on the endpoint, e-mail, cloud IaaS/PaaS changes, and network/firewall.
“The SOC process of ingest, analyze, alert, research and ‘maybe’ respond does not work,” Smith said. “In practice, threat actor dwell time is too short for this method of ‘potential’ response to work. From the point of initial access to the moment of destructive act, defenders have 2-72 hours to detect and stop trusted agent behavior. This situation is particularly aggravated by most organization’s lack of adequate lateral movement defenses.”
In the modern context, says Smith, SOCs must behave sequentially to: detect, confirm, block, alert, research and “maybe” relieve the block.
Not the SOC You Knew
Trevor Smith, executive vice president of MSSP Brite, believes that within five years we may not really have to concept of a SOC. Given the number of attacks, the cost of recovery and the cost of the tools necessary has steadily increased for such a long time that cybersecurity “will be unstainable if it doesn’t dramatically change.”
“New ways to obfuscate the attack surface will protect workloads from attack.” he said. “User identification must tie into a ‘true zero trust’ (“new term to come”) environment. Access will be limited not to a system or file, but the specific information needed. The information needed will mostly like be generated by AI reading, analyzing data in real-time from multiple systems. It hopefully will be impossible to steal the data because it exists in part on so many different systems.”
In addition to incorporating all inputs — cloud, end point, communications, user actions — the SOC of the future will also tie in social media and personal actions to create additional awareness, according to Trevor Smith. Accordingly, the security will capture changes in behavior and sentiment to predict action and prevent incidents.
He advocates that AI should immediately replace “redundant mundane tactics.” Brite, he adds, already done this achieve more than 70% automation through the use of AI.
“Hopefully, it rises 90% autonomous. relying only on the analysts to review and discuss the strange oddities that extend beyond computational understanding,” he said. “The recent use of AI as a communication tool is here for tomorrow’s use. It is improving customer communications while cutting down analyst time by accurately creating detailed reports and alert notifications. Today, these are analyst initiated, but very shortly they will be come just analyst reviewed and eventually automated.
Trevor Smith also anticipates cyber “self-healing” in a way that is more proactive preventative maintenance, such as automated system patching, remediation and immediate identification of configuration or vulnerability appearance. However, he’s not leaving out the human factor, anticipating that security teams will still generate a response action to attacks… almost launch an attack back at the bad actor.
AI vs. the Human Factor
Fred Langston, chief product officer at MSSP Critical Insight, believes that AI assistance will be needed for rapid, efficient use and automation of current Tier 1 SOC analyst workflows. In addition, specialized use cases, such as phishing email analysis, data exfiltration detection, pentest detection and custom summary reporting, should also receive the AI treatment. However, humans shouldn’t give way to hyperautomation and thus be hands-off to SOC functions, although AI lessens the need for as many Tier 2-3 SOC analysts.
“AI has clear, proven areas where failures are common or likely, so humans will be needed with expertise to monitor, tune and retrain AI models to avoid overtraining, bias, malicious adversarial training and hallucinations,” Langston said. “I’ve got over 30 years in information security and nothing tells me this is happening in my lifetime. Who designs, build, runs and manages all that hyperautomation? Cybersecurity personnel will, just like they do now.”
Brian Stoner, senior vice president of Growth at Judy Security, a cybersecurity company that partners with MSSPs and MSPs, sees XDR and security orchestration, automation, and response (SOAR) technologies rapidly converging to provide automated remediation to cyber threats.
“This is the only way SOCs will be able to keep up with the volume of threats we see in our SMB customers which have been escalating this year,” Stoner said. “The key to this is an open architecture that lets us meet the partner and their customers by taking telemetry from their existing tools.”
Stoner believes that there will always be humans inside the SOC because there are more than 4,000 cybersecurity companies in business with unique niche solutions.
“It will be impossible to train AI to do all of that correlation and response for quite some time,” he said. “We are seeing the technology significantly simplify the level one analyst responsibilities today. SOCs will never be fully autonomous because of the nature of all of the false positives most cybersecurity solutions generate. There need to be checks and balances until we can fully trust the technology.”
Aimei Wei, founder and chief technology officer of Open XDR specialist Stellar Cyber, said “we’re still in a crawling phase” with respect to generative AI and hyperautomation. So, it will take time to build confidence and refine these technologies to deliver value while ensuring accuracy. She sees the future of the “automated SOC lying in the synergy between advanced AI and human expertise.”
“While automation will undoubtedly enhance efficiency, it's crucial that IT and cybersecurity professionals remain deeply involved in evaluating and refining these technologies,” Wei said. “Only through careful human oversight can we ensure these solutions truly work, particularly in complex corner cases that could otherwise expose vulnerabilities. In this ever-evolving landscape, the key is to crawl, walk and then run — embracing innovation while maintaining rigorous standards of security."