Like most organizations around the world, COVID-19 necessitated the move from our physical offices to work from our collective home offices. Traditionally, a security operations center (SOC) is a physical room, much like NASA mission control, where experts share the load of investigations, incident response, threat hunting, intel and research. Tied together through processes, procedures and shift handoffs, the SOC is a place of both formal and informal learning. Valuable conversations occur between analysts working on different investigations, and these interactions have intangible benefits.
But what happens when the SOC is no longer a "place"?
Back in 2015 at the World Economic Forum, Amit Chatterjee posited that work isn’t likely to be a “place” in the future; it will become more like an “experience” mediated and delivered by software. True, many of us have moved to home offices part-time or full-time over the past 20 years. This has been driven by software tools like SaaS, VPN connections, and communication tools. But it has also been driven by socio-economic factors like longer commute times, global business travel and expensive office space in some regions.
Until COVID-19, a SOC had been somewhat immune to these trends.
Recently, a group of experts posted their Best Practices for Managing a Remote SOC. It includes keeping up policies and procedures, hardening analysts’ machines, maintaining secure remote access to tools required and stepping up documentation. At Cysiv, our own SOC has taken this a step further and re-enabled the collective learning by leaving open a 24/7 video conference channel for all analysts on shift. Not only does this help cooperation and informal learning, but it also assists in shift handovers and maintaining the social aspects of working with co-workers.
Our shift from the SOC being a place to an experience was literally overnight. Although aided by a robust compliance program with business continuity in mind, Cysiv's shift was more fundamentally aided by our proprietary SOC platform, which is designed for remote use and is already used remotely by customers and partners. Being a SaaS, Cysiv Command is uniquely well suited to having distributed analysts working across multiple organizations. While other SOCs have scrambled to add VPN capacity, or even to enable remote work at all (as some used terminals that were fixed in the SOC), our approach enabled an easy transition.
The model for how SOC services are delivered, from an external provider’s perspective, has evolved over the years. In the diagram below, the traditional MSSP staffing model has analysts located at the customer’s site, managing a SIEM (top left of diagram).
As more MSSPs developed a capability in remote locations, remote staffing on a per-customer basis became popular. The next evolution was for MSSPs to roll up multiple customers into a single tool and share resources and knowledge, while still at the MSSP’s same physical site. The progression to SOC-as-Service, in which a cloud-native technology platform, such as Cysiv Command, enables analysts to be distributed and co-ordinated through a single SaaS experience, completes the evolution.
Like many of you, we are looking forward to a return to the real water cooler with friends and colleagues, but we will continue to rely on a SOC experience mediated and delivered by software.