What will define the security operations center of 2020?

Nov. 9, 2017
Examining the architecture of today's SOCs and the capabilities they will need in the future

We are under attack. In fact, we are experiencing the first skirmishes of an all-out cyberwar. Look at the headlines over the past several years and you will see the pattern. Hackers aren’t just the teenaged, hooded menaces consuming copious amounts of Jolt Cola any longer.

They are now made up of nation state-backed cyber-espionage programs, terror cells, and cyber activist groups. The enemy is getting organized, so why on Earth aren’t we? Enter the security operations center (SOC).

You have heard of it, but what is it really? What can it do for your organization, and how do you get started creating one that will stand firm against the daily onslaught of cyber attacks, both internal and external? Given the shortfall of cybersecurity professionals, what should the security operations center of 2020 look like?

The main purpose of the security operations center is to detect and alert on threats, investigate them, protect the organization, and provide visibility into the threats it faces. Building your own SOC takes time.

Look at it like developing software. Take, for instance, the agile approach to designing and developing software. The goal is to ship a minimum viable solution that addresses the biggest problems first, then iteratively enhance it over time. The most important concept when planning a SOC is understanding where people, process and technology each play. You will be unable to plan an effective response without first understanding how each role contributes to the overall architecture of your SOC.


People are the foundation of your security operations center. You are looking for a good mix of analysts, incident responders, researchers, and management.

Analysts are your first line of defense. They monitor and evaluate alerts, make sure your systems are online, and provide information to second-line defenders as needed. Incident responders are your second line of defense. They perform the deep-dive analysis of potential incidents and use specialized tools and skill sets to detect and remediate threats. The researchers are your subject matter experts. They understand forensics and threat hunting on a deep level, and will often find threats before they become incidents by hunting for them proactively in the environment. Management is the glue that holds all the people together and makes sure everyone has the direction and air cover they need.

Plan on staffing your SOC 24/7 as hackers rarely, if ever, sleep.


Process, at its core, is rudimentary automation. The goal is to establish workflows that enable repeatable, standardized responses to incidents, investigations and remediations. Without process, your analysts would have to reinvent the wheel every time a new alert came in. It would take a long time to pass the incident to the responders, who would spend even more time deciding whether they can remediate the incident or must pass it up to the researchers.

Imagine a clearly defined process for each alert type, a playbook if you will. The playbook can be followed to the letter to quickly analyze and remediate alerts coming out of the queue. There are many process models a SOC can adopt. Creating your own is an option, but with so many published models at your disposal, it usually makes more sense to adopt one that already exists; chances are you don't have the staff to develop your own in the first place. The five core functions of the NIST Cybersecurity Framework (identify, protect, detect, respond, and recover) are a good starting point, and NIST SP 800-61 describes the incident handling lifecycle in more detail (preparation; detection and analysis; containment, eradication and recovery; post-incident activity). This high-level process will get you started.
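To make the playbook idea concrete, here is an added example (not code from the article or its author) of one alert type's playbook written as an ordered list of steps, so that every analyst runs the same triage and the case handed to the next tier carries a written record of what was checked and why. The alert fields, the intel list, the privileged-account list and the noise threshold are all constructed for illustration.

```python
"""Added example: a triage playbook for one alert type (a burst of failed
logins) encoded as ordered steps. Everything below is constructed for
illustration and is not from the article."""
from dataclasses import dataclass, field

# Constructed reference data. The address is from the RFC 5737 TEST-NET-3
# documentation range, so it never points at a real host.
KNOWN_BAD_SOURCES = {"203.0.113.7"}
PRIVILEGED_ACCOUNTS = {"svc-backup", "dba-admin"}
NOISE_THRESHOLD = 20  # failed logins below this, with no success, close as noise


@dataclass
class Case:
    """The working record that travels with the alert between tiers."""
    alert: dict
    tier: str = "analyst"          # analyst -> responder -> researcher
    intel_hit: bool = False
    privileged: bool = False
    actions: list = field(default_factory=list)
    notes: list = field(default_factory=list)
    closed: bool = False


def step_validate(case):
    """Stop early on alerts missing the fields later steps depend on, and
    hand them to a responder rather than silently dropping them."""
    required = ("source_ip", "account", "failures", "succeeded")
    missing = [k for k in required if k not in case.alert]
    if missing:
        case.notes.append("malformed alert, missing fields: " + ", ".join(missing))
        case.tier = "responder"
        return False
    return True


def step_enrich(case):
    """Add the context the decision step needs: intel match and account sensitivity."""
    a = case.alert
    case.intel_hit = a["source_ip"] in KNOWN_BAD_SOURCES
    case.privileged = a["account"] in PRIVILEGED_ACCOUNTS
    if case.intel_hit:
        case.notes.append("source address is on the shared intel list")
    if case.privileged:
        case.notes.append("target account is privileged")
    return True


def step_decide(case):
    """Apply the same decision rule every time and record the reason."""
    a = case.alert
    if not a["succeeded"] and a["failures"] < NOISE_THRESHOLD and not case.intel_hit:
        case.notes.append("below noise threshold with no successful login; closed")
        case.closed = True
        return False
    # Anything past this point gets containment and a human at the next tier.
    case.actions.append(f"block {a['source_ip']} at the perimeter")
    if a["succeeded"]:
        case.actions.append(f"disable account {a['account']} and force credential reset")
        case.tier = "researcher" if (case.privileged or case.intel_hit) else "responder"
    else:
        case.tier = "responder"
    case.notes.append(f"escalated to {case.tier}")
    return True


PLAYBOOK = [step_validate, step_enrich, step_decide]


def run_playbook(alert):
    """Run the ordered steps; a step returning False ends the playbook."""
    case = Case(alert=dict(alert))
    for step in PLAYBOOK:
        if not step(case):
            break
    return case


# Constructed alerts of the one type this playbook covers.
SAMPLE_ALERTS = [
    {"source_ip": "198.51.100.4", "account": "jdoe", "failures": 6, "succeeded": False},
    {"source_ip": "198.51.100.9", "account": "jdoe", "failures": 340, "succeeded": True},
    {"source_ip": "203.0.113.7", "account": "dba-admin", "failures": 12, "succeeded": True},
    {"source_ip": "198.51.100.2", "account": "svc-backup"},  # malformed: counts missing
]

if __name__ == "__main__":
    for alert in SAMPLE_ALERTS:
        c = run_playbook(alert)
        print(c.tier, "closed" if c.closed else "open", c.actions, c.notes)
```

The point of the structure is that the tiering in the people section falls out of the code: noise is closed at the analyst tier, a successful login after a burst goes to a responder with containment already recorded, and a hit on a privileged account or a shared intel indicator goes straight to a researcher. A malformed alert is escalated rather than discarded, because a sensor that starts emitting broken alerts is itself worth a look.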


Technology is the center of any security operations center. The main tenets of a SOC are collecting data, storing data, analyzing data, detecting anomalies within the data, and acting against potential threats.

Data collection is essential to understanding the threat landscape of your organization. Sensors are needed throughout the enterprise: networks, systems, endpoints, software, and cloud. The data must be stored long enough to conduct forensics and identify patterns and behavior. Analyzing the data is often difficult and time-consuming, and requires people, process, and technology working together to succeed. Anomaly detection is easier once a baseline has been established, and baselining comes from observing behavior over a period of time. The longer the observation window, the better the baseline separates ordinary variation from genuine anomalies, with one caveat: if an intruder is already active while the baseline is being built, that activity becomes part of "normal," so baselines should be reviewed rather than trusted blindly.
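As an added example (not code from the article or its author) of what baselining and anomaly detection look like in practice, the following builds a per-user baseline of daily download volume from file-share logs and scores later days against it. The log format, users, hosts and byte counts are constructed for illustration. It uses a median and median absolute deviation (MAD) rather than a mean and standard deviation precisely because of the caveat above: one bad day already inside the baseline window moves a median far less than it moves a mean.

```python
"""Added example: per-user behavioral baseline from constructed activity
logs, with anomaly scoring against it. Not data or code from the article."""
import re
import statistics
from collections import defaultdict
from datetime import date

# Constructed sample log lines: one per file-share event. alice has ten
# ordinary days of history; bob only appears late in the window.
SAMPLE_LOG = """\
2017-10-02T09:12:03Z user=alice action=download bytes=1000000 host=fileshare01
2017-10-02T14:40:11Z user=alice action=download bytes=1100000 host=fileshare01
2017-10-03T09:05:44Z user=alice action=download bytes=1800000 host=fileshare01
2017-10-04T10:21:09Z user=alice action=download bytes=2400000 host=fileshare01
2017-10-05T09:58:30Z user=alice action=download bytes=1900000 host=fileshare01
2017-10-06T11:02:17Z user=alice action=download bytes=2200000 host=fileshare01
2017-10-07T09:33:51Z user=alice action=download bytes=2000000 host=fileshare01
2017-10-08T10:10:10Z user=alice action=download bytes=2300000 host=fileshare01
2017-10-09T09:47:02Z user=alice action=download bytes=1700000 host=fileshare01
2017-10-09T16:12:45Z user=bob action=download bytes=500000 host=fileshare01
2017-10-10T09:20:38Z user=alice action=download bytes=2100000 host=fileshare01
2017-10-10T15:01:27Z user=bob action=download bytes=700000 host=fileshare01
2017-10-11T09:15:55Z user=alice action=download bytes=2500000 host=fileshare01
2017-10-12T09:30:06Z user=alice action=download bytes=2200000 host=fileshare01
2017-10-13T02:14:39Z user=alice action=download bytes=48000000 host=fileshare01
2017-10-13T02:20:01Z user=alice action=upload bytes=48000000 host=ext-host
2017-10-13T10:05:12Z user=bob action=download bytes=900000 host=fileshare01
this line is garbage and must be skipped
"""

LINE_RE = re.compile(
    r"^(?P<day>\d{4}-\d{2}-\d{2})T\S+ user=(?P<user>\S+) action=(?P<action>\S+) "
    r"bytes=(?P<bytes>\d+) host=(?P<host>\S+)$"
)


def parse_downloads(log_text):
    """Yield (day, user, bytes) for download events; skip malformed or other lines."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m and m["action"] == "download":
            yield date.fromisoformat(m["day"]), m["user"], int(m["bytes"])


def daily_totals(events):
    """Aggregate to {user: {day: bytes}}; the baseline is built on daily totals."""
    totals = defaultdict(lambda: defaultdict(int))
    for day, user, nbytes in events:
        totals[user][day] += nbytes
    return totals


def build_baseline(totals, baseline_end, min_days=5):
    """Median and MAD of daily bytes per user over days up to baseline_end.
    Users with fewer than min_days of history get no baseline at all,
    because a handful of days cannot tell normal variation from noise."""
    baseline = {}
    for user, per_day in totals.items():
        hist = [b for d, b in per_day.items() if d <= baseline_end]
        if len(hist) < min_days:
            continue
        med = statistics.median(hist)
        mad = statistics.median([abs(x - med) for x in hist])
        baseline[user] = (med, mad, len(hist))
    return baseline


def robust_z(x, med, mad):
    """Deviation in units of a robust sigma (1.4826 * MAD approximates the
    standard deviation for normally distributed data)."""
    sigma = 1.4826 * mad
    if sigma == 0:  # perfectly constant history: any change is a deviation
        return float("inf") if x != med else 0.0
    return (x - med) / sigma


def detect(log_text, baseline_end_iso, threshold=5.0, min_days=5):
    """Score each day after the baseline window. Returns a sorted list of
    (user, day, bytes, status, z) where status is 'anomalous' or
    'insufficient-baseline'; days within the threshold are not reported."""
    baseline_end = date.fromisoformat(baseline_end_iso)
    totals = daily_totals(parse_downloads(log_text))
    baseline = build_baseline(totals, baseline_end, min_days)
    findings = []
    for user in sorted(totals):
        for day in sorted(totals[user]):
            if day <= baseline_end:
                continue
            total = totals[user][day]
            if user not in baseline:
                findings.append((user, day.isoformat(), total, "insufficient-baseline", None))
                continue
            med, mad, _ = baseline[user]
            z = robust_z(total, med, mad)
            if z > threshold:
                findings.append((user, day.isoformat(), total, "anomalous", round(z, 1)))
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_LOG, "2017-10-11"):
        print(finding)
```

Run against the constructed log with the baseline ending on October 11, alice's ordinary October 12 is not reported, her 48 MB pull at 02:14 on October 13 is flagged with a robust z-score well over 100, and bob is reported as having insufficient baseline rather than being scored on two days of history. Lowering min_days to 2 gives bob a baseline, and his 900 KB day then scores as ordinary variation, which is the trade-off the "longer baseline" advice is about: a short window either refuses to answer or answers with little confidence.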

Crowdsourced threat intelligence is also a compelling emerging technology. The idea is that as organizations experience incidents, they share indicators from those incidents (addresses, domains, file hashes, attacker techniques) with a third party, which then distributes them to other organizations to help combat future attacks; standards such as STIX and TAXII exist for exactly this exchange. Think of it like antivirus signatures for threat intelligence, with the same caveat: indicators age quickly as attackers rotate infrastructure, so shared feeds need expiry and review rather than blind blocking.

The SOC of 2020

The security operations center of 2020 is our last best hope to survive the coming cyber battles. Based on where the capabilities are today, our next generation SOC needs to be based on automation, DevOps, behavior analytics, security isolation, and machine learning. Automation allows us to do more with less. With the predicted global shortage of qualified security professionals to total two million by 2020, automation is the only way we can keep pace with cyber attacks.

DevOps is where development, quality assurance, and operations meet in a unified software delivery practice. Workloads in the future will take advantage of collaboration and integration between developers and security professionals. Behavior analytics must be rolled out and enhanced in all facets of our businesses to understand who has access to what, what they are doing with that access, and whether they should still have it.

Most breaches of tomorrow will continue to share a common thread with those of today: over-provisioned access. Setting aside malicious intent, many breaches are caused simply by someone inadvertently exposing sensitive information to those who would capitalize on it.

Phishing attachments and links will lose much of their bite as our SOC leverages security isolation to interrogate and detonate suspicious content inside a platform kept totally separate from endpoints (credential-harvesting pages and pure social engineering will still need user-facing controls). Our security operations centers of 2020 will learn and self-evaluate resources and entitlements through enhanced machine learning. Imagine an automated SOC stopping breaches before they happen by scanning your customer-facing website, detecting a critical vulnerability in something like Apache Struts, and patching the web server for you. I am sure by now you are thinking, "Is it 2020 yet?"

About the Author:

Brad Bussie, MBA, CISSP is the Principal Security Strategist for Trace3. Bussie has also served in lead technology roles at STEALTHbits Technologies, Quest Software and NCI Information Systems.