August 3, 2021 Sumo Logic

Legacy vs. modern cloud SOAR-powered SOC

Those who don’t move forward are moving backward. This saying particularly holds true in the cyber security world, as the constantly evolving threat landscape puts enormous pressure on traditional SOC teams.

Most traditional SOC teams are understaffed, lack specific skills and are overworked. The information they have at hand is usually insufficient to keep up with the growing number of alerts, and without the backing of forward-thinking solutions, CISOs and analysts can’t successfully mitigate sophisticated cyber attacks.

In this article, we’ll shine a light on the difference between traditional and modern SOCs, and what the future of the next-gen cyber security teams looks like.

The demise of the traditional SOC

The traditional SOC model is obsolete. It is expensive, slow, inflexible, and fails to meet basic expectations such as combating sophisticated cyber attacks. Some of the main reasons behind the downfall of the traditional SOC are:

  • Relying on old-fashioned technology

  • Slow to adapt to the evolving threat landscape

  • An inordinate amount of time wasted on manual tasks

  • Inability to retain skilled security analysts

  • Spending more time maintaining the SOC rather than providing cyber security services

  • Technology-focused architecture leads to a lack of flexibility

While the excessive reliance on technology is understandable, this is where most traditional SOCs go wrong. Even the most advanced piece of technology in the world still needs to be guided, instructed, and monitored by expert minds. This is why investing proportionally in both technology and people is essential.

It’s not only about detecting indicators of compromise (IOCs) and remediating incidents, but it’s also about optimizing the mean time to detect (MTTD) and mean time to respond (MTTR). And, according to a study by Bitdefender, while 82% of SOC operators are confident in their ability to successfully detect cyber threats, only about 22% of SOC operators are actually tracking and benchmarking their MTTD.
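The article points out that most SOCs do not actually track MTTD and MTTR. As an added example, not part of the original post, the following Python computes both metrics from a set of constructed incident records and benchmarks them per severity against a target. It assumes MTTD is measured from the reconstructed start of attacker activity to detection (that is, dwell time) and MTTR from detection to completed remediation; the record fields and the sample timestamps are constructed for illustration. Incidents that are still open are excluded from MTTR rather than counted as zero, since treating them as zero would make the metric look better the longer incidents stay unresolved.

```python
"""Compute and benchmark MTTD/MTTR from incident records (added example)."""
from datetime import datetime, timezone
from statistics import mean
from typing import Optional

# Constructed sample incident records; none of these come from the article.
# compromised_at: start of attacker activity as reconstructed during forensics
# detected_at:    when the SOC first opened the incident
# resolved_at:    when remediation finished; None means the incident is still open
INCIDENTS = [
    {"id": "INC-1", "severity": "high",
     "compromised_at": "2021-07-01T08:00:00Z", "detected_at": "2021-07-01T20:00:00Z",
     "resolved_at": "2021-07-02T02:00:00Z"},
    {"id": "INC-2", "severity": "high",
     "compromised_at": "2021-07-03T00:00:00Z", "detected_at": "2021-07-05T00:00:00Z",
     "resolved_at": "2021-07-05T12:00:00Z"},
    {"id": "INC-3", "severity": "medium",
     "compromised_at": "2021-07-06T09:00:00Z", "detected_at": "2021-07-06T10:00:00Z",
     "resolved_at": None},
    {"id": "INC-4", "severity": "low",
     "compromised_at": "2021-07-07T00:00:00Z", "detected_at": "2021-07-07T03:00:00Z",
     "resolved_at": "2021-07-07T04:30:00Z"},
]


def parse_ts(value: str) -> datetime:
    """Parse an ISO-8601 UTC timestamp with a 'Z' suffix."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def hours_between(start: str, end: str) -> float:
    """Elapsed hours from one timestamp to another."""
    return (parse_ts(end) - parse_ts(start)).total_seconds() / 3600


def mttd_hours(incidents, severity: Optional[str] = None) -> Optional[float]:
    """Mean time to detect: compromise start -> detection, in hours.
    Every incident has a detection time, so all matching incidents count."""
    times = [hours_between(i["compromised_at"], i["detected_at"])
             for i in incidents if severity is None or i["severity"] == severity]
    return mean(times) if times else None


def mttr_hours(incidents, severity: Optional[str] = None) -> Optional[float]:
    """Mean time to respond: detection -> resolution, in hours.
    Open incidents (resolved_at is None) are excluded, not counted as zero."""
    times = [hours_between(i["detected_at"], i["resolved_at"])
             for i in incidents
             if i["resolved_at"] is not None
             and (severity is None or i["severity"] == severity)]
    return mean(times) if times else None


def benchmark(incidents, mttd_target_hours: float, mttr_target_hours: float) -> dict:
    """Per-severity report flagging each metric that misses its target.
    Open incidents are counted separately so they are not silently hidden."""
    report = {}
    for sev in sorted({i["severity"] for i in incidents}):
        d, r = mttd_hours(incidents, sev), mttr_hours(incidents, sev)
        report[sev] = {
            "mttd_hours": d,
            "mttr_hours": r,
            "open_incidents": sum(1 for i in incidents
                                  if i["severity"] == sev and i["resolved_at"] is None),
            "mttd_over_target": d is not None and d > mttd_target_hours,
            "mttr_over_target": r is not None and r > mttr_target_hours,
        }
    return report


if __name__ == "__main__":
    print(f"MTTD (all incidents): {mttd_hours(INCIDENTS):.1f} h")
    print(f"MTTR (closed incidents only): {mttr_hours(INCIDENTS):.1f} h")
    # Hypothetical targets: detect within 24 h, remediate within 8 h
    for sev, row in benchmark(INCIDENTS, 24, 8).items():
        print(sev, row)
```

Run the file directly to print the overall figures and the per-severity report; the targets passed to `benchmark` are placeholders to be replaced with the thresholds your own SOC has agreed on.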

Ultimately, traditional SOCs are set in their old ways, and the illusion that those ways are sufficient is their own pitfall. In reality, cyber threats have become so sophisticated that an intrusion may leave no visible footprint within your organization, leading you to believe no harm has been done until it is too late and the damage is already done.

Traditional SOCs fail to retain quality security professionals

The ongoing skill gap problem has made it hard for SOCs to find skilled security analysts, but what’s even worse is the fact that for every four analysts they hire, traditional SOCs lose approximately three analysts due to the high-pressure environment. These are some of the biggest pain points that contribute to the inability of traditional SOCs to keep skilled analysts:

  • Increasing workloads

  • Lack of network visibility

  • Alert fatigue

  • Being on-call 24/7

  • Information overload

This is the main reason traditional SOCs are incapable of retaining skilled security professionals in the long run. The overbearing pressure of too many alerts and the lack of support analysts receive lead to an inevitable burnout that, at the current pace at which threats are evolving, is bound to happen sooner rather than later.

The evolution of the modern SOC

Legacy vs Modern Cloud SOAR-Powered SOC

Proactiveness. This is the first and most important factor that sets modern SOCs apart from traditional ones. SOCs can no longer enjoy the luxury of taking a reactive approach and waiting for an alert to appear before they act. In fact, in some of the biggest cyber attacks of the recent past, the attackers were inside the organization for months before the SOC detected them, causing irreparable, irreversible damage.

This is why SOCs should no longer wait for alerts to kick-start their incident investigation processes, and this is the cornerstone around which the modern SOC revolves. To take a more proactive stance toward incident investigation and remediation, modern SOCs rely on the following:

  • Automation: Security automation helps modern SOCs cope with the growing skill gap as it allows analysts to have more free time to focus on challenging initiatives rather than drowning in manual and repetitive tasks.

  • Machine learning: Machine learning-powered technologies, such as Cloud SOAR, learn from the characteristics of incoming threats and use their growing knowledge base to tell apart false positives from real threats.

  • Advanced and flexible technologies: Forward-thinking security solutions improve communication within SOC teams, saving the critical time needed to respond to incoming threats.

The machine learning element included in threat investigation eases the job for analysts. Without the help of security technologies that bring machine learning and automation to the table, analysts can’t possibly cope with the huge volumes of data and alerts coming their way.

Ultimately, modern SOCs take threat investigation to the next level with real-time analytics, progressive automation, and increased visibility across all endpoints. In modern SOCs, analysts are able to make faster and more accurate decisions thanks to optimized workflows driven by automation and machine learning.

Cloud SIEM and Cloud SOAR are leading the way

As the shift to the cloud accelerates, security leaders need the same visibility into cloud applications and endpoints as they have over on-premises systems. This is why technologies such as Sumo Logic Cloud SIEM and Cloud SOAR are necessary additions for every modern SOC.

Moreover, combining the advanced, real-time analytics provided by SIEM with SOAR's progressive automation capabilities increases the speed and accuracy of threat investigation. Automating key but repetitive SecOps tasks frees up analysts' time to focus on remediating actual threats and on threat hunting instead of wasting it on false positives. Plus, given Cloud SOAR's open integration architecture, it can easily integrate with SIEM and leverage its real-time analytics capabilities, ultimately enhancing the productivity of SOC teams.

Modern SOCs are people-centric

The bottom line is that modern SOCs build their foundation on cloud-native security solutions, leveraging progressive automation and real-time analytics. However, despite all the advanced capabilities these security solutions offer, modern SOCs will continue to be people-centric. Analysts will always be the ones behind the wheel, which is why it is important to invest in a high-caliber security team as well as in advanced security tools.

The goal of forward-thinking security solutions, such as Cloud SOAR and Cloud SIEM, is only to augment security professionals, not to replace them. Even though humans rely more and more on the advanced capabilities of machines to track down stealthy cyber attacks, their expertise remains an indispensable part of threat hunting. The difference now is that analysts no longer have to spend their valuable time on menial, time-consuming tasks such as sifting through alert logs and false positives. That "ugly" part of security operations will be taken care of by SOAR and SIEM, allowing analysts to take a more proactive threat hunting approach.

