top of page

The Modern SOC: A Cautionary Tale of Good Intentions

This guest post was contributed by Joe Schreiber, Co-Founder and Chief Executive Officer, appNovi

Joe Schreiber, Co-Founder and Chief Executive Officer, appNovi

"The road to hell is paved with good intentions." This time-worn adage aptly describes the current state of many Security Operations Centers (SOCs) across industries. Faced with a rapidly evolving threat landscape and complex network environments, security leaders and their teams have been busy selecting and deploying an array of tools aimed at tackling specialized challenges. Unfortunately, good intentions aside, these decisions have led to operational silos, interoperability nightmares, and automation challenges. For many, what was supposed to be a fortified bastion of cybersecurity has become a maze of loosely connected components. The outcomes of all these well-intended use case-specific decisions were selected without considering the holistic picture of security.

Network Changes and Playing Catch-Up

SOCs are faced with steady changes in network architecture, often prompted by business needs rather than security concerns. With the proliferation of cloud computing, IoT devices, and remote work, networks have become more complex than ever. A 2023 ISACA report highlights that “emerging technologies bring opportunities for innovation and efficiency, but also raise concerns about their potential impact on security, privacy and data integrity.”

To address the complexity, SOCs often invest in new tooling — each designed to monitor a specific part of the network to gain unique insights. While the intent is to gain lost visibility, the result is a patchwork quilt of tools that are difficult to manage and integrate. This piecemeal approach sacrifices the "big picture," leaving security teams without the information necessary to make security decisions, and obligates yet another manually compiled spreadsheet. Consider a common example when there are so many tools – an asset is discovered and has a high-risk vulnerability that makes the news cycle. The EDR solution is queried to identify if the asset has a compensating control. Firewall logs are queried to understand if the asset is connected. CMDB, IaaS, and tags are reviewed to understand the business significance of the asset. Ownership records are queried to identify stakeholders. These data points may be incomplete, leading to unintended consequences from making changes to the network. This example illustrates how security analysts spend significant time accessing tools, resulting in a partial or incomplete response in fear of impacting the business.

The sheer count of tools, volume of data, and varying data types inhibit the SOC from understanding their environment, putting the entire organization at risk.

Specialized Tools and Operational Silos

As organizations deploy unique solutions for cloud security, network security, and endpoint security, tooling has become specialized for each network environment. This has led to operational silos within the SOC with more tools requiring more resources to support them.

The result? Multiple layers of obstruction that prevent a unified understanding of the network's security posture. Each tool can see only a part of the ecosystem, and transferring information from one to the other for comprehensive analysis becomes an uphill task. When you consider the above example and include ticket creation and escalation, an already belabored task becomes more tedious and less likely to resolve efficiently.

This is particularly concerning when we consider that we have multiple tools detecting the same data point. Vulnerability scanners, for example, report on the same data – whether that be the CVE or a maintained vulnerability database. NetFlow is standardized yet stored in thousands of rows sourced from hundreds of devices. We are too often concerned about a specific vulnerability and the unique network connection required for exploitation, but often this is the needle in the haystack. When we have multiple overlapping data sets that are not converged, gaining this context is difficult and further impedes response.

The Limitations of Automated Outcomes

Ideally, automation is the silver bullet that enables SOCs to be more efficient and effective. However, the truth is far from this ideal, primarily because an authoritative data source cannot be achieved due to the challenges mentioned above. This challenge is well exemplified in Gartner research highlighting the resulting complexities of tooling and their lack of interoperability, leaving many security teams to seek out platforms or reassess security operations altogether.

This lack of a single, authoritative data source prevents automation adoption from reaching its full potential. The absence of reliable and comprehensive data limits the effectiveness of automated security measures, either slowing their adoption or stopping them altogether. For as long as there is not a high-fidelity data source, there is no premise on which to implement automation, with the outcome of partially automated processes still largely reliant on human review and judgment.

Towards a Unified Approach: The Need for Integration and High-Fidelity Data Sources

The solution to these problems isn't simply a matter of vendor consolidation, especially for those organizations that have invested heavily in a "best of breed" approach to their security tools. In many instances, removing these specialized tools isn't feasible from a financial or operational standpoint. This makes the emergence of concepts like Cyber Asset Attack Surface Management (CAASM) and Cybersecurity Mesh Architecture (CSMA) particularly relevant. These approaches aim at achieving a unified understanding across various security platforms, allowing for better decision-making and optimized operations. A unified data source can be the cornerstone of achieving this level of integration, paving the way for more effective automation and situational awareness.

With a high-fidelity source of data and the benefits, several things will move from idealistic to achievable.

A complete understanding of our environment is only gained through total visibility delivered by all monitoring and alerting tools. Trust in the accuracy of the converged data enables more effective implementation of automated outcomes. Meanwhile, the attack surface is measured and reduced through automated actions.

This complete network understanding means we can also understand asset criticality to the business, as well as the asset’s dependencies and indirect dependencies. Available choices become clearer when we understand whether disrupting access to the server will impact business.

Most importantly, few SOCs have the budget for all the people and tooling they would like – leveraging their existing investments to create an accessible (both in digital access and subject matter abstraction) means that junior analysts unfamiliar with the nuances of tools but well-versed in cybersecurity academically are better equipped to make decisions without escalation.

As we move forward, SOCs must evolve from a fragmented, tool-centric approach to a more integrated and holistic model. The successful SOC of the future ensures that their past good intentions can now amount to more effective security rather than a complicated, unmanageable environment. It’s time to pave a new path towards an integrated, efficient, and effective SOC using all the tools we already have and implementing them into a fully integrated SOC platform. As a SOC manager at AT&T it was a lofty goal I had. Now, many years later, I’m excited to see it become a reality.


About the author:

Joe started in IT and security in the days of dial-up, has led the SOC of the world’s largest MSSP, and worked at several notable cybersecurity software providers from startups to enterprises. Joe attended the Georgia Institute of Technology after applying over Telnet, but was self-taught from age of fifteen on both offensive and defensive IT security. His IT security experience only pales in comparison to his knowledge of single origin coffee and methods to brew.


bottom of page