The Winning Combination for Your SOC


Security operations centers (SOCs) are command central in the constant war to keep organizations safe from cybersecurity attacks. Their role has changed significantly as the threat environment has become more sophisticated. In the past, an SOC was fundamentally a set of operators responding to alarms. That model no longer works. 

Adversaries are using automation to scale exponentially, and organizations can’t just scale linearly with more people responding to more alarms, unless the ultimate goal is to have SOCs be filled with thousands of workers working 24 hours a day.

Automation in cybersecurity can make life easier and reduce risk for SOC personnel in several key ways:

  1. Correlating data. With automation and machine learning, data sequencing can happen faster, more efficiently, and more accurately. In today’s environment, manual approaches no longer work in dealing with the volume, variety, and velocity of data.
  2. Generating protections faster than attacks can spread. Manually creating a set of protections for different security technologies and enforcement points is complicated and time consuming. Automation expedites the process of creating protections without straining resources—while also keeping pace with the attack.
  3. Implementing protections faster than attacks can progress. Using automation to distribute protections is the only way to move faster than, and stop, an automated and well-coordinated attack. Automated sequencing of large attacks, together with automated generation and distribution of protections, simplifies and accelerates the ability of SOC personnel to respond to an attack and predict the next step of an unknown attack.
  4. Detecting infections already in your network. Manually correlating and analyzing data across your networks, endpoints, and clouds is difficult to scale. Automation simplifies the process and allows for faster analysis, detection, and, if necessary, intervention.

While automation simplifies a wide number of processes for the SOC, it does not obviate, eliminate, or even mitigate the need for skilled people. In fact, it increases the pressure on organizations to hire and retain the best people. 

According to a study from the Ponemon Institute, 44% of IT and IT security practitioners said automation would increase the need to hire people with more advanced technical skills. Only 23% said automation would reduce the headcount of their IT security function. 

Automation helps the talented people in your SOCs do a better job by offloading time-consuming and risky manual functions. The three activities cited most often for automation in the Ponemon research were:

  • Log analysis
  • Threat hunting
  • Incident response

By taking on these important functions, automation helps SOC workers be more productive and strategic. Nearly 70% of companies said automation lets cybersecurity staff “focus on more serious vulnerabilities and overall network security.” This is particularly critical at a time when 75% of organizations say their IT security functions are understaffed.

Finding and retaining talent

As important as automation is, it is still used in support of the people within your SOCs and not as a replacement for them. 

According to Ponemon, 67% of IT security leaders believe automation is not capable of performing tasks that IT security staff can do; 55% say automation will never replace intuition and hands-on experience; 51% say human intervention is necessary for network protection, and 46% say automation will add complexity to jobs.

In this environment, how do you ensure that your organization is attracting, training and retaining the right people? How do you find cybersecurity professionals who can leverage automation in a way that helps the organization discover threats before they can be unleashed to inflict harm? 

We asked Lucas Moody, vice president and chief information security officer at Palo Alto Networks, to identify some of the characteristics he looks for in individuals so his SOCs can maximize talent and automation. 

Among the first things Moody wants to know about individuals:

  • Are they highly technical, and do they have a fundamental interest and curiosity in keeping up with the latest technologies?
  • Are they the type of people who won’t let a problem go unsolved, who will keep pounding away until they have the right answer?

“Cybersecurity today is the story of the hunt,” Moody says. “The modus operandi of the most successful people is that they won’t let go once they are on the trail. They are also highly technical, with a strong breadth of knowledge across IT and cybersecurity.”

“The mindset, culture, and core competencies are different in the modern SOC,” Moody adds. “We want to be able to handle the easy stuff with automation and the difficult stuff with strong minds and strong people.”

We are a long way away from the science fiction of intelligent machines replacing humans, if indeed such a scenario ever comes to fruition. In the meantime, we need the best people on the front lines of cybersecurity, and we need to provide them with the tools to do their jobs and eliminate tasks that can be done more efficiently by machines. 

With the right amount of automation, we can fight machines with machines. With the right people, we can add intelligence, intuition, experience, knowledge, and grit. For many organizations looking ahead to the future, this will be a winning combination.

Al Perlman, cofounder of New Reality Media, is an award-winning technology journalist. For the past dozen years, he has focused on the intersection between business and technology, with an emphasis on digital transformation, cloud computing, cybersecurity, and IT infrastructure. 

End Points

  • While automation simplifies security operations, you still need smart people to quickly make accurate decisions.
  • Today’s security operations centers require individuals with different mindsets and capabilities than what was needed in the past.
  • One of the industry’s leading CISOs discusses what characteristics he looks for in people to lead and staff his organization’s SOCs.