Managing change in the SOC

How to turn change into opportunity

Change will never be this slow again.

This succinctly describes the modern Security Operations Center (SOC). Our customers tell us that the nature of threats, the systems that need to be integrated, the compliance rules that need to be followed, and the list of assets that need to be protected are all changing and growing every day. Long gone are the days when they simply issued badges and monitored CCTV cameras at busy office entryways.

The challenge today is building an organization that is flexible enough to embrace this change while maintaining the operational discipline to improve security outcomes.

Our customers see this change coming from two different directions: operationally in the SOC, and in the systems managed by the security technology teams.


Change in the SOC
Let’s look at the SOC first. SOC operators are being presented with more and more data. IoT devices are one example of a new wave of alerts that are quickly becoming part of the response and triage plans for SOC operators. In fact, SOCs are becoming almost a general-purpose triage center for any type of event that impacts an organization. These operators may not be able to fix the problem, but they do have the tools to assess, dispatch, and notify the teams that can take action. Security executives see this change as an opportunity to put their SOC at the heart of the organization, protecting its people, assets and brand from threats. To scale this operationally, many elect to standardize the operational response using a single-pane-of-glass application, like Immix CC. Regardless of the type of system, the format of the data, or how it’s transmitted, the Immix CC response interface remains the same. Immix CC’s consistency ensures that operators can respond immediately and more effectively.

Change impacts the Security Technology teams too
Meanwhile, the security technology teams tell us the number of systems generating alerts is also accelerating. More cameras and doors are being deployed, there are new buildings to monitor, new alerts detecting outside risk to the organization, more data about geospatial location being shared, monitoring of social media posts to be included; there’s more data from more sources, and the tide is only rising. For the operators in the SOC, data is good as it helps provide valuable situational awareness. Conversely, too much data can be overwhelming and slow down response. Our customers consistently tell us that the key to improving security outcomes is to focus on the most critical events and automate out the noise. We have spent over 15 years building integrations that standardize systems so that operators are free to focus on the events that require human decision making. The rest, the noise, needs to be automated and logged, keeping the operators focused on what's important. The breadth of integrations in the library (500+ and counting) gives security technology professionals the confidence to embrace new systems and alerts, knowing that even though there is more data, the operational impact on the SOC remains unchanged.

We are all living in a period of constant and accelerating change. Having a response platform that is designed to support this change provides organizations with the opportunity to monitor everything from one central screen and get all their systems speaking the same language.