Touring the modern SOC: where are the dials and blinking lights?

3 MIN READ · JONATHAN HENCINSKI · DEC 5, 2022 · TAGS: Tech tools

When you think about taking a tour of a security operations center (SOC), what vision comes to mind? Some may see rows of desks with analysts’ eyes glued to computer screens, racks of servers, and other computing equipment. Perhaps there’s a central hub, with lots of dials and blinking lights indicating security levels of the organization’s various tools and services. They picture themselves walking around, taking in the unfamiliar sights, and leaning in to get a closer look. Maybe they ask a few questions and eventually decide, “Yes, this is impressive. I feel secure.”

The reality of the modern Expel SOC tour is very different from this, mainly because SOC analysts are more likely to be remote and widely distributed geographically. While this means there’s less chance of an impressive room where analysts are physically next to one another, it doesn’t mean they’re any less effective. It simply means that our SOC tour takes a different form.

At Expel, the tour starts with a discussion about mission. A key ingredient to high-performing teams is a clear purpose, and ours is to protect our customers and help them improve. This centers around problem solving and serving as a strategic partner. We’re not just helping customers deal with incidents, we’re making recommendations on how to better prepare for future threats, how to improve processes and workflows, and where to make time and resource investments to boost overall security operations. Notice there are no mentions of trying to impress anybody with blinking lights. That’s intentional.

Next, we talk about culture and guiding principles — key ingredients for any SOC. We think about culture as the behaviors and beliefs that exist when management isn’t in the room. Culture isn’t platitudes or memes on a PPT slide; culture is about behavior and intent.

The key ingredients of our SOC culture are:

  • We lead with technology
  • Before we solve a problem, we own the problem
  • We’re a learning organization
  • “I don’t know” is always an acceptable answer

Once we set a clear mission and mindset, we look at how our team is organized to meet the customer’s goals. Our 24×7 SOC is made up of defenders with varying levels of experience, and less experienced analysts are backed by seasoned responders. If we have a runaway alert (it happens), our team of detection and response (D&R) engineers is ready to respond. And of course, our friendly bots, Josie™ and Ruxie™, are there to support us. Josie detects and classifies alerts and enables us to make decisions about customers’ security signals, while Ruxie gathers critical information about threats so analysts don’t have to.

The SOC tour then shifts to operations management and how we at Expel do this for a living. We must have intimate knowledge of what our customers’ systems look like to know when an issue needs attention. With solid operations management in place, we continually learn from our analysts and our operational data so that the right information is available at the moment a decision has to be made. We watch for patterns and make changes and adjustments to reduce manual effort. This allows us to hand off repetitive tasks to our bots so automation can unlock fast and accurate insights to inform decision-making. This ongoing optimization is one of the things that sets Expel apart.

Next, our SOC tour focuses on how we think about investigations (which are really just narratives). When we identify an incident, we investigate to determine what happened, when it occurred, how it got there, and what we need to do about it. Investigations have all the elements of a great story, and we get to write the ending.

Next, we talk about quality control in the SOC. We emphasize a few key points:

  • We don’t trade quality for efficiency
  • We can measure quality in a SOC
  • Quality control checks run daily based on a set of manufacturing ISOs to spot failures, so we can drive improvements

What about results? We typically go from alert-to-fix in under 30 minutes, and we’re proud of that number. The result is driven by a high degree of automation and retention of SOC analysts. Some interesting statistics we recently gathered from our SOC team:

  • Alert-to-fix time for critical incidents was 28 minutes
  • 77% of alerts sent to the SOC were backed by automation
  • Auto-remediation actions were completed in seven minutes
  • The average tenure of SOC analysts is ~20 months

Before the tour ends, we share insights. The security incidents we detect become insights for every customer. And we don’t stop there; we curate these findings every three months for our Quarterly Threat Report, which surfaces the most significant data we’re seeing in our threat detection and response efforts. It buckets the data into trends that can affect your cybersecurity posture, and it offers resilience recommendations to protect your organization. (Have a free look at our Q3 Quarterly Threat Report here.)

We then spend some time looking at the Expel Workbench™, the platform where our SOC analysts work side-by-side with customers on investigations and remediation. This is where all that automation, SOC experience, operations management work, incident insight, and more comes together to detect, understand, and fix issues fast. Take a peek at the Expel Workbench here.

Finally, we stop by the actual, virtual SOC. Most of our analysts are remote, but as we noted earlier, a SOC tour is about so much more than seeing a room with monitors. We believe a great SOC tour highlights the people, culture, and mindset behind the technology and processes that help keep our customers’ environments secure. We introduce you to the folks behind the curtain so you can see for yourself we’re a dedicated team — not just a bunch of blinking lights.