Frankly Speaking 7/26/22 - Let's get rid of security operation centers (SOCs)!
Disclaimer: Opinions expressed are solely my own and do not express the views or opinions of my employer or any other entities with which I am affiliated.
Every week, I wonder whether I will have an interesting topic to write on, but over the course of the week some interesting security engineering topic comes up and I feel the need to collect my thoughts. The original purpose of this Substack was that, throughout my career, I've felt that writing allows me to refine my opinions and be more coherent, especially on critical strategic decisions. So, on any topic where I am asked to share my opinion, I find it extremely helpful to write it out. It's a good exercise for forming more coherent and precise opinions, and it doubles as documentation of what I considered when I made a decision at the time.
Anyway, enough of my advocating for writing. The fact that I'm able to come up with an interesting topic every week attests to the fact that security, and the concept of security engineering, is evolving almost as rapidly as software development principles. There's a lot of change, and we haven't definitively converged on best practices for everything. Even where we have, some change in tech will force security engineers to rethink their approach. To be clear, I feel that security engineering should be enabling rather than restricting software development efforts. In an ideal world, software engineers would actively seek security engineers' input.
Enough of that, moving on to “Let’s Be Frank.”
LET’S BE FRANK
I've talked about how datacenter security is dead. I do think one aspect that should die with it is the notion of security operations centers (SOCs). Sorry, old-school CISOs, and sorry, RSA, with your fancy SOC display every year at RSAC. No one cares about those anymore, despite how cool they look. Unfortunately, coolness doesn't usually result in practical solutions.
I've mentioned in the past how I believe incidents should be handled in the cloud, and how traditional SOCs are going to disappear. As I spend more time as both a security practitioner and an employee at a company in the center of the modern data stack (yes, a plug for dbt Labs!), I've gotten more clarity on what the next evolution of SOCs and incident response will look like.
In this newsletter, I will talk about the following:
Summarize and refine my previous thoughts on SOCs and incident response
Why SOCs are disappearing
How we should be handling incident response in the cloud
How modern tech companies should model their incident response and properly resource them (especially in a world where good security practitioners are hard to find)
To clarify, I am advocating for the elimination of SOCs in the sense of analysts sitting in a room full of screens, staring at dashboards and chatting with each other about whatever weird anomaly happens to appear on them. I am not advocating for the elimination of incident response. I still believe that we need incident detection and response (IR) teams, but those teams will not need or want a SOC.
SOCs are going to disappear!