SecOps and XDR: Why trusted digital operations centers are essential

Mark Fernandes CTO, Security, CyberRes

Security operations are evolving from a purely technical capability into a key contributor to business resiliency, as cybersecurity becomes an imperative for organizations that are keenly aware of the need to enable their digital future.

In this new SecOps environment, the CISO is a partner to the business, one who must establish the trust, confidence, and cyber resiliency that allow the business to quickly adopt the digital platforms and services it needs to address the next crisis, whether that is a cyber threat, an environmental disaster, or a pandemic. That makes SecOps a partner in the business's growth strategy.

Here's what your team needs to know about the future of SecOps, and why extended detection and response (XDR) is the way forward.

A bit of history

Security operations have come a long way from the security operations centers of the 1990s. During their early years, SOCs were entrenched in IT operations. Today’s SOCs are integrated risk centers that address threats across physical, business, and electronic channels.

Over the years, SOCs have evolved through five distinct generations:

  • 1G: First-generation SOCs were an arm of IT operations, providing and supporting network and server operations. Capability was centered on insider threats, Trojan malware, code injection, denial-of-service attacks, buffer overflows, and related threats.
  • 2G: Stepped-up activity by regulators shaped the second generation of SOCs. The need for compliance with new laws such as Sarbanes-Oxley and Gramm-Leach-Bliley transformed the SOC into a vehicle for maintaining continuous compliance.
  • 3G: An increase in global persistent threats during the first decade of the new century drove a third generation of SOCs to emerge with managed detection and response (MDR) capabilities.
  • 4G: As MDR capabilities expanded, a fourth generation of SOCs developed that used XDR, which extended MDR to include inspection and analysis across cloud, endpoint, and network telemetry and signals. XDR SOCs use multi-source inspection, automation, response, and an extended data schema to perform enhanced hunting, analysis, interpretation, and response.
  • 5G: The latest generation of SOCs further extends XDR to turn SOCs into trusted digital operations centers (TDOCs), which bring advanced threat hunting capabilities to infrastructure, network signals, and the cloud.

TDOCs are the future

While older SOC models focused on the detection of and response to threats, the new models focus on protecting an organization's digital value chain—how the enterprise delivers value to its customers, stakeholders, shareholders, and others.

That's why new SOCs can provide the kind of cyber resiliency needed to support secure digital transformation. Some of the capabilities of the new TDOC are:

  • Securing the digital value chain, reducing friction to the business, and enabling adoption of innovation to drive new markets and customer value
  • Crossing over electronic capabilities to enable enterprise resiliency, such as combining fraud detection with cybercrime detection to provide a holistic view of digital risk
  • Tying measurement to performance of business goals to evolve the SOC from a tech-oriented to a business-oriented capability
  • Providing an anti-fragility platform where any systemic threats to the business help strengthen its cyber defense through machine-aided root-cause analysis, learning, and transformational metrics
  • Ensuring self-healing and zero interruption to the business to limit disruption in delivery of value to the customer or stakeholder
  • Moving beyond the reactionary methods of traditional SOCs and XDR centers to build greater sensing and interpretation methods
  • Automating repeatable and expert tasks that are best done by machines so teams can focus on tasks best performed by wetware, such as creative threat hunting
  • Collaborating with trust circles, peers, and other parties to be proactive about threats through tightly coupled and cross-functional intelligence sharing

The TDOC of the future should be a business partner that combines extended XDR and SOC to help the organization pivot and adjust to changes in its operational space. The TDOC should allow a business to drive agility, speed to market, and secure digital transformation.

No quick fixes here

A traditional SOC can't be transformed into a TDOC overnight. A good place to start is with an extended XDR advisory council comprising integrated cross-channel stakeholders. The goal of that group is to create a maturity journey to secure the digital value chain for the business.

Next, you need to develop a clearly defined plan to evolve the SOC to a TDOC. The plan should provide a coherent way to measure, assess, and provide a balanced scorecard for the business. It should also include the development of a Cyber Resiliency Assurance Level (CRAL) program to measure and report the progression of the extended XDR migration.

During the first phase of the plan's implementation, the business should establish the basis for the TDOC to accelerate digital transformation by clearly defining the governance, capabilities, business alignment, and agile structure needed to do so.

During the second phase, the business should roll out the first generation of the TDOC with fully operational processes, automation, workflow, reporting, and measurements.

During the third phase, the TDOC should be in a state of continuous improvement, self-learning, performance-related monitoring, independent validation of capability, and other functions.

Toward resilience and trust

By aligning the strategic goals and mission of the business with cyber through the organization's new extended XDR strategy, a TDOC can accelerate the trust, confidence, and resiliency needed to drive business performance, customer value, and growth.

It can establish trust throughout the enterprise by classifying, assessing, and protecting the enterprise against risk introduced through the digital supply chain, regardless of its source, whether that is applications, IoT devices, third-party vendors, or work-from-home employees.

Take a deeper dive into XDR with this guide by Mark Fernandes.
