The State of SecOps: It's time to think beyond the SOC

Mark Fernandes, CTO, Security, CyberRes

In the age of COVID-19, enterprises have had to pivot just to survive, but savvy organizations have seen the pandemic as an opportunity to thrive. They're assessing how they do business—how they manage their supply chains, their vendors, and their workforce. For those organizations, the barriers to digital transformation are dissolving, and they are striving to become more resilient and antifragile, as described below.

  • Resilient. A resilient organization can detect, adapt, and proactively address crisis, adversity, and business volatility in an agile manner. Even though COVID-19 is a “black swan” event, it is likely that other global events that disrupt operations and business continuity will occur over the next four decades. A resilient organization is built to sense and adapt to these disruptive forces.
  • Antifragile. This describes an organization that, when faced with adversity, can pivot and come out stronger than before. (See Antifragile: Things That Gain From Disorder, Nassim Nicholas Taleb)

Organizations are responding to the pandemic by pivoting to new market opportunities, leapfrogging their competitors to deliver new digital channels to customers, expanding their business value chain, and engaging with customers in ways they never have before. This new normal, or operational reset, has fueled digital transformation and the use of artificial intelligence, automation, and robotics.

These new technologies bring about new business and growth opportunities but have also increased the operational cyber-attack surface and the risk of automated (and AI-based) exploitation. From a tactical perspective, the pandemic is also driving change in how organizations are approaching security. Adversaries are using the pandemic to advance their objectives—obtaining data, understanding strategy, spying on targets, and, in some cases, driving cybercrime.

Growing cyber threats created by the pandemic are accelerating the adoption of security technologies that were already gaining ground before the pandemic. In the 2020/21 State of Security Operations Report, IT pros from 400 organizations said they were facing a significant increase in overall cyber threats and incidents due to COVID-19.

All of these forces are requiring enterprises to become resilient and antifragile. To do that, the security operations center (SOC) must evolve into a center of information risk—call it the "integrated threat operations center" (ITOC).

Here are key takeaways from the State of SecOps Report, as well as action items for your organization.

The State of SecOps: Scope out your risk

Four in 10 respondents to the report noted that they are at a higher risk of exposure to threats because of changes they've had to make in operations due to the coronavirus, such as increasing the number of remote workers, who are often using unmanaged devices.

But the cyber-resiliency of many organizations was already threatened, pre-pandemic, by an increasingly complex attack surface and the increased use of the cloud and hybrid IT.

Meanwhile, the cloud is where more and more organizations go to meet their security needs. According to the survey, 96% of organizations use the cloud for IT security operations. What is more, nearly two-thirds of their IT security operations software and services are deployed in the cloud.

The State of Security Operations Report also offers insights into the technologies being used to deal with the swelling complexity and adaptive nature of actors that are targeting enterprises. Here are the standouts.

Artificial intelligence and machine learning

AI and ML, for example, will be important to any organization for countering threats and building resiliency into its systems. The technologies offer key capabilities for dealing with advanced adversaries, as well as paving the way for digital transformation, according to IT Ops pros participating in the survey; 93% of them say their organizations have deployed security products that use AI or ML.

The State of SecOps Report also found that, while vendors are hot to sell products that use AI and ML as false-positive killers, that isn't among the top reasons organizations are deploying products with these technologies. In order of importance, those reasons are:

  • Improving detection of advanced threats
  • Improving detection of data loss or exfiltration
  • Accelerating security investigations
  • Improving detection of insider threats
  • Automating remediation tasks

Automation

This is another key technology for countering advanced threats. Of the more than 400 IT Ops pros surveyed, 91% said they plan to use automation in the next 12 months to help them drive efficiencies and boost capabilities in their security operations.

Other items in the SecOps toolbox

Organizations are depending more on tools that help them visualize threats and defend themselves based on the MITRE ATT&CK framework. Nine in 10 organizations in the survey said they use the ATT&CK framework. Many organizations are also using a set of common security tools. The 11 common tools mentioned in our survey—which include SCM, SIEM, NTA, SOAR, and UEBA—are being used by more than 50% of organizations. By 2021, that's expected to reach 80%.

5 steps to better security

For organizations that want to transform their SOCs into a counter-adversary operation capable of navigating today's complex threat landscape, I recommend an action plan grounded on these steps.

1. Know your adversary and build your capabilities around that

Focusing your capabilities is a departure from the SOC mindset, which attempts to foil all possible threats. You need to get into your adversaries' heads, think about what they want to do and how they want to do it, and proactively address those potential threats. The ATT&CK framework is a good starting point for that kind of thinking.

2. View your cyber defense through a strategic prism

Ask yourself, "What do I have that an adversary would want?" That could be more than just data. It could be processes, structure, or even your users, such as senior executives, whose identities, if compromised, could be leveraged to wreak havoc within an organization.

3. Build a more resilient enterprise

Build your SecOps based on adaptive, intelligent, and performance-driven capabilities that can be measured and optimized.

4. Embrace the need to innovate

Through the use of technologies such as AI, ML, and automation, your team can focus on what matters.

5. Improve operational efficiency

If there is one thing we learned from our survey, it's that there is a real need for greater operational efficiency. That is likely to become even more acute, because the shortage of skilled security operations workers isn't going to be solved anytime soon.

Meanwhile, you can take some basic steps to improve your operational efficiency. For example, you can increase your use of automation. Those tools can help relieve the workload on your security team by farming out repetitive, mind-numbing tasks to machines.

Outsourcing is another way to increase efficiency. More and more, organizations are sending their security services to the cloud, where security team members can access them from anywhere and at any time. Another alternative is to have a managed software service provider pick up some or all of your security load.

Once you've lightened the load on your security team through automation and outsourcing, it will be able to concentrate on more important work, such as threat and attack detection, mitigation, and analysis.

Go beyond the SOC

The bigger takeaway here is the need to think beyond the SOC to cyber resilience. Your SOC should evolve to an ITOC, complete with a 360-degree view for sensing, predicting, detecting, and recovering from strategic, operational, financial, and information/cyber risk. That would become the heart of a 360-degree business resiliency center.
