Modern SOCs must consolidate, do more with less, and maximize their practices for the reality and demands of today and tomorrow. Credit: Getty Images By Niall Browne, CISO The traditional security operations center (SOC) is based on a model that has persisted for decades, yet it’s no longer effective. Too much has shifted in organizations and in the threat landscape for the “old ways” to work. Now is the time for a change to enable a modern SOC—taking on SOC consolidation to achieve better outcomes, with faster remediation, reduced risk and an overall stronger security posture. So, what exactly has changed for SOCs? In legacy SOCs, IT security staff are seated shoulder-to-shoulder in close proximity, looking at screens loaded with myriad details, providing views and data from dozens of security tools delivering a never-ending stream of alerts. This traditional SOC model was always about trying to keep up in a race against alerts and resource constraints that could never really be won. The pandemic exacerbated multiple challenges with the traditional SOC model. Resources have become more strained than ever, and it’s often no longer possible to have everyone physically present within the SOC. At the same time, the threat landscape is exploding, with significant cyber incidents increasing at a record pace. Answering these new realities means that modern SOCs must consolidate, do more with less, and optimize their practices for the reality and demands of today and tomorrow. 3 issues that cause challenges in legacy SOCs Within legacy SOCs, we see three primary issues that lead to poor outcomes and a weakened security posture. Too Many AlertsSimply put, legacy SOCs are attempting to manage an unmanageable volume of alerts which leads to alert fatigue, slowing organizations down. With too many alerts, it’s easier to miss potentially significant issues that could be buried in the high volume of noise. The solution to the challenge of too many alerts is to improve fidelity, so that alerts are only generated on the issues that matter.Too Many Security ProductsA key challenge we see time and again is that SOCs use a lot of security products. In fact, the average company may have dozens of cybersecurity products deployed. The amount of effort needed to manage all the tools adds needless complexity to an already overburdened operation. SOCs need to define what results they want to achieve and then identify the platforms and solutions needed for the desired result.Too Many Manual ProcessesMany legacy SOCs rely on manual processes for day-to-day operations as well as for incidents, burning out SOC analysts, because they can’t keep up with the high volume of activity. What’s needed is intelligent machine learning and automation for the high-volume processes, freeing up the human resources to focus on critical tasks. SOC consolidation is an opportunity for digital transformation IT as an industry is moving towards more homogeneous environments and more consolidation. Now is the time to do a reset, as companies are moving to the cloud and making the digital transformation journey. This is the right time to look at security products and tools used in the SOC and determine what the return on investment (ROI) is for each of them, consolidating those security investments into a core set of capabilities that you can define in a platform. SOC consolidation helps with prevention and protection Sprawl is the archenemy of security in any organization. Take the Log4j security incident that overcame SOCs at the end of December 2021. That was a security flaw in an application library found in many different locations. In a legacy SOC running 75 to 80 different tools, identifying, remediating, and protecting all vulnerable assets is not a trivial affair. SOC consolidation supports security teams Even more importantly, SOC consolidation can be a tremendously positive thing for an organization’s staff. The traditional SOC is often seen as a steppingstone to get into cybersecurity and not as a career. The reason for that is individuals in the SOC are typically inundated with events, under a tremendous amount of pressure, and have to deal with things in a manual and typically chaotic model. When the SOC is just a transitory means to get into security as a career, that’s a terrible model. It means you don’t have people invested in building an incredibly effective SOC. Rather, you have people that “do their time” in the SOC and then move on to other more promising roles. As you consolidate your SOC, you’re changing the way the SOC and the people within it work. So instead of SOC staff doing the same repetitive, boring tasks, they’re now focused on high-value projects continuously improving the technology and being more effective at threat hunting. The result of all of these changes is that they’re much happier because they’re working on projects where they can have a meaningful impact and can reach their full promise. It’s no longer the “hamster on a wheel” mentality. And happy, fulfilled people stay longer and work to make systems even better. No organization has the time or resources to waste on sifting through endless alerts with manual processes spread across disparate tools that don’t work well together. The time for SOC consolidation—to create a SOC that is modern and able to manage today’s complex threats—is here and now. Consolidate. Simplify. Orchestrate. Automate. To learn more, visit us here. About Niall Browne: Niall is the Senior Vice President and Chief Information Security Officer (CISO) at Palo Alto Networks. Niall is passionate about helping secure businesses in the cloud. Virtually every company is going through a digital transformation journey to be able to compete and thrive, e.g. cloud, mobile, IoT, machine learning. At Palo Alto Networks, Niall leads the security team that is responsible for helping secure our services. Before joining Palo Alto Networks, Niall was the CSO of cloud platforms for the past sixteen years, including as the Chief Security Officer (CSO) and Chief Trust Officer at Workday. Related content brandpost Sponsored by Palo Alto Networks What CIOs need to know about the newly proposed Critical Infrastructure Cyber Incident Reporting Rule The current cybersecurity regulatory landscape continues to evolve, and CIRCIA’s incident reporting requirements are just one of the many emerging regulations organizations will need to observe. By Anand Oswal, Senior Vice President, and GM of Network Security at Palo Alto Networks May 15, 2024 5 mins Security brandpost Sponsored by Palo Alto Networks M&A action is gaining momentum, are your cloud security leaders prepared? Direct visibility is critical in M&A, and cloud-native application protection platforms (CNAPP) are ideal to provide this capability. By Amol Mathur, SVP & GM of Prisma Cloud, Palo Alto Networks Apr 25, 2024 4 mins Cloud Management brandpost Sponsored by Palo Alto Networks Web browsers: Reimagining remote work needs at the enterprise level What sets enterprise browsers apart? They are designed from the ground up as a security product with productivity in mind. Learn more today. By Ofer Ben-Noon, SASE CTO, Palo Alto Networks Apr 19, 2024 4 mins Cloud Computing brandpost Sponsored by Palo Alto Networks Robust remote access security for the utilities sector advances with Zero Trust Infrastructure, specifically the utilities sector, must adopt a Zero Trust approach as ongoing cyberattacks by remote actors become more and more prevalent—threatening to disrupt everyday life. By Anand Oswal, senior vice president of product, network security, Palo Alto Networks Mar 28, 2024 5 mins Security PODCASTS VIDEOS RESOURCES EVENTS SUBSCRIBE TO OUR NEWSLETTER From our editors straight to your inbox Get started by entering your email address below. Please enter a valid email address Subscribe