Doing More with Less: The Case for SOC Consolidation

By Niall Browne, CISO

The traditional security operations center (SOC) is based on a model that has persisted for decades, yet it’s no longer effective. Too much has shifted in organizations and in the threat landscape for the “old ways” to work.

Now is the time for a change to enable a modern SOC—taking on SOC consolidation to achieve better outcomes, with faster remediation, reduced risk and an overall stronger security posture.

So, what exactly has changed for SOCs?

In legacy SOCs, IT security staff are seated shoulder-to-shoulder in close proximity, looking at screens loaded with myriad details, providing views and data from dozens of security tools delivering a never-ending stream of alerts. This traditional SOC model was always about trying to keep up in a race against alerts and resource constraints that could never really be won.

The pandemic exacerbated multiple challenges with the traditional SOC model. Resources have become more strained than ever, and it’s often no longer possible to have everyone physically present within the SOC. At the same time, the threat landscape is exploding, with significant cyber incidents increasing at a record pace.

Answering these new realities means that modern SOCs must consolidate, do more with less, and optimize their practices for the reality and demands of today and tomorrow.

3 issues that cause challenges in legacy SOCs

Within legacy SOCs, we see three primary issues that lead to poor outcomes and a weakened security posture.

1. Too Many Alerts
   Simply put, legacy SOCs are attempting to manage an unmanageable volume of alerts which leads to alert fatigue, slowing organizations down. With too many alerts, it’s easier to miss potentially significant issues that could be buried in the high volume of noise. The solution to the challenge of too many alerts is to improve fidelity, so that alerts are only generated on the issues that matter.
2. Too Many Security Products
   A key challenge we see time and again is that SOCs use a lot of security products. In fact, the average company may have dozens of cybersecurity products deployed. The amount of effort needed to manage all the tools adds needless complexity to an already overburdened operation. SOCs need to define what results they want to achieve and then identify the platforms and solutions needed for the desired result.
3. Too Many Manual Processes
   Many legacy SOCs rely on manual processes for day-to-day operations as well as for incidents, burning out SOC analysts, because they can’t keep up with the high volume of activity. What’s needed is intelligent machine learning and automation for the high-volume processes, freeing up the human resources to focus on critical tasks.

SOC consolidation is an opportunity for digital transformation

IT as an industry is moving towards more homogeneous environments and more consolidation. Now is the time to do a reset, as companies are moving to the cloud and making the digital transformation journey. This is the right time to look at security products and tools used in the SOC and determine what the return on investment (ROI) is for each of them, consolidating those security investments into a core set of capabilities that you can define in a platform.

SOC consolidation helps with prevention and protection

Sprawl is the archenemy of security in any organization. Take the Log4j security incident that overcame SOCs at the end of December 2021. That was a security flaw in an application library found in many different locations. In a legacy SOC running 75 to 80 different tools, identifying, remediating, and protecting all vulnerable assets is not a trivial affair.

SOC consolidation supports security teams

Even more importantly, SOC consolidation can be a tremendously positive thing for an organization’s staff. The traditional SOC is often seen as a steppingstone to get into cybersecurity and not as a career. The reason for that is individuals in the SOC are typically inundated with events, under a tremendous amount of pressure, and have to deal with things in a manual and typically chaotic model.

When the SOC is just a transitory means to get into security as a career, that’s a terrible model. It means you don’t have people invested in building an incredibly effective SOC. Rather, you have people that “do their time” in the SOC and then move on to other more promising roles.

As you consolidate your SOC, you’re changing the way the SOC and the people within it work. So instead of SOC staff doing the same repetitive, boring tasks, they’re now focused on high-value projects continuously improving the technology and being more effective at threat hunting. The result of all of these changes is that they’re much happier because they’re working on projects where they can have a meaningful impact and can reach their full promise. It’s no longer the “hamster on a wheel” mentality. And happy, fulfilled people stay longer and work to make systems even better.

No organization has the time or resources to waste on sifting through endless alerts with manual processes spread across disparate tools that don’t work well together. The time for SOC consolidation—to create a SOC that is modern and able to manage today’s complex threats—is here and now.

Consolidate. Simplify. Orchestrate. Automate.

To learn more, visit us here.

About Niall Browne:

Niall is the Senior Vice President and Chief Information Security Officer (CISO) at Palo Alto Networks. Niall is passionate about helping secure businesses in the cloud. Virtually every company is going through a digital transformation journey to be able to compete and thrive, e.g. cloud, mobile, IoT, machine learning. At Palo Alto Networks, Niall leads the security team that is responsible for helping secure our services. Before joining Palo Alto Networks, Niall was the CSO of cloud platforms for the past sixteen years, including as the Chief Security Officer (CSO) and Chief Trust Officer at Workday.