So my colleague’s assertion seems pretty spot on. But it surely wasn’t always the case that operational support in a SOC was as essential as it is today. That brings me to a bigger question. What has changed? Have the threats become so technically capable that they’re beating us, or have our support vendors evolved their services to the point that we’d be fools to not make use of them?
We hear a lot about advanced persistent threats these days. Although I'm not a fan of that term, there is no doubt that the attacks, techniques and tools used by our adversaries have advanced at something like the pace of Moore's Law. Compare the earliest rootkits we saw in the 1990s with today's malware, and it's clear that things have moved on enormously. For example, analyzing the attackers' tools now requires a skill set that very few people can muster.
To try to meet that level of threat, innovative and enterprising vendors have built services that can be huge time-savers. These include appliances that automate much of the labor needed to reverse engineer all but the most stubborn malware. This allows SOCs to answer some of the most pressing questions accurately and rapidly, such as whether a sample was built specifically for them or is just commodity malware seen everywhere. Those are the things that make a tremendous difference in deciding on the most appropriate course of action during a crisis.
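To make the "targeted or commodity?" question concrete, here is an added example of the kind of first-pass check such automation performs. It is illustrative code written for this article, not any vendor's appliance logic: it hashes a sample, looks the hash up in a constructed feed of known commodity samples, extracts printable strings, and flags organization-specific indicators (the feed contents, the sample bytes and the indicator list are all made up for the example).

```python
"""Illustrative malware triage: is a sample commodity or possibly targeted?

Added example for this article; constructed data throughout. A real SOC would
feed this from a sandbox, a hash reputation service and its own asset inventory.
"""
import hashlib
import re

# Runs of 6+ printable ASCII bytes, the same heuristic as the Unix `strings` tool.
ASCII_STRING_RE = re.compile(rb"[\x20-\x7e]{6,}")

# Constructed: names, domains and a Windows domain prefix that only this
# (hypothetical) organization would use. A sample that embeds them was most
# likely built with this organization in mind.
ORG_INDICATORS = [
    "corp.example",
    "vpn.example-corp.internal",
    "Example Corp",
    "EXAMPLE\\",
]

# Constructed sample bodies (not real executables, just byte strings with a
# fake PE header so the strings extraction has something realistic to chew on).
COMMODITY_SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 16
    + b"This program cannot be run in DOS mode.\x00"
    + b"http://update-check.invalid/bot.php\x00"
)
TARGETED_SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 16
    + b"This program cannot be run in DOS mode.\x00"
    + b"https://vpn.example-corp.internal/login\x00"
    + b"EXAMPLE\\svc_backup\x00"
)
UNKNOWN_SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 16
    + b"generic loader, no indicators here\x00"
)

# Constructed "commodity feed": SHA-256 hashes of samples a threat-intel feed
# already classifies as widespread, untargeted malware.
KNOWN_COMMODITY_SHA256 = {hashlib.sha256(COMMODITY_SAMPLE).hexdigest()}


def extract_strings(data: bytes) -> list[str]:
    """Return printable ASCII strings of length >= 6 found in the sample."""
    return [s.decode("ascii") for s in ASCII_STRING_RE.findall(data)]


def org_indicator_hits(strings: list[str]) -> list[str]:
    """Which organization-specific indicators appear in the extracted strings."""
    found = set()
    for s in strings:
        lowered = s.lower()
        for indicator in ORG_INDICATORS:
            if indicator.lower() in lowered:
                found.add(indicator)
    return sorted(found)


def triage(sample: bytes) -> dict:
    """Classify a sample as 'commodity', 'possibly targeted' or 'unknown'.

    A feed hit is decisive. Otherwise org-specific strings are the signal.
    A miss on both proves nothing: repacking a commodity sample changes its
    hash, so 'unknown' is an honest verdict, not a clean bill of health.
    """
    digest = hashlib.sha256(sample).hexdigest()
    strings = extract_strings(sample)
    hits = org_indicator_hits(strings)
    if digest in KNOWN_COMMODITY_SHA256:
        verdict = "commodity"
    elif hits:
        verdict = "possibly targeted"
    else:
        verdict = "unknown"
    return {
        "sha256": digest,
        "verdict": verdict,
        "org_indicators": hits,
        "string_count": len(strings),
    }


if __name__ == "__main__":
    for name, sample in [("commodity", COMMODITY_SAMPLE),
                         ("targeted", TARGETED_SAMPLE),
                         ("unknown", UNKNOWN_SAMPLE)]:
        result = triage(sample)
        print(f"{name:>10}: {result['verdict']:<18} indicators={result['org_indicators']}")
```

The point of the three-way verdict is the caveat in the docstring: a hash-feed miss is not evidence of targeting, and a string match is only a lead for a human analyst, which is exactly where the vendor tooling the article describes hands off to the SOC.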
So, what has changed? I’d say that, collectively, both the malware-writing and -analyzing communities have advanced in a seemingly never-ending arms race of sorts. I see those two as more or less in parallel with one another.
And from those advances, a new generation of product and service vendors has been standing up to fill in voids and meet customer demands.
Lastly, you have to credit some of these capabilities to general advances in our computing and networking systems. A modern SIEM can consume and analyze oceans of data thanks to faster processing, cheap and fast storage, and so forth. The good guys and the bad guys alike benefit from that.
If you run a SOC today, you'd be well advised to line up an array of vendors that can help you when you need it most. Waiting until an emergency to find them may well be too late for them to help.