Our Blog | ActZero

The Traditional SOC Is Dead, Long Live the Remote SOC | ActZero

Written by Jennifer Mitchell | Feb 26, 2021 5:00:00 AM

If you haven't read our 2021 Cybersecurity predictions whitepaper, I recommend that you do. In it, you'll find one prediction that might be somewhat controversial—the death of the Security Operations Center (SOC).

I wanted to delve a little deeper into this particular prediction, as it is pretty close to my heart. I run ActZero's Threat Hunting team and what would historically have been called our SOC.

The concept of the traditional SOC is dying off, and in 2021 we will see the broader acceptance and adoption of the idea of a remote SOC driven by the realities of technological development and the necessities imposed by the pandemic. 

This change has implications for what makes up the SOC as well as the capabilities of threat hunters. And it's a change that ActZero is uniquely prepared not just to embrace but to lead, given the unique situation we found ourselves in with adopting early disparate geographic distribution of our SOC.

The Death of Our SOC

Our big plan for 2020 was the rapid reformation of ActZero's SOC. This change was due to a unique combination of factors, including the integration with IntelliGO, which meant that we now had security experts working quite far apart from one another. Our collaborative culture meant we needed to find and optimize the best ways to work together. As the head of Operations, I was tasked with coming up with a DRecovery (DR) strategy that allowed our threat hunters to service their clients from anywhere.

Then came the pandemic.

And, as with so many companies, the necessities of the pandemic accelerated what we were already moving towards. So, in some sense, we were lucky that we'd already been laying the groundwork for these changes. But luck also favors the prepared. While we might have been working on solutions to other problems, the answers we had come up with matched the needs of the situation in which we suddenly found ourselves.

Remote Work Proving Our Point

Last March, overnight, the new reality became widespread work-from-home for countless businesses and their workers. Suddenly, the traditional SOC—those big, NASA-style control centers full of walls of screens—disbanded. Out of necessity, SOCs are now run from people's home offices, a spare bedroom, or their kitchen table.

And as we had hoped, a remote SOC model leads to better performance and efficiency than the traditional in-house SOC model. We now see that all those people packed into SOC control rooms might actually have been hindering their ability to perform. Cybersecurity requires deep work and concentration, which can be difficult in a room full of 50 other analysts.

AI and Machine Learning Make a Remote SOC More Efficient

Unlike the pandemic, the increasing use of artificial intelligence (AI) and machine learning (ML) was a foreseen change that would kill the traditional SOC. 

Incorporating AI and ML into SOC operations gives you the capability to have more intelligent output and to automate away the need for human threat hunters to look after endless low-level alerts all day. These alerts (which tend to  be mostly false positives) can now be vetted automatically by assigning AI and ML.

Given that most known threats and alerts can be taken care of with ML and automated detection and response, you don't need so many people on 24/7 shifts. People on-call now only get called to deal with the most serious, real alerts that ML can't handle by itself. Having a human threat hunter workforce distributed across different geographic regions and time zones likewise makes it easier to ensure someone is always available to address our customers' needs without the need for as many people on call 24/7. Instead, people can be redeployed within the company to where their skills are most valuable.

Be Output Focused

Being output focused also disrupts the traditional, inefficient structure of a SOC, which often has various service tiers. This is mainly due to Information Technology Infrastructure Library (ITIL) service management structures being applied to cybersecurity at some point in the past. The result is, as mentioned, highly skilled cyber professionals dealing with what are essentially low-level alerts. This leads to low morale and a revolving door amongst analysts, which is undesirable during a skills shortage in the industry.

Automation, AI, and ML also disrupt this traditional structure. Increased automation means that those highly skilled cybersecurity professionals can be set to work on real problems. They will be at their peak performance when focused on the most complex work to solve issues and protect customers. Being output focused in another way that analysts, engineers, and customers benefit from moving to a remote SOC.

Prioritize investment in People

With the remote SOC's success putting the lie to the idea that you need to run a traditional SOC to be successful, it allows you to invest in what your real priority should be—people.

You need to hire the best security professionals and invest in them, not more screens. Freeing up your best and brightest from responding to low-level alerts by automating it away with AI and ML means your team can spend their time investigating unknown threats, doing R&D, and managing/practicing for incidents.

We've found that this switch has meant analyst morale is better. They're working on more engaging projects and, with work-from-home, their work-life balance is better. A remote SOC also affords more opportunity to hire people who work and live where they are happiest and draw from a broader, more diverse pool of candidates in a hiring process where geography is not a barrier.

Customers should look to companies that are focusing their investments where it will be most impactful—their people. Customers should look for partners investing in training their staff and in R&D instead of multi-million-dollar control rooms. And they should look for security companies to pass those savings along to the customer.

How ActZero Can Help

ActZero.ai was uniquely prepared to embrace and lead the move to a remote SOC, given our unique situation preparing for a geographically distributed SOC. But, as I mentioned at the start of this blog, 2021 will see the idea of the traditional SOC dying off more broadly across the industry. The expanded role of AI and ML in threat response and the conditions imposed by the pandemic are working together to usher in the remote SOC era.


To find out how our remote SOC can help your company with its managed detection and response needs, request a demo today!