The SOC of the Future

Lumu’s recently appointed Field CTO Jeffrey Wheat looks at the future of the SOC and how incremental improvement leads to proficient operations. Beginning his cybersecurity career at the department of defense, Jeffrey Wheat is a proven leader and CISSP with 30 years of experience spanning SOC management at international firms as well as cybersecurity architecture design and implementation.
soc of the future jeffrey wheat

Table of Contents

Cybersecurity can be a complex operation, but at its core, it’s made up of two components: people and technology. Although we’ve seen incredible advances in the technology side of things, we need to ensure that that technology acquisition doesn’t amount to another ‘shiny thing’ but empowers the people that operate it. For the SOC of the future, cybersecurity architectures aren’t static, they need to be able to adapt to changes in the threat landscape, new technological advances, and lessons learned. This is the vision that I share with Lumu Technologies, and it’s one of the principal reasons why I chose to join Lumu as their new Field Chief Technology Officer.

Orchestration and Operation

While I’m as excited by all the new information security tools and technologies as the next guy, it’s important to focus on their underlying value to the SOC team. A key to doing so is understanding that you can’t automate away the entire SOC team. AI and machine learning can be a great boon with certain tasks, but the human operator will always be the ultimate arbiter and decision-maker.

For the SOC of the future, that means that more menial tasks can be automated. For example, if a threat is detected, the firewall should be able to automatically block and mitigate those contacts. Doing so shortens the threat actor’s window of opportunity to mere seconds. It also allows the SOC team to use their time more efficiently and focus on tasks that require their brainpower.

But technology also needs to be designed to enable those human tasks. When the SOC team moves on to remediation, their investigation, prioritization, and decision-making need to be assisted by technology. When the team has the internal information on how, when, and where the compromise has spread as well as external information such as the guides and playbooks on that particular threat, eradicating and remediating the threat becomes a lot easier.

Automating Threat Hunting

For the SOC of the future, lateral visibility will be far more automated than it is now. Currently, it can be tough to achieve, requiring a threat hunting solution and the highest skill level to use it effectively. Here, Lumu is way ahead of the curve with our ‘playback’ feature. Playback stores network metadata for up to 2 years so that when a new IoC is discovered, it gets retrospectively applied. This identifies the assets that were in contact with the adversary, so the threat hunters can identify ‘patient zero’ of the compromise as well as the lateral movements the compromise made. 

Incremental Improvement

Just like the threat landscape continuously evolves, so your cybersecurity architecture needs to continuously adapt. Matthew Syed gives some valuable insight into this idea in his book Black Box Thinking. Syed gives the example of improvements in racing cars: “The secret to modern F1 is not really to do with big-ticket items; it is about hundreds of thousands of small items, optimized to the nth degree.” The same could be said for the achievements of the aviation industry, as Jeff Skiles mentioned at a recent talk hosted by Lumu. It’s equally important at some of the most proficient cybersecurity operations the world has ever seen—those operated by the Department of Defense.

Adopting this philosophy firstly requires admitting to mistakes (your own and those of others) and learning from them. Post-incident investigation and forensic analysis need to point out failures and opportunities for improvement.

Additionally, incremental improvement means treating your ideas as hypotheses to be tested. We are all liable to biases that adversely affect our decision making. For example, sticking with a legacy tool just because that’s the one you are comfortable with can impede continuous improvement. It’s vital, therefore, to collect objective data that measures the cybersecurity system’s proficiency as a whole. At Lumu, we call this indicator the system’s ‘Level of Compromise’, an abstraction created from the aggregate compromises detected across the entire system. By tracking this metric, it becomes possible to identify tools and processes that are underperforming or that can be improved upon.

Lumu and the SOC of the Future

Lumu understands and shares my vision of how the SOC of the future needs to operate. While Lumu’s Continuous Compromise Assessment at its core finds compromises in real time, it offers SOC teams a whole lot more. Firstly, Lumu empowers security analysts by letting them orchestrate their operations alongside technology to be more efficient. Secondly, Lumu is positioned to enable cybersecurity operations to continually improve towards ever-more proficient and simpler operations. The future is bright—illuminated, even.

Subscribe to Our Blog

Get the latest cybersecurity articles and insights straight from the experts.

Share this post