Going SOCless: The Next Leap in Enterprise Cybersecurity


WHITE PAPER

Going SOCless: The Next Leap in Enterprise Cybersecurity
The enterprise SOC (Security Operations Center) concept is often glamorized – big monitors, flashy visualizations and tiers of analysts somehow consuming all this information. With the threat landscape increasing and attacks becoming more commonplace, there is no time to focus on anything except security results. That’s why the future of enterprise cybersecurity is not the SOC, it’s SOCless.

SOCless applies to enterprises of all sizes and security maturity. Whether you want to supercharge your mature security operations, or get the security ROI you know you’re capable of, or get started on your security journey – SOCless is for you. If you run a security services provider, SOCless is still highly relevant, but in the sense that your organization is part of a SOCless solution for enterprises. Before unpacking what SOCless is, why it’s important, and how to go SOCless – it’s important to be clear on what SOCless is not. SOCless is not about trimming your already lean security team where many may work in the “SOC.” Additionally, for enterprises, SOCless is not about abandoning SOC-as-a-Service offerings from trusted partners (in fact it is the opposite). SOCless is a rejection of the status quo – alert fatigue, unhappy analysts – through rigorous security operations principles supported by scalable, automated systems. Or as Alex Maestretti (current CISO at Remitly, former Engineering Manager at Netflix) put it, the last thing you want “is a bunch of lame alerts creating busy work for a large standing SOC.” SOCless solves that problem.

What is SOCless and why is it important?

Similar to Zero Trust, SOCless is an approach to security that embodies many concepts and principles. Aspirationally, SOCless means that every security alert requiring a human analyst wakes someone up. That means there is very little noise and every alert with a human in the loop goes to the right person, is of the highest fidelity, and has a clear response action menu. Otherwise, the security team would be burnt out after a week.

SOC-Based Approach vs. SOCless-Based Approach

• SOC-based: Significant number of alerts to triage every day, requiring large teams.
  SOCless-based: Very few alerts seen by analysts every day because of automation and noise reduction.
• SOC-based: Tiered analysts triage alerts and bring in infrastructure owners when needing escalation.
  SOCless-based: Alerts are routed directly to the security or infrastructure owner.
• SOC-based: Security operations team spends most of its time triaging alerts.
  SOCless-based: Security operations team spends most of its time writing context into their detection and response platform and implementing fundamentals that improve fidelity.

Does this all sound too good to be true? Or possibly even so simple that it doesn’t sound revolutionary? The reality is, SOCless isn’t that complicated. What’s challenging is sticking to the commitment of proactive security and finding the right systems and partners that support the outcome of SOCless.
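The alert flow the comparison above describes, written out as an added example (not code from the white paper or from Stellar Cyber): raw alerts pass through suppression (tuning), a confidence floor, automation of the one trivial case, and contextualization that routes whatever remains to the asset owner with a response menu. The asset inventory, suppression entries, playbooks, confidence threshold and alert stream are all constructed sample data.

```python
from collections import Counter
from dataclasses import dataclass, field
from typing import List, Optional
# Constructed asset inventory: host -> (owner, criticality)
ASSETS = {"web-01": ("team-web@example.invalid", "high"),
          "build-07": ("team-ci@example.invalid", "low")}
# Constructed tuning entries: (rule, host) pairs investigated once and found benign
SUPPRESS = {("port_scan_internal", "build-07")}
# Constructed response menus, one per detection rule
PLAYBOOKS = {"cred_stuffing": ["reset_password", "block_source_ip", "escalate"],
             "known_malware_hash": ["quarantine_file", "reimage_host"]}
SECURITY_TEAM = "secops@example.invalid"   # fallback owner for unknown hosts
MIN_CONFIDENCE = 0.8                        # below this, nobody is paged

@dataclass
class Disposition:
    action: str                  # suppressed | parked | automated | routed
    owner: Optional[str] = None  # who gets woken up, if anyone
    menu: List[str] = field(default_factory=list)  # response action menu

def triage(alert: dict) -> Disposition:
    rule, host = alert["rule"], alert["host"]
    owner, criticality = ASSETS.get(host, (SECURITY_TEAM, "unknown"))
    if (rule, host) in SUPPRESS:                # aggressive alert tuning
        return Disposition("suppressed")
    if alert["confidence"] < MIN_CONFIDENCE:    # kept for correlation only
        return Disposition("parked")
    # Automate the trivial: a known-bad hash on a low-value host has one safe
    # answer, so the platform takes it instead of paging an analyst.
    if rule == "known_malware_hash" and criticality == "low":
        return Disposition("automated", menu=["quarantine_file"])
    # What remains is high fidelity: contextualize it and route it to the owner
    return Disposition("routed", owner, PLAYBOOKS.get(rule, ["escalate"]))

def run(alerts: List[dict]) -> Counter:
    """Disposition counts; 'routed' is how many alerts reached a human."""
    return Counter(triage(a).action for a in alerts)

# Constructed sample alert stream
ALERTS = [
    {"rule": "port_scan_internal", "host": "build-07", "confidence": 0.9},
    {"rule": "cred_stuffing", "host": "web-01", "confidence": 0.4},
    {"rule": "known_malware_hash", "host": "build-07", "confidence": 0.95},
    {"rule": "cred_stuffing", "host": "web-01", "confidence": 0.97},
]
if __name__ == "__main__":
    for a in ALERTS:
        print(a["rule"], a["host"], "->", triage(a))
    print(dict(run(ALERTS)))
```

Of the four constructed alerts only one reaches a person, and it arrives with the owner and the action menu already attached.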

www.stellarcyber.ai [email protected]
The results from being in this aspirational state are clear – better detection and response performance, happier security team. Importantly, there is no alert fatigue. It is impossible to keep up with the current threat landscape with a traditional enterprise SOC approach; that is why SOCless is so important – because it is necessary for survival.

To realize a state of low noise, decentralized triage, high fidelity and actionable responses within security operations, there are several security principles an enterprise has to put into place:

• Automate everything trivial – Why? Keeps your analysts happier, shrinks the problem space humans have to deal with, improves MTTR.
• Aggressive alert tuning – Why? Lowers noise and improves fidelity.
• Implement Zero Trust – Why? Shrinks the data problem through verification, making many risky attack vectors impossible, thereby significantly reducing alert noise.
• Contextualize all alerts – Why? If someone is going to be woken up, it should be the right person, and they need to know exactly what to do.

How to go SOCless

Here is a quick summary on going SOCless. First, it’s for all enterprises. Even the biggest, most technically competent ones – as noted earlier Netflix is SOCless, FOX Corporation is too. If you are a lower security maturity enterprise, partner with a leading MSSP (Managed Security Service Provider) or MDR (Managed Detection and Response) provider. If your security maturity is in the middle or on

the higher end, make the proactive commitment, implement the right systems, and consider a security partner for co-management.

[Figure: “Is SOCless Relevant?” and “How to Get There” by security maturity]
• Higher maturity – Enterprise – In-house team
• Mid maturity – Enterprise – Through in-house team, with MSSP / MDR co-management option
• Lower maturity – Security services – Partner with MSSP or MDR

Security maturity can be difficult to define, but ultimately is a measure of focus, investment, and core competency. So any enterprise in the “lower maturity” bucket likely has no dedicated security personnel and does not focus heavily on security itself even though it now knows it is increasingly important. Fortunately for SMBs and other lower security maturity enterprises, MSSPs and MDRs have been rapidly advancing their services in recent years and effectively are the solution to go SOCless for this security bucket. Many of these security partners will sell “SOC-as-a-Service.” Don’t be alarmed; this service is what is helping your enterprise go SOCless. The security partners have invested in the systems and processes to deliver that aspirational SOCless goal. What you receive from them is high fidelity, actionable information only. They have the expertise to set up automation, tune alerting through ML (Machine Learning), and contextualize alerts so you don’t have to. As an analogy, purchasing “SOC-as-a-Service” or an equivalent offering so you can go SOCless is like a software company using IaaS (Infrastructure-as-a-Service) from a cloud provider so they can focus on software.

For more security-mature organizations, there should be some internal element to your approach to going SOCless, likely because of the complexity of your operations. That does not, however, rule out a security partner co-management arrangement, which can be very effective to reach SOCless. More on that later.

An internal security team’s journey to SOCless is similar to a software development team’s journey to modern DevOps. DevOps is a combination of principles just like SOCless – it takes the right systems (e.g., GitLab, CircleCI, Kubernetes) and the right processes (e.g., commitment to integration testing) to realize. Modern DevOps is what allows lean software teams to compete with the world’s largest software teams – most time is spent on building the software, not on fixing bugs and figuring out infrastructure. SOCless is what allows a lean security team to protect the complex enterprises in today’s threat environment.

In DevOps, developers put continuous testing upstream into the process in the form of unit tests, integration tests, and full system tests. These tests run automatically as new code checks in. No new feature goes out the door without the appropriate testing being written and deployed. Does this require extra effort up front? Yes, but the ROI is huge because there are so many bugs and issues that this prevents. In security, this equates to a shift from triage to writing, managing, and tuning detections and their associated responses. This shift may seem impossible if your team is underwater with alerts, but the pain is worth it if the foundations are set and your team can turn that corner.

This shift is impossible to do without the right systems in place. First, and most obvious, you need the right telemetry and tools that allow for automated response. Second, and still hopefully obvious, you need a SOAR (Security Orchestration, Automation, and Response) that can power significant levels of automation. Finally, you need a detection and response platform that allows your team to focus its time on managing high fidelity detections and not dealing with noise. The characteristics to look for in this platform are that it ships with detections out-of-the-box (so your team doesn’t have to manage so many detections and can more easily leverage ML), enables robust custom detection management, contextualizes and correlates alerts automatically, responds directly to events, and is simple to use. If those conditions aren’t met, your team won’t make the shift from reactive to proactive.
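The DevOps analogy made concrete, as an added example (not the white paper’s or any vendor’s code): a detection written as code keeps its tests beside it, and a CI-style gate lets it deploy only when it fires on the constructed attack sample and stays silent on the constructed benign samples; running the same gate on an untuned version of the rule shows why that version would not ship. The login events, thresholds and rule names are constructed.

```python
from dataclasses import dataclass
from typing import Callable

@dataclass
class Detection:
    name: str
    logic: Callable[[list], bool]
    true_positives: list   # samples the rule must fire on
    benign: list           # samples the rule must stay silent on
    response: list         # the action menu a routed alert carries

def failed_logins(events: list, threshold: int = 10, window: int = 60) -> bool:
    """Fire when one source has >= threshold failures inside any `window` seconds."""
    by_src: dict = {}
    for e in events:
        if e["outcome"] == "failure":
            by_src.setdefault(e["src"], []).append(e["ts"])
    for ts in by_src.values():
        ts.sort()
        j = 0
        for i in range(len(ts)):        # sliding window over sorted timestamps
            while ts[i] - ts[j] > window:
                j += 1
            if i - j + 1 >= threshold:
                return True
    return False

def gate(d: Detection) -> dict:
    """CI-style check: deploy only if every true positive fires and no benign sample does."""
    tp_ok = all(d.logic(s) for s in d.true_positives)
    fps = sum(1 for s in d.benign if d.logic(s))
    return {"name": d.name, "true_positives_ok": tp_ok,
            "false_positives": fps, "deploy": tp_ok and fps == 0}

def logins(src: str, n: int, outcome: str, start: int = 0, step: int = 1) -> list:
    """n constructed login events from one source, `step` seconds apart."""
    return [{"ts": start + i * step, "src": src, "outcome": outcome} for i in range(n)]

# Constructed samples: one attack, plus two patterns a real fleet produces daily
ATTACK = logins("198.51.100.7", 12, "failure", step=2)    # 12 failures in 22 s
TYPO_USER = logins("10.0.0.5", 6, "failure", step=5) + logins("10.0.0.5", 1, "success", start=30)
SLOW_FAILS = logins("10.0.0.9", 12, "failure", step=30)   # 12 failures over 330 s

TUNED = Detection("brute_force_login", failed_logins,
                  [ATTACK], [TYPO_USER, SLOW_FAILS], ["reset_password", "block_source_ip"])
# The same logic before tuning: threshold too low, window too wide
UNTUNED = Detection("brute_force_login_v0",
                    lambda ev: failed_logins(ev, threshold=5, window=600),
                    [ATTACK], [TYPO_USER, SLOW_FAILS], TUNED.response)
```

Calling `gate(UNTUNED)` reports two false positives and `deploy: False`, while `gate(TUNED)` passes; the benign samples are the upstream test that keeps the noise out of production.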

As mentioned previously, for the more mature enterprise, co-management with an MSSP or MDR can make a lot of sense. This can help with making the transition to SOCless less painful and sustaining this proactive approach to security overall. Huge bonus points if this partner can provide real purple team testing so that your coverage can always be assessed and you know what telemetry and detection gaps there are so they can be fixed.

In summary, the future approach to enterprise security operations is not the SOC. It is not about triaging thousands of alerts every day or somehow being NASA for security. It’s about going SOCless. SOCless is a rejection of the security operations status quo and a rigorous commitment to best practice security principles, automation, and a fully proactive detection and response mindset that results in high fidelity information and ultimately protection for the enterprise.

Stellar Cyber’s Open XDR platform delivers Everything Detection and Response by ingesting data from all tools, automatically
correlating alerts into incidents across the entire attack surface, delivering fewer and higher-fidelity incidents, and responding
to threats automatically through AI and machine learning. Our XDR Kill Chain™, fully compatible with the MITRE ATT&CK
framework, is designed to characterize every aspect of modern attacks while remaining intuitive to understand. This reduces
enterprise risk through early and precise identification and remediation of all attack activities while slashing costs, retaining
investments in existing tools and accelerating analyst productivity. Typically, our platform delivers an 8X improvement in
MTTD and a 20X improvement in MTTR.
