A leading UK security agency has revealed several approaches that could reduce or eliminate the need for organizations to run a time- and resource-consuming Security Operations Center (SOC).
The SOC has become an increasingly important function for security operations (SecOps) teams tasked with detecting, hunting and responding to cyber-threats.
However, it can require a significant ongoing investment of time and resources, the National Cyber Security Centre (NCSC) admitted in a new blog.
Senior security architect David S explained that some organizations may not need a SOC at all. He shared the following approaches, already in use in government, which can reduce the need for one:
- A 100% cloud-native/serverless architecture has the advantage of tightly integrated identity management controls and limits the types of attack that are possible
- Zero-touch production (services where engineers never have direct access to production systems) can reduce system risk and the need for security monitoring. Where direct access is needed, it can be granted on a time-limited basis
- Separate cloud accounts for segregated functions, plus strict access controls, can also reduce risk
- Cloud-native services offer their own logs, and services to analyze and validate their integrity. This can replace the need for a dedicated SIEM
- Secure development practices enable the service operations team to take responsibility for security, so no separate security team is needed. Service operations teams are also more likely than a SOC analyst to recognize suspicious behavior in their own service
- Alerts can be set up to warn if logging stops working for any reason
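One way to implement the last approach, a check that raises an alert when an expected log source goes quiet or was never seen at all, as an added Python example that is not code from the NCSC blog or from this article. The event records, source names and silence thresholds are constructed for illustration; in practice the events would come from the cloud provider's own audit or flow logs.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample events: (log source, ISO-8601 UTC timestamp of the event).
# Made up for this example; not output from any real logging service.
SAMPLE_EVENTS = [
    ("cloudtrail", "2024-03-01T10:00:05Z"),
    ("cloudtrail", "2024-03-01T10:04:50Z"),
    ("vpc-flow",   "2024-03-01T09:31:00Z"),
    ("app-api",    "2024-03-01T10:03:12Z"),
    ("app-api",    "2024-03-01T09:58:40Z"),
]

# Sources that must always be emitting, with the longest acceptable silence for each.
# The source names and thresholds are assumptions chosen for the example.
EXPECTED_SOURCES = {
    "cloudtrail": timedelta(minutes=15),
    "vpc-flow":   timedelta(minutes=10),
    "app-api":    timedelta(minutes=5),
    "waf":        timedelta(minutes=5),
}


def parse_ts(value):
    """Parse a 'YYYY-MM-DDTHH:MM:SSZ' timestamp into an aware UTC datetime."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def last_seen(events):
    """Return {source: datetime of the newest event} from an iterable of (source, ts)."""
    newest = {}
    for source, ts in events:
        when = parse_ts(ts)
        if source not in newest or when > newest[source]:
            newest[source] = when
    return newest


def silent_sources(events, expected, now):
    """Return {source: seconds_silent} for every expected source whose newest event is
    older than its threshold. A source with no events at all maps to None: that is the
    case most worth catching, because the pipeline may never have been wired up."""
    newest = last_seen(events)
    silent = {}
    for source, max_gap in expected.items():
        if source not in newest:
            silent[source] = None
            continue
        gap = now - newest[source]
        if gap > max_gap:
            silent[source] = int(gap.total_seconds())
    return silent


def format_alerts(silent):
    """Render the result of silent_sources() as one alert line per source."""
    lines = []
    for source, seconds in sorted(silent.items()):
        if seconds is None:
            lines.append(f"ALERT {source}: no events ever received")
        else:
            lines.append(f"ALERT {source}: no events for {seconds}s")
    return lines


if __name__ == "__main__":
    now = parse_ts("2024-03-01T10:05:00Z")
    for line in format_alerts(silent_sources(SAMPLE_EVENTS, EXPECTED_SOURCES, now)):
        print(line)
```

The check is driven by the list of expected sources rather than by whatever happens to be in the log store, which is what lets it notice a source that has stopped entirely; a query over the stored events alone cannot report a source it has never seen. Thresholds should be set per source from its normal event rate, since a low-volume audit trail will legitimately have longer gaps than an API access log.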
This is not to say that SOCs don’t still have a place in the modern enterprise, David S added.
“For some enterprise IT systems, such as endpoints and traditional IaaS-based architectures, it remains a requirement to provide reactive monitoring of the system,” he concluded.
“There are also benefits to centralized SOCs where government departments can identify broader attacks that are probing multiple services used by the organization.”