Dutch independent research firm TNO is working with the National Cyber Security Centre (NCSC) to investigate future topics and developments that are relevant for the NCSC and its constituency.
As part of that, it was asked to assess how security operations centres (SOCs) will develop in the near future and what trends will affect them. The result is a report that provides a blueprint for the SOC of the future.
Together with other colleagues, TNO researchers Reinder Wolthuis and Richard Kerkdijk conducted interviews with chief information security officers (CISOs), SOC managers and other stakeholders to ascertain what the SOC will look like in 2030. “One of the main conclusions is that there will probably be far fewer SOCs by then because it is going to be complicated and expensive to keep an SOC in operation,” said Wolthuis.
“We foresee that many organisations will outsource their SOC operations to managed security service providers [MSSPs] and that only organisations with a specific risk profile – for example, companies in vital industries or those with very specific technical infrastructure – will still be able to justify an in-house SOC,” he added.
Automation and sectoral SOCs
One of the trends the researchers foresee is the far-reaching automation of cyber security operations – for instance, by orchestrating incident response workflows with machine-readable security playbooks.
“National CERTs [computer emergency response teams] such as the Dutch NCSC could support this endeavour, for example, by making pre-defined playbooks, or playbook templates, available for known threats,” Kerkdijk suggested.
Cooperation and information sharing will become much more critical in the coming years, both from the government and within sectors. “That is another trend we see in the Netherlands, that sectoral SOCs are being set up,” said Wolthuis.
Reinder Wolthuis, TNO
“Such sectoral parties might establish framework agreements with managed security service providers that offer their constituency easy access to security operations services. That way, you bundle sector-specific knowledge with cyber security expertise.”
Whereas currently, many SOCs are still set up with first-line, second-line, and sometimes even third-line analysts, the researchers expect this setup to disappear moving forward. “That does not mean fewer people will be needed,” said Kerkdijk. “Increased automation will, however, relieve the present first-line analysts from routine, repetitive tasks and allow them to shift their attention to more complex duties.”
Far-reaching automation also means various automation solutions in the SOC need to be maintained, so “there will be a new engineering task to optimise all those solutions”, said Kerkdijk.
Another critical associated development is that SOCs will become more proactive and predictive in the coming years. Wolthuis said this, too, will require different roles in the SOC.
Focus on advanced attacks
The researchers pointed out that these changing roles of SOC staff should also be considered in light of the changing threat landscape.
“Also, given the geopolitical situation, there is an increasing focus on state-sponsored attacks, which are attacks initiated by governments of countries and are usually triggered by geopolitical ambitions,” warned Wolthuis.
“In addition, large criminal organisations that focus on gaining illicit profit are still active digitally. We expect the focus to be more on these types of threats and less on those from script kiddies or ethical hackers who are in it for the thrill and leverage standard tools and attack techniques. The future SOC will focus more on advanced attacks, as standard threats are captured and solved by robust IT and automation.”
Moreover, far-reaching automation may somewhat ease the pressure on the labour market. “The scarce workforce of cyber security experts will then be devoted to the things we cannot automate. That way, you get the maximum return from your people while also ensuring that they can do challenging work,” said Kerkdijk.
Another development the researchers see is that a lot of infrastructure is moving to the cloud. “That has consequences for what you can monitor and how you monitor because you depend on cloud providers,” said Wolthuis. “On the other hand, it also has advantages because you have a standardised infrastructure and a less diverse technology landscape. Monitoring, therefore, becomes easier, and such a standardised environment lends itself well to automated incident mitigation.”
Wolthuis believes other European countries can learn something from the Netherlands regarding the SOC setup and look to the future. “We lead the way reasonably well with this kind of development in Europe,” he said. “But it is more important that we cooperate more closely on security at the European level.”
He believes some of the current MSSPs in the market will be taken over by large IT service providers that can offer a managed SOC to their customers. “It is crucial that we ensure that in such constructions, European MSSPs do not all end up in US hands, for example. That makes us particularly vulnerable and dependent,” he said.
In this, the researchers see a task for governments and the European Union. “A lot of knowledge is already being exchanged at the European level, for example, by Enisa and the European Cyber Security Competence Centre,” said Kerkdijk. “But we must guard against the landscape becoming too fragmented. It is good that initiatives are being developed. Still, rationalisation is also desirable at the European level so that it remains clear who is responsible for what and what organisations can and should expect.”
Future SOC blueprint
The report prepared by the TNO researchers as a result of their research describes a blueprint for the SOC of the future. That blueprint is deliberately a bit provocative.
“We have taken some things to the extreme,” Wolthuis explained. “Perhaps developments will move slower than we currently expect, but we are convinced that the SOC as we know it today will eventually be very different. The staffing, the primary objective, is more proactive. It will be a substantially different organisation.”
He said present SOCs might not recognise themselves quite yet in this picture of the future. Nevertheless, according to TNO, CISOs and SOC managers will need to accept change because global developments demand it.
“If you want to achieve a meaningful (high) level of automation by 2030, that transition needs to be started now,” said Kerkdijk.
The researchers predict that organisations that insist on maintaining more traditional, human-driven, SOC processes will soon become less effective in managing security incidents and, thus, more likely to fall victim to cyber attacks. “Attackers are also automating – as defenders, you simply cannot be left behind,” they said.