
We discuss the challenges faced by SOC teams, the technologies that support them (better or worse), and future outlooks with Michał Horubała, Director of the SOC360 Team and an expert with many years of experience in the IT security industry.
If we look for the answer online or ask ChatGPT, we will likely hear: “One of the biggest challenges in a SOC is the huge volume and complexity of security alerts.” That is indeed a challenge—but that is exactly what our job is about; complex alerts are its essence. If we deal with a large number of false alarms or events that do not contribute to detecting real threats, we analyze the data and look for ways to optimize detections or address the issues that generate those events.
In my view, the biggest challenge for a modern SOC is keeping up with the pace of the “Red Queen’s race.” Every day, every week, every month, and every year we face new challenges, because in cybersecurity nothing is constant. We have to “run as fast as we can just to stay in the same place, and if we want to get somewhere else, we must run twice as fast.” This leads us to the Red Queen hypothesis, which can be easily adapted to any SOC mission: we must constantly adapt and evolve to survive against continuously developing adversaries. What’s more, in cybersecurity, adaptation and evolution have to happen at an extremely fast pace. That means constant change. We can never say that our tools are perfectly tuned, our detections are effective, we know our adversaries and their techniques and tactics, our processes and procedures are finished, and our team structure and organization are perfect. The biggest challenge, therefore, is achieving the ability to change while maintaining the effectiveness of the SOC mission and the well-being of the team.
For example, the process of building detection rules (Detection Engineering). XDR/EDR tools are quite good—though far from perfect—at detecting malware. The problem is that ransomware groups, in most of their attacks, do not rely on malware, but on hundreds of tools and techniques that are difficult to detect because they are not malicious on their own. The best example is RMM (Remote Monitoring and Management) tools such as AnyDesk and TeamViewer, as well as applications like Advanced IP Scanner, Filezilla, Rclone, ADFind, etc., PowerShell scripts, and many LotL (Living off the Land) tools.
New RAT and InfoStealer tools also appear, available through MaaS (Malware as a Service) programs, which evade detection mechanisms. To detect them effectively, we need to know these tools and techniques are being used. That means maintaining a Threat Intelligence process—continuously collecting, analyzing, and selecting information about attack techniques.
I’m not talking about feeding IOCs (Indicators of Compromise) into systems—that is most often not enough. What is useful, however, is following 500+ accounts on Twitter and other platforms, reading reports, and above all analyzing data and drawing conclusions from our own investigations. In the next step, we share the filtered findings with the team—and, more importantly, we apply them operationally.
That brings us to Threat Hunting. At SOC360, we search through client data for new information, adjust queries to reduce false alarms, or simulate threats in a lab. We support more than 10 different EDR/XDR tools. Each has a different query language, datasets, and data fields. After validating the outcomes of the Threat Hunting process, we move on to creating detection rules (Detection Engineering). This is a dynamic process that must run continuously so that we are always on our adversaries’ heels—because they set the pace in the Red Queen’s race.
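As an added example (not SOC360's own tooling), here is a small Python detection over constructed process-start telemetry that treats the RMM and LotL tools named above as suspicious based on context (approved deployment, execution path, scripted parent) rather than on the binary itself; the tool list, the allowlist and the sample events are assumptions for illustration.

```python
from dataclasses import dataclass

# Tool names are assumptions taken from the interview; extend per environment.
RMM_TOOLS = {"anydesk.exe": "AnyDesk", "teamviewer.exe": "TeamViewer"}
LOTL_TOOLS = {"rclone.exe": "Rclone", "adfind.exe": "ADFind",
              "advanced_ip_scanner.exe": "Advanced IP Scanner"}
SCRIPT_PARENTS = {"powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# Hosts where IT operates an approved RMM deployment (constructed allowlist).
APPROVED_RMM = {("HELPDESK-01", "TeamViewer")}

@dataclass
class ProcEvent:
    host: str
    user: str
    image: str    # executable name, lower-case
    path: str     # full path the image ran from
    parent: str   # parent process image

def evaluate(ev: ProcEvent) -> list[tuple[str, str]]:
    """Return (severity, reason) findings for one process-start event."""
    findings = []
    from_user_dir = "\\users\\" in ev.path.lower()   # dropped into a user profile
    scripted = ev.parent.lower() in SCRIPT_PARENTS   # launched by a script host
    if ev.image in RMM_TOOLS:
        tool = RMM_TOOLS[ev.image]
        if (ev.host, tool) not in APPROVED_RMM:
            sev = "high" if (from_user_dir or scripted) else "medium"
            findings.append((sev, f"{tool} started outside approved deployment on {ev.host}"))
    if ev.image in LOTL_TOOLS:
        findings.append(("high", f"{LOTL_TOOLS[ev.image]} run by {ev.user} on {ev.host}"))
    return findings

def triage(events: list[ProcEvent]) -> dict[str, int]:
    """Count findings per host so analysts see the noisiest hosts first."""
    counts: dict[str, int] = {}
    for ev in events:
        for _ in evaluate(ev):
            counts[ev.host] = counts.get(ev.host, 0) + 1
    return dict(sorted(counts.items(), key=lambda kv: -kv[1]))

EVENTS = [  # constructed sample telemetry, not real client data
    ProcEvent("HELPDESK-01", "it.admin", "teamviewer.exe",
              r"C:\Program Files\TeamViewer\teamviewer.exe", "explorer.exe"),
    ProcEvent("FIN-PC-07", "j.kowalski", "anydesk.exe",
              r"C:\Users\j.kowalski\AppData\Local\Temp\anydesk.exe", "powershell.exe"),
    ProcEvent("FIN-PC-07", "j.kowalski", "rclone.exe",
              r"C:\Users\j.kowalski\Downloads\rclone.exe", "cmd.exe"),
    ProcEvent("DC-01", "svc_backup", "adfind.exe", r"C:\Tools\adfind.exe", "cmd.exe"),
]

if __name__ == "__main__":
    for ev in EVENTS:
        for sev, reason in evaluate(ev):
            print(f"[{sev}] {reason}")
```

The approved TeamViewer host produces nothing, while the same AnyDesk binary is rated medium from Program Files and high from a user temp directory started by PowerShell, which is the kind of context tuning the interview describes for cutting false alarms.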
Another example is our clients’ rapid adoption of cloud solutions. We can no longer hide behind the “walls” of corporate network perimeters. We have to change our perspective, develop new ways of thinking about IT infrastructure, users, services, and where data resides. As a result, SOC teams must continuously evolve to keep up with constantly developing tools such as the Microsoft XDR environment (Defender for Endpoint, for CloudApp, for Identity, for Office365, for IoT, Sentinel), which we incorporated into our processes more than two years ago. So once again, we have to “run as fast as we can to stay in the same place.”
The biggest challenge cannot be solved with technology, and likely will not be in the near future. Our adversaries are people, not technologies. People who use technology without constraints of law, compliance, place, or time. They are supported by a rapidly developing ecosystem of cybercriminal economics—driven by unlimited possibilities and opportunities to fulfill their ambitions and needs. That is why I agree with Bruce Schneier: “If you think technology can solve your security problems, then you don’t understand the problems and you don’t understand the technology.”
Of course, threat detection tools supported by AI and ML increase SOC teams’ capabilities. They allow us to run faster. But this is a race whose pace keeps increasing because capabilities grow for all participants.
I expect vendors to deliver better detection tools and effective response tooling that provides greater visibility and context for SOC analysts.
Fortunately, many vendors already do. We work with high-quality EDR, XDR, and NDR tools that help us do our job. If only we could convince all our clients to use the tools we trust… But often we have to work with the clients’ existing systems and extract the best we can from them.
What does our SOC team truly need? An incident management system that lets us tag and annotate every object, link objects together, and support analysts by suggesting the right questions based on properties and relationships between objects. We need questions, not answers. Unfortunately, no vendor offers such a system—so we built it ourselves.
As for artificial intelligence, I believe we should use AI cautiously to support SOC work. We observe how SOC analysts use LLM chat tools and draw alarming conclusions. We compared skill development between SOC analysts who could use LLM chats at work and those who could not. What did we find? When you simply ask and get an answer, it is easy to skip the cognitive process that occurs when you look for a solution yourself. AI can be wrong (and often is). Its answers and suggestions can be shallow and generic. That is why you need to understand the topic to assess the AI’s output and ask the right questions.
From our observations, an AI assistant can be a helpful tool for an experienced analyst and can save time. But over-reliance on this technology may lead to a situation where we lack experienced analysts capable of evaluating the quality of AI-provided outputs. We continue experimenting, but we are cautious.
As a company providing MDR/SOC as a Service, we have turned the famous skills and talent shortage to our advantage. There are many talented, creative, and motivated people trying to enter cybersecurity. We hire them and provide conditions for growth. We do not expect candidates to have cybersecurity experience. In many cases, such experience can even be counterproductive.
Our recruitment process is simplified and happens quite often because the team keeps growing. We do not use recruitment agencies—our employees recommend SOC360 to their friends, and we look for talent at technical universities and industry conferences.
To ensure a high level of competency among our analysts, we developed a training program called SOC360 Academy. Every new team member goes through an education and training program, and after initial onboarding they start working under the supervision of experienced colleagues. Thanks to the scale of our services, we have unique conditions for growth and gaining experience.
To reduce mistakes, we also implemented a quality control process with a feedback loop that enables anonymous peer review of random tickets by other team members. We built a culture of asking questions without fear of judgment (after all, everyone started the same way) and sharing knowledge. The SOC360 team works without tier lines, so analysts can go as deep as they want on any case and ask for help or involve colleagues when they encounter difficulties.
Our ticketing system has already accumulated more than 300,000 incident analyses that can serve as a starting point for less experienced employees. Each new case in the system is enriched with references to similar cases. We support dozens of organizations, protect hundreds of thousands of endpoints and users, work with XDR, EDR, NDR, and cloud security systems from several vendors. It is an excellent environment for honing skills—the best I have seen.
An important aspect of team development is also offensive and defensive security certifications that each team member must earn. We provide our people with time to learn and funding for courses.
We also ensure analysts engage in projects and activities that support SOC operations (Threat Intelligence, Threat Hunting, Detection Engineering, tool development, testing and deployments, etc.). Everyone can take part. Of course, all of this must be tied to an appropriate compensation system. Our people’s salaries grow as their competencies and market value increase.
We observe growing interest in SOC services due to new legal regulations such as NIS2 and DORA. According to Business Insider, NIS2 expands the scope of cybersecurity obligations from 400 to 39,000 companies and institutions in Poland. De facto, that means several thousand companies need SOC services.
We also see increased awareness of the need to invest in cybersecurity among our current and potential clients, especially in the context of the growing number of ransomware attacks.
A challenge—and at the same time an opportunity—is also the growing use of public cloud.
IT is becoming increasingly difficult to control from a cybersecurity perspective. In this fast-moving world, I see tremendous opportunities for SOC organizations and professionals who can adapt to new conditions. Cybersecurity is extremely dynamic. It is precisely in that dynamism that the biggest opportunities for our industry lie. But we must run as fast as we can—often twice as fast—to keep up with the race and fully seize those opportunities.
The SOC360 team monitors cybersecurity systems 24/7, analyzes events, detects and responds to incidents so organizations can safely carry out their missions. Our client base includes the largest Polish commercial companies from various sectors. We secure distributed environments across 10 countries in Europe and Asia. We work with EDR/XDR, NDR, and SIEM systems from leading vendors and monitor cloud environments as well. If you would like to implement a SOC service in your organization, contact us.
This article was prepared by a 4Prime expert and subsequently edited with the support of artificial intelligence tools.

