In recent weeks, coincidentally, I’ve had several conversations that reminded me about the confusion related to the “modern SOC.” Some of them were public (example and example), while others were private. One particular person went on a quest through several “leading” companies’ security operations to see how they had implemented a “modern” SOC. However, what she found was a lot of companies improving on the classic model, with visible elements of NOC and help desk “DNA” showing (bye-bye 1990s, hi 1980s!).
Brief History
Back in 2016, when I was a Gartner analyst, I was obsessed with the same question. As I said in my now-dead Gartner blog, a lot of security operations centers looked like they were built from the blueprint of a classic paper written by somebody from ArcSight around 2003 (don’t get me wrong, that was an epic SOC paper … for 2003!). As a result, the original “modern SOC” Gartner paper that we wrote in 2016 (“How to Plan, Design, Operate and Evolve a SOC”) focused on what the differences between a modern and a classic SOC may be (later we evolved this a bit in the updated 2018 version, and there is a current version too, but of course without me…). However, the conversations I mention above imply that we collectively still lack clarity on the modern SOC concept …
Autonomic Security Operations or “SOCless ‘SOC’”?
Note that there is another element to this discussion. Those who read the original Netflix 2018 SOCless paper will be very familiar with an engineering-led model for D&R (detection and response) operations (a more recent example). It is tempting to point at that approach, as we did in