I recently received an email from one of DXC’s top security operations consultants in the Middle East with a unique client question: What would a Security Operations Center (SOC) look like in 2030? And how could we architect one today?

As strategists, we focus on the knowable future, perhaps better expressed as the future we assess most likely to manifest. There’s always a danger of planning for one of myriad, ever-morphing futures — one that might never materialize — so we have to consider all available data on the technology, society, business, geopolitics and threat trends to assess what’s likely to happen.

At its most reductive, the relationship between strategists and the future is simple: we guess. There are some questions we just can’t answer or even hypothesize today, and further questions we can’t yet formulate. As chemist Aryeh Frimer once said, “I would rather live with a good question than a bad answer.” For security strategists, familiarity with unfamiliarity is a prerequisite for wise decision making.

So, what does this mean for SOCs? We know today that most enterprises are undergoing digital transformation, and it’s leading to a fundamental redesign of services, products and business value. As digital transformation drives business change, client expectations will also continue to change and affect the forecast for 2030. Given those caveats, here are some of the implications:

1. DevSecOps will disrupt enterprise security architectures.

The age of monolithic security functions divorced from the wider business is over. To meet accelerated speed-to-market demands, development efforts are being ramped up through adoption of DevOps. To keep pace, security must be integrated with DevOps teams — giving us DevSecOps — to enable security to be baked-in rather than bolted-on after the fact.

Enterprise-wide security functions, such as governance and specialized functions, will remain with a dedicated security team, but risk will mostly be devolved to the DevSecOps teams. DevSecOps teams will need to conduct their own secure code reviews, testing and vulnerability management.

Yet DevSecOps practitioners will never have specialized security skills that rival those of dedicated InfoSec practitioners. Therefore, the central security team will need to provide tools, training and mentoring services to the DevSecOps teams. We also need to secure the DevSecOps pipeline as part of enterprise security. SecOps teams will need to create new relationships with DevSecOps groups, move quickly and ensure appropriate enterprise-wide monitoring and response.
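One concrete form the “tools” the central team provides can take is a pipeline gate: central security owns the policy (which severity blocks a build, which findings carry a time-limited risk acceptance), and each DevSecOps team runs the gate in its own CI against its own scanner output. The following is an added example written for this article, not DXC’s tooling or any scanner’s API; the finding fields, the advisory identifiers, the dates and the policy values are all constructed assumptions.

```python
"""Vulnerability gate for a DevSecOps pipeline.

Added example, not DXC's or any scanner's code. Central security owns the
policy; each DevSecOps team runs the gate in CI. Finding fields, advisory
IDs and policy values are assumptions constructed for illustration."""
from dataclasses import dataclass, field
from datetime import date

SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}


@dataclass(frozen=True)
class Finding:
    vuln_id: str        # advisory identifier as reported by the scanner (assumed field)
    package: str
    severity: str       # one of SEVERITY_RANK
    fix_available: bool


@dataclass
class Policy:
    block_at: str = "HIGH"   # this severity or worse fails the build
    # vuln_id -> expiry of a risk acceptance granted by central security.
    # Exceptions expire so that "temporary" never quietly becomes forever.
    exceptions: dict = field(default_factory=dict)


def evaluate(findings, policy, today):
    """Sort findings into buckets. The build passes only when nothing is
    blocking. An exception past its expiry no longer suppresses the finding
    and is reported separately so the owner gets chased."""
    threshold = SEVERITY_RANK[policy.block_at]
    report = {"blocking": [], "warnings": [], "accepted": [], "expired": []}
    for f in findings:
        expiry = policy.exceptions.get(f.vuln_id)
        if expiry is not None and expiry < today:
            report["expired"].append(f.vuln_id)
            expiry = None                      # lapsed acceptance counts for nothing
        if expiry is not None:
            report["accepted"].append(f.vuln_id)
        elif SEVERITY_RANK[f.severity] >= threshold:
            report["blocking"].append(f.vuln_id)
        else:
            report["warnings"].append(f.vuln_id)
    report["passed"] = not report["blocking"]
    return report


# Constructed scanner output for one service build (not real advisories).
SAMPLE_FINDINGS = [
    Finding("ADV-0001", "imgparse", "CRITICAL", fix_available=True),
    Finding("ADV-0002", "legacy-xml", "HIGH", fix_available=False),
    Finding("ADV-0003", "jsonlib", "MEDIUM", fix_available=True),
    Finding("ADV-0004", "oldcrypto", "HIGH", fix_available=True),
]

# Constructed policy: ADV-0002 has no upstream fix, so it carries a live
# risk acceptance; ADV-0004's acceptance lapses in 2029 although a fix exists.
SAMPLE_POLICY = Policy(
    block_at="HIGH",
    exceptions={"ADV-0002": date(2031, 1, 1), "ADV-0004": date(2029, 1, 1)},
)


def run_gate(today_iso="2030-06-01"):
    """Run the gate for a given build date; returns the report dict."""
    return evaluate(SAMPLE_FINDINGS, SAMPLE_POLICY, date.fromisoformat(today_iso))


if __name__ == "__main__":
    import sys
    r = run_gate()
    for bucket in ("blocking", "expired", "accepted", "warnings"):
        print(f"{bucket:9s}: {', '.join(r[bucket]) or '-'}")
    sys.exit(0 if r["passed"] else 1)   # non-zero exit fails the CI stage
```

Run on the 2030 build date, ADV-0001 and the lapsed ADV-0004 block the build, ADV-0002 is accepted and ADV-0003 is only a warning; run before ADV-0004’s acceptance expires, only ADV-0001 blocks. The expiry check is the part teams most often leave out, and it is what keeps a devolved risk decision from silently becoming permanent.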

2. Automation will shorten remediation time from months to seconds.

The average time from breach discovery to remediation is 69 days, according to the most recent Ponemon survey. This is a gift to an adversary that can pillage and destroy for months after discovery. We will reduce this to seconds rather than months. Automated remediation (AR) is vastly complex, but we have most of the security components we need; we are just missing much of the connective tissue — the conductor that can turn talented solo artists into a glorious orchestra.

We also must accept that AR carries risk. With AR, there is a chance something could go wrong, in the same way a bad patch that is hastily applied can cause production issues: AR applies complex logic to destroy code or remove accounts, and a mistake executes at machine speed. A slower, more manual approach can reduce this risk, but it gives adversaries a bigger window.

AR may not be ready at an enterprise level today, but we can’t win this battle without AR. SOCs should aspire to use AR in at least 95 percent of cases within the next 3 years.
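The “connective tissue” the text describes is largely decision logic: given an alert, which playbook actions may run unattended and which must wait for a human. The following is an added example written for this article, not DXC’s or any vendor’s SOAR product. It shows one way to gate automated remediation on detection confidence scaled by asset tier, on whether an action is reversible, on protected principals, and on a blast-radius cap; the alert fields, playbooks, thresholds and the sample alert stream are all constructed assumptions.

```python
"""Guardrailed automated remediation (AR) decision engine.

Added example, not DXC's or any vendor's SOAR code. Alert fields, playbooks,
tier thresholds and the blast-radius cap are assumptions chosen to illustrate
the trade-off in the text: act in seconds when the evidence supports it,
hold for a human when it does not."""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Alert:
    alert_id: str
    rule: str          # which detection fired
    confidence: float  # detector confidence, 0.0 to 1.0 (assumed field)
    asset: str
    tier: str          # "workstation" | "server" | "critical" (assumed taxonomy)
    principal: str     # account implicated by the alert


# Playbooks: rule -> ordered actions. The flag marks whether the action can
# be cleanly undone (a host can be un-isolated; a killed process cannot be
# brought back).
PLAYBOOKS = {
    "malware_beacon": [("isolate_host", True), ("disable_account", True)],
    "credential_stuffing": [("disable_account", True), ("revoke_sessions", True)],
    "ransomware_encrypt": [("isolate_host", True), ("kill_process", False)],
}

# Guardrails (assumed values). Higher-value assets demand more certainty
# before code is allowed to act without a human in the loop.
MIN_CONFIDENCE = {"workstation": 0.70, "server": 0.85, "critical": 0.95}
PROTECTED_PRINCIPALS = {"break-glass-admin"}   # never auto-disabled
MAX_AUTO_ACTIONS = 5                            # blast-radius cap ...
WINDOW = timedelta(minutes=10)                  # ... within this window


class RemediationEngine:
    def __init__(self, clock=datetime.now):
        self.clock = clock
        self.auto_log = []   # timestamps of actions executed automatically
        self.audit = []      # every decision, auto or not, for the SOC record

    def _blocker(self, alert, action, reversible):
        """Return None if the action may run automatically, otherwise the
        reason it must be routed to a human for approval."""
        threshold = MIN_CONFIDENCE[alert.tier]
        if alert.confidence < threshold:
            return f"confidence {alert.confidence:.2f} below {alert.tier} threshold {threshold:.2f}"
        if not reversible:
            return "irreversible action"
        if action == "disable_account" and alert.principal in PROTECTED_PRINCIPALS:
            return "protected principal"
        now = self.clock()
        self.auto_log = [t for t in self.auto_log if now - t < WINDOW]
        if len(self.auto_log) >= MAX_AUTO_ACTIONS:
            return "blast-radius cap reached"
        return None

    def decide(self, alert):
        """Decide each playbook action for one alert; returns the records."""
        decisions = []
        for action, reversible in PLAYBOOKS.get(alert.rule, []):
            reason = self._blocker(alert, action, reversible)
            mode = "auto" if reason is None else "approval"
            if mode == "auto":
                self.auto_log.append(self.clock())   # counts toward the cap
            record = {"alert": alert.alert_id, "action": action, "mode": mode, "reason": reason}
            self.audit.append(record)
            decisions.append(record)
        return decisions


def run_scenario():
    """Constructed alert stream in which each guardrail fires once."""
    fixed = datetime(2030, 1, 1, 9, 0, 0)
    engine = RemediationEngine(clock=lambda: fixed)
    alerts = [
        Alert("A-1", "malware_beacon", 0.90, "ws-17", "workstation", "jdoe"),
        Alert("A-2", "ransomware_encrypt", 0.99, "db-01", "critical", "svc-db"),
        Alert("A-3", "credential_stuffing", 0.60, "idp-01", "server", "break-glass-admin"),
        Alert("A-4", "malware_beacon", 0.95, "ws-22", "workstation", "asmith"),
        Alert("A-5", "malware_beacon", 0.95, "ws-23", "workstation", "bjones"),
    ]
    return {a.alert_id: engine.decide(a) for a in alerts}


if __name__ == "__main__":
    for alert_id, decisions in run_scenario().items():
        for d in decisions:
            print(alert_id, d["action"], d["mode"], d["reason"] or "")
```

In the constructed stream, A-1 and A-4 run fully automatically; A-2 isolates the critical host but holds the irreversible process kill for a human; A-3 is held on confidence before the protected-principal rule is even reached; and A-5 is held purely because five automated actions already ran in the window, which is the check that stops a mis-tuned detection from isolating an entire site. The audit list is the record the SOC reviews afterwards to tune the thresholds toward the 95 percent target.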

3. Machines will fight machines; soldiers will become generals.

While the application of artificial intelligence and machine learning (AI/ML) to security is still in its relative infancy, the field is quickly developing. By the early 2020s, AI/ML will manage key security functions in isolation. Adversaries are already using AI/ML to build and test malware. They will have the capabilities for acting autonomously inside victim networks as we enter the 2020s.

Today, SOC operators spend much of their time on manual activities, but they will increasingly be responsible for programming defensive and responsive logic. They will become generals rather than soldiers, controlling vast capabilities to prevent breaches and eradicate adversarial code.

In the 1990s, most security professionals were high-caliber coders, but today with so many vendors providing rich portals and configuration of solutions, coding isn’t as common a skill in security. In 2030, the ability to code to APIs with data science methods will be critical.

The real-time battles will be machines fighting machines, or more accurately, code fighting code. Logic will often decide who emerges as the victor. SOCs of the future will be staffed with SMEs capable of operating in this new world.

4. Warfare will be digital-first. SOCs will need a permanent war footing.

Some 30 countries are believed to be developing cyber warfare capabilities. Geopolitics and cyber security are inextricably intertwined.

Nation-states are attempting to amplify their propaganda via the internet and to influence events in other countries. For SOCs responsible for protecting critical infrastructure, from stock trading platforms to power companies, the danger is real and potentially life-threatening.

The 2017 WannaCry outbreak, which hit UK National Health Service hospital networks, almost certainly resulted in physical suffering of patients whose diagnoses were delayed or whose operations were suspended. Nation-states will seek to target many countries, not only to cause such damage and disruption, but also for intelligence gain.

Destructive attacks designed to meet strategic geopolitical aims typically require significant pre- and post-breach preparation. Therefore, military cyber forces must “prepare the battlefield” by breaching networks and learning how to carry out specific objectives.

SOCs need to be on a permanent war footing. There is no more peacetime, and the stakes in many cases will be life or death.

5. Cloud will deliver nimble technology transference. Contracts will need equal flexibility.

The most prominent advantage cloud delivers to the SOC is the ability to store and compute over vastly more data. The lesser-discussed advantage is the ability to switch rapidly between technology providers. The security business today is built around 3-year contracts. But the cloud is making it possible to rapidly adopt the latest security technologies, meaning that future SOCs will be able to push vendors to offer more flexible contracts.

That will, in turn, encourage vendors to continually respond to clients to ensure they are satisfied. Vendors must constantly demonstrate additional value, as well as help SOCs swiftly adopt new technologies.

6. SOC to ROC: The Security Operations Center (SOC) will become the Risk Operations Center (ROC) in the near future.

Cyber security, digital risk operations and fraud investigations will form part of the ROC. Many of the methodologies are the same and interlinked. For instance, user behavior analytics technologies designed to detect external actors inside the network also can be used to detect abnormal insider activity indicative of employee fraud.
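Section 3 argues that tomorrow’s SOC staff will code detection logic with data science methods, and the paragraph above argues that one user behavior analytics capability serves both the cyber and the fraud side of the ROC. The following added example, written for this article and not taken from DXC or any UBA vendor, shows both points in one piece of code: a per-user baseline and z-score detector that flags a compromised account being used for lateral movement and, with no change to the detector, an employee pulling far more customer records than usual. The feature set, baseline window, threshold and all activity figures are constructed assumptions.

```python
"""One behavioural-analytics detector, two uses.

Added example, not DXC's or any UBA vendor's code. Feature set, baseline
window, threshold and the sample activity are constructed assumptions."""
from statistics import mean, stdev

FEATURES = ("logins", "distinct_hosts", "off_hours_logins", "records_accessed")
Z_THRESHOLD = 3.0   # assumed: flag a feature roughly 3 sigma above its baseline
SIGMA_FLOOR = 1.0   # assumed: avoids division by zero on constant baselines


def baseline(days):
    """Per-feature (mean, sigma) over a list of daily feature dicts."""
    stats = {}
    for f in FEATURES:
        values = [d[f] for d in days]
        sigma = stdev(values) if len(values) > 1 else 0.0
        stats[f] = (mean(values), max(sigma, SIGMA_FLOOR))
    return stats


def score_day(stats, day):
    """Return {feature: z} for every feature above threshold. One-sided:
    only increases in activity are flagged in this simple version."""
    flagged = {}
    for f in FEATURES:
        mu, sigma = stats[f]
        z = (day[f] - mu) / sigma
        if z >= Z_THRESHOLD:
            flagged[f] = round(z, 1)
    return flagged


def classify(flagged):
    """Routing heuristic on top of the anomaly (an assumption for
    illustration): lateral-movement indicators suggest an external actor
    on the account; a records spike on its own suggests insider misuse."""
    if not flagged:
        return "normal"
    if "distinct_hosts" in flagged or "off_hours_logins" in flagged:
        return "possible-compromised-account"
    if "records_accessed" in flagged:
        return "possible-insider-misuse"
    return "anomalous"


def day(logins, hosts, off_hours, records):
    return dict(zip(FEATURES, (logins, hosts, off_hours, records)))


# Constructed 10-day baseline for one user: ordinary office-hours activity,
# always from the same host, never at night.
BASELINE_DAYS = [day(l, 1, 0, r) for l, r in zip(
    (3, 4, 3, 5, 4, 3, 4, 4, 3, 5),
    (120, 130, 110, 140, 125, 135, 115, 130, 120, 125))]

# Constructed days under test.
EXTERNAL_DAY = day(14, 9, 6, 90)    # many hosts, at night: an intruder using the account
INSIDER_DAY = day(4, 1, 0, 2400)    # normal logins, about 20x the usual record volume
QUIET_DAY = day(4, 1, 0, 128)       # nothing unusual


def analyse(test_day):
    """Score one day against the constructed baseline; returns the verdict
    and the features (with z-scores) that drove it."""
    stats = baseline(BASELINE_DAYS)
    flagged = score_day(stats, test_day)
    return {"flagged": flagged, "verdict": classify(flagged)}


if __name__ == "__main__":
    for name, d in (("quiet", QUIET_DAY), ("external", EXTERNAL_DAY), ("insider", INSIDER_DAY)):
        print(name, analyse(d))
```

The external day trips the login, host and off-hours features; the insider day trips only the records feature; the quiet day trips nothing. The detector does not know which side of the house owns the case, which is exactly the point: the ROC’s cultural job is to route the same signal to the right responders.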

Top executives also expect a converged view of, and response to, digital risk. Building ROCs will involve more complex cultural transformation than technological change. The ultimate realization of this vision will be the ROC that offers dynamic risk views and “levers” executives can pull to adjust risk based on changing appetites. SOCs must evolve if they are to continue to be relevant to the executive suite in the 2020s.

How do we architect our SOCs for the future?

The only constant is change. We can plan for the above trends, knowing that a future without them is not sustainable, but what other variables exist? This is ultimately where we have to live with a good question rather than a bad answer, but there are some key principles I can offer.

First, we know that talent has to be at the heart of security operations. Despite this being said by many a chief information security officer, it remains the top mistake I see in industry. In the face of the vast security talent shortage, we must inculcate a greater sense of institutional loyalty in a core cadre of our SMEs. This means identifying them while they are still studying, continually investing in and challenging them, and providing compensation that is more than merely satisfactory. In return, enterprises should expect great things of their SMEs and elite SOCs. Too often, we invest in expensive “blinky boxes” but not the expertise to turn that hulk of silicon and aluminum into tangible capability. We must change this. People will always be the SOC’s greatest asset.

Second, the question must be asked, can enterprises go it alone in the next decade? For me, the answer is probably not, or at least not without inordinate expense. While I acknowledge my bias as a chief technology officer for a global managed security services provider (MSSP), this is also my assessment as a technologist and academic. I believe the optimum SOC model is a small elite cell within an enterprise, bringing bespoke knowledge of the enterprise, supported by an MSSP.

Third, acknowledging that the only constant is change, how do we design for 2030? The phrase “survival of the fittest,” coined by Herbert Spencer and adopted by Charles Darwin for later editions of On the Origin of Species, is often misinterpreted. It does not mean the species that can run the fastest, climb the highest or win heavyweight boxing belts. It means those most able to adapt to ever-changing environments. Adaptive velocity is the only persistent advantage. This is the core design principle of the SOC of the future. We must architect for the rapid evolution of threat and defensive capabilities, cultivate a culture of comfort with uncertainty, and expect transience in all aspects of SOC design.

I’ll end with a quote by Peter Drucker that I regularly regurgitate to security technologists: “The best way to predict the future is to create it.”

 

More information on the future of security and the DXC Cyber Reference Architecture can be found on DXC Labs | Security, which provides thought leadership and technology prototypes to help secure enterprises in the digital age.