The Evolution of the SOC and the CSIRT

We’re starting to see significant debate around the terms SOC vs. CSIRT, and which one companies should have.

As with most such debates in tech—which is moving almost as fast as we can lock down definitions—the issue is largely one of semantics.

To start, Wikipedia says a SOC is a centralized unit that deals with security issues on an organizational and technical level, and that a CSIRT is an expert group that handles computer security incidents.

Richard Bejtlich comes out with a strong position on Twitter, responding to this post by Gartner analyst Augusto Barros’ essay on the topic.

Heard new Gartner research suggests “a CIRT should be part of a SOC.” No! The traditional “SOC” should ultimately disappear. The CIRT does detect/respond/inform/improve. A SOC is a stopgap until automation/orchestration and #secdevops flourish. CC @dinodaizovi @TryPhantom @splunk https://t.co/c2DWDBtkmx

So Richard’s position is that the idea of a SOC is outdated, and that CSIRT is the real thing. I agree with this, but I think we need to look at the history and some first principles to get the context.

The military had some of these capabilities much earlier than industry.

  • The only thing that matters—and that’s ever mattered—is preventing, detecting, and responding to bad things happening to your organization. That was the reason for the SOC in the past, and it’s the reason for the CSIRT now. It’s the foundation this entire conversation sits upon.

  • In the beginning, there was nothing. Enterprises didn’t have prevention, they didn’t have detection, and they definitely didn’t have response.

  • Given how bad things were, the first step in the 90’s was installing an IDS on the perimeter and watching incoming attacks. And since all the monitors were in one place, and the people they hired to do the job had similar backgrounds, titles, pay, and reported to the same management, why not put them all in one room so they could communicate better? That synergy of visualization, human resources, and communication lead to the first SOCs.

  • Within the last five years or so it has started becoming obvious that detection by itself is like one hand clapping. It’s useless unless you’re responding as well.

  • Because response involves so many other parts of the organization, it became more common for the extended security team to not all work in the same room.

  • Then add the idea of proactive security to the mix, where we can actually automate a lot of this work, and do a lot of the testing while we’re building and deploying, and suddenly the majority of security is happening outside the SOC.

So we went from security being detection based, using IDs’s and manual follow-up within the security department, to security being response-based, using dozens of tools and leveraging multiple groups within the organization, including development, operations, legal, HR, and management.

SOCs didn’t become unfashionable because everyone needed to be in the same room. They are dying because the focus shifted from reactive to proactive, and from detection to response. Detection and response became a function done by teams, rather than a team performing a function.

Being proactive means involving development. And doing response correctly requires the involvement of many departments. Ultimately the only thing that killed the SOC is progress.

Unsupervised Learning — Security, Tech, and AI in 10 minutes…

Get a weekly breakdown of what's happening in security and tech—and why it matters.

But we shouldn’t make fun of the Blackberry because the iPhone exists. Or look down on ESX when we compare it to AWS. These things had their time, and they performed the important role of bringing us to where we are now.

The SOC didn’t really die. Its soul was absorbed into the bigger picture of business resilience. Like the arm of an ancient Gundam.

And it’s not as if we’ve reached our full evolution—not by far.

Before too long we’ll be talking about how the CSIRT team is an outmoded idea because it implies that it’s a separate function from business resilience and business goals. In that world there’s no difference between quality and security, and automated testing is ubiquitous and continuous in every part of the organization.

We always look condescendingly at the past, not realizing we’re living it now as well. The SOC lives on in the CSIRT team. And the CSIRT team will live on in AI-powered automation and orchestration-based DEVSECOPS.

We are but a stone on the path. Respect the past, and look to the future.

Ultimately we’re just trying to make sure the business doesn’t stop making money under any circumstances. And both the SOC and CSIRT team have played—and are playing—their evolutionary roles in getting us to that point.

Related posts: