10 actionable lessons for modernizing security operations

Vinod D’Souza
Head of Manufacturing and Industry, Office of the CISO, Google Cloud
Vesselin Tzvetkov
Principal Security Engineer, Google Cloud
The near-constant pings that ring in the ears of security teams around the world are no AI-induced hallucination. The volume and complexity of security data really are increasing, and managing it all is even harder given the shortage of skilled security professionals.
At Google Cloud’s Office of the CISO, we’ve heard from manufacturers who recognize the need to modernize their SOCs with a cloud-centered approach.
Leading manufacturers needed threat intelligence-driven, AI-powered security, and selected Google Security Operations. Their aim was to develop a cyber-governance system covering all activities and subsidiaries across IT, the industrial internet of things (IIoT), and operational technology (OT).
A modern SOC is a cybersecurity hub that uses cutting-edge technologies, automation, and artificial intelligence to proactively protect organizations from cyber threats. Automating the SOC’s work can have a measurable impact on its effectiveness.
We also believe that the human element remains crucial for an effective and modern SOC. As automation helps produce more reliable, standardized results, it can also free highly-trained SOC engineers to work on the thorniest security problems.
To support those organizations considering a similar transformation, we’ve collected guidance from our manufacturing customers who undertook the task of modernizing their SOCs, and distilled it into these 10 actionable lessons.
- Agile methodology: Implement an agile framework (such as the Scaled Agile Framework) to improve team communication, task visualization, and progress tracking. This structured approach can help SOC teams do less reactive "firefighting" and encourages more proactive security management.
An agile process lets the SOC adapt quickly to evolving threats and requirements. Breaking the SOC transformation into smaller, manageable sprints lets the SOC iteratively improve its processes and technologies, and keeps it responsive to the ever-changing threat landscape and to organizational challenges.
- Use case focus: Define comprehensive tactical use cases (TUCs) that each address a specific threat and are complete with detection methods, response procedures, remediation steps, and documented exceptions, and then map these use cases to your threat profiles.
Many organizations will need a new process for taking a TUC from idea, to design, to review, and finally to implementation of threat identification, security analytics, and detection and response. This process can help ensure a systematic and efficient approach to handling security events.
- Detection and response as code: Achieve the business goal of continuous detection and continuous response (CD/CR) by applying continuous integration and continuous deployment (CI/CD) practices to SIEM and SOAR management. Keep detection rules, parsers, and playbooks in version control under infrastructure-as-code principles, and implement robust change management workflows with automated validation checks, end-to-end testing, and approvals before any change reaches production.
- Automated IR playbooks: Use SOAR playbooks to reduce operational toil by automating repetitive incident response (IR) tasks, standardizing IR workflows, and improving efficiency. Even playbooks with manual steps provide valuable workflow structure and make metrics easy to collect through tags, phases, and close reasons. Starting fast with a very basic SOAR playbook and then improving it helps immensely; waiting for a perfect playbook does not.
- Dynamic threat profiles: Develop dynamic threat profiles based on Google Threat Intelligence, tailored to your industry and your organization's specific risks. Keep them current with the threat landscape and treat them as your coverage north star. Use frameworks such as MITRE ATT&CK (Enterprise and ICS) to structure and evolve your threat intelligence over time.
- Meaningful metrics and visibility: Track relevant security metrics to measure progress and identify areas for improvement. It's hard to improve what you can't measure.
Prioritize key indicators including coverage (the share of the threat profile addressed by use cases), case handling metrics (such as mean times to triage, react, investigate, and contain), automation (the percentage of tasks handled automatically), and development velocity (the time required to design and implement detection and remediation tasks). Avoid metrics that do not tie to a KPI or whose security value cannot be shown.
- Use a unified data model: Use a unified data model (UDM) so that the same field semantics apply across vendors, which lets you define clear field relationships and write detection rules once. To take full advantage of UDM, stable log schemas and a clear mapping from each parser's output to UDM fields are strongly recommended.
This can be challenging in manufacturing: ingestion infrastructure is scattered, log formats change frequently, and niche vendors use their own formats. Our advice is to reduce complexity and maintenance costs by adopting standard log schemas, preserving the original message in transit, and using standard UDM fields as much as possible.
- Shift left: Establish collaborative working groups and tools that involve security early in the process (shifting left) in order to create effective use cases. Application teams possess specific knowledge of their applications, including their signals and potential vulnerabilities, while the SOC team are the experts in security incident handling.
A triage partnership between these teams is essential for accurate threat modeling. Those threat models in turn drive SOC tactical use cases (TUCs) that cover both the runtime environment and the development pipeline.
- Rethinking the SOC organizational structure: The security transformation journey involves redefining roles, responsibilities, processes, and governance. Automating tasks such as alert enrichment, triage, investigation, and remediation can reduce the need for the traditional segmentation of SOC tiers. Rotating SOC analysts between automation work and case handling gives an objective view of what to automate next and can motivate them to reduce their own daily toil.
- Balance transformational leaps and incremental improvement: Be patient as you implement changes to your SOC. Some operational aspects can be improved through small, gradual, iterative changes, such as introducing automation on specific workflow steps. Transformational tasks such as overhauling your governance structure, on the other hand, can be done only in significant leaps.
Think of it like climbing a staircase: leaps take you to a new level of maturity, while gradual, incremental improvement refines your security posture at each level.
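The "detection and response as code", "dynamic threat profiles" and coverage-metric lessons above describe a pipeline without showing one. The Python below is an added example, not code from this post or from Google Security Operations: a minimal CI gate that validates each rule's metadata, runs every rule over its own embedded test events, and reports ATT&CK coverage against a threat profile. The rule format, the dotted UDM-style field paths, the hostnames in the sample events and the ATT&CK IDs chosen for the sample rules are assumptions made for illustration.

```python
"""Detection-as-code gate: validate rule metadata, run each rule's embedded tests
against constructed UDM-shaped events, and report ATT&CK coverage.
Added example. Field paths mirror UDM naming, but the rule format and the gate
logic are hypothetical, not a Google SecOps API."""
import re
from typing import Any

ATTACK_ID = re.compile(r"^T\d{4}(\.\d{3})?$")  # e.g. T1110 or T1110.001
REQUIRED = {"name", "description", "techniques", "severity", "conditions", "tests"}
OPS = {
    "eq": lambda a, b: a == b,
    "ne": lambda a, b: a != b,
    "in": lambda a, b: a in b,
    "regex": lambda a, b: a is not None and re.search(b, str(a)) is not None,
}

def get_path(event: dict, path: str) -> Any:
    """Resolve a dotted UDM path such as 'principal.user.userid'; None if absent."""
    cur: Any = event
    for part in path.split("."):
        if not isinstance(cur, dict):
            return None
        cur = cur.get(part)
    return cur

def matches(rule: dict, event: dict) -> bool:
    """A rule fires when every condition holds (simple AND semantics)."""
    return all(OPS[op](get_path(event, path), value)
               for path, op, value in rule["conditions"])

def validate(rule: dict) -> list[str]:
    """Static checks a CI job runs before a rule is allowed to merge."""
    errors: list[str] = []
    missing = REQUIRED - rule.keys()
    if missing:
        return [f"{rule.get('name', '?')}: missing fields {sorted(missing)}"]
    for t in rule["techniques"]:
        if not ATTACK_ID.match(t):
            errors.append(f"{rule['name']}: bad ATT&CK id {t!r}")
    for path, op, _ in rule["conditions"]:
        if op not in OPS:
            errors.append(f"{rule['name']}: unknown operator {op!r} on {path}")
    if {expected for _, expected in rule["tests"]} != {True, False}:
        errors.append(f"{rule['name']}: needs at least one matching and one non-matching test")
    return errors

def run_tests(rule: dict) -> list[str]:
    """Execute the rule over its embedded test events; return the failures."""
    return [f"{rule['name']}: test {i} expected {exp}"
            for i, (event, exp) in enumerate(rule["tests"])
            if matches(rule, event) != exp]

def coverage(rules: list[dict], threat_profile: set[str]) -> tuple[float, set[str]]:
    """Share of the threat profile's techniques claimed by at least one rule."""
    covered = {t for r in rules for t in r["techniques"]}
    uncovered = threat_profile - covered
    return 1 - len(uncovered) / len(threat_profile), uncovered

# Constructed rule repository (hypothetical rules, hosts and technique choices).
RULES = [
    {
        "name": "ot_engineering_station_blocked_login",
        "description": "Blocked interactive login to an OT engineering workstation",
        "techniques": ["T1078", "T0859"],  # Valid Accounts (Enterprise and ICS)
        "severity": "HIGH",
        "conditions": [
            ("metadata.event_type", "eq", "USER_LOGIN"),
            ("security_result.action", "eq", "BLOCK"),
            ("target.asset.hostname", "regex", r"^ews-"),
        ],
        "tests": [
            ({"metadata": {"event_type": "USER_LOGIN"}, "security_result": {"action": "BLOCK"},
              "target": {"asset": {"hostname": "ews-line3"}}}, True),
            ({"metadata": {"event_type": "USER_LOGIN"}, "security_result": {"action": "ALLOW"},
              "target": {"asset": {"hostname": "ews-line3"}}}, False),
        ],
    },
    {
        "name": "plc_program_upload",
        "description": "Program download to a PLC from a non-engineering host",
        "techniques": ["T0843"],  # ICS: Program Download
        "severity": "CRITICAL",
        "conditions": [
            ("metadata.event_type", "eq", "NETWORK_CONNECTION"),
            ("target.port", "eq", 502),
            ("principal.asset.hostname", "regex", r"^(?!ews-)"),
        ],
        "tests": [  # only a positive test: validate() rejects this rule
            ({"metadata": {"event_type": "NETWORK_CONNECTION"}, "target": {"port": 502},
              "principal": {"asset": {"hostname": "hmi-7"}}}, True),
        ],
    },
]
THREAT_PROFILE = {"T1078", "T0859", "T0843", "T1110"}  # constructed profile

def gate(rules: list[dict] = RULES, profile: set[str] = THREAT_PROFILE) -> dict:
    """Everything the pipeline would publish on a pull request."""
    problems = [e for r in rules for e in validate(r) + run_tests(r)]
    pct, gaps = coverage(rules, profile)
    return {"ok": not problems, "problems": problems,
            "coverage": round(pct, 2), "uncovered": sorted(gaps)}

if __name__ == "__main__":
    print(gate())
```

The gate fails the pull request because the second rule ships without a negative test, and reports that T1110 in the threat profile has no rule at all; both are the kind of finding a reviewer should see before a rule reaches production rather than after.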
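For the "unified data model" lesson, the following Python is an added example, not a Google SecOps parser: two constructed vendor formats (a key=value firewall line and a JSON event from an OT gateway) are normalized into one UDM-shaped record with the original message preserved, and a single rule written against UDM fields fires on both. The field names follow UDM naming (metadata.event_type, principal.ip, target.port, security_result.action), but the sample log lines, log type labels and the raw_log key are assumptions.

```python
"""Normalise two constructed vendor log formats into one UDM-style record so a
single detection works across both. Added example; UDM-style field names, but
the parsers, log type labels and raw-log handling are illustrative only."""
import json
import re
from datetime import datetime, timezone

# Constructed samples: a key=value firewall line and a JSON event from an OT gateway.
FIREWALL_LINE = ("2024-05-03T08:12:41Z fw-plant2 action=deny src=10.20.5.17 "
                 "dst=10.30.1.9 sport=49221 dport=502 proto=tcp")
GATEWAY_JSON = ('{"ts": 1714723961, "device": "otgw-line3", "srcIp": "10.20.5.17", '
                '"dstIp": "10.30.1.12", "dstPort": 502, "verdict": "blocked"}')

# Vendor verdict vocabulary -> shared UDM vocabulary.
ACTION_MAP = {"deny": "BLOCK", "blocked": "BLOCK", "allow": "ALLOW", "allowed": "ALLOW"}

def to_udm(*, log_type: str, raw: str, ts: str, observer: str,
           src: str, dst: str, dport: int, action: str) -> dict:
    """The one place where vendor vocabulary becomes UDM vocabulary."""
    return {
        "metadata": {"event_type": "NETWORK_CONNECTION", "log_type": log_type,
                     "event_timestamp": ts},
        "observer": {"hostname": observer},
        "principal": {"ip": src},
        "target": {"ip": dst, "port": dport},
        "security_result": {"action": ACTION_MAP.get(action.lower(), "UNKNOWN_ACTION")},
        "raw_log": raw,  # keep the original message; never rebuild it from parsed fields
    }

def parse_firewall(line: str) -> dict:
    ts, host, rest = line.split(" ", 2)
    kv = dict(re.findall(r"(\w+)=(\S+)", rest))
    return to_udm(log_type="FW_KV", raw=line, ts=ts, observer=host,  # hypothetical label
                  src=kv["src"], dst=kv["dst"], dport=int(kv["dport"]), action=kv["action"])

def parse_gateway(line: str) -> dict:
    d = json.loads(line)
    ts = datetime.fromtimestamp(d["ts"], tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return to_udm(log_type="OT_GATEWAY_JSON", raw=line, ts=ts, observer=d["device"],
                  src=d["srcIp"], dst=d["dstIp"], dport=int(d["dstPort"]), action=d["verdict"])

PARSERS = {"fw": parse_firewall, "otgw": parse_gateway}

def normalise(source: str, line: str) -> dict:
    return PARSERS[source](line)

def blocked_modbus(event: dict) -> bool:
    """One rule, written once against UDM, valid for every feeding vendor.
    TCP/502 is Modbus, so a blocked connection to it on a plant network is worth a look."""
    return (event["metadata"]["event_type"] == "NETWORK_CONNECTION"
            and event["target"]["port"] == 502
            and event["security_result"]["action"] == "BLOCK")

def alerts(records: list[tuple[str, str]]) -> list[dict]:
    """Normalise every (source, raw line) pair and return those the rule fires on."""
    return [e for e in (normalise(s, l) for s, l in records) if blocked_modbus(e)]

if __name__ == "__main__":
    for e in alerts([("fw", FIREWALL_LINE), ("otgw", GATEWAY_JSON)]):
        print(e["metadata"]["log_type"], e["principal"]["ip"], "->",
              e["target"]["ip"], e["security_result"]["action"])
```

Because the rule reads only UDM fields, adding a third vendor means writing one more parser and touching no detections; and because the raw line travels with the record, an analyst can always check the mapping against the original message when a parser is suspected of being wrong.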
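The "automated IR playbooks" and "meaningful metrics" lessons say that tags, phases and close reasons make metrics collectable, and name mean times to triage, investigate and contain plus the automation share. The Python below is an added example, not a SOAR product's data model: it computes those numbers from constructed case records, handles the case that never reached containment (a false positive has nothing to contain, so it must be excluded rather than counted as zero), and slices by tag. The case schema, IDs, timestamps and task names are all assumptions.

```python
"""SOC case-handling metrics from constructed case records: mean minutes from
case creation to triage, investigation and containment, share of tasks run by
automation, and close-reason counts, optionally sliced by tag.
Added example; the case schema is hypothetical."""
from collections import Counter
from datetime import datetime
from statistics import mean
from typing import Optional

# Constructed cases; ISO 8601 timestamps without timezone for brevity.
CASES = [
    {"id": "C-101", "tags": ["ot", "phishing"], "close_reason": "true_positive",
     "phases": {"created": "2024-05-03T08:13:00", "triaged": "2024-05-03T08:20:00",
                "investigated": "2024-05-03T09:05:00", "contained": "2024-05-03T10:13:00"},
     "tasks": [("enrich_indicators", True), ("assign_severity", True), ("isolate_host", False)]},
    {"id": "C-102", "tags": ["it"], "close_reason": "false_positive",
     "phases": {"created": "2024-05-03T11:00:00", "triaged": "2024-05-03T11:04:00",
                "investigated": "2024-05-03T11:30:00"},  # never contained: nothing to contain
     "tasks": [("enrich_indicators", True), ("assign_severity", True), ("close_case", True)]},
    {"id": "C-103", "tags": ["ot"], "close_reason": "true_positive",
     "phases": {"created": "2024-05-03T14:00:00", "triaged": "2024-05-03T14:30:00",
                "investigated": "2024-05-03T15:00:00", "contained": "2024-05-03T15:40:00"},
     "tasks": [("enrich_indicators", True), ("assign_severity", False),
               ("block_ip", True), ("notify_plant_manager", False)]},
]

def _minutes(start: str, end: str) -> float:
    return (datetime.fromisoformat(end) - datetime.fromisoformat(start)).total_seconds() / 60

def with_tag(cases: list[dict], tag: str) -> list[dict]:
    return [c for c in cases if tag in c["tags"]]

def mean_time_to(cases: list[dict], phase: str) -> Optional[float]:
    """Mean minutes from creation to `phase`. Cases that never reached the phase
    are left out rather than counted as zero, which would flatter the number."""
    durations = [_minutes(c["phases"]["created"], c["phases"][phase])
                 for c in cases if phase in c["phases"]]
    return mean(durations) if durations else None

def automation_share(cases: list[dict]) -> float:
    """Fraction of playbook tasks executed without an analyst."""
    tasks = [automated for c in cases for _, automated in c["tasks"]]
    return sum(tasks) / len(tasks) if tasks else 0.0

def close_reasons(cases: list[dict]) -> dict[str, int]:
    return dict(Counter(c["close_reason"] for c in cases))

def report(cases: list[dict] = CASES, tag: Optional[str] = None) -> dict:
    """The numbers a weekly SOC review would look at, for all cases or one tag."""
    if tag:
        cases = with_tag(cases, tag)
    return {
        "cases": len(cases),
        "mtt_triage_min": mean_time_to(cases, "triaged"),
        "mtt_investigate_min": mean_time_to(cases, "investigated"),
        "mtt_contain_min": mean_time_to(cases, "contained"),
        "automation_share": automation_share(cases),
        "close_reasons": close_reasons(cases),
    }

if __name__ == "__main__":
    print(report())
    print(report(tag="ot"))
```

Slicing by tag is what turns a vanity number into a decision: an automation share of 70% overall says little, but seeing that OT cases take four times longer to triage than IT cases points at the next playbook step worth automating.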
We hope that these guidelines can help you navigate the complexities of SOC modernization, and also build a security operation that effectively protects your organization in today's dynamic threat landscape.
To learn more, please see Google Cloud’s extended guidance on minding your SOC metrics and modernizing security operations.