
Is the best of the SOC behind us

Tyler Wall

Updated: Dec 8, 2024

It was 2013 and I was 26 years old, just starting out in the Security Operations Center of a Managed Security Services Provider. I sat in a room filled with my colleagues' hopes and dreams of money, money, money. We were all just starting out at the lowest rung of the ladder, not making much money at all, but everyone knew somebody who made what felt like billions of dollars doing cybersecurity. What did they do with all that money? This is the question: is the best of the SOC behind us?


We would wake up and check the news outlets because breaches were happening and making big news. The public was very concerned about cybersecurity and companies were throwing cash at cybersecurity so they didn’t end up in the news.


There weren’t many people trained in cybersecurity, and the demand for talent was high. Companies couldn’t hire the talent they needed, so they threw cash at training people. The training business was booming.


It was a time to be in cybersecurity; it was the golden age.

Before we go further, I want to say that this blog doesn’t end depressing; it ends on a high note, and not the high note that you might be thinking of right now.


It is 2020, COVID is a hot topic, and I am just leaving VMware as a SOC Automation Developer after what someone could describe as a breakdown upon realizing what the future of cybersecurity would look like. I had spent my time slowly taking work away from the SOC and automating it, scribbling next steps in my notebook until I reached what would be the master plan for automating not only the SOC but, more broadly, “Mastering Cybersecurity Automation,” which led to a book deal with the publisher Manning that I ultimately backed out of. When I began on the book, starting with the matrix, I realized something that haunted me, something I haven’t told anyone until now.


Computing at its fundamental level is very basic. It’s a combination of 1’s and 0’s: a 1 and a 0 can be organized into four two-bit combinations, 11, 00, 10, 01. We are adding complexity. From there, you can take those same 11, 00, 10, 01 and make 16 combinations, adding more complexity.


This is the same thing that we’ve done in cybersecurity.


The very basic cybersecurity tasks, or in this outline “building blocks”, can be organized into increasing complexity to accomplish all of our tasks. This means all you need to do is automate the building blocks of your company and use a matrix to combine them in various combinations to achieve full automation. This draft could use more refining, but it is presented here to convey the idea.
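A toy version of the building-blocks-plus-matrix idea described above, written as an added example (not the author's code or the book's material). Building-block and automation names follow the book outline on this page; the behaviours, indicator values and hashes are constructed stubs, and the "manual exception" gate mirrors the point that some steps still need human approval.

```python
"""Toy 'automation matrix': fully automated playbooks composed from reusable
building blocks. Added illustration; all indicators and verdicts are constructed."""

BAD_IPS = {"198.51.100.7"}              # constructed, RFC 5737 documentation range
BAD_HASHES = {"constructed-bad-hash"}   # constructed placeholder, not a real hash

def enrich(case):
    # Enrichment block: look the indicator up in a (constructed) intel list.
    return {**case, "malicious": case.get("indicator") in BAD_IPS}

def analyze_malware(case):
    # Malware-analysis block: a flagged attachment also makes the case malicious.
    hit = case.get("attachment_hash") in BAD_HASHES
    return {**case, "malicious": case.get("malicious", False) or hit}

def _response(label, needs_approval=False):
    # Factory for response blocks: they act only on malicious cases and record an action.
    def block(case):
        return {**case, "actions": case["actions"] + [label]}
    block.__name__, block.response, block.needs_approval = label, True, needs_approval
    return block

send_email = _response("send_email")
block_on_firewall = _response("firewall_block")
escalate_to_ir = _response("escalate_to_ir")
action_endpoint = _response("isolate_endpoint", needs_approval=True)  # manual exception

# The matrix: each fully automated playbook is an ordered list of building blocks.
MATRIX = {
    "Phishing Response": [enrich, analyze_multimalware := analyze_malware, block_on_firewall, send_email],
    "Threat Intelligence Response": [enrich, block_on_firewall, action_endpoint, escalate_to_ir],
}

def run_automation(name, case, approved=False):
    """Run one automation from the matrix. Response blocks are skipped on benign
    cases; blocks that need human approval are deferred unless approved=True."""
    case = {**case, "actions": [], "pending_approval": []}
    for block in MATRIX[name]:
        if getattr(block, "response", False):
            if not case.get("malicious", False):
                continue                      # nothing to respond to
            if block.needs_approval and not approved:
                case["pending_approval"].append(block.__name__)
                continue                      # wait for a human decision
        case = block(case)
    return case
```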


There are actually very few tasks that we do in cybersecurity fundamentally.


And that’s when I stopped.

We overcomplicated and convoluted a 180 billion dollar industry that provides jobs to millions of people, and I wasn’t prepared to take on what would be an internal struggle over what the right thing to do was.


I went back and forth on this for some time.



What eventually happened is that I couldn’t stomach being responsible for building the master matrix of tasks that would leave everyone unemployed, and I left automation altogether.


Today, it is well known that automation, not AI, is replacing cybersecurity jobs, and we are feeling the impact of it. It’s like I am watching this evolve before my eyes, whether I was responsible for it or not. Someone is going to figure this out.


Now, I mentioned that this blog ends on a high note. Are you ready for it? The high note is the demand for automation. The threat landscape continuously evolves, leaving more to automate. Automation tools have become far more user-friendly, meaning that you don’t have to be a developer to use them. The SIEM that we used in the past as a single pane of glass is now an automation tool. There will be a race for efficiency that will never, ever, ever end. Companies will continuously tweak automation forever to get more and more efficient. It will never end, and the demand will shift toward people with better and better automation skills. Automation BREAKS all the time. People will be needed to repair the automation. Some processes you just can’t leave to automation; they require human approval. People will be needed to do this, too.


I am writing about this only because it’s my belief that the net sum of labor from before and after will be near zero when it’s all said and done. I think companies are going through some changes right now where they are laying off people they will have to rehire when they re-skill. There are some unrealistic expectations of the cost savings of automation, and the only real way they can save costs is by accepting more risk, and that’s something they could have done from the beginning. It’s an ebb in the ebb and flow of an industry, and that is where I have landed lately.


All those nights lying awake worried about the future just seemed to work themselves out.



PART ONE: Understanding Automation

CHAPTER 1: Introduction

  • Why this book was written

  • What this book aims to accomplish

CHAPTER 2: The Demand for Automation

  • The evolving cybersecurity threat landscape

  • The cybersecurity workforce

  • The traditional security operations center

  • The solution of cybersecurity automation

  • Value Stream Map

CHAPTER 3: Mastering Cybersecurity Automation

  • Cybersecurity automation architecture

  • Cybersecurity automation processes

  • Cybersecurity automation technology

CHAPTER 4: Prerequisites and Assumptions

  • The similarities between SMB and Large Enterprises

  • International legal and data privacy considerations

  • Government regulations and certifications

  • Industry-related regulations and certifications

  • Organization policies/Asset policy

PART TWO: Building Blocks

CHAPTER 5: Sending Emails Playbook

  • Technical integration components

  • Process flowchart

  • Explanation of steps and decisions

CHAPTER 6: Enrichment Playbook

  • Technical integration components

  • Process flowchart

  • Explanation of steps and decisions

CHAPTER 7: Analyzing Malware Playbook

  • Technical integration components

  • Process flowchart

  • Explanation of steps and decisions

CHAPTER 8: Actioning Endpoints Playbook

  • Technical integration components

  • Process flowchart

  • Explanation of steps and decisions

CHAPTER 9: Firewall/web proxy Blocking Playbook

  • Technical integration components

  • Process flowchart

  • Explanation of steps and decisions

CHAPTER 10: Escalate to Incident Response Playbook

  • Technical integration components

  • Process flowchart

  • Explanation of steps and decisions

CHAPTER 11: SIEM Automation

  • Technical integration components

  • Process flowchart

  • Explanation of steps and decisions

CHAPTER 12: Responding to Emails

  • Technical integration components

  • Process flowchart

  • Explanation of steps and decisions

CHAPTER 13: Asset Discovery Playbook

  • Technical integration components

  • Process flowchart

  • Explanation of steps and decisions

CHAPTER 14: Manual Exception Playbook

  • Technical integration components

  • Process flowchart

  • Explanation of steps and decisions

CHAPTER 15: Whitelist Playbook

  • Technical integration components

  • Process flowchart

  • Explanation of steps and decisions

PART THREE: Fully Automated

CHAPTER 16: Phishing Response Automation

  • Building Blocks Required

  • Flowchart

  • Description of the phases of this automation

  • Potential response actions

  • How this automation is used

CHAPTER 17: Unusual Privileged Account Activity

  • Building Blocks Required

  • Flowchart

  • Description of the phases of this automation

  • Potential response actions

  • How this automation is used

CHAPTER 18: Banned Programs

  • Building Blocks Required

  • Flowchart

  • Description of the phases of this automation

  • Potential response actions

  • How this automation is used

CHAPTER 19: Threat Intelligence Response

  • Building Blocks Required

  • Flowchart

  • Description of the phases of this automation

  • Potential response actions

  • How this automation is used

CHAPTER 21: Vulnerability Management

  • Building Blocks Required

  • Flowchart

  • Description of the phases of this automation

  • Potential response actions

  • How this automation is used

CHAPTER 22: Emergency Vulnerability Management

  • Building Blocks Required

  • Flowchart

  • Description of the phases of this automation

  • Potential response actions

  • How this automation is used

CHAPTER 23: Data Loss Prevention

  • Building Blocks Required

  • Flowchart

  • Description of the phases of this automation

  • Potential response actions

  • How this automation is used

CHAPTER 24: Cloud Orchestration and Response

  • Building Blocks Required

  • Flowchart

  • Description of the phases of this automation

  • Potential response actions

  • How this automation is used

CHAPTER 25: Insider Threat

  • Building Blocks Required

  • Flowchart

  • Description of the phases of this automation

  • Potential response actions

  • How this automation is used

CHAPTER 26: Threat Hunting

  • Building Blocks Required

  • Flowchart

  • Description of the phases of this automation

  • Potential response actions

  • How this automation is used

CHAPTER 27: User Account Provisioning/Termination

  • Building Blocks Required

  • Flowchart

  • Description of the phases of this automation

  • Potential response actions

  • How this automation is used

CHAPTER 28: Rogue Assets

  • Building Blocks Required

  • Flowchart

  • Description of the phases of this automation

  • Potential response actions

  • How this automation is used

CHAPTER 29: Metrics

  • Building Blocks Required

  • Flowchart

  • Description of the phases of this automation

  • Potential response actions

  • How this automation is used

CHAPTER 30: Cybersecurity Automation Matrix

  • Building blocks and their components

  • Automations and their building blocks

  • Cybersecurity roles and their automation

Table of Illustrations

About the Authorship

About the Technical Review




Cyber NOW Education: How to get a job in cybersecurity

Tyler Wall is the founder of Cyber NOW Education. He holds a Master of Science from Purdue University and CISSP, CCSK, CFSR, CEH, Sec+, Net+, and A+ certifications. He mastered the SOC after having held every position from analyst to architect and is the author of three books, 100+ professional articles, and ten online courses specifically for SOC analysts.


You can connect with him on LinkedIn.


You can sign up for a Lifetime Membership of Cyber NOW® with a special deal for 15% off with coupon code "KB15OFF" which includes all courses, certification, the cyber range, the hacking lab, webinars, the extensive knowledge base, forums, and spotlight eligibility, to name a few benefits.


Download the Azure Security Labs eBook from the Secure Style Store. These labs walk you through several hands-on, fun labs in Microsoft Azure, leaving you with the know-how to create a gig on Fiverr or Upwork to start your cybersecurity freelancing.


Some of our free resources include the Forums, the Knowledge Base, our True Entry Level SOC Analyst Jobs, Job Hunting Application Tracker, Resume Template, and Weekly Networking Checklist. Ensure you create an account or enter your email to stay informed of our free giveaways and promos, which we often offer.


Check out my latest book, Jump-start Your SOC Analyst Career: A Roadmap to Cybersecurity Success, 2nd edition, published June 1st, 2024, and winner of the 2024 Cybersecurity Excellence Awards and a finalist in the Best Book Awards. If you enjoy audiobooks, I suggest the Audible version, but you can also get it in beautiful paperback, kindle, or PDF versions. The downloadable PDF version can be grabbed here.


