How to Banish Heroes from Your SOC? – Security Boulevard

– Anton Chuvakin
This blog was born from two parents: my never-finished blog on why relying on heroism in a Security Operations Center (SOC) is bad, and [Phil Venables](https://www.philvenables.com/about)’ “superb+” blog titled [“Delivering Security at Scale: From Artisanal to Industrial.”](https://www.philvenables.com/post/delivering-security-at-scale-from-artisanal-to-industrial)

BTW, what is heroism? Isn’t that [a good thing](https://cloudonair.withgoogle.com/events/summit-it-heroes-2023)? Well, an ancient [SRE](https://sre.google/books/) deck defines “IT heroism” as relying on “individuals taking upon themselves to make up for a systemic problem.” As those who have seen the inside of a SOC can attest, this is, ahem, not entirely uncommon in many Security Operations Centers.

If you recall our [Autonomic Security Operations (ASO) vision](https://services.google.com/fh/files/misc/googlecloud_autonomicsecurityoperations_soc10x.pdf), we advocate for automation, consistent processes, and a systematic, [engineering-led](https://cloud.withgoogle.com/cloudsecurity/podcast/ep117-can-a-small-team-adopt-an-engineering-centric-approach-to-cybersecurity/) approach to problems.

Here is a great quote from another domain that explains this even better: “The need for heroism is revealing the fact that you haven’t scaled your organization’s processes to effectively withstand the brunt of the unexpected, leaving it on individuals to bear.” ([source])

Is your SOC such a system?

- Heroic alert triage, where analysts stay late, extend their shifts, accept escalations at all hours, etc. (likely the most common example, frankly)
- Heroic rule writing, where rules and content get created on the fly; instead of a [detection engineering practice](https://medium.com/anton-on-security/build-for-detection-engineering-and-alerting-will-improve-part-3-dbd433516f95) you have a detection firefighting crew…
- Heroic remediation, the classic “wait, wait, I can fix it” syndrome that, statistically speaking, very rarely leads to a good solution.

Well, you want [an industrial system](https://www.philvenables.com/post/delivering-security-at-scale-from-artisanal-to-industrial)!

Now for the painful, painful truth: “It’s better to let a process break and uncover a systemic issue (like the need for better tooling or an adjustment of priorities), than to have individuals try to make up for the problem.”

You want more? Related blogs:

- [SOC is Not Dead Yet It May Be Reborn As Security Operations Center of Excellence](https://medium.com/anton-on-security/soc-is-not-dead-yet-it-may-be-reborn-as-security-operations-center-of-excellence-30fc48b52116)
- [New Paper: “Future Of The SOC: Process Consistency and Creativity: a Delicate Balance” (Paper 3 of 4)](https://medium.com/anton-on-security/new-paper-future-of-the-soc-process-consistency-and-creativity-a-delicate-balance-paper-3-of-f73fe653c04d)
Link: https://securityboulevard.com/2023/10/how-to-banish-heroes-from-your-soc/
