The Security Operations Centre (SOC) market, according to Emergen Research, was worth $4.9 billion in 2021, with a forecast CAGR of close to 20% through to 2030. The evolution of this security service has accelerated considerably over the past ten years. In this article, we examine the biggest changes in SOC offerings and the features that have made security operations more proactive in identifying threats and have pushed the boundaries of how identified threats are prevented and remediated.
SOC services have evolved significantly over the years, driven by the need for tooling and techniques that can keep pace with the increasing complexity and sophistication of cyber threats.
In the late 90s, SOCs were operated by governments and defence organisations. At the turn of the century, banks and large organisations with high-risk, high-threat profiles began investing in on-premises SOCs, the key purposes being monitoring and response. By 2005, compliance services had been added to the core activities. The following ten years saw Advanced Persistent Threat (APT) detection, Data Loss Prevention (DLP) and Security Information and Event Management (SIEM) added to the profile of SOC outputs.
The biggest strides of the past ten years have arguably been in feeding external threat intelligence into the monitoring and response activity of a SOC, for example through Dark Web and Open Source Intelligence (OSINT) monitoring.
The automation of services, reaching answers and outcomes faster than ever before, has been an important step change in recent years. It has helped the IT, Operations and Senior Leadership teams of organisations with a SOC understand the technical, financial and reputational threats they face, based on the output provided by those managing the SOC technology. Extended Detection and Response (XDR) and Security Orchestration, Automation and Response (SOAR) are the terms more commonly used when describing a SOC that is proactive in threat hunting and provides a more automated response to suspicious activity.
The final area to see big change is the hosting of SOCs. Earlier this century, many businesses remained so concerned about the efficacy of cloud services that they would host their own SOC within their own physical estate, which provided true ownership but at enormous cost. The transition to cloud hosting for SOC services has become more compelling in the past couple of years because of the elasticity and speed of scaling that comes with it, bolstered more recently by improved security, as evidenced by the development of key principles and standards (see https://www.ncsc.gov.uk/collection/cloud/the-cloud-security-principles). As a result, there is now no limit (other than budgetary constraints) to the visibility and analysis achievable across the attack surfaces being monitored, with far greater cost control.
With Artificial Intelligence (AI) and Machine Learning already playing their part in the automation and velocity of delivered SOC services, their influence and output will only continue to grow, not only in helping SOC teams triage and reach conclusions on issues faster, but also in potentially identifying trends in unknown signatures to decipher true threat activity.
Zero Trust has some way to go but will be crucial for those looking to bring true prevention into their strategy against unknown signatures.
Compliance monitoring and remediation of identified threats and vulnerabilities will have a significant impact on the value security teams bring to their organisations. By leveraging the SOC to monitor and maintain compliance across their digital estate, businesses will reduce their risk profile whilst enhancing their own commercial acumen and business opportunity. A business that can demonstrate a mature cyber risk posture to its existing and potential customers, by proactively monitoring and detecting threats, will be a profitable one.
To learn more about the approach you should take in establishing visibility of, and protection against, the threats facing your business, please contact Amicis. If you wish to access our dashboard and gain visibility of threats to your environment within 15 minutes of agent deployment, email hello@amicisgroup.co.uk or visit www.amicisgroup.co.uk for further information.