When we talk about a SOC (Cybersecurity Operations Center), we are talking about very complex “ecosystems” that must operate 24x7x365 and that above all require adequate, highly trained “People, Processes and Technology”, all perfectly coordinated and orchestrated.
I like to compare anything very complex with aviation, which, in my view and as a private pilot, is also a complex discipline that requires the same attributes as a SOC: highly trained people; processes followed rigorously, since in aviation every expected and defined situation has its procedures perfectly tabulated; and, last but not least, Technology, a lot of technology that must operate in real time, perfectly orchestrated and with global reach. For all these reasons I believe that both disciplines have many comparable attributes.
In line with this, I wanted to share my “analogy” between SOCs and old and new aircraft when we talk about two very relevant attributes of a SOC, “Events and Alarms”, through the following two images.
In an airplane, as in a SOC, computers, sensors and instruments send and record thousands of events per minute, but these events do not necessarily trigger alarms; rather, they must be analyzed and correlated in real time to understand and contextualize each thing that is happening, using defined intelligence (use cases) to effectively identify a relevant situation that could constitute an alarm, and to present those alarms to security analysts and commanders in an orderly and prioritized manner. 😉
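To make the events-versus-alarms distinction concrete, here is an added example (my own illustration, not code from the original post or from any SOC product) of a minimal stateful correlation rule. The "use case" is assumed for illustration: a burst of authentication failures from one source within a sliding window, followed by a success from that same source, is promoted to a single high-priority alarm; everything else stays a raw event. The event records are constructed sample data, not real logs, and the field names, threshold and window are assumptions.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample telemetry (not real logs): raw authentication events of
# the kind an SSH daemon or identity provider would emit continuously.
# Each tuple is (timestamp, source_ip, user, outcome).
SAMPLE_EVENTS = [
    ("2024-05-01T10:00:00", "10.0.0.5", "alice", "fail"),
    ("2024-05-01T10:00:05", "10.0.0.5", "alice", "fail"),
    ("2024-05-01T10:00:09", "10.0.0.5", "alice", "fail"),
    ("2024-05-01T10:00:12", "10.0.0.5", "alice", "fail"),
    ("2024-05-01T10:00:15", "10.0.0.5", "alice", "fail"),
    ("2024-05-01T10:00:20", "10.0.0.5", "alice", "success"),  # burst then success
    ("2024-05-01T10:00:30", "10.0.0.7", "bob",   "fail"),     # a single typo: noise
    ("2024-05-01T10:00:40", "10.0.0.7", "bob",   "success"),
    ("2024-05-01T10:05:00", "10.0.0.9", "carol", "fail"),
    ("2024-05-01T10:05:10", "10.0.0.9", "carol", "fail"),
    ("2024-05-01T10:05:20", "10.0.0.9", "carol", "fail"),
    ("2024-05-01T10:05:30", "10.0.0.9", "carol", "fail"),
    ("2024-05-01T10:05:40", "10.0.0.9", "carol", "fail"),
    ("2024-05-01T10:20:00", "10.0.0.9", "carol", "success"),  # success falls outside window
]


@dataclass
class Alarm:
    """One prioritized alarm presented to the analyst; the raw events stay behind it."""
    use_case: str
    priority: str
    source_ip: str
    user: str
    first_seen: datetime
    last_seen: datetime
    evidence: int  # number of failures that were correlated into this alarm


def parse_ts(ts: str) -> datetime:
    return datetime.fromisoformat(ts)


def correlate(events, threshold=5, window=timedelta(minutes=5)):
    """Hypothetical use case 'brute_force_then_success' (an assumption for this example).

    Keeps a sliding window of failure timestamps per source IP. A success is
    promoted to an Alarm only if at least `threshold` failures from the same
    source fall inside `window`; otherwise the event is recorded and ignored.
    """
    failures = defaultdict(deque)  # source_ip -> deque of failure timestamps
    alarms = []
    for ts, src, user, outcome in sorted(events, key=lambda e: e[0]):
        now = parse_ts(ts)
        recent = failures[src]
        # Evict failures that have aged out of the correlation window.
        while recent and recent[0] < now - window:
            recent.popleft()
        if outcome == "fail":
            recent.append(now)
        elif outcome == "success" and len(recent) >= threshold:
            alarms.append(Alarm("brute_force_then_success", "high", src, user,
                                first_seen=recent[0], last_seen=now,
                                evidence=len(recent)))
            recent.clear()  # do not re-alarm on the same burst
    return alarms


def summarize(events):
    """Events seen versus alarms raised: the ratio the analyst actually cares about."""
    return {"events": len(events), "alarms": len(correlate(events))}


if __name__ == "__main__":
    for alarm in correlate(SAMPLE_EVENTS):
        print(alarm)
    print(summarize(SAMPLE_EVENTS))
```

Fourteen events come in, one alarm goes out: alice's burst is correlated into a single high-priority item, bob's lone typo never leaves the event log, and carol's success arrives after the window has expired, so it is not joined to her earlier failures. Tuning `threshold` and `window` is exactly the "defined intelligence" of the use case; lowering the threshold to 1 would also promote bob's ordinary login, which is the kind of noise that buries an old-cockpit SOC.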
“Companies that do not have a SOC, or have one incorrectly implemented, are more like the cockpit of an old plane (first image, where two beautiful planes can be seen: a DC9 and the first version of “The Queen of the Skies”, the Jumbo 747).
On the other hand, companies that have a well-implemented SOC are more like the cockpit of a modern airplane!!! (second image, where you can see two spectacular modern airplanes: an Airbus 350-900 fresh out of France and a spectacular Boeing 787 Dreamliner).”
What do you think?
For a moment, think about this situation: an airplane flying at 36,000 feet and 930 km/hour, in adverse weather and at night; an alarm sounds and the commanders have to begin to understand what is happening (triage) in order to identify the relevant event, either on the “instrument clocks” of an old plane or in the cockpit of a modern plane. 🙂 Well, that is exactly what happens to SOC analysts when faced with an alarm and/or a potential attack on the security infrastructure they are responsible for guarding.
To be continued…