The Challenge

From the perspective of a SOC manager, a primary challenge always is developing and implementing the right content (= logic in the form of rules or more advanced code) that the organization needs. An average enterprise doesn't always have the luxury of threat researchers, content authors/developers and analysts to triage/investigate/remediate. Therefore, having quick access to the best content that is suited for your enterprise needs is key to a SOC's success. Such content must also be of the highest efficacy such that downstream actions such as automation/orchestration can be performed more predictably and with simpler playbooks.

The Solution

Imagine if your SOC had access to a streaming content service from which an analyst can pull desired content, vis-a-vis threat priority frameworks such as MITRE ATT&CK, as well as receives recommendations for content that you must implement based on current industry trends, peer activity, available data sources and other influencing attributes of the cyber-security world. And imagine if this content is readily deployable, in SIEM format of choice, in your SIEM with minimal to no coding or scripting necessary. Wouldn't that fundamentally shift the SOC into higher gear and enable better detection and hence better rates of automation downstream? Not to mention the problem of not having to deal with "skills shortage", and dramatic reduction in costs.This is how SOC tools, especially SIEMs, must evolve. They cannot continue to remain data collectors and run-time engines for simple rules with heavy dependence and onus on humans. That world is coming, and it will be cloud-powered.