Security Operations Centers (SOCs) can no longer function as reactive, one-way collectors of security-centric information. They must adapt to the changing threat landscape and learn to contribute to the organization’s fiscal, personnel, operational, and environmental strategies.
SOCs were developed to centralize an organization’s awareness of, and responses to, physical security threats against its people, property, ideas, and customers. SOCs accomplish several tasks very well:
SOCs, however, were created to address specific issues that existed at a specific time in the organization’s history. Most SOCs have simply grown to handle the volume of the alarms they monitor, rather than in response to changes in the threat landscape. This has resulted in several deficiencies in the SOC’s ability to address modern security challenges:
One deficiency is that SOCs, by nature, are reactive. Most, if not all, workflows don’t begin until an alarm has been triggered or an incident is detected. The operators and systems have become efficient at handling those events, but there are almost no workflows or capabilities in place that are proactive, predictive, or preventative.
A second deficiency is that almost all systems and data sources the SOC has access to are in silos and are not integrated with each other. A typical SOC operator works with a minimum of 10 different systems and data sources for alerting, device navigation, dispatch, response, notification, documentation, and reporting. The processes for gathering event context from those systems, distilling it into actionable intelligence, and identifying trends are all manual, and they depend entirely on the operator’s skill set, experience, job description, and bandwidth. That is an overwhelmingly manual and inefficient workflow: it relies exclusively on human operators to identify the unwanted event or behavior and to take the right actions, in the right order, at the right time, potentially under circumstances they have never trained for.
The third, and perhaps most important, deficiency is that the SOC is security-centric. The primary focus of a SOC is the security of the organization’s people, assets, and ideas. The people hired to work in the SOC, the processes that have been developed, and the technologies that have been adopted are well suited to that mission, but the mission is rigid and inflexible and cannot easily adapt to new security scenarios and situations such as COVID-19, mass casualty events, or localized political unrest. SOCs are not tightly integrated with Facilities, Crisis Response, HR, Operations, Cybersecurity Operations, or other departments that either identify additional threats to the organization or are impacted by those threats.
The result of these deficiencies is that most security operations are not equipped to:
· Scale to the current level of threat volume or types
· Adapt to emerging threats
· Contribute to the organization’s overall strategy, growth efforts, or specific initiatives
Convergint believes that the next stage in the evolution of security operations is the Fusion Center. Simply put, a Fusion Center leverages the benefits identified earlier of centralized management, visibility, and communications, together with expanded capabilities, to create a SOC that is:
The evolution from a SOC to a Fusion Center does not require a complete or immediate overhaul of the SOC. The components and capabilities that will be presented can be phased in at the most appropriate time to address the organization’s unique challenges, and they do not have to be implemented in linear order. Contact Convergint today to find out how to efficiently and successfully begin your transition to a Fusion Center, and stay tuned for the next installment in our Fusion Center series, which dives deep into the benefits and capabilities of Fusion Centers.