The traditional SOC is essentially controlled, in most cases, by a SIEM, e.g., Splunk. The language and inner workings of the SIEM are of paramount importance to the SOC team, and often, hiring decisions are made based on proficiency with the existing SIEM and other SOC tools. In other words, SOC teams are often forced to hire programmers rather than security professionals because of the dependencies with underlying SOC tools.
How would it be if SOC professionals are magically provided the capability to build detection logic without ever needing to write a single line of code? Wouldn’t SOC managers rather hire security experts instead of programmers? Yes, they absolutely would. That’s exactly how the new, future SOC is going to have to transform if it aims to protect enterprises from threats rather than just keep up with complex tools that suffer from poor detection capability and noisy alert generation. SOC managers must demand this of security vendors.
Introducing the concepts of low-code and no-code.
These self-explanatory terms define the relatively low coding effort needed and absolutely no coding effort needed in building business apps/logic, respectively. We believe in total disruption of app/logic building, particularly in the SOC, as there is enough complex work to be done in keeping up, let alone moving ahead, of the threat landscape, and building algorithms (logic) to detect complex threats, often moving fast through an enterprise. Therefore, a no-code approach to the SOC is desperately needed to not only make SOCs efficient but also empower the security experts to take charge of the reins of security threat detection and response, rather than the programmer/developer.
According to Gartner, by 2024, low-code/no-code application development will be responsible for more than two-thirds of application development activity across the industry. This is a 165% growth from today, according to Salesforce’s Enterprise Technology Trends Report, 2020.
What might this look like?
A no-code environment in a SOC would allow a threat analyst to model detection scenarios vis-à-vis actual threat attack patterns, for e.g., as those described in the MITRE ATT&CK framework, instead of modeling detection based on what the underlying tool can or cannot do. The result would be the development of a complex attack pattern detection model by a security expert, not a programmer, by moving atomic blocks of logic and associating operands with/between them, resulting in a detection model that could span days — all without writing a single line of code. Imagine the world of Lego blocks in the SOC — all the blocks, with the right colors, shapes, sizes and functional value, are there — the artist simply needs to put them together, no manufacturing or fabrication needed. They automatically interlock with one another — the expert may define the kind of interlocking needed.
A no-code implementation within a security threat detection builder aimed at a threat/intel analyst in the SOC would render a not-too-complex logic for detecting lateral movement like this, and would take a security domain expert minutes to compose:
Whereas the code written in SPL (Splunk’s underlying language) might start to look like this, and stretch well over 200 lines of code, and likely nowhere as readable as the below:
Not to mention the significantly long time it takes to write such code, the hard-to-find proficient programmer, the complexity of testing, as well as the lack of reusability (and modularity) of the code.
The example pretty much nails the importance of no-code in the SOC in order to be able to focus on the task at hand — threat detection and response — and not getting bogged down by security tools. Threat detection not only becomes easier but also much more efficient because of reusability, and introduces the ability to cascade improvements in one technique to all scenario detections that use this technique — 100’s of detections could get upgraded with a few clicks, thus massively improving scalability and currency of a SOC organization. Imagine the significant boost this can provide SOC teams with respect to preparedness in threat detection as well as efficiency.
No-code is soon going to shatter the monolithic, slow detection (and thus, response) process of the SOC!