Earlier this year, Splunk sponsored the report, "SOC 2025: The Future of Security Operations Centers" from Securosis, which is based on previously published blogs by analyst and president Mike Rothman (now with Techstrong Research). Mike recently sat down with Patrick Coughlin, Splunk VP of Go To Market Strategy & Specialization and former CEO of TruSTAR, for a fireside chat on the current state of the security landscape, the evolution of the security operations center (SOC), the benefit that data can bring to the SOC, and their predictions on the state of SOCs over the next five years. This blog provides some of the highlights from both the report and the discussion.
Current State of the Security Landscape
It’s no secret that organizations are struggling with challenges and constraints related to people, processes, and technology when it comes to security. Between the expanding attack surface and stealthy adversaries, security has been thrust into the spotlight. More visibility comes with more scrutiny, and security teams are struggling with talent shortages and attrition to get the work done. And many organizations haven’t made significant investments in tooling over the last 5 years. Security teams are often dealing with complex, siloed tools and operations that hinder threat detection, investigation, and response.
The Evolution of the SOC
As the visibility of security operations continues to grow, questions and expectations around resilience and cybersecurity arise. Security is making its way into the boardroom, and security leaders now have to define and articulate security outcomes and the value their teams deliver to the business. This means that security has more responsibility to speak the language of the business to convey the ROI that security teams are driving.
Another area of evolution is in security tooling. Advanced analytics and security automation have improved over the last few years and can help drive better outcomes for the SOC, but only if used. Automation should be used where possible, but typically requires coordination with other teams. This means security is becoming more of a team sport. While the SOC handles detection and investigation, remediation is often a cross-functional effort. And data is the connective tissue to bring teams and processes together and enables the SOC to continue to evolve.
Additionally, data and telemetry from infrastructure services and applications are coming into the SOC’s span of influence and, in some cases, its span of control. Security and observability are converging because the data layer between these systems is colliding.
A Data-centric Approach to Security
We’re seeing a revolution in data storage and in the volume of data available for security teams to leverage. This allows teams to build more advanced use cases by selectively drawing the data they need from across all organizational data, but only if tooling continues to evolve alongside it.
Splunk’s cloud platform with advanced analytics helps organizations achieve their security outcomes both within the SOC and across teams. By investing in new ways to detect, security teams can generate higher-fidelity alerts by aggregating low-level signals into a single alert that is worthy of investigation, and accelerate detection without overtaxing the limited human resources available.
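As an added illustration of the signal-aggregation idea in this paragraph, the block below rolls constructed low-level signals up into one investigation-worthy alert per entity; it is example code written for this post, not Splunk’s product logic, and the entity/signal/score/ts fields, the scores, the 24-hour window and the thresholds are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed low-level signals. Field names and scores are assumptions for
# this example, not a Splunk schema. Each signal alone is too noisy to page on.
SIGNALS = [
    {"entity": "host-17", "signal": "new_scheduled_task", "score": 20, "ts": "2024-03-01T10:00:00"},
    {"entity": "host-17", "signal": "lolbin_network_conn", "score": 25, "ts": "2024-03-01T10:04:00"},
    {"entity": "host-17", "signal": "rare_parent_child",  "score": 30, "ts": "2024-03-01T11:30:00"},
    # one noisy detector firing repeatedly: high total, but a single signal type
    {"entity": "host-42", "signal": "failed_logon_burst", "score": 20, "ts": "2024-03-01T09:00:00"},
    {"entity": "host-42", "signal": "failed_logon_burst", "score": 20, "ts": "2024-03-01T09:10:00"},
    {"entity": "host-42", "signal": "failed_logon_burst", "score": 20, "ts": "2024-03-01T09:20:00"},
    {"entity": "host-42", "signal": "failed_logon_burst", "score": 20, "ts": "2024-03-01T09:30:00"},
    # two real signals, but days apart: outside the correlation window
    {"entity": "host-99", "signal": "new_scheduled_task", "score": 30, "ts": "2024-03-01T08:00:00"},
    {"entity": "host-99", "signal": "rare_parent_child",  "score": 35, "ts": "2024-03-04T08:00:00"},
]


def _ts(sig):
    return datetime.fromisoformat(sig["ts"])


def aggregate_signals(signals, window=timedelta(hours=24), threshold=60, min_distinct=2):
    """Roll low-level signals up into at most one alert per entity.

    An alert fires when the summed score of an entity's signals inside a sliding
    window reaches `threshold` AND at least `min_distinct` different signal types
    contributed, so a single chatty detector cannot page on its own.
    """
    by_entity = defaultdict(list)
    for sig in sorted(signals, key=_ts):
        by_entity[sig["entity"]].append(sig)

    alerts = []
    for entity, evts in by_entity.items():
        start = 0
        for end, newest in enumerate(evts):
            # slide the window's left edge forward until the bucket spans <= `window`
            while _ts(newest) - _ts(evts[start]) > window:
                start += 1
            bucket = evts[start:end + 1]
            total = sum(e["score"] for e in bucket)
            kinds = sorted({e["signal"] for e in bucket})
            if total >= threshold and len(kinds) >= min_distinct:
                alerts.append({"entity": entity, "score": total, "signals": kinds,
                               "first_seen": bucket[0]["ts"], "last_seen": newest["ts"]})
                break  # one investigation-worthy alert per entity, not one per signal
    return alerts
```

With the defaults only host-17 produces an alert; relaxing `min_distinct` lets the single noisy detector on host-42 through, and widening `window` correlates the two signals on host-99 that are three days apart.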
The use of data and analytics can only result in positive security outcomes when you do something with them. This is where orchestration and automation come in to further enable the SOC. Security teams should automate wherever possible, and playbooks should be developed iteratively, starting with the situations seen most frequently.
Predictions for the Next 5 Years: Where Do We Go From Here?
The future looks promising for SOCs. Here are a few of Mike and Patrick’s predictions on what to expect:
- The continued evolution of data collection and security tooling will lower the barrier to entry for more sophisticated detection, orchestration and automation.
- Access to data will continue to improve so that businesses can derive analytics from their data regardless of where it lives.
- Data enrichment, through internal and external intelligence sources, will provide context to help SOCs answer very specific questions and hopefully provide confidence for further automation.
- The SOC will evolve to become less about the physical room, and organizations will embrace the SOC as an extended team (adopting lessons learned from the SRE model in DevOps). The focus will be on the “full stack” ability to write, test, and deploy detections, automate, and ultimately reduce manual toil. As the data layers continue to bring Security, IT, and DevOps together, we’ll see a blending in the culture and working styles of the roles within these teams to help increase productivity.
To learn more, download the full report or watch the recording of Mike and Patrick’s discussion, which includes some great Q&A covering the future of SIEM tools, how organizations should leverage MITRE ATT&CK, if security teams can operate within a virtual SOC, and use cases that are converging across security, IT, and DevOps.
In-text images from "SOC 2025: The Future of Security Operations Centers" report.