Techzine Talks on Tour

The SOC of the future: what is it and is it for everyone?

Coen or Sander | Season 1, Episode 18

During this year's edition of .conf, Splunk's annual conference, we sat down with James Hodge, Chief Strategic Advisor for #Splunk EMEA. One of the main themes of #splunkconf24 was 'The SOC of the future'. That message shone through in many topics of conversation during the show. So we thought it would be interesting to have a conversation with James about this, to try and get beyond the slick marketing messages and get some insights into what this SOC of the future actually is, and what that means for organizations.

In our chat, we talk about a variety of themes associated with the SOC of the future. Do we need to redefine the concept of a SOC? What are the technical prerequisites for moving towards a new, more modern SOC? How should organizations prepare themselves for it?

One of the key tenets in what James tells us is that a data-informed approach is the way forward. Without it, mitigating #risks and streamlining #compliance is and will always be a pipe dream. That in itself isn't very shocking; basically everybody says that nowadays. Splunk (and Cisco) claim they can actually deliver on it too. Obviously AI plays a part in this, but so do the integrations between the two players. Integrating IT operations with security also bolsters digital resilience.

A SOC of the future enables #cybersecurity to transition from an insurance policy to a key business enabler. James shares his vision of how organizations can leverage data-driven strategies to not only enhance security but also drive innovation and maintain robust governance. We delve into practical ways CISOs can meet dual expectations and the significance of shared KPIs to measure the ROI of security investments, promoting a collaborative and flexible approach across all organizational levels.

Listen to this new episode of Techzine Talks on Tour to learn more about the SOC of the future, and the role it plays in innovation and security operations. Don't miss this insightful conversation on shaping the future of cybersecurity and operational resilience.

Speaker 1:

Welcome to this new episode of Techzine Talks on Tour. I'm Sander and I'm at .conf24, and I'm here with James Hodge. He's the Chief Strategic Advisor for Splunk EMEA. Did I say that right? You did, very good. Welcome to the show. Thank you, nice of you to make some time. I hear a lot from Splunk about the SOC of the future, and a lot of things that have been announced this week are basically geared towards that SOC of the future. But maybe let's just take a step back. What is a SOC in 2024 again?

Speaker 2:

I think a SOC in 2024 is a very complicated place. We released this report, State of Security, last week, and the cost of downtime this week. I think the thing that really struck me in the statistics was that it was $20 million worth of cost of downtime per company in the Global 2000 on average, and some of the highest aspects of that really showed that SLA reporting and regulatory risk were some of the biggest things that came out of that as the total cost and where they were struggling. And in the State of Security, the thing that made me almost feel sorry for anyone that works in the SOC was that a lot of people that sit inside of security operations were considering leaving the industry because of the increased pressure on regulatory environments, compliance, and then also making sure you don't get breached and those sort of things.

Speaker 1:

What is a SOC in 2024?

Speaker 2:

It's a pressure cooker of dealing with complexity and this promise of where technology is going and what it can do.

Speaker 1:

So it's a difficult place to be, because there are already so few people that actually do security, to put it that way, and if they start leaving, then who's going to take over?

Speaker 2:

It's a niche skill set. Because I'm trying to find... well, I'm not a CISO, but someone that works in a SOC. You're trying to find someone that understands technology, but really you need someone that understands infrastructure, networking, applications, connectivity, everything in between, plus security, plus a bit of psychology, plus how to do runbooks, plus a bit of compliance. You keep adding on to that list, and that's almost looking for unicorns nowadays.

Speaker 1:

So when we talk about the SOC of the future, we really need that, right, if I hear you correctly?

Speaker 2:

Yeah, I think a couple of things in the SOC of the future... I think this is different. Coming from... I've worked for vendors a long time, and normally when we talk about things we'll put ourselves in the center of the universe.

Speaker 2:

For everything, and everyone sits around us, and that's not really true. We are a piece of the puzzle to go and help that digital resilience picture, security being important. And what I think SOC of the future really means, what we believe, is a data-informed and data-led approach to security operations, and the recognition that data is going to be scattered everywhere and the analysts shouldn't have to worry where the data is. They think about what's the analytical task in hand, ultimately. And the promise of AI, of where we think it's going to go, is... I kind of like using a phone.

Speaker 2:

I don't care how it works, I have a task in mind. I don't think of the phone as a barrier or tool. I need to learn, I just do.

Speaker 1:

Do you see the boundaries of the SOC being moved as well? Because obviously this week at .conf there were these... what was it? The pipeline builders that were announced.

Speaker 2:

Yeah, part of our data management experience.

Speaker 1:

Yeah, which basically does stuff to data on the edge before you actually ingest it into your SOC. Does that mean that we're moving towards sort of a distributed SOC?

Speaker 2:

I think there are two things that are really changing in security. One is where we go and apply analytics. Think of businesses. Nowadays it's super easy to become a multinational business with the invention of cloud computing. If I do anything with kind of real devices, I've got kind of edge. I have lots of connectivity inside of it. So I don't want to back all that data all the time, maybe, to a central SOC. I also might be working with highly regulated environments and have constraints. So I think we believe a distributed environment will remain hybrid and complex. I think the other key part about it is security operations actually needs to work really well with IT operations.

Speaker 1:

They should have done that a long time ago. You and I were talking before we started this.

Speaker 2:

We've been talking about this in the industry for a long time, but I think, as digital is your business now, the imperative for security operations to be a revenue enabler is more than ever before. I think we have to accept risk, and I'm a massive fan of rethinking this, even to the point where KPIs are shared between IT operations and security. So I think both should own breach detection, keep the business secure, and both should own a number on generating revenue, because I think that then gets harmonization.

Speaker 1:

On paper, that looks great, right?

Speaker 2:

On paper, yeah, and it has looked great for about...

Speaker 1:

I've been doing this for a long time, and I've been talking with people and with vendors and with customers of vendors about bridging gaps between whatever, and, at the end of the day, it didn't really happen. Why? Why will it happen this time, then?

Speaker 2:

So I think one of the reasons it doesn't happen is because you have multiple different types of tools inside of your environment. So, you know, basically one tool may spit out one answer, one tool might spit out another answer. It becomes very difficult to collaborate. So I'm going to be a bit geeky here. But what you really want is a tool putting out the answer, let's say it's 42, and then kind of work back to kind of the question. But what we're really saying is you may sit and work in IT operations, I may sit in security operations.

Speaker 2:

The kind of machine has said something doesn't look right here. Now you and I can collaborate to say what type of incident to the business this is. Is it security, is it IT? And actually we now have a common way of looking for it. I think that's the advantage of taking a data-orientated approach: data is a common language, and how you see things differently. And that hasn't really happened in the industry much. They've all been isolated toolings, different types of answers coming to different conclusions with the same data.

Speaker 1:

So I think that's a big step change in the industry. So let's use a security term. The indicators... oh, yes, the indicators are there that we are actually moving in the right direction?

Speaker 2:

I think massively. I'm going to be slightly biased because, you know, here.

Speaker 1:

I wouldn't expect anything else.

Speaker 2:

No, I think it's... as a technologist, a few weeks ago I was super excited because I sat at the launch of Cisco Hypershield.

Speaker 1:

I covered that as well.

Speaker 2:

Kernel-level monitoring, and it was very security-orientated at launch. But for me, what they're doing with eBPF and Isovalent was, from an IT monitoring point of view, really exciting. So I think for the first time ever we've got a new category, especially with what they're doing with eBPF, to be able to go and observe everything that's happening inside of your infrastructure. Because at the kernel level you can do it, at the switch you can do it, at the software layer you can do it, because now I can go and see everything that's happening and I can now decide how I want to go and look at that. And so, ignoring kind of... I work for Splunk, Cisco. It is, I think, in the industry, and we'll see other people follow this and make utilization of it. We're starting to get to the point where it's becoming possible to observe everything with technology. So I think that opens up possibilities. That's what I'm excited about.

Speaker 1:

Yeah, and now that you mention it like this, there is also... I mean, the acquisition and the integration make more sense as well, right? Because if you want to have IT people talk to security people... I mean, there are lots of IT people working with Cisco, obviously. A lot of security people also working with Cisco, but also working with Splunk. So then you start to see the big picture, right?

Speaker 2:

Well, the big picture is everything needs connectivity. So I want to go and do something. The birth of the internet, ARPANET, starts off. It was connectivity at its purest: two computers connected together to go and do that, the beginning of the internet and kind of the world as we know it. What's really interesting in the state of the cost of downtime report was that the biggest reasons for incidents weren't things like AI, it wasn't things like ransomware attacks, it was misconfigurations of cybersecurity-related type things and misconfiguration of IT infrastructure. Human factors come in. Now I think about building a business. I need connectivity, I need to go and be able to collaborate, and I need to then be able to observe everything that's happening. Because it's inevitable we'll misconfigure things.

Speaker 1:

We'll always be there.

Speaker 2:

Even if AI is involved, someone will get it wrong. AI is never going to fix that. Maybe, especially when AI is involved, you never know. But now we can go and see everything inside of that. We've got a chance to be able to spot things faster and be able to go and remediate it, and I think that's a big step change that we're starting to see with the integration between the two companies, right? Yeah, then it all... it's starting to make sense.

Speaker 1:

I mean, I'm not entirely convinced yet that we will be here next year and say, well, all the IT ops and SecOps people are talking to each other now. But I mean, because it's a people thing, right? Some of them are very protective of what they do and they don't want anyone else to bother them with other stuff that they feel... you don't have anything, it's not your... they're different languages, I think, and they see things differently.

Speaker 2:

So I'm a technologist by background, but my role now tends to be almost like therapy, you know, talking to different teams on actually people change, management change, like transformation change, to bring in the technology to go and enable it. And I think technology change is really important. You know, we're talking about... we're here at the annual conference for Splunk. We had Chuck Robbins on stage at the keynote. One of the things we are committed to, which I think is really important from a security point of view in a SOC, is not having to say "the answer is Splunk and Cisco, you have to have those things,

Speaker 2:

those are the only first-class citizens." From a Splunk perspective, we will make sure that if you use other products, say SOAR or anything else, they're still first-class citizens. Of course, if you've got Cisco, yes, it should be gold standard out of the box, but it doesn't mean anything else is doing it as a detriment, because I don't believe that security operations, the IT operations, will ever have complete standardization from a single vendor. You're always going to be picking best of breed. What you want is interoperability, which goes back to my first opening statement, which is it's actually about the data underneath it and how you go and leverage it.

Speaker 1:

I think that's a very, very good point. I think we need to dig into that a little bit more, because, at the end of the day, it's a data game. Like AI is a data game, security is a data game as well, right? If you don't have the correct data management and other stuff in place, you're not going to be able to secure it properly. Data management and use case prioritization. And what do you mean by that?

Speaker 2:

So, looking against your risk profile, there are so many new vulnerabilities coming out. Hopefully, tools and kind of this class of product that Hypershield is starting is going to just say, hey, you've got vulnerabilities and things out of patch, which is, I would say, a potential for someone to go and use a technique against you. But you've still got to look at what is my actual threat. Do I get APTs as a risk against me?

Speaker 1:

If I don't?

Speaker 2:

Let's not waste time on building those use cases. Let's focus on different types of risks.

Speaker 1:

Waste time is maybe not the right word. Not prioritized would be better. I think that makes sense, because, I mean, I've also heard lots of stuff going on about risk-based security, right, and I mean that's been a buzzword for about four or five years already, maybe. Well, it's almost like insurance, right?

Speaker 2:

So, you know, companies traditionally look at cyber security as an insurance policy. Why do you have insurance? You're mitigating against risk because something will happen, it's inevitable, or might happen. You hope it doesn't happen, but you're going to protect yourself against it. So, just like buying a car insurance policy, a house insurance policy: how much risk do you think you're going to have and how much kind of investment do you want to go and make on it? I don't think that will ever change. What will change, though, is using that data. The more you can think about it from a data point of view: what else can I use for that, so you can actually think of cybersecurity as a business enabler rather than an insurance policy? That, I think, when you're talking about the future of SOC, is one of the things that will start to change.

Speaker 1:

Yeah, I think that makes sense, because then IT will also be more enthusiastic about security, right? If you say, well, if you're more secure, you're going to be happier, basically. Then, yeah, I see that. So just going back to the organizations: what do they need to do to actually prepare for this, apart from obviously calling you and saying I want Splunk? No, I'm just kidding. I mean, they definitely can do that. You won't say no, probably.

Speaker 2:

I think one of the hardest things about... let's just take the role of a CISO. I'm asking you to do two things. I'm saying don't ever let this organization get breached.

Speaker 2:

So it's also really saying, I'm saying to you, you must have a steady runbook, you must have consistency, almost like air traffic control, really solid governance procedures, no deviation, get it right. At the same time, I'm asking the same individual: hey, the world is evolving so fast, I need to be innovative, creative, break things, do things differently. And that's a really difficult thing. You would not normally ask a leader in any organization to do business as usual and innovation, but we're asking the CISO to do that. So I think actually what they really need to think about is a separation of roles, and being much clearer and cleaner inside of that organization on who's kind of doing the innovation side, who's doing the business as usual, how do you interoperate them, and how do you bring in networks, how do you bring in IT, SRE, early into that process to add to the innovation? Because they're innovating as well, they're thinking new things. And so starting to build that partnership up together and almost realize security is a team sport.

Speaker 1:

You need to set up some sort of a vertical kind of approach inside your organization to get this right. Yeah, I think... across all levels and all domains of your company.

Speaker 2:

Yeah, I think classic organizations, where you have the big triangle and silos in there, is never going to work. As we move to kind of multi-generational working, as we start to look at what skills we can bring into the workplace, the organizations that are going to succeed are the ones that can go and bring natural teams together rather than having to force that through a management chain. And that, I think, especially from a security operations point of view, means leaders have to be more humble and realize that what leaders are doing is they're connectors, they're enablers, they're creating free innovation spaces. They're not running a metric, they're not making sure someone's at their desk between certain hours.

Speaker 2:

It's a very different shift that will enable the SOC of the future.

Speaker 1:

That's one of the things I wanted to pick up on again, because how do you measure success in this sense? I mean, ideally you would consider security an investment, not necessarily an insurance, right? Yeah. But then, if you invest, you need to have an ROI from somewhere, right? So you have the cost of downtime, obviously, that we talked about. But are there any more tools or KPIs, and you talked about shared KPIs as well, that you can actually think of, or that organizations should think of, when they go about doing this?

Speaker 2:

So the two of us live in Europe? Well, I live in the UK, so it's always debatable, depending on who you ask in the UK, whether we live in Europe or not.

Speaker 2:

We tolerate you. But we like a good bit of regulation, and you think about security operations, and these regulations are an example of where you can actually look at ROI. Regulation can be consuming, to go and meet compliance mandates, audits, those type of things. What we find is when people take a data approach to that, they're much faster, like, hey, I don't fear an audit, just tell me when you want to turn up because I've got everything ready. And just to kind of finish that point: when that gets right, it's actually working with IT to say, as you want to bring in change, let's understand it. Let me start to work with you on what we need for the regulation, so the regulation never becomes a burden. It becomes a collaborative effort, and that starts to bring people together. Then I can actually go and say how much, by implementing security and kind of compliance reporting, we'll be able to reduce that time, to go and allow me to free up time to go and do something that's value-add.

Speaker 1:

It's not the right words, because, you know, compliance is important, but maybe top-line generating rather than kind of BAU. Yeah, but also maybe go beyond, because... go beyond compliance and all, because I'm not... I mean, I know, I know we need it, compliance and ISO 27001 or whatever, there's lots of them. Yeah, lots of them.

Speaker 1:

I know we need it, but it also hinders kind of progress in security as well, because you tend to go, oh, I've got the check marks, so fine, I don't do anything more. But do you see that if you take a data-driven approach, you will also go beyond compliance when it comes to security?

Speaker 2:

100%, I think. Actually, one of the things we've been talking about is resilience, and digital resilience is a big theme of the conference this year, and a lot of that work for us started with work around DORA, the Digital Operational Resilience Act.

Speaker 1:

It's only for financial institutions.

Speaker 2:

It's only financial services, but what it really started to set out, and we're starting to see more and more pieces of legislation or consultations around resilience, is you need to be secure, you need to think about your infrastructure, and you also need to provide a good consumer experience. So when I think about actually compliance reporting, regulatory reporting, and bringing data into that, what I'm building is the foundations to become resilient, because it's inevitable something's going wrong. You know the cost of downtime. We're going to misconfigure something, AI will as well, and, you know, it'll be fallible, but what that allows me to do is quickly understand what has gone wrong, and it builds confidence.

Speaker 2:

The executive leaders don't drive transformation. They stand on stage, I'm guilty of this as well, and say here's my 2030 vision, here's my vision for the future. We'll pat ourselves on the back, job well done. No, it's actually people on the front line making micro decisions every single day that have a macro impact. Do I, because I've seen this threat, block the firewall? Yes, no. Do I roll back this bit of software? Do I give people permission to do something? I've seen someone log in at the wrong time.

Speaker 2:

These are trivial examples, well, but they happen a lot. They happen a lot, but every time I need to go and answer one of those, I'm having to escalate that decision because I don't have the right data in context, and I'm actually slowing down transformation. The more I can go and get data and context to the front line for any use case, the more I'm building up momentum to go and build innovation, build that transformation, build trust and confidence. That's really the SOC of the future, and data and context is the only way to go and drive that.

Speaker 1:

And obviously we shouldn't overlook the cost aspect, not necessarily the cost of downtime, but also the cost of living, for want of a better word, for companies. Right? Because that's what I quite like about these pipeline builders: that you say, well, we only move the data that we actually need to move and not all the other stuff, because that's very expensive if you have to do it continuously. Right?

Speaker 2:

Yeah.

Speaker 1:

So you could think of an ROI in that sense as well. So if you do the SOC of the future correctly, and you distribute your data management well and all that stuff, then you will also actually be cheaper than it is now.

Speaker 2:

So I think this comes back to the concept of right-time analytics. What use case do I want to go and solve? What time frame do I need to solve it in? Where is the data at the moment, and do I need to move that data? So for a vendor to say, actually, you don't always have to go and store that data in Splunk is quite a big shift for us, and we spoke a lot this week around federated search. Some use cases, let's take proxy logs, DNS, those huge, voluminous logs. Is there value in storing it? Yes, because I might need it. But do I need to store that in a fast online data store? Probably not. So store it in S3. And what we'll give from a Splunk persona point of view is you have the ability to say, actually, I need to use that now: write my search, it will go off to S3, go and run that query. Is it going to be as fast?

Speaker 1:

No, but does it need to be? And that's where you can start to really think about where do I need the data, where do I want to move it, and how do I... Yeah, that should be partly automated, right? Otherwise you're not gonna... or maybe not. I mean, I'm just assuming here. Or do you need to take stock of all your processes and all those things and say, well, is this... what's the right time to do this?

Speaker 2:

Well, ultimately, the vision would be, and that's why data management and DMX that we've been talking about this week is so important, because I can start to say what feeds am I bringing in. I can also say what use cases are being utilized for those feeds, how often do I search, and start to build that intelligence around it. And one day, and I'm very sorry for what I'm about to say, but AI... but no, we can have smarter systems to say, actually, we barely touched this data source, let's automatically start just dumping that in S3. Actually, we use this a lot, but we typically only search 15 days' worth of data, so let's send that to Splunk and then let's roll that off after 15 days to long-term storage, to be much smarter around that data. And self-governing maybe is a better way of putting it.

Speaker 1:

Well, and just as a little disclaimer, I think you worked on the federated kind of stuff.

Speaker 2:

Yes, so we started this quite a while ago.

Speaker 1:

You're quite keen on the subject, I think.

Speaker 2:

I am, although I'm slightly... the thing I got the patent for never made it to the light of day, but it was our early research.

Speaker 1:

But you have a patent that nobody uses.

Speaker 2:

But still I can claim I'm an inventor.

Speaker 1:

And when I'm older I can say I was an inventor. Maybe somebody will use it one day, or is it that dated that you can't use it anymore now?

Speaker 2:

It has some really interesting techniques and theories, because actually federated search is really complicated, because you've got to think about the user experience, you've got to think about the semantic mapping of the way Splunk would look at that data, or the application and the end user. Which is why, from a community point of view, we put a lot of investment in the open source cyber security framework. I can never get the acronym's letters in the right order.

Speaker 2:

So thank you for saying it for me, but the open security cyber security framework is really important. So Splunk, Amazon, Microsoft, Chronicle, a whole bunch of, like, 14, 17 vendors are part of that, because what I can now do, we can expose this, is the data that's available for security use cases, and actually that makes that semantic mapping much simpler, because that's where a lot of the complexity starts.

Speaker 1:

Yeah, but that's also potentially an issue, right? Because as a company or as a technologist, you maybe think differently when it comes to the semantic map than you would as a user, right? So that's also on the vendors to actually interpret that, right?

Speaker 2:

Yeah, it is, but I think we've seen a huge shift in the industry to be much more collaborative across vendors, and actually to recognize that the more we work together, the better it is for our end customers. Then what is beholden to us is not about kind of controlling the data. It's providing the best experience to go and get that task in hand. I think it's no longer about ownership of data, having it in your data store. It's moving up a bit in the stack into who can provide the best analytics, the best user experience, the fastest time to value. And ultimately, I want someone to be able to have an experience where they don't think about using Splunk as a tool. They just interact with some software that's going to go and help them on the task in hand. Yeah, the more we can get away from having to learn a tool, the better it is for security.

Speaker 1:

That's a nice segue into sort of the final topic that I would like to... because we have about a couple of minutes left.

Speaker 2:

So we should be able to do it. We can be brief. I'll take a big breath in. Well, there you go.

Speaker 1:

You're a fast talker, so I think you can get a lot of words in if I shut up now. No, because you talked about... So, what you said just before I interrupted you was about the different components, or that you shouldn't be having to learn a tool anymore, or Splunk, or you should just be able to work with whatever you as Splunk or somebody else offers. What does that mean for the interoperability of all the different components, for example, that Splunk has? Because I get the impression that they're all merging to a certain extent. So observability gets into security, gets into data management, and it's all one big cloud.

Speaker 2:

One of the beauties of Splunk is we're underpinned by that core data platform, and everything then sits on top of that, so we have a common underbelly for the product suite. Then we went a long time adding user-based analytics, SOAR,

Speaker 2:

we've got ARI for, like, risk exposure, a whole bunch of different areas, and they kind of almost were standalone, with some interoperability. What we've been doing over the last couple of years is unifying those experiences, and what becomes really important then is what we're announcing this week around the AI side. We power, you know, a lot of ML, a lot of AI, and, like, detection of things, but from a usability point of view, being able to use natural language to go and interact with the tool. Why is that important? Because then, as an organization, I can put effort into training you about cybersecurity, not training you about a tool, and the more we can move to that, the more important. And, to maybe finish that point, when you find that cybersecurity incident, being able to hand that over to someone in the observability world to go and maybe do the remediation, the retrospective, those type of things, having that common language. The faster you can do that, the better.

Speaker 1:

So you still need the different pillars, so observability, security, these things, but for most users in organizations it should just merge into one?

Speaker 2:

No, I think they're different mindsets. What we want is interoperability between teams, so they see each other as partners, different sides of the same coin, but not kind of like the same thing.

Speaker 1:

And just a final question: is the SOC of the future for everybody? Can anyone use it? Because obviously, if you're talking distributed, then you also talk about regulated environments that may not be allowed to do this processing at the edge or whatever.

Speaker 2:

No, we can actually work with... We have lots to take. Financial services: you might have a deployment in Switzerland, one in Germany, one in the UK, one in Singapore. You know, regulated environments. We're going to enable hybrid search between them. You know, is that quick to do? No, it's complex. You've got lots of regulation to go and work through and check. But I think SOC of the future is a concept around taking a data-first approach, and so, almost like the Oli movement, it is a philosophy on how you want to approach that, and you mature through it, rather than it's utopia that's really complicated to do. No, it's a starting point for you to go and build on.

Speaker 1:

That's a nice point to end this conversation on, because I always think, as long as it doesn't become the next-gen firewall, which has been the next-gen firewall for about 15 years already.

Speaker 2:

Yeah, exactly, we don't want that.

Speaker 1:

No, not at all. This is not going to be that, right? No. Okay, that's good to hear. Thanks for joining me. Thank you very much.