EP73 Your SOC Is Dead? Evolve to Output-driven Detect and Respond!

Guest:

• Erik Bloch,  Senior Director of Detection and Response at Sprinklr

Topics:

• You recently coined a concept of “output-driven Detection and Response” and even perhaps broader “output-driven security.” What is it and how does it work?
• Detection and response is alive (obviously), but sometimes you say SOC is dead, what do you mean by that?
• You refer to a federated approach for Detection and Response”  (“route the outcomes to the teams that need them or can address them”), but is it workable for any organization? 
• What about the separation of duty concerns that some raise in response to this? What about the organizations that don’t have any security talent in those teams?
• Is the approach you advocate "cloud native"? Does it only work in the cloud? Can a traditional, on-premise focused organization use it?
• The model of “security team as a decision-maker, not an implementer” has a bit of a painful history, as this is what led to “GRC-only teams” who lack any technical knowledge. Why will this approach work this time?

Resources:

• “RIP SOC. Hello D-IR”
• “Kill your SOC with a D-IR model”
• “Security De-Engineering: Solving the Problems in Information Risk Management” book
• “A SOCless Detection Team at Netflix” 
• “Achieving Autonomic Security Operations: Automation as a Force Multiplier” 
• “Start with Why: How Great Leaders Inspire Everyone to Take Action“ book
• “Think Like a Monk: The Secret of how to Harness the Power of Positivity and be Happy Now” book
• “On “Output-driven” SIEM”
• “SOC is Not Dead: How to Grow and Develop Your SOC for Cloud and Beyond” (ep58)