VoIP Benefits Summarized

Some of the reasons why VoIP changed the IT marketspace can be summarized as follows:

• Combined Internet bill and phone bill, leading to savings

• Offered bleeding-edge technology:

  • New IP phones

  • Centralized management

  • Bleeding-edge features such as customized ring tones and Music on Hold

  • Better performance monitoring to understand return on investment

  • More options for security

• Became a trend everybody else was investing in

• Perceived as providing a competitive advantage

SD-WAN Benefits

SD WAN offers much better management technology than MPLS, including options to measure performance and improve response time when there are potential issues with connectivity between sites. Having more visibility means IT has a much better understanding of the problem. Looking back at my example, if a connection issue occurs, IT can identify whether the issue is a problem at the application layer, a problem on the branch side of the connection, a problem with the traffic traveling over a WAN connection, or a user problem, whereas in the real-world MPLS scenario I described I had to be physically onsite to figure out the problem. As stated earlier, SD-WAN reduces the likelihood that an on-call engineer will be engaged because the technology is able to better understand the problem and offer automated corrections when a problem occurs. Figure 11-5 shows an example of the Cisco vManage SD-WAN management dashboard summarizing various WAN performance statistics. SD-WAN dashboards such as this provide a ton more information than traditional WAN management platforms.

To summarize the value of SD-WAN, the following are five core values gained by investing in SD-WAN:

• Software intelligence exists within a network virtual environment providing agility and flexibility using a web portal configuration, versus managing routers and traffic monitoring taps.

• SD-WAN leverages an Internet connection, which is much cheaper than an MPLS service line; however, MPLS can be used when dedicated lines are needed.

• SD-WAN is an agnostic technology, allowing you to select the right connection for your business, whether it is using the Internet, MPLS, or other service.

• SD-WAN is able to terminate any connection from any source and apply security, load balancing, and local traffic shaping depending on network conditions.

• SD-WAN builds on the traditional WAN router and is revolutionizing the telecoms market.

If you compare why organizations have invested or will invest in VoIP technology and SD-WAN technology, you will find that both technologies offer similar value points and both are considered major disruptions to how they have impacted IT services. Both technologies provide huge cost savings by reducing what organizations must pay to an external service provider and both offer modern technology as part of the migration plan, which includes better management, troubleshooting, and an overall better experience for end users and IT managers. Unlike VoIP, however, a major catch to operationalizing SD-WAN is causing many organizations to hold back from making a full SD-WAN investment. That major roadblock to the success of SD-WAN is security!

Gartner Shoots the SASE Flare Gun!

Gartner’s SASE predictions represent a warning to the IT industry of a major disruption that will occur. Cloud adoption is going to happen at a pace that hasn’t previously happened. SD-WAN will become as common as VoIP is today in most organizations. Solving the security challenges that SASE solves will be a normal expectation from IT providers. Those that don’t see the warning flare from Gartner will miss a huge market shift and likely not survive. Gartner is throwing huge numbers behind its SASE prediction with the following statements:

• By 2023, 20% of enterprises will have adopted secure web gateway (SWG), cloud access security broker (CASB), zero trust network access (ZTNA), and branch Firewall as a Service (FWaaS) capabilities from the same vendor, up from less than 5% in 2019.

• By 2024, at least 40% of enterprises will have explicit strategies to adopt SASE, up from less than 1% at year-end 2018.

• By 2025, at least one of the leading IaaS providers will offer a competitive suite of SASE capabilities.

To be clear on the numbers, 40% of enterprises represents billions of dollars of potential business for IT vendors. On top of that, these predictions show customers investing more with a single vendor, meaning the vendor with the best SASE offering has the potential to claim many areas of security and network business from firewall and branch service providers. This is why many experts are warning that if an IT company does not adapt to the SASE model, it will become obsolete and locked out of future business. As a result, multiple SASE-focused acquisitions occurred in 2020, including the following:

• Palo Alto Networks acquired CloudGenix

• Fortinet acquired OPAQ

• VMware acquired Nyansa

• McAfee acquired Light Point Security

• Zscaler acquired Edgewise Networks

• Cloudflare acquired S2 Systems

What are all of these organizations trying to achieve through their acquisitions? Read on to find out.

Prediction: Integrated Network and Security

Organizations will look to acquire SD-WAN with security included versus keeping security as a dedicated expense and technology to manage. Organizations are already recognizing SD-WAN as a way to reduce the cost of services, but they will not want to spend more to secure it than they can save by switching to a SD-WAN architecture. Organizations are more likely to invest in SD-WAN if it is secure (as described as SASE) and still provides cost savings after everything is acquired and deployed. Referring again to the example of VoIP adoption, migration to VoIP accelerated rapidly after the industry realized switching to VoIP had an extremely short return on investment, meaning the entire system would pay for itself within three to five years. If a SASE offering can demonstrate a similar quick return on investment with security included, organizations will rapidly jump on the offering. Organizations also will not want to spend more to secure an SD-WAN offering than they can save by switching to an SD-WAN architecture.

Prediction: SaaS Is the Future of Security

Software as a Service (SaaS) will continue to grow and it needs to be secured with technologies like cloud access security broker (CASB) and access control. Although SaaS means you are outsourcing most of the responsibilities to a service provider, you are still responsible for your data. I point out the concept of securing data in a SaaS environment because you must secure your data with the limited technologies that are available, while other aspects of security are covered by the SaaS provider. The future of SaaS will include security such as CASB capabilities as part of the offering, representing a flavor of SASE by combining a service with security for a single cost or as an option in a SaaS service-level agreement. This makes sense as CASB is a security tool that acts as an intermediary between the users and cloud service provider, allowing the users’ organization to enforce desired security policies and monitor how SaaS is used. I predict CASB offerings will become part of other services and will no longer be a dedicated solution, as it just makes sense to combine this with many SaaS services.

Prediction: Dynamic User/Device Fingerprint

Identifying a user and/or device is and will continue to be based on multiple factors, which includes where the user/device is located, what type of system the user is on, and what applications the user/device is permitted to access. Results of how a user/device is fingerprinted can dynamically determine what access rights they will be provisioned, regardless of where they are located, meaning the place of work can be anywhere in the world at any time. This type of technology exists today; however, it will continue to get better. Areas of improvement include the accuracy and details associated with a user/device, the potential risk, relating the user/device to historical data, comparing the user/device against behavior and attributes found with similar users/devices around the world, and continuously adapting to changes. I have seen movies depicting these types of futuristic features, such as a device scanning a user’s eye from across the room to provision various services at an office or an automated voice greeting by name a customer walking into a retail store and then suggesting what the customer should purchase based on previous buying habits. I have seen aspects of these features already used in the real world, with collaboration technologies leveraging big data trends blended with scrapping social media accounts and facial recognition technology.

Prediction: OPEX Replaces CAPEX

Organizations will increase investment in subscription-based technology with the goal of converting CAPEX (capital expenses, meaning to buy something) to OPEX (operational expenses, meaning the cost to do something), reducing the need to acquire and manage technology. Many IT hardware providers have already made this shift, and the future of successful technology providers is dependent on reoccurring revenue business models. For example, most vulnerability scanning providers in the past sold their scanners only as software you downloaded, installed, and managed (CAPEX). Today, it is more common for vulnerability scanning providers to offer the same technology from the cloud and as a subscription service (OPEX). From a customer viewpoint, the customer doesn’t have to deal with setting up or updating the product, and management of their scanning is accessible from anywhere that has Internet access. From a vulnerability service provider viewpoint, the vendor can quickly add new features, onboard customers, and troubleshoot tickets, enabling them to offer a better experience to customers. SaaS also curtails pirating of software and allows for more control over how customers can test out their solution using a cloud-based proof of concept approach.

Prediction: The Office Is Everywhere!

User performance needs and requirements for flexibility will continue to increase, forcing organizations to move security to the application and host rather than requiring traffic to tunnel through a security stack. In older network designs, organizations would build a defense-in-depth design at the network gateway and put a VPN concentrator at the front end. Any VPN user requiring access to internal resources would have to send traffic through a VPN back to their organization’s VPN concentrator, forcing traffic through the security stack within the gateway. Throughput requirements have already forced many organizations to leverage split tunneling—sending only those requests that need to go to the organization through the VPN while separating and sending all other traffic over the Internet. I previously explained how battling the bottleneck problem, meaning having too much traffic forced through a stack of security solutions, had led to a major driver for SD-WAN.

User traffic going through the gateway security stack is becoming more difficult to inspect due to SSL/TLS encryption, because data privacy rights require certain traffic to maintain its encryption even if decryption options are available. Secure Internet gateway (SIG) is a SASE concept that addresses this design problem by forcing user traffic through a cloud-based security stack, relieving organizations of the responsibility to force traffic through their corporate-owned security stack. SIG is growing in popularity and is a concept that will become the standard way to secure traffic from employees who are not physically at a corporate office. Essentially, security will follow the users, devices, and data rather than everybody having to accommodate restrictions based on how the network is designed. The need for encryption will not go away, but VPN as a service will be the more common method to encrypt than traditional VPN hosted from a VPN concentrator owned by an organization. The COVID-19 pandemic has prompted many organizations to adopt a work-from-anywhere mentality to accommodate their workforce having to work from home. Many organizations I have spoken with since the pandemic began are developing a work-from-anywhere architecture not only to improve work efficiency but to prepare for any future event that would force their employees to work from home. Some organizations have even announced permanently using a work-from-home model as it has shown to work during the pandemic.

Prediction: Increase Data Loss Prevention Needs

Data loss and data at rest will continue to increase in demand as both technology options become easier to deploy and manage. Frameworks such as Zero Trust are extremely popular in concept but difficult to operationalize. In theory, the concept of encrypting important data is easy to state as a requirement; however, the biggest hurdle is determining what data is considered important and requires protection.

Predefined data such as credit card numbers and Social Security numbers are easy to set up for monitoring; however, automatically labeling an organization’s data as important enough to be encrypted is much harder based on all the dynamics of what can be considered important and how fast data changes. Advances in technology based on machine learning and artificial intelligence are allowing for quicker and better decisions to be made regarding the importance of data, which can translate to a more accurate and automated data loss and data at rest technology. The future of the modern SOC will include automated data loss and data at rest technology as a backbone of its security practice similar to how antivirus is used today.

Prediction: Goodbye Tier One Support

Tier one support in most organizations represents the group responsible for basic customer issues. They are seen as the first responder when an employee has technical needs. I predict tier one support for services will be fully automated in the future SOC. As SD-WAN adaption increases, organizations will have access to more details on how their services are functioning. These details will open the door to automated response when issues are found in a service and automated response when a potential security event is occurring.

By automating responses to these situations, tier one support will not be needed because the network will know when an issue or attack is occurring and either resolve it on its own or send event data directly to higher-tier support when its automated response fails to remediate the situation. Because SASE is a cloud-based service, support for tier one services will move to the service provider, saving the SOC the need to offer any low-level support services. Automated tier one support is in common use by businesses via automated assistance that attempts to solve your problem rather than sending you to a human.

Prediction: Automated Upgrades

With SASE, software upgrades will just happen rather than be a responsibility of the SOC. SASE means a service is provided by a cloud service provider, translating to the service provider always having access to the management tools. If new features are needed, the entire configuration and upgrade process can occur without the end user being notified because backup systems can be used while primary systems are being upgraded, leading to zero downtime during the upgrade process. This can and will all occur in the cloud without customers’ knowledge, removing technology maintenance requirements from the SOC’s list of responsibilities. Tesla provides a great example of this concept. Tesla owners agree to receiving updates, and their parked vehicles will inform drivers that an update is available and will be installed when they are not using the car. The Tesla owner doesn’t have to do anything but wait for updates to be pushed from the cloud to their vehicle. SASE allows for the same update strategy to occur. I point out this example because technology continues to be part of all industries, leading to SASE impacting more than just our computers.

Another software development concept that will impact automated upgrades is agile software development methodologies. Agile software development means smaller chunks of a program are developed and released more often. Using this approach also allows for pushing upgrades and patches along with software releases, providing a much smoother upgrade experience than waiting and combining multiple changes into one larger release. Cloud complements agile software development because the cloud service provider can continuously push smaller updates with little risk of impacting its customers.

SASE Predictions Summarized

The potential value of SASE to the SOC includes shifting the responsibilities of certain services to the cloud, which frees up time for SOC analysts to focus on different tasks. SASE technology also solves some challenges that SOCs deal with, reducing or even outright eliminating some risk that today’s SOCs must account for.

Pay attention to the SASE trend as it impacts all of IT. There are many resources you can follow as SASE matures. I recommend using a blend of reading publications from industry firms such as Gartner, monitoring IT vendor acquisition trends, and speaking with other organizations regarding their cloud adaption roadmap. If you do not already have a SASE strategy today, now is a good time to start looking at how you plan to adopt cloud technology into your SOC’s practice.

The next topic regarding the future of the SOC is how the services that it provides today will change in the future. Any forward-thinking SOC must consider not only what services the organization needs from the SOC today, but also how those and other services will change over time.

Hello World, Meet Emily Williams

Playing the role of Emily, we became connected via social media to key members of the organization we were penetration testing. Within a few days, we had over 170 employees of that organization associated as digital friends to our fake account. On LinkedIn, Emily Williams was receiving endorsements for her fake certifications. On Facebook, people were congratulating her on her new job and offering help as she started her fake role in the organization. In a short amount of time, Emily Williams was welcomed in social media circles as a new hire looking to connect with fellow employees. Figure 11-7 shows LinkedIn endorsements for Emily’s certifications. Some of these endorsements came within two hours after we created her account.

During my initial outreach to targets using Facebook, one IT administrator at the organization being penetration tested asked “Emily” if he knew her after receiving her friend request that I sent, as shown in Figure 11-8. I quickly looked at his Facebook profile and saw that he had worked at Hungry Howie’s Pizza 10 years prior to the conversation, so I immediately jumped on that topic and responded that I (“Emily”) knew him from back then. My strategy was based on the assumption that it would be hard for this person to remember the girlfriends of people he knew 10 years ago. That strategy required finding another person he knew 10 years ago to be Emily’s former boyfriend. I clicked the target’s Facebook connections and saw he had a friend named Derrick that worked at Hungry Howie’s during the same time period. Derrick’s Facebook page showed that he currently was living in New York, allowing me to quickly make up a story about being Derrick’s girlfriend 10 years ago and recently running into Derrick while in New York. I explained that Derrick told me the IT employee I was speaking with worked at the organization Emily was recently hired at; hence, the reason for the Facebook friend request. The person not only accepted my friend request but also provided me valuable information about the interworking of the organization’s IT operations.

Impact of Emily Williams

The results of the penetration test enabled my team to conduct further social engineering that resulted in receiving a phone, a computer, and access to the target’s network without stepping foot into the organization (all equipment was shipped to us and preconfigured). With leadership’s explicit authorization, we were able to abuse vulnerabilities in how services were distributed, which led to a complete compromise of the organization.

Compromise not only occurred through receiving equipment from the organization, but also occurred through social engineering attacks launched from Facebook that allowed my team to collect login credentials to remote worker VPN accounts using a social engineer penetration tool known as the Browser Exploitation Framework (BeEF). The goal of our presentation at RSA Europe 2013 was to show the vulnerabilities of social media as well as weakness in human trust, including those people responsible for delivering services to employees: IT operations. Figure 11-9 is an example of one of the many articles covering our research results.

The key takeaway from this research is the potential danger of not securing IT operations. I predict IT operations and security will merge and be part of the SOC due to the types of risk exposed in our research project. Every forward-thinking SOC must consider securing IT services, which implies the SOC being involved with IT service security.

IT operations has changed since we conducted our Emily Williams research, and events such as COVID-19 have escalated certain trends such as the work-from-anywhere concept. Next, let’s look at recent IT services trends.

SASE and IT Services

As I stated earlier in this chapter, the future of SOC services will include SASE components. A major driver for this shift is the need to adapt to a work-from-anywhere architecture. Using cloud services means that technology doesn’t have to be shipped to an employee and that the risk of compromise can be shared or altogether handed off from the SOC to a service provider—other than securing the data being used. Data security will continue to be a fundamental responsibility of the SOC even after SASE becomes the norm.

Cloud technology allows for more flexibility, enabling employees to obtain the services they require rather than receiving tools they might or might not use. I personally have worked remotely for the past 15 years and rarely use an employer-provided VoIP phone. In order to use the physical VoIP phone, I have to plug it into my home network and use it as a desk phone; however, I don’t require that type of service for the work I do. Instead, I prefer to use a softphone or my mobile phone, making the company’s investment in my physical VoIP phone a waste of IT resources. In a large company, if you multiply the number of remote employees that don’t use their company-provisioned VoIP phone by the expense of provisioning and managing the unused VoIP phones, the sum will be a large amount of wasted money. One huge benefit of cloud computing is the ability to convert CAPEX to OPEX, which would be ideal versus always automatically provisioning a physical phone when a softphone is all that is needed.

Prediction: 3D Printing Resources

The IT operations function within the SOC of the future will offer a catalog of services that employees can request as needed rather than being provisioned as a set of services. As an example, 3D printing technology introduces the interesting concept of enabling employees to print something that was created by an outside party. I predict that in the future, if an employee needs a VoIP phone, they will be emailed a 3D image and be authorized to print their phone, removing the need to ship equipment. The services for the phone will automatically be set up, creating an extremely efficient process to provision such services.

When the asset is no longer needed, the service to the device will be automatically terminated and the user will be instructed to destroy the asset or mail it to a third party responsible for asset destruction. In the example of a VoIP phone, the future 3D printer could also offer the option to recycle the material, meaning melt the phone back into material that can be used to print future assets. Some manufacturers are already offering 3D sketches of replacement parts for their products. Rather than having to purchase a replacement part, a customer can simply download the 3D diagram and print what is needed.

Prediction: Virtualized Computers

Another service model that is shifting to the cloud is how compute power is provided to employees. Organizations today provide employees with computers for daily work. If higher compute power is needed, organizations either upgrade an employee’s computer or provision access to high-end servers in a corporate-owned datacenter. This approach to provision resources requires interaction with multiple departments, including the datacenter administrators to create the account and service, network administrator to connect the system to the network, and security administrator to open required services in existing security tools. Due to the multiple parties being involved, adjustment to services is tedious to enforce, causing security exceptions to exist beyond the life of the service and wasted services based on requests for more than what is needed to avoid having to go through the request process in the future.

The future of provisioning compute is to offer it from the cloud based on business need. When a user needs compute resources of a certain type or size, that user will be able to access a system that can quickly make the desired resources available. When the resource is no longer needed or is not actively being used for a certain time period, it will dynamically be reduced or be deleted. I predict even personal computers will function in this manner. Everybody will have template hardware similar to the Chromebook model; however, the organization will determine what resources that hardware will have access to. The future might even allow for template hardware to be vendor agnostic, meaning an employee could be using Windows while employed with a company, but later have the software switch to Linux on their personally owned hardware template based on a new company sending it different compute services. The employee would simply provide their MAC address and their employer would be able to send everything from the operating system to what is installed.

Another huge value of using cloud computing is the flexibility to adjust services when demand increases. Microsoft defines the ability to dynamically deal with peaks in IT demand as cloud bursting. According to Microsoft, Azure always has additional resources available to the customer via cloud bursting, and the customer is charged only for additional services used. This approach to provisioning services allows organizations to offer an almost limitless amount of services (setting aside concerns about associated costs to the organization). The concept of cloud bursting is the future of provisioning services, eliminating the traditional approaches of buying more services than needed just to accommodate future requirements or limited high-usage scheduling. I can imagine a future SOC analyst needing to run a task requiring heavy compute power and his/her laptop being able to pull down the needed resources dynamically. An example could be needing to decrypt packets using a brute-force technique, which would be much quicker if a supercomputer could be accessed for this purpose for a short period of time.

Prediction: Cloud Management Platforms

Management platforms for IT operations and security products are shifting to the cloud. This makes sense because having a hardware platform for management of technology affords no benefit, outside of supporting network environments that do not permit Internet access. The benefits of moving management platforms to the cloud include the following:

• Easy access from anywhere

• No hardware maintenance, power cost, or labor for updates

• Easy vendor access for support and troubleshooting

• Simplified integration with other tools because management is already in the cloud

• CAPEX converted to OPEX

• Much more robust high availability

Many vendors are already moving to this model. Certain customers, such as those that do not permit Internet access to their management tools, will need hardware options; however, I predict the majority of all IT and security tools used by the future SOC will be managed from the cloud. This includes firewalls, IPS, routers, switches, honeypots, and sandboxes.

IT Services Predictions Summarized

Of all my predictions, the biggest prediction I’m making regarding IT operations is that it will become part of security and therefore be a responsibility of future SOCs. Other predictions for IT operations fall in line with the predictions I made regarding the impact of SASE to the SOC. Tier one support will go away. Updates will be automatic. The office will be anywhere the employee can work. Cloud services will be the standard for delivering IT operations. Many of these predictions are starting to happen today and others might have already happened within your organization. Make sure your SOC has a plan for rolling in IT services, as all signs point to this becoming a normal practice within the SOC.

The third topic to dive into regarding future SOCs is how employees will be trained. Remember that security involves people, process, and technology. I predict there will be major changes in how people are trained as well as what training will be needed within the future SOC. Every organization leader I meet with has training as part of their agenda for maturing their SOC.

Training Today Summarized

To summarize training today, I refer to the article “Top 10 Types of Employee Training Methods” by Corey Bleich (CEO of EdgePoint Learning, an employee training service provider), which lists the following top 10 ways organizations provide training:

1. Instructor-led training

2. Learning

3. Simulation employee training

4. Hands-on training

5. Coaching or mentoring

6. Lectures

7. Group discussion and activities

8. Role-playing

9. Management-specific activities

10. Case studies or other required reading

When I ask an organization’s leadership about how they deliver training to their employees, the typical answer is that they use a blend of these options. My experience is that the most common options used by organizations are instructor-led training, eLearning, and hands-on training, all three of which tend to be outsourced to either the vendor of a certification program or a third party that is aligned with a certification program.

Next, I’ll briefly describe which of the preceding list of methods I use when I require training.

Learning Management Systems

Learning management systems apply gaming concepts to learning complex content with the goal of motivating students to complete tasks. An example of a popular LMS is Moodle (https://moodle.org/). I run a lab at Cisco that has a lab guide containing more than 300 pages of steps to perform all tasks. The older versions of my lab required a student to download the lab guide and perform all of the tasks as listed in a huge PDF file. I had no way to know how far students got in the lab, where they encountered problems (other than when they reached out to me), what areas they found the most and least interesting (unless I asked using a survey), and where they had to spend the most time. Therefore, I had trouble determining how and where to improve the lab to help encourage students to want to complete the lab. I also had no way to motivate students to overcome challenging tasks. Essentially, I was blind to how my lab was being used.

LMS technology (Moodle in my case) changed the way my team delivered the lab by allowing my team to associate points with completing steps. I could see how much time was spent on each step, what topics were considered interesting, and how far the average person would get in the lab. I was able to adjust the lab instructions based on real feedback as displayed in Moodle as it tracked people’s progress. I found that when students ran into problems, they were more likely to push through when they were close to scoring enough points for a digital badge. Student feedback from the new approach to delivering the lab was very positive. Figure 11-10 is a screenshot from my lab guide converted into the Moodle platform. LMS didn’t replace anything that had to do with the actual lab configuration; LMS replaced the lab guide.

The first key point to note in Figure 11-10 is the Completion Progress bar at the top right. LMSs include this type of progress indicator to show the student how far they are into the learning objectives as well as offer a click and access approach to picking up where a student left off when they need to come back to a task at a later time by clicking the progress bar step. Notice on the right in Figure 11-10 the Your Score area showing a ranking system, leader board, and other gaming tactics included to encourage a student to continue learning. The lab guides are posted on an Internet-based platform that offers language translation plugins to open up content to more people without the steps needed to translate the lab guide.

I predict LMSs will be the future for learning technical content. The LMS approach connects the developers with the students in a way that allows for more interactive collaboration between what is delivered and how it is perceived by the end user, leading to better results. The LMS approach also drives students to complete content and encourages better performance through various reward options and ranking systems. Don’t be surprised if you start to find more learning platforms moving away from static PDFs and becoming more interactive.

On-Demand Learning Example: Khan Academy

One fantastic example of on-demand learning is Khan Academy, which is a free version of Kindergarten-College education. One specific feature of on-demand learning that Khan Academy uses is personalized learning. Personalized learning means the content adjusts to the student; as the student masters topics, the content will adjust what is covered next based on what concepts the student needs to learn. Also, if the evaluation of a subject shows that more improvement is needed, the content will adjust and keep focusing on a topic until the student shows they have a firm understanding of the content. Personalized learning mixed with 24/7 access means students can learn when they want to learn and maximize their time, making this approach extremely effective. Figure 11-11 shows an example of a Khan Academy dashboard offering computer programming, early math, and grammar classes.

Future of Training: On-Demand Experts

I am a landlord, but I have never gone through formal training to learn how to repair things in my rental units. Instead, YouTube provides me access to very experienced advisors. If I need to install a new sink, I can buy the materials as listed in a YouTube video, follow the video’s steps to install it, and complete the project without any prior experience. I predict on-demand training will continue to grow and become the standard for learning how to complete technical projects just like it has helped me become my own handyman. This trend will lead to engineers not needing training to accomplish certain tasks, such as setting something up or performing a specific task, since they can learn in real time.

The SOC of the future will rely on a blend of wizards and on-demand learning to accomplish tasks, with expectations that the tools will teach the people rather than the people being expected to know how to use the tools. For example, a new analyst will be able to verbally ask a tool how to do something and the tool’s wizard will explain and do the work along with the analyst. This will also lead to a different skillset requirement such as DevOps and programming, meaning understanding how to create or build things rather than needing skillsets for managing existing tools, because those tasks can be done by following a wizard.

I experienced a version of a configuration wizard that understands verbal commands and explains complex tasks when setting up an HP Pavilion Windows 10 laptop. Upon startup, a robotic voice asked me questions with a detailed explanation of what was needed to get my laptop ready for use. I did not need a desktop support expert to help me with the setup because the on-demand virtual wizard clearly explained what I needed. I also saw a link to open a chat with a live on-demand expert if the wizard did not clearly explain what I needed to accomplish. The wizard not only explained features such as Windows multifactor authentication, but also explained why I would want to use them and how to set them up. I predict on-demand support will eventually only offer artificial support, similar to wikis, that learns and adapts based on its usage.

Future of Training: Universal Language

I predict that future technology will remove the need for people to speak the same language to communicate, meaning the future SOC will allow all employees to speak their native language and language translation will just occur in real time. In January of 2020, Apple added language translation to its software, allowing for quick translation between languages. Movies depicting the future show much more advanced versions of this technology where a simple earpiece can understand and translate any language on demand, which isn’t too far from becoming a reality. The future SOC applications will offer displays to support any language and voice will be translated in real time as conversations occur through Voice over IP technology. The breakdown of language barriers will allow the SOC to hire from all parts of the world and focus on what somebody knows rather than if they can communicate effectively with other team members. I predict that language training will be replaced with culture training, helping people understand other cultures, because that is a much harder concept to address with technology.

Future of Training: DevOps

I introduced the concept of DevOps in Chapter 10, which I pointed out is the future of the IT professional in the SOC. I explained how today organizations are throwing tons of money at technology that can produce outcomes, including SOAR and XDR. Outcome-oriented programming such as automation and orchestration continues to grow in popularity and will become a required skillset of the future SOC analyst. The future Internet will offer hundreds of services that can be leveraged using DevOps concepts replacing the need to start any project from scratch. Rather than buying a tool or building something new, the future SOC will simply obtain a generic template and choose from available configurations what they need and adjust the configuration as they see fit. If services or data are needed, such as threat data, that data will be pulled from other systems using APIs. I predict the future SIEM, SOAR, and XDR will simply be a platform that pulls in features and data from various sources, representing a true vendor-agnostic central point for all SOC data.

Cue Robot by Wonder Workshop is an example of a toy that incorporates the concept of using prebuilt programmable templates. My daughter has a Wonder Workshop robot for which she can download prebuilt templates that are customizable to make the robot do different things. My daughter’s role in the robot’s operation is to choose from the different available applications and make modifications until she is happy with how the robot responds. She doesn’t have to build the robot or configure the software for the robot. Instead, she just chooses existing software templates such as “move forward” or “turn the headlamp red” and modifies how that software works, saving time and the need to re-create what others in the Wonder Workshop community have posted online for her to leverage. For example, she can download a program named “Joey’s cool dance” and the robot will start moving around and making sounds based on how Joey configured and saved the program.

Many video games such as Minecraft are designed with the focus of modifying the code the game functions on. Players can copy the code of an environment they like and modify it so others can enjoy a new world built by a fellow player. Object-oriented programming (OOP) employs smaller programs, or “objects,” that contain code or data that can be called upon, and OOP is popular for teaching children programming. Both Minecraft and the Wonder Workshop community use the “move” command to move something, which represents a set of commands hidden within the move object. I predict the typical SOC analyst of the future will rely heavily on OOP rather than having to understand complex code. DevOps uses lots of OOP by calling APIs to enable prebuilt tasks to function. DevOps engineers rarely build things from scratch; rather, they learn how to create code that can make things work together or update existing code.

IT Training Predictions Summarized

People are a SOC’s most critical asset, and employee retention will continue to be challenging as SOCs around the world fight for the best people. Good training programs can not only help retain your best SOC employees but also help other employees become your best people. Leadership within organizations realize this and will continue to invest heavily in training options that are easy to obtain and deliver as well as have the best impact. This will fuel many of the predictions I have made about IT training, including training becoming a service that anybody can access from any part of the world. I highly recommend ensuring that your SOC keeps up with the latest training trends and considers migrating from classic in-person training to on-demand options that include the latest training technology.

My next focus for future SOC technology is automation. Chapter 10 hit this topic pretty hard; however, I believe most SOCs have barely scratched the surface regarding the potential of automation and orchestration concepts, making this topic a futuristic concept. Any future-looking SOC will be adopting automation that includes machine learning concepts.

Future of Machine Learning: Auto Adapting to Threats

Human behavior is complex, but with enough data, it can be predictable. Daniel Negreanu is a famous world champion poker player who has been ascribed the ability to predict what cards other players are holding. He has been filmed yelling out “You have king queen not suited!” and everybody is shocked to discover he is correct (sometimes). Mr. Negreanu has explained that what he does isn’t magic but based on various datapoints leading to a conclusion. He also explains that the slightest human gestures can determine how somebody will respond to his moves, allowing him to control the other players based on what he says and how he bets.

Strategies from poker champions such as Daniel Negreanu are being collected and automated with poker software. Such software uses a combination of behavior learning and math to determine what cards should or should not be played as well as the possibility of a certain outcome when cards are played. I believe the same concepts apply to security, which is why security concepts such as artificial intelligence are becoming more relevant in how a tool predicts attack behavior. I predict the security tools of the future will rely heavily on various big data learning mechanisms that take into consideration not only how threats function but also general human decision patterns, enabling the tools to both predict an attack and identify the attacker and their intent. Today, many security tools can identify an attack, but few can determine who is perpetrating the attack or why. By knowing those additional details, more holistic responses can be performed, including preventing future attacks by addressing the threat directly.

One amusing example of this concept is a web application firewall (WAF) I saw at a security conference a few years back. One feature being demonstrated was that when the WAF identified a certain type of web application attack based on matching attack behavior, the WAF would display to the attacker the classic Clippy paperclip stating “It looks like you are trying to deliver a certain type of attack. You can learn more about what you are doing here.” I predict the future of machine learning will include this level of response, such as “Hi Joey Muniz located at (home address), it looks like you are attempting a cross-site scripting attack against my client. This is illegal and I have recorded what you are doing. This is your last warning before I send the authorities to your location.” In order for this type of response to occur, there would need to be a lot of evidence with clear accuracy; however, I believe we are not too far from the technology needed for this level of detail to be collected.

Future of Machine Learning: Chatbots Take Over

A chatbot is an automated response to a conversation with a human. You likely have seen chatbots on websites asking if you have questions. When you ask a question, the chatbot will attempt to control the conversation by limiting possible responses and asking you to work within its response catalog. If the chatbot can’t answer your question, you are offered alterative options including contacting a real support representative.

I predict technology of the future will allow for hyper-personalized conversations between humans and machines. I will be able to instruct a chatbot such as Amazon Alexa “I see these details; explain to me what type of attack is occurring” and obtain a very specific answer identifying what the attack is and how it is impacting my organization. I use the example of Amazon Alexa because I also forecast that the type of security data used exclusively in SOCs today will be readily available for anybody in the future.

The best example I’ve seen of this type of conversation is in the Iron Man movies, in which Iron Man (Robert Downey, Jr.) speaks with Just A Rather Very Intelligent System, shortened to J.A.R.V.I.S, regarding real-time events. Iron Man asks J.A.R.V.I.S to predict what is the best action to take based on hundreds of factors. The idea and technology needed to allow J.A.R.V.I.S to understand what a threat is and cause a change in J.A.R.V.I.S’s outcome doesn’t exist today, but it is coming, as computer AI is designed to mimic human behavior. I predict the future SOC will have a J.A.R.V.I.S-like system that everybody will speak with as if it is part of the SOC’s staff. This AI to employee collaboration is also very common in movies featuring a spaceship crew interacting with the spaceship computer system.

Future of Machine Learning: Self-Configuration

Automation in security means machines automatically making changes a human would make. Many organizations are extremely cautious about deploying automated responses that have the potential to lead to drastic negative results. When the technology proves there is a very low risk of negative impact, I predict automatic security will become common in the SOC, meaning automated response will become part of all SOC procedures. Automated response will include adjusting the configuration of tools, logging all actions taken, and giving a post-incident explanation of what occurred both to the SOC and to whoever was impacted by the incident. I mentioned earlier in this chapter that I predict management tasks will be automated. This will occur due to improvements with machine learning, leading to a trust in the automated response from artificial intelligence.

An interesting depiction of futuristic trust in machines appears in the movie I, Robot, in the scene in which Spooner (Will Smith) manually drives the car. In the future world of I, Robot, machines drive all the cars. Manually driving is seen as a huge risk and a violation of insurance policies since the world trusts machines more than humans with driving. I predict this mindset will eventually apply to decisions made by AI tools in the SOC. Imagine a scenario in which an analyst makes a prediction but is dismissed by the rest of the SOC because they believe a different prediction that came from an AI tool. In my opinion, this is the future of AI in the SOC!

Self-configuration and response will lead to fewer job positions related to performing those types of tasks. I stated it before and will make the prediction again that jobs involving asset management tasks will be completely automated in the future SOC. The good news is that there will be an increase in demand for engineers that specialize in machine learning. Tasks for these future engineers include developing training data, adjusting classifiers in machine learning algorithms, and tuning how self-configuration tasks are handled.

Future of Machine Learning: Battle of the Bots!

As indicated in my previous predictions, I foresee automated responses becoming a normal activity in a SOC. I predict attackers will also leverage the same technology, leading to an AI versus AI cyberthreat landscape. Some future networks will become so hostile that manual interaction will not be able to keep up with response, leading to only being able to use AI to have tables stake performance, meaning only AI can keep up with AI-based attack. Future environments that become too hostile to monitor will become the top concerns for organizations based on the lack of controls and unknowns that are associated within the automated AI chaos. I can’t predict how big of a problem AI versus AI will become, but my gut tells me it will become a leading problem that won’t be solved with more technology. More technology will just fuel the problem.

Machine Learning Predictions Summarized

There continues to be a lot of hype in the security industry about machine learning, and for good reason. As the number of events a SOC needs to deal with increases, automation will be needed to keep up with the workload. Machine learning will also become a requirement to match the future speed of change in the threat landscape, which is why leading security vendors are heavily investing in machine learning capabilities. This is why many of my machine learning predictions are focused on how security tools will incorporate machine learning to improve capabilities and response time. Every forward-looking SOC will include automation and orchestration as part of their maturity roadmap. The future of automation and orchestration is dependent on machine learning.

The final topic to address is how to predict how your SOC will function in the future. I will attempt to apply many of the concepts from this book with the hope that the concepts positively influence the outlook for your future SOC.

Assessing Accessing the Datacenter

As I’ve covered in this chapter, many facility services will shift to the cloud in the future. You will need to adjust your SOC capabilities assessment to meet those changes. Figure 11-15 is an example of a SOC capabilities assessment that starts with the endpoint and works through security capabilities up to a server in the datacenter. Rather than including the endpoint, this diagram focuses on the security capabilities in the network and the servers in the datacenter.

Assessing Remote Users

Another scenario that exists today and will exist in the future is protecting remote users. VPN technology is not going away anytime soon since data privacy is a top concern and encryption is the industry standard for protecting data in motion. In the future, I predict remote-access VPN as a Service (VPNaaS) will be more common than traditional VPNs deployed through hardware known as VPN concentrators; however, the concepts are the same regarding security capabilities. Figure 11-16 is an example of creating a SOC capabilities assessment focused on VPN. This example uses the traditional VPN concentrator to provide VPN services, but how the VPN service is provisioned is not a security capability, which is why the VPN service provider is shown as an unlabeled icon because it doesn’t matter.

Based on changes in technology trends, your future SOC’s facility needs will be different than they are today. Earlier in this chapter, I spoke about how the concept of the office is shifting away from a physical location to one that allows for SOC members to work from anywhere. Many of the facility planning concepts covered in Chapter 2 will change to services and technology that are delivered to wherever the SOC team member is located. Collaboration technology will be critical to keep a physically separated SOC in synch. The savings from reduced facility expenses can be used to fuel a more advanced collaboration technology as your SOC makes the transition away from a dedicated facility.

Figure 11-16 has one specific change regarding how network access control is performed compared to the server-focused capabilities assessment shown in Figure 11-15. I replaced NAC with TrustSec/segmentation for provisioning access to the network. TrustSec classifies traffic based on contextual identity versus using an IP address. TrustSec represents the concept of group tags, which leads us to the next topic regarding the future of your SOC. That topic is the focus of using segmentation concepts that will replace traditional VLANs and ACLs.

Group Tags Explained

A group tag works by being assigned when a user authenticates to the network. That user is assigned a group such as the PCI group, which in this example is configured to allow access to the PCI resources. No access is granted to any packets if they do not have the PCI group tag assigned. This Layer 2 tag is held as the user accesses resources on the network, which means the entire network must support group tagging for this model to work.

Today, most modern network and security tools support group tagging, which has been one of the major holdbacks for organizations supporting older equipment and unable to invest in a network-wide upgrade. As organizations update their old network equipment, they will eventually be able to support group tag type technologies, making the case for switching from VLANs and ACLs to tagging a much easier conversation.

Figure 11-18 shows an example of a user connecting to the network and Cisco’s NAC solution, called Identity Services Engine (ISE), providing the secure group tag (SGT) classification of 5. When the user attempts to access the HR servers, she is denied based on not having the right access (SGT level 10). The firewall and switch both deny this access. This diagram also shows a financial server with an SGT of 4 attempting to access the HR servers and, once again, being denied by the switch due to not having the proper authorization. The key takeaway is that the entire network becomes the enforcement point of SGTs, allowing a much simpler security policy to be enforced network wide. I predict the current model of having thousands of ACLs and VLANs will be replaced by a centralized group tag policy matrix that is understood network wide.

NIST Tabletop Exercises

NIST SP 800-84, Guide to Test, Training, and Exercise (TT&E) Programs for IT Plans and Capabilities, points out that before performing a tabletop exercise, your organization needs to consider your organization’s overall objectives. The guideline also assumes your organization has a TT&E program. Those objectives can be evaluated using the following questions:

• Have the personnel who would participate in the tabletop exercise been trained on their roles and responsibilities within the plan? If the personnel have not yet been trained, the TT&E (test, training, and exercise) program coordinator should consider conducting a training event before the tabletop exercise so that the personnel can participate more effectively in the tabletop exercise, increasing its benefits.

• When was the last time the organization conducted a tabletop exercise for the plan?

• Have recent organizational changes been made that could impact the content of the plan?

• Has new TT&E guidance been issued that could impact the content of the plan?

Your SOC should periodically perform tabletop exercises to accommodate change and to evaluate your SOC’s current maturity level. Chapter 1 covered different approaches to evaluating each SOC service’s maturity as well as the overall SOC’s maturity. Figure 11-19 is an example of ISACA’s approach to evaluating the maturity level of the people, process, and technology in a SOC. It is critical to establish an understanding of the maturity of your SOC and associated services in order to develop a roadmap for what is needed to improve your capabilities.

Which Service to Use?

Assessments are a general evaluation of potential risk. Chapter 9, “Vulnerability Management,” focused on identifying and responding to IT vulnerabilities. I covered various approaches to performing assessments of IT systems using network- and client-based techniques that result in potential vulnerabilities. I also pointed out the risk of false positives being found, since assessments do not attempt to exploit the target to validate the risk is real. Chapter 6 explained how penetration testing is a more thorough but also higher risk and heavier service engagement for evaluating people, process, and technology for vulnerabilities. Penetration testing attempts to exploit the target to provide a more realistic assessment of a potential risk, leading to more accurate results. Due to the increase in risk and expected services, I recommended properly planning how you will execute a penetration test. As a refresher from Chapter 6, Figure 11-20 is a high-level diagram of the NIST SP 800-15 four-stage penetration testing methodology.

Your SOC services today and in the future must adopt audit, assessment, and penetration testing services based on your business needs. All three services are fundamental to maintaining a mature risk management service, and all three are used for different use cases. I pointed out earlier in this book that you do not want to perform a penetration test when you know you are vulnerable, as that is a waste of resources to inform you what you already know. You want to first perform an assessment and apply the best controls to reduce risk of exploitation before engaging in a penetration test, meaning the penetration test will evaluate how well you responded to what was found during the assessment. Audits should be assigned to required compliance and separate from how you perform assessment and penetration testing since audits are not designed to make your organization more secure.

Learning DevOps

The best way to make the jump from manual processes to automation and orchestration in your playbooks is to gain experience with DevOps. I covered many core DevOps concepts in Chapter 10, but mastering DevOps will require much more reading and hands-on experience. I recommended Cisco’s free labs found at (https://developer.cisco.com/site/sandbox) as a great starting point for SOC analysts to get hands-on DevOps training now at no cost. There are also industry certification programs that SOC analysts can work toward, which will help them gain the skills and confidence to convert steps in your SOC’s playbooks into automated and higher-functioning processes, leading to a much better SOC service. Figure 11-22 shows a screenshot of some of the many free labs offered in the Cisco DevNet Sandbox labs catalog that focus on Security.

Responding to Threats

Once a threat is detected, incident response begins. Chapter 8 covered best practices for performing incident response. How your SOC responds to incidents today will be automated or outsourced to cloud services in the future. Guidelines such as NIST SP 800-61 provide recommendations for how to handle an incident along with who should be involved. I also pointed out in Chapter 8 that organizations such as FIRST.org have well-documented guidelines for PSIRT and CSIRT, all of which can help you develop mature incident response playbooks.

The technology may change but the fundamental approach to handing threats will remain the same. One key point from Chapter 8 that complements this thought is that you must plan for what you know and why you don’t know. You should prepare for attack techniques you have never seen and understand potential risk, legal concerns, and costs as you develop and launch your response. In certain cases, you will need to leverage external resources such as legal authorities or forensic specialists. Other times, you will depend on your SOC tools and analysts to return the impacted systems to normal operation. Once again, I highly recommend performing the different assessment services, ranging from tabletop exercises to penetration testing, to ensure your SOC analysts and the playbooks you have developed are capable of handling the threats encountered today and ones that will attempt to attack your organization tomorrow.