A SOC is responsible for detecting, investigating, and responding to cyber threats. As the attack surface continues to expand, SOC teams are extremely overburdened. Further, there are talent shortages. The Google SOC team has found a way to scale and automate the detection and response process.

  • Eliminate security blindspots with cloud-native infrastructure
  • Get to “aha” faster with sub-second search, insights, and streamlined processes
  • Democratize security operations by leveraging threat intelligence, out-of-the-box detections, and playbooks



About Speaker

Kristen Cooper is a Security Operations Product, Google Cloud. She has over 16 years of product management and product marketing experience with the past decade focused on cybersecurity, working for companies such as Mandiant, Siemplify and now Google. Kristen has a passion for building world-class product marketing teams and working with companies to solve their security challenges.



(Webinar) Recorded



Discussion Highlights

1. Agenda:

-The need for SOC Transformation

-Modernizing People, Process & Technology

-Chronicle Security Operations


2. Security Operations is Ripe For Transformation:

-We can't store and analyze all data, resulting in blindspots

-It's cost prohibitive to ingest all the data we need

-It takes too long to investigate alerts

-We struggle to build effective detection and have too many false positives/negatives

-Our processes are too manual, we are too slow to respond to and remediate threats

-We don't have enough skilled engineers to make everything work


3. CISOs & Security Leaders are still asking questions:

- How can we increase the operational efficiency of our workforce?

- Are we effectively detecting & responding to all business threats?

- Can we budget, optimize and manage our financial costs?

- How can we modernize & get ahead of the talent shortage?

- Where can we co-innovate with Google?


4. Legacy SOC

  • Inspired by IT helpdesk philosophy
  • Treats incidents as rare and abnormal
  • Focuses on alert pipeline and pairs alerts to analysts
  • Centered on a SIEM (SOC=SIEM analyst team)
  • Has walls between alert handlers and alert tuners
  • Threat intelligence is sometimes consumed
  • Shallow metrics on handling time



5. Modern SOC

  • Teams are organized by skill, not rigid level
  • Process structured around threats, not alerts
  • Threat hunting covers cases where alerts never appear
  • Multiple visibility approaches, not just logs
  • Automation via SOAR works as a force multiplier
  • Deeper testing and coverage analysis
  • Threat intelligence is consumed and created
  • SOC elegantly uses third-party services




6. Five Key Steps:

-Baseline skills required against workforce & identify gaps

-Shift hiring program to align to new skill structure

-Implement an automation backlog, focus on toil reduction

-Fill gaps with partners, 3rd parties, and "shift-left" via x-fn

-Strive to achieve 40/40/20 ops-eng-learning utilization


7. People Transformation:


  • Analysts are organized by skills and focus on threats, not alerts
  • Implement learning paths, certifications, stretch opportunities
  • Analysts have clear success metrics
  • Hire partners to augment your team
  • Expand visibility to other practices (Devops, Security Architecture)


  • Supports additional stages of threat lifecycle (e.g., creates content)
  • Provide comprehensive onboarding and skills development programs, leadership training
  • Individual OKRs are aligned to solutions
  • Revamp your hiring program to seed talent potential and skills
  • Build interlock between SecOps & DevOps


  • Analysts create use cases and own end-to-end lifecycle of threats
  • Analysts export thought leadership and participate in community R&D
  • Program-wide OKRs aligned to solutions
  • Continually measure, hire inclusively, retain and promote often, train leaders
  • SecOps heavily influences DevOps
  • Analysts spend majority of time doing Dev (engineering/automating) vs Ops




8. Process Transformation:


  • Optimize the alert triage process
  • Expand use of threat intelligence
  • Build use cases
  • Adopt Continuous Detection, Continuous Response workflow


  • Start threat hunting
  • 100% coverage across ATT&CK
  • Integrate with x-fn dev process
  • Build SOAR playbooks
  • Establish OKRs around CD/CR


  • Team is fully utilized towards proactive work, reactive work is continually automated
  • Create and share threat intelligence across adjacencies & organizations
  • Fully adopted CD/CR workflow with full visibility of threats, optimize OKRs and board level metric visibility




9. Five Key steps to take:

-Implement your first deployable CD/CR pipeline

-Identify coverage gaps across MITRE ATT&CK

-Establish OKRs around CD/CR

-Start doing proactive threat hunting

-Identify opportunities to better operationalize threat intel



10. Technology Transformation:


  • Implement cloud native SIEM
  • Begin developing a content library for deployment pipelines
  • Add network, endpoint, cloud and other telemetry to SIEM
  • Develop SOAR playbooks


  • Robust implementation of ATT&CK across all data sources
  • Optimize technology TCO to spare budget for people and process improvements
  • Orchestration at the forefront of all new process additions


  • Maximize ATT&CK coverage by leveraging all available detection techniques
  • Autonomous discovery of assets and log sources
  • Co-develop technology features with your vendors and partners
  • Implement a data science program to identify AI/ML use case opportunities




11. Five Key steps to take:

-Start developing a use case library for content

-Expand visibility across endpoint, network, cloud ++

-Migrate to cloud native tools

-Utilize SOAR, especially in the early stages

- Optimize your tech costs for people/process improvement



12. Security Operations by Google




13. Key Takeaways & Recommendations:

-Shift organizational structure to align with skills NOT tiers

-Strive for a Continuous Detection + Continuous Response model

-Operationalize threat intelligence and begin threat hunting

-Migrate to cloud-native tools & utilize SOAR early

-Optimize your technology costs for people / process improvement


