June 16, 2025 41 mins

Join G Mark Hardy and Carson Zimmerman, the author of '11 Strategies of a World-Class Cybersecurity Operations Center,' in this insightful episode of CISO Tradecraft. Carson shares his career journey, the evolution from the 10 to 11 strategies, and delves into the future needs of Security Operations Centers (SOCs). They discuss critical topics such as the importance of continuous improvement, AI's impact on SOCs, and the value of embracing neurodiversity in cybersecurity teams. Whether you're a seasoned cybersecurity leader or an aspiring professional, get actionable advice on how to enhance and revolutionize your SOC operations.

11 Strategies of a World Class Cybersecurity Operations Center https://www.mitre.org/sites/default/files/2022-04/11-strategies-of-a-world-class-cybersecurity-operations-center.pdf

14 Questions are all you need - https://www.first.org/resources/papers/conf2024/1445-14-Questions-Carson-Zimmerman.pdf

Transcripts - https://docs.google.com/document/d/1WVJi9WkxOG7yedQYWSooiqRFjBERd9kV

Chapters 

  • 00:00 Introduction and Guest Welcome
  • 00:53 Background and Book Discussion
  • 03:33 SOC Challenges and Stagnation
  • 06:10 Managing SOC Alerts and Burnout
  • 09:26 SOC Evolution and Neurodiversity
  • 23:50 Career Progression in Cybersecurity
  • 30:28 Impact of AI on SOC Operations
  • 40:07 Final Thoughts and Conclusion

Episode Transcript

Available transcripts are automatically generated. Complete accuracy is not guaranteed.
(00:00):
Hey, it's been a few years since I read the seminal book on how to run a

(00:03):
SOC, the 11 Strategies of a World-Class Cybersecurity Operations Center. But I've got the author of that book here today, and we're gonna talk about what comes next. Stick around.

(00:24):
Hello and welcome to another episode of CISO Tradecraft, the podcast that provides you with the information, knowledge, and wisdom to be a more effective cybersecurity leader. My name is G Mark Hardy, and today I have Carson Zimmerman with me. As I mentioned before, he is the author of the 11 Strategies of a World Class Cybersecurity Operations Center. And it came out a few years back and I think it's still one

(00:47):
of the best documents today. First of all, Carson, welcome to the show. Pleasure to be here. So tell me a little bit about your background and how'd you end up doing this, and maybe a little bit about your book and things. It's your show here. Absolutely. Thank you. I've been working in cybersecurity, and most notably security operations, for most of my career.

(01:10):
And it's really exciting. I think that cybersecurity is a really exciting field and inside of that, I don't think it gets any cooler than either breaking into systems or chasing after people who are breaking into systems. And it was those experiences that I had when I was at MITRE that led me to write the first edition, 10 Strategies.

(01:32):
After some time went past and I got to talking with my co-authors, Ingrid Parker and Kathryn Knerler, we decided to do the second edition of the book, 11 Strategies. And no, we didn't just add one strategy. Actually there's about four new ones and we moved a bunch of pieces around on the chess board. And what we ended up with was the book that came out a couple years ago.

(01:54):
We made a very deliberate choice to make it free, and there were many reasons why. To put a very long story short, we felt and still feel that it's more important that the knowledge of how to do security operations really well is available to as many people as you can. And the money book authors make on their books is very minor,

(02:18):
compared to their time investment. Yeah, that's a good point. And I think a lot of people think, oh, I'm getting a book out there. I'll make a fortune. It probably won't even cover minimum wage for the time you put into it, but it is a chance to go ahead and contribute. And I do appreciate that because, as they said, the 10 Strategies is the one that I used to point to when I was teaching at SANS for a number of years.

(02:39):
And they're like, so somebody says, Hey, I want your 11 Strategies book. Where do they find that? It is at mitre.org, WAC 11 Strategies. Very easy. And probably also at Amazon or Kindle, do they charge for it there? It is just best to go directly to Mitre. You can go to Mitre if you want the PDF for free. You can go to places like Kindle and Amazon and some other booksellers.

(03:02):
You can do print on demand. You can get the Kindle version. And what we've done is deliberately set those prices to where it's cost neutral. I don't see a dime from it, and neither does Mitre or neither do my coauthors. We appreciate that and it's like doing this podcast. I'm, wow, it's hard to believe I'm 237 weeks into this, and yet the idea

(03:24):
is to go ahead and create a body of knowledge that's gonna help those who are in our career and those who are following in our footsteps to go do other things. But probably since that book came out, you've probably seen new things as well as we know things evolve, information changes, situations change. Not that I'm trying to press you into it, but if you had to write a third edition

(03:46):
after the 10 and the 11 Strategies, what do you think topics, what would you cover? What would you be adding? A number of things. I can talk about a handful. The first I'll talk about is a phenomenon I've seen where anyone who's been in a SOC for long enough sees this constant struggle between turning

(04:10):
the crank on the incident lifecycle: detect, investigate, respond, recover. And there's this huge tension between doing that and doing everything else that's necessary to be awesome in a SOC. And what I've seen and experienced firsthand is that sense of stagnation

(04:30):
you get where you're only paying attention to the incident funnel and you're not stepping out of that and investing the time you need to get better. And that feeling I've had, and then so many other people I've had in security operations have felt, is what led me to do the talk How to Save Your SOC from Stagnation a couple years ago, where the premise of my talk, to put a long story short, is treat those investment areas in

(04:54):
the SOC as a first class citizen during normal times, as if there's ever normal, as you would the incident funnel. So for example, engaging with your service owners and major stakeholders in co-hunt and co-detection creation, or

(05:19):
working on your SOPs, in your playbooks, or using every incident as a training venue and a PIR venue, meaning post-incident response, how to get better. So the point is, SOC leaders, we need to build the metrics and rhythm and business around

(05:40):
the activities that help us get better and step out of the incident funnel. And one of the cool things that does for us is it'll both build engagement and investment by the workforce in the SOC. And when the really big incident hits, of course, we should have some breach mindset, but when the really big incident hits, the capacity you had

(06:01):
on those things can be paused, but critically you need to come back to them and don't just get stuck into the, we're doing all of our resources on incident funnel all the time. Yeah, because I would think in a SOC that one of the most difficult things, and particularly about burnout and stuff like that, is the always-on nature of alerts pouring in information. And of course, no matter how you filter them, there's still a triage

(06:22):
function at your level one to say, Hey, is this thing actually bigger than a bread box? Do we need to kick this thing up? Or can we handle it at this level? Or do we just disregard it? And it would seem to me that if you had to look at every single alert that came in and then make a manual determination at that first round, you would be totally overwhelmed. You'd feel like an air traffic controller working Newark airport all by yourself.

(06:45):
Are there tool sets out there, or configuration tips, that allow us to go ahead and make the input funnel from about this big down to about that big where it's now manageable? Does that help at all with our burnout issue or are we really talking about something completely else? So completely, entirely different that would cause that factor?

(07:07):
I would say that is the number one investment area, meaning controlling the signal that comes into the SOC. That is probably the number one investment area to reduce burnout. I'm not gonna say eliminate it, and it's not the only one, but I would say it's either number one or top three. And this is an area where I see so many SOCs fail, and the failure

(07:30):
modes include, yes, burnout. Yes, you are bringing in bad signal, but it's a matter of discipline. And a lot of people who are new to this field, they'll come in and they'll take an off the shelf product from a very well known vendor of security products.

(07:52):
Could be any of them. I'm not gonna pick on anybody today. And they turn it on and they get the defaults and they're flooded with alerts. This is, in fact, this is cliche at this point. Every security vendor that I know is talking about reducing alarm fatigue and increasing situational awareness, and that's still a good goal. But the best place for the SOC to be is where they have a disciplined

(08:18):
approach to tuning, and it is a day over day, week over week investment. So with that tuning, then, it sounds, and a lot of companies, it's hard to be, in the Navy we used to call it a pre-commissioning crew. If you're part of a brand new ship, they're gonna lay the keel. You get out there and then you say, Hey, we're gonna be part of that original crew.

(08:41):
That sounds great on paper, but in reality it means about 18 months being in a shipyard and there's dust and there's noise, and there is grit, and it's hot and it's miserable. And then when you finally get out to sea and settle in, maybe you join on the second crew out of however many years you're doing. But organizations today, we build out SOCs and then we run them.

(09:05):
How often are these new SOCs coming online? Are they like Chinese coal plants or are putting 30 a month online? Or are major SOCs only happening every now and then? And then people who get involved in that build out are actually going through a rare experience in 2025 and beyond. I want to use the word plank holder, but I won't.

(09:26):
I would say at this point in time, we've seen so much digital transformation. The part of almost every organization out there has some kind of digital footprint, digital estate. And it's not like when I got started in the field 20 years ago where people are like, what's cyber?

(09:46):
It's now a transformation. So rather than saying, oh, we're gonna create a SOC from nothing, usually it's, we're doing some kind of transformation where we had something and then we're doing something different. And then it might be, we're starting with some hodgepodge of stuff. It could be, we're starting with some outsourcing and maybe we're insourcing.

(10:09):
Maybe it's the reverse. Maybe it's a mix. So the point is, that relative to tuning or anything? Rarely do I see organizations starting from nothing, but rather there's something that happens. Usually it's a major incident, and then it causes a change in investment or investment strategy. Got it.

(10:30):
Now, one of the things that you had mentioned, we talked about, is 14 Questions Are All You Need. But what do you mean by that? What's the thought behind that? I had a dream that was more of a delusion right around the time I did the second edition of the book, 11 Strategies, with Kathryn and Ingrid. And one of the next things that I wanted to do, I said I wanted to build

(10:55):
a maturity and capability framework for SOCs and I didn't have the time, because real life. And in that time, there were a couple other frameworks that came out. Most notably SOC-CMM, and the ENISA SOC, or CSIRT, maturity model.

(11:16):
You can go look them up on Google, you'll find them quickly. And I said, these are relatively comprehensive models. I have some things and some commentary about each of them, but I said, I'm not gonna do another one because I'm just crowding the space. So instead, I thought about it for a long time and talked to a bunch of people and thought, what are the most important questions that a SOC needs to ask itself

(11:42):
pertaining to what's getting in its way of success, and I thought about it a lot more and said, I bet I could get this answered in 20 questions. I actually got down to 14 and this was about a year and a half ago. And the whole LLM transformer thing was just coming out.

(12:02):
I said, I'm gonna make fun of some people. Attention Is All You Need, and I'm gonna do 14 Questions Are All You Need. So the premise of this talk and my argument is there's a very small number of questions that we should make sure we're focusing on because those are the questions that indicate we're getting in trouble. So for example, we can talk about things like how long has a given group of people or a given role in

(12:25):
a SOC done the same thing in the same way? If the answer is years, you probably have a problem because you are not evolving what you do and how you do it fast enough. Or let me give you another example. Many security operations centers struggle to get what they need when they need it from their engineering resources.

(12:46):
In fact, some SOCs have engineering not at all in the SOC, which I think is a terrible idea and I've never seen work. But anyways, one of the questions you should ask yourself is, from the time I say to myself, I need something, to the time that I get it satisfied, actually satisfied. And I don't mean fake satisfied like we delivered to you a project. No. Like how long has it taken you to actually achieve ops impact?

(13:06):
Is something worth measuring? And my argument also is it can feel very draining to build a very large and robust metrics program. And part of my argument is a lot of times anecdata is just as good because when you collect that anecdata and then tell executives about it, they're like, whoa, I had no idea.

(13:28):
We totally need to go change X, Y, Z, and it's just as good as if you spent six months building some crazy complicated set of dashboards. And we say anecdata, I'm figuring that's a portmanteau of anecdote and data. That's right. And just try to make sure, if people are driving in their car, what did he say? And where do I find that?

(13:49):
It's anecdata. It's those stories, it's those vignettes when you say, Hey, today it takes me, I'm gonna make something outrageous up, it takes me three hours to triage every alert, and we have 10,000 of them a day. I can do that based on an informed opinion about what's going on in ops without actually having to go into my SIEM and my case management system and actually measure

(14:13):
click times and all of that stuff. Yeah. Now there's gonna be some people you need to convince that will say, I get it. I got that. And other people that are gonna be, show me the data. And in a way, there's really no one solution that fits everybody. It's really understanding how does your management team that allocates budget, allocates resources, make their decisions?

(14:34):
And if you have that insight, it's almost, that's almost more at the political layer here, being able to communicate to people who are decision makers, power brokers, in the language that they prefer. And if you tend to be a left brain, by the book, hear the numbers and show up with a ton of data, and you're dealing with somebody who makes major multimillion dollar decisions on a golf course based upon,

(14:57):
oh, hey, okay. If I make this putt, you get the deal. If you make the putt, I get the deal. Whatever. Then you need to readjust. And that's what I think a lot of us who are in management to leadership roles, it should be people running SOCs. Alright? You've progressed past the technical level, you're doing a shift management or something like that. But at some point, if you're leading a SOC, which means in addition to

(15:19):
delivering on time, on budget and making sure that all that stuff happens in the fashion you meet your SLAs, that you take responsibility for the wellbeing of your people. And that's what I say is the unwritten rule in a lot of leadership positions. They don't say that, it's not in the job description, it's not in the performance review. It's really what differentiates you from a manager is that beyond

(15:40):
just getting the job done, you're growing and developing your people. And some of the things that we're talking about here about being able to say, Hey, I've gotta deal with stagnation, I'm trying to deal with burnout and stuff like that, go a long way to being able to address the taking care, if you will, or understanding and developing your people. But one thing that's the elephant in the room for a lot of us is our people.

(16:03):
And the nature of what we do in cybersecurity doesn't necessarily lend itself well to the average person that's out there. And so what we find out is we look at labels, and I hate labels because it automatically causes you to pre-classify and pre-judge people. But the reality is, let's face it, the idea of neurodiversity,

(16:25):
however we want to define that. But typically, is that people approach problems in life a little bit differently than the mainstream. So if you look at the bell curve, yeah, a lot here. Okay. And maybe over here, but what do we see in the SOC world and things like that about neurodiversity and in the security operations world in general? And is that a strength of ours?

(16:47):
Is that a weakness? Are we coming a na where we're attracting people that can't get a job anywhere else? Or is this where people with these special skills, because they're innate in their personalities, can come and shine? This is a fascinating topic and I'll make a couple comments, G Mark, that actually probably go back to the experiences you and I have had at

(17:10):
security conferences 20 years ago. When I went to DEF CON in the early aughts and I looked at the crowd, I saw a lot of young white males, and it was a very unilateral, one dimensional audience. And in that time when I was learning cybersecurity, it was generally possible

(17:37):
to know and have your mind wrapped around most of what you needed to know to be a cybersecurity professional. And in that last 20 years, we've branched out so much. You've got people who are total nerds about GRC. You've got people who are total nerds about just cloud authentication.

(17:57):
You've got people who are total nerds about certain areas of malware analysis or penetration testing, et cetera. One of the things I wanna highlight is the diversification of experience and background. When I now walk around DEF CON, which has gotten absolutely huge, I see a more diverse crowd and I see a more diverse set of experiences and expertise.

(18:22):
So we need to harness that, and inside a SOC, when people think SOC, they think someone who's staring at alerts. That's true, but that's actually one of only about 10 or 12 different personas. So we think about in that context, how do we think about those different personas of leadership management types, hunters, triage people, investigators,

(18:46):
incident response coordinators, malware analysts, data scientists, et cetera. So let's think about that for a second. Is the persona and background for someone who's running an incident call and herding 50 cats along the way the same person you want doing PE header analysis? And the answer today is absolutely not.

(19:09):
Can one person go from one role to the other role that I described? Yeah, I've seen it happen and in fact, sometimes it's really awesome. But here's a piece of anecdata for you. I have stood in front of crowds at conferences, as you do, and I've asked for a show of hands in the room. I said, how many people here are neurodiverse?

(19:31):
And what happened next blew me away. Half the hands in the room went up. In fact, probably more than half. In fact, because we know at conferences, G Mark, you've probably done this many times, you ask for audience participation. It doesn't matter if you ask who's here, not all hands will go up. And I'm like, whoa.

(19:51):
Now this is not a scientific study that I've just done, but think about that for the moment. Half the people in the audience or more have just asserted they're neurodiverse. And I would further conjecture, some of the most predominant areas of neurodiversity are probably ADHD, autism spectrum, and anxiety, and yes,

(20:12):
there's a comorbidity between them. By the way, I'm not a health professional, but I read a lot. So my argument here is when we look at a security operations center, number one, we need to think about those different personas and for the people who are bringing neurodiversity as a superpower.

(20:32):
That superpower of being able to focus on a problem, to hyperfocus, or that superpower of being able to see a bunch of different connections and bring together different perspectives or different pieces of data that a neurotypical person wouldn't. Those are superpowers, number one. Not everyone in the audience or in the SOC knows that they have that,

(20:55):
and they may just be over-functioning. Or a high functioning person who doesn't realize they're neurodiverse, but really good at it, or they are. And the point is, how do we as leaders, as managers, as leaders, et cetera, of the SOC and other parts of the cybersecurity apparatus, recognize those superpowers and embrace them and make those people super effective people who

(21:20):
are gonna find the next major incident or prevent the next major incident. And that's a real challenge of leadership. I think any of us who have had that privilege to lead others find that often there are some, maybe one, maybe several people that, for better or worse, they just don't quite fit in. They're not in the correct role, they're not in that, but you don't necessarily have a chance to change that.

(21:42):
But if you have the perceptiveness to be able to say he or she could do this, and you assign them some type of role where they could shine, not only is there a great deal of job satisfaction in that because people said, wow, I'm doing, I'm loving this. But then other people who look at the scans, you know this guy.

(22:06):
Wow, this person is becoming a rock star. And I have seen that myself by being able to find people like this, give them specialized assignments, and they do extraordinarily well. And the benefit is significantly beyond what an individual contributor might normally do because this is a role that you wouldn't give to

(22:26):
a typical individual contributor. And one of the things that we have to be sure of as leaders is to look across the people that we have now. Of course, there's a lot of pressure going on in political, and we don't get into politics here, about identity and things such as that. People are who they are. And I don't think a lot of people wake up one day and say, you know what? I wanna get beat up a lot.

(22:47):
I wanna get bullied. I want people to screw with me and make my life miserable. So I'm gonna declare this. Rather, it's the opposite, is that here is who I am. I've figured out, know thyself, like the oracle at Delphi. And then people say, I don't like the fact that you know yourself because you know yourself as this. Looking at SOCs, cybersecurity, neurodiversity,

(23:09):
I tell people that is actually, as you had said, the same term, a superpower. It allows us to go ahead and look at things and either absolutely focus in, laser focused, and just go over and over and wait a minute, there, and nobody else could see that. Or you've got such a huge range of inputs and a little bit like A

(23:30):
Beautiful Mind with Russell Crowe. You see all these numbers and everything, patterns, and all of a sudden that's it. And it's okay. The average person doesn't do that, and we don't need everybody to be able to do that. But it does bring up an interesting point, and as we talk about boredom and the like before, is that

(23:50):
career progression and career rotation. I'm gonna fall back into my Navy example because in the Navy we had a couple things for our military, in the officer community. First of all, it's up or out. So every six years you get another look at you to say, are you progressing correctly? Have you moved from a technical to management? Have you moved from management to leadership? Have you moved from leadership to political work?

(24:10):
And at the end of six years, they say, yeah, you're not gonna promote to lieutenant commander or captain or rear admiral or whatever. And that's a normal progression. And it necks it down and it gets it smaller. Similar things happen in the corporate world, although maybe not in such a structured fashion. But we used to talk about the fact that the Army had a lot of gray haired majors. They were brilliant at their technical role, and the Army

(24:34):
didn't force 'em out of it. They said, look, you're a rockstar. Be a rockstar. Now, Title 10's gonna catch up with you, and at the end of 20 years as a major, you gotta go home. But that's still a long run for a technical expert. The Navy's, you're really good at that. Okay, good. Let's switch you over here. You're really good at that. Okay. And waiting for the Peter principle. You get promoted to your own level of incompetence.

(24:55):
You're good here. We'll promote you. You're good here. We'll promote you. You're not good. We can't promote you. We're gonna leave you where you're not good. The solution to that, by the way, is what we did, and we said someone needs to be fully qualified for the next level. So when we say, Hey, I'm gonna put you into the next level, it's, I'm not really gambling that maybe you'll figure it out. You've already demonstrated by, if you will, overclocking your performance at

(25:18):
one level that yeah, you can do this. And I've seen glimpses of, yeah, she's gonna do all right there. So let's give her the full title, give her the paycheck and the responsibility and run with it. Now does this suggest that for we, if we're gonna be wise, leaders have to be able to have enough insight to craft career patterns for our people to know that someone to say,

(25:42):
Hey, in this world of neurodiversity, they're gonna, if you will, eventually become a gray haired major, which is absolutely okay, or this is somebody who is going to be moving around in different levels, how do we gain that wisdom, number one. And then number two, how do we fight against the machine? That is to say the human resources department that might have an up or out

(26:02):
thing to say, this person really hasn't progressed and they only met the same goals they met last year. They met the same goals they met the last year and the year before. So why do we wanna give them raises? It's because they are doing absolutely essential stuff. So it's a big dilemma for a lot of people running teams. But any thoughts on all that? I have many. I'll offer just a couple.

(26:22):
The first is from my own experience. One of the reasons why I've loved serving in management and leadership roles is that moment where you see a problem the business needs to solve, someone who has talent in that area and may not recognize that they can do

(26:44):
it, but that you believe in them and then you're ready to take your hand behind their back and push them into the deep end and watch them succeed. And it is so cool to see, and to see them grow. So that's a big piece of it, is recognizing and making those connections. One of the things that I think about in this context is security

(27:07):
operations is such a dynamic field. I'm sorry for the cliche, but it's true. And as a consequence, that enables us to have career progression and skills progression built into the SOC as a necessary and more prominent aspect of the job expectations than I think exist in many other fields.

(27:31):
Sure, all fields are progressing, but like right now, think about how differently we're doing things today than we were 10 years ago or 10 years before that. Like when we wrote the first edition of the book, when I wrote it, I spent a long time on network sensing and it's still in there in the second edition.

(27:52):
It might be there in the third. We'll talk about that in a second. But like how many people have I talked to recently who have gotten fired up about Snort? And the answer is no one. Marty Roesch, he's, but should we still have network sensing and network telemetry in our portfolio of tools? Of course we should.

(28:13):
Do I still think Suricata and Snort are premier tools? Of course I do, but there's so many other things we have to bring to the table now that we weren't thinking about as hard before. Part of the moral of the story here is, again, going back to save your SOC from stagnation.

(28:34):
Make sure that all the roles in the SOC are progressing and that people are having that career progression inside the SOC, or maybe in and out of it. Some of the best people in the SOC I've seen are people who used to do red, penetration testing and red teaming. And so it's interesting. Yeah, because we do have that ability to flow in and out of a SOC. You don't have to sign up and then say, okay, there's gonna

(28:55):
be my career for 20 years. A lot going on out here. And we look at all the additions and the expansions of technology and the roles and the tools and everything else. But to use what almost became a meme, that the talk I had last weekend up at THOTCON, but AI. Ugh. We did a pattern that's, this is, for those who are watching on YouTube, I

(29:16):
got the longest beard I've ever had and we did a talk called Grey is the New Black: Why You Should Listen to the Old Person in the Room, and the panel that we had up there, it back and forth and we discussed things, but it really came around a lot to, that almost became silly in a way because we're talking about it, but not so silly when it comes to a SOC.

(29:37):
When we look at the constraints thatwe have in terms of available people.
Possibly being able to get additionalresources for those people, the running
of a SOC itself, versus outsourcing to anMSSP, depending on your size, of course.
And now with the advent of artificialintelligence, which adds up on both sides,
it provides attackers, it democratizessome of the capabilities that were only

(30:01):
heretofore available to nation states andreally smart and clever and perhaps evil
people, but also on the defensive side.
It may allow us to go ahead and doa lot more without having to have
human intervention, allowing us toalmost make decisions at line speed.
So a lot of stuff there, but I wanna justsit back and listen to you talk about

(30:23):
what are your thoughts about what AIis gonna be doing for us going forward.
So there's no question that thereis a lot of hype and a lot of
attention about AI right now.
Now, to focus this for a little bit,when we talk about a ai, I'm going
to infer on your prompt pun, doublyintended, that we're thinking about

(30:47):
Ag agentic models, SLMs and LLMs,and other generative capabilities.
Yes, all of this AI stuff I think isgonna transform the way SOCs operate.
And I'm actually deliberately waitingfor this field to develop before I

(31:09):
write the third edition of the book.
More on that in a little bit.
So I further agree that, they'regonna help different parts of the SOC.
And I think we're just getting started inunderstanding what that really looks like.
So first of all, if you haven't seenthe fact that there's a million startups

(31:31):
and all the big companies who are putting resources towards this, if
you're not seeing that, you're not paying attention to the industry.
So let's get that out of the way.
I wanna also acknowledge that there's a lot of products coming to market
now that have really great promise, and beyond that, there's a lot of
vision around using these generative technologies to replace human tasks.

(31:57):
And I think we're all there with the vision.
The question is, how soon will we be able to depend upon them and in what capacity?
So there's a couple things I wanna pull back from.
I don't think we're gonna get our human body count down to zero for

(32:19):
all of the things that we have these generative technologies take over for us.
We will probably have our humans doing other things.
So the first misconception that I would offer is that a lot of people,
when they approach this, they think of the work that the SOC has to do

(32:40):
as a static and finite set of stuff.
And I reject that model.
Instead, think of it as, hey, I've never met a SOC that felt
like they had enough people.
So the point is that there's always more signal to consume,
analyze, and respond to.
So the name of the game now is, what are the things that we can

(33:03):
automate now and where are we gonna move our humans to moving forward?
The first thing I think I see a lot of people spending a lot
of calories on is writing code, summarization, and alert triage.
There's, you go look at a bunch of go-to-market strategies, lots of

(33:23):
marketing around this, blah, blah, blah.
Everybody's talking about it.
Where I think you and I have probably ourselves had success
is like, hey, whatever tool I like, Gemini, Copilot, whatever.
Write me code that does blank and you'll get results that look pretty good.
Are they perfect?
No.
And that's the first place I wanna stop and say,

(33:47):
one of the ways I think about using LLMs right now is you're starting
with a blank sheet of paper.
What do I do?
So that's one way to think about it.
The next way to think about it is we are applying LLMs and technologies
like that and using agentic frameworks to automate a bunch of
tasks together, and we immediately go to analyst triage, which is great.

(34:10):
But think about those different personas I mentioned before.
Think about all those different personas in the SOC and how can
we use generative AI to enable all of those personas, and think about
them across the incident lifecycle.
And suddenly, we now have all kinds of ideas on how these

(34:31):
technologies will help different parts of the SOC at different times.
And then the third way to think about this is I'm gonna take a page out
of the old book and say, think back to the days of network intrusion
prevention systems and think about SOAR, meaning SOC Orchestration,
Automation, and Response automation.

(34:53):
The mental models we used with those technologies still hold. When I turned on
an IPS back in the days, back in 2005,
when I had more hair,
people would turn it on in full auto straightaway and they'd be
very disappointed at the results.
And instead they learned that they needed to turn it on in alert

(35:16):
only mode for a while and tune it.
And so when we think about, G Mark, to your point, are the adversaries
going to use generative AI?
Yes, they are.
Are they gonna use it to go a lot faster?
Yes, they are.
And before we go full auto,
we need to manage our own expectations, tune our implementations, make sure

(35:38):
that the underlying signal quality is good enough and that we have
full transparency into how those models are working on our behalf.
So what is old is new again.
Just like when cloud technology happened 10 years ago, there were
a lot of people with this reaction.
It's like they had an instant amnesia.

(35:58):
I've forgotten everything I ever knew about it and I'm gonna start over.
And I say, no, actually, you know more than you think you know.
And what I'm saying is take the mental models we applied to anything
that's inline or prevention and any of the automation stuff,
because all those same concepts and our approach still apply here.

(36:19):
That's my TED talk on the matter.
I'm sure you have questions.
Sounds good.
One of the things with the embracing of AI is I'm worried about
people getting over the handlebars where they're, oh, they're gonna throw,
let's just outsource this thing to AI.
Let's give it to it.
Oh, who needs people when we have this?
And of course they're gonna end up with a difficult situation.
They're gonna say that's not helpful,

(36:40):
that is not gonna give us what we need.
And as a result, what comes out of that is that we say, okay, you've now created this function
in your organization because, whether it's hallucination or lack of being able
to understand how this thing is gonna interact, it's just not gonna work.
And then, okay, fine.
How do we get the people back?

(37:01):
I'm sorry, you fired me because you wanna have AI.
I'm not coming back.
And so people can
disassemble a well-performing team by misunderstanding the capabilities of AI.
Absolutely agree.
You wanna walk before you run.
You wanna put it in audit mode, if you will, or monitor mode before
you let it go and do actions.
But at some point in time, we need to go ahead and say, yeah, it's a

(37:24):
competitive advantage, if not just in terms of using it in our business
model, to be able to keep up with the threat actors who are incorporating
these types of generative tools in increasing the intensity, the capability,
the breadth of what we're facing.
I don't know.
You're right.
It's something to observe and watch and find out.

(37:46):
I think, as you had said, your third edition, which I'm guessing if you're
gonna do in the Ocean's 11 and 12 style, that this is gonna be the 12 tips that you
can use for your SOC and you progress from there, will encompass AI.
But anything else?
It's never going to be fully ready.
We can't say, yep, we're baked in.

(38:07):
We're good to go.
So at what point in time do we just jump in a little bit and start
going, is now too early to start putting in the AI tools in our SOC?
And if so, is there
anything we're seeing out there that we expect some big developments
taking place in the vendor space in the next few months?
Kind of doing a little bit of prediction since we've been at
RSAC and have Black Hat coming up.

(38:29):
They always get to see those shows and see what's next.
My advice is if you haven't started, you really ought to, and use the model
of the different personas in the SOC, the different jobs to be done, to
help us understand where to achieve thoughtful insertion of AI technologies.

(38:52):
And I also advise being very pragmatic and very thoughtful in application of LLMs.
Don't just say, oh, an LLM was the answer,
what was the question? Instead,
in fact, there's a lot of automation techniques that are not going away.
Writing a Python script is still useful.

(39:13):
In fact, predictability and repeatability and determinism are still important.
Having an LLM-based agentic framework may not be the way you want to respond
to every alert because there's some built-in lack of determinism there.
That's part of the point.
So the point is be thoughtful about which technology you're

(39:35):
applying to each of them.
Cost, efficacy, efficiency, et cetera, being part of it.
But absolutely my advice is get started
now. Be thoughtful about the different parts of your SOC and where you're
using it, and be very thoughtful of what are the measurements of success.
Can I rely on this?

(39:56):
Have I saved time, or have I gone off chasing squirrels
because I've got a shiny technology?
Sounds good.
We're getting close to the end of the show here, so any final thoughts that
you have that you'd like to leave our listeners with to perhaps look forward to
in the next few months, or things that you just think in general are important?

(40:19):
I would say, at the risk of stating a worn-out cliche, expect constant and continual
improvement and innovation from your SOC.
If your ops model and what you're asking your SOC to do or your
resourcing don't sustain that,

(40:39):
I strongly urge you to reexamine what that is looking like for you.
You either need to work with them to enable them to cut down the work that's
of lower value, or work with them to restructure and focus their resources
on stuff that helps 'em get better.
Sounds good.
For everybody out there, thank you very much for being part of our audience

(41:01):
here at CISO Tradecraft. Carson,
I do appreciate having you on the show.
I always love talking with you.
You get me thinking about really great ideas.
It's one of our latest entrants into the career pattern.
This is my niece Zoia, so we're staying up at her house.
Yay.
So for folks out there, we do more than just podcasts.
Go ahead and follow us on LinkedIn if you don't already.

(41:21):
We have a Substack newsletter, we have shorts out, things like that.
Also, go ahead and subscribe if you don't, and let everybody else know where
you got your great information from.
So appreciate you being part of our audience.
Thank you for taking the time to develop your career.
This is your host, G Mark Hardy at CISO Tradecraft.
Until next time.
Stay safe out there.