Starting a SOC from Scratch – An Analyst’s Perspective
Having worked in a number of SOCs throughout my career, one thing that’s always been a point of frustration is working with legacy tools and processes and the inherent difficulty when trying to make changes to these legacy systems.
Tools
In many SOCs I’ve used a variety of tools that have been built up over a long period of time and don’t integrate well with each other: tools that have suffered from being used for too long without proper tuning, and where the tuning that does exist has not been controlled or documented.
Processes
In many cases, the processes that exist were designed around tools that no longer exist or for customers whose requirements have changed. It’s difficult to change these processes when coming into an established SOC; more often than not I’ve simply been told “this is just the way it’s done”. This is demotivating and extremely frustrating, as it inevitably ends up with the analyst spending time carrying out inefficient or non-value-adding processes.
Starting from scratch
Building a SOC from scratch has been such a refreshing experience. Reviewing and tuning the rulesets right from the outset, testing the integrations between tools, and even working on the automated scripts that the systems execute have allowed me to develop a far deeper understanding of the systems than I have ever had before. We’ve been able to develop the processes tailored specifically around our chosen tools and the analysts’ preferred ways of working.
“Finally, building a SOC from scratch has instilled a sense of ownership. The motivation to improve and maintain something you have helped to create far outweighs the motivation an analyst has in trying to fix an inherited system that is resistant to change.”
JOHN LODGE – Senior SOC Analyst