ADR and the SOC: 20K Leagues Under the SIEM

The app/API layer is being bombarded with torpedoes. With ADR, the SOC can finally see the threats that lie below the waterline, react quickly and save the ship from sinking.

Fig. 1: driving around in the figurative submarine Nautilus, fending off lurking threats

The SOC defends organizations: the constant chasing and triaging, and especially the nitty-gritty task of trying to find out what really happened. If you have read my “Fear and Loathing in the SDLC” article, you will no longer consider the developers’ island a happy island... but I must admit, despite everything, and for a long part of my 22+ year career as a developer and software architect, it was a happy place.

Fig. 2: The developers’ island is not an elysian island of the blessed

In this article, I leave the island and dare to set sail in order to explore the wild, dangerous sea. Based on real-life feedback from my colleagues who have worked in a SOC for multiple years, we will discover the tool landscapes (or seascapes?) and dive into those tools’ caveats, discovering why the collected information is more “muddy marshes” than “pristine waters.” If you are new to life in the SOC, you’ll get a glimpse of why it takes a strong shell to stay in the SOC for a long time these days. If the SOC is already part of your life, then we’ll also sail to new horizons together and discover how Application Detection and Response (ADR) can help you to sail safely through the opaque, dangerous waters of Application Security (AppSec), clearing the blind spot that obscures the threats — be they torpedoes or injection attacks — that lurk below the surface of applications.

SOC duty vs. getting a life

You get paged for the third time in a week while spending well-deserved time with your significant other. You are at the movies. But something happened. You leave, it rains, so you sit in your cold car to log in and flip through what feels like a million tools, log files and reports to try to understand what just happened.

Fig. 3: with remote access, always on duty

If you get lucky, you see what happened, and you can take the appropriate action fast and once again feel like the hero in the movie that you just missed. You saved your organization’s or your customer’s world from the apocalypse — again. It’s not even exciting anymore. If being a superhero becomes your day job, everything can become a boring, yet draining, routine.

Fact is, SOCs work with many tools. These tools cover a lot of facets in order to keep organizations safe. Having been born into IT as a webmaster and developer, I only really saw two facets of IT security. The network and … well, to be honest, for a long time, I didn’t even think that AppSec was a real issue. These days, all too often, I discover that this “innocence” is still embedded in the creative minds of many developers.

So, what’s on the SOC’s menu?

  • Intrusion detection and prevention: Starting with network-based attacks, with distributed denial-of-service (DDoS) and man-in-the-middle (MitM) attacks on the side.
  • Cloud-native application protection platform (CNAPP): Starting with container and cloud security attacks, continuing with identity and access management (IAM), with serverless function-based attacks for dessert.
  • Internet and email: Malware and viruses prepare your stomach for spam and phishing, while an assorted plate with impersonation, spoofing and ransomware will spice up your day.
  • Data loss prevention: Email leakage, compromised accounts, unauthorized access,...