5 Secrets of a SOC Leader Turned Field CISO

Torq is thrilled to have Patrick Orzechowski (also known as “PO”) on board as our new Field CISO, bringing his expertise and years of experience as a SOC leader to our customers. PO is a seasoned security veteran with a deep understanding of the modern security landscape. By way of introduction, below he shares his five top pieces of advice for SOC leaders facing today’s security challenges.

When I say I’ve been in your shoes as a SOC leader, I mean it! I’ve spent around 25 years in the trenches of cybersecurity and security operations centers (SOCs). I’ve dealt with alert fatigue, managed incidents where our team didn’t sleep for days, and searched far and wide for an automation solution that can truly help SOC teams collaborate better and gain deeper insights into incident data.

I started my journey in a SOC at RipTech, which was acquired by Symantec. From there, I worked in the U.S. defense and intelligence communities as both a Blue Teamer and a Red Teamer, building SOCs and leading forensics and incident response as well as doing penetration testing for the U.S. government. My focus then shifted towards data analytics in security operations, and I held roles at telecom giants like TW Telecom and Level 3. 

Ten years ago, I co-founded a Managed Detection and Response (MDR) service called Deepwatch, where I built the SOC infrastructure to run and handle over 250 customers — and which is where I first came across Torq Hyperautomation as the answer to our SOC scaling challenges.

Today, as Field CISO at Torq, I’m applying my experiences as a security practitioner to help organizations navigate the complexities of modern cybersecurity. You’ll find me speaking at security conferences and events around the world, sharing my expertise in Torq content, and leading independent research projects to explore topics like SOC efficiency and case management effectiveness. 

I have seen firsthand that the old ways of doing things in cybersecurity are going away and need to be left in the dust. I truly believe Torq’s AI-driven Hyperautomation is an unprecedented solution for helping SOC leaders stay ahead of this evolution, and it is the main reason I am so excited to be here now. To pay it forward, below are my five top pieces of advice for SOC leaders facing today’s challenges.

5 Keys to Modern SOC Success

1. Evolve for the Expanding Attack Surface

The combination of cloud hyperscalers (AWS, Azure, GCP, and others), legacy apps, on-premises requirements, remote work, and SaaS solutions presents a very complex problem set for SOC leaders. As the attack surface expands and gets more complex, attackers gain the advantage of targeting disparate systems that do not talk to each other.

Therefore, as vulnerabilities and entry points multiply and digital transformation and AI adoption accelerate, security teams will need systems that become the “glue” tying together the systems themselves (i.e., automation), the data they produce (i.e., SIEM and search), and event-driven case management.

The sheer volume of data gives attackers an advantage as SOCs struggle to sift through the noise. Torq HyperSOC can process and triage high volumes of events to close out false positives more quickly and prioritize responses more efficiently, reducing alert fatigue and intelligently escalating high-priority cases to security analysts so that nothing slips through the cracks.

2. Embrace the AI Revolution, Strategically

We are in a security AI arms race. While AI is undoubtedly a game-changer, it’s a double-edged sword because attackers are also leveraging AI — and they’ll always have the advantage over a defense team that has to worry about compliance, privacy, and red tape. 

It’s daunting to know that attackers can scale everything they do through AI and automation — and that it’s throwing traditional cyber defense rules out the window. For example, every phishing training for the last 15 years told users to “look for grammar errors or weird punctuation”, but a phishing email written with AI can look like a perfectly written email from a legitimate person. 

Deflating the AI fear factor requires strategically automated defenses that can match attackers’ AI-powered speed and scale. With Torq’s AI-powered Hyperautomation, SOC teams can automate repetitive tasks to free up analysts for complex incidents and proactive threat hunting, and can accelerate incident response through auto-remediation and AI-enhanced investigations. Torq’s platform is fully battle-tested to handle the immense data output of the modern SOC’s cloud-native security stack.

It’s crucial to remember that AI is a tool, not a magic bullet. We still need skilled analysts to make informed decisions based on AI insights. Additionally, any AI solution deployed in the SOC should be able to explain how it arrived at its conclusions and provide citations to original forensic evidence so that you can understand and verify its logic.
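The triage loop described under point 1 (auto-close known false positives, deduplicate, correlate across sources, escalate what matters) and the explainability requirement just stated (every verdict cites the original evidence) can be shown together in a small pipeline. The block below is an added illustration written for this page, not Torq’s own code or any product API; the alert records, the tuning rule, the priority formula (highest severity plus one per additional distinct rule on the same entity) and the escalation threshold are all constructed assumptions.

```python
"""Event-driven alert triage with explainable verdicts.

Added illustrative example, not vendor code. All alerts and the tuning rule
below are constructed for the demonstration.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed sample alerts in one normalized shape (as a SIEM, EDR and cloud
# log source might emit them after normalization). Not real telemetry.
SAMPLE_ALERTS = [
    {"id": "a1", "ts": "2024-05-01T10:00:00", "source": "edr", "user": "jdoe",
     "host": "ws-042", "rule": "suspicious_powershell", "severity": 7},
    {"id": "a2", "ts": "2024-05-01T10:00:30", "source": "edr", "user": "jdoe",
     "host": "ws-042", "rule": "suspicious_powershell", "severity": 7},  # repeat of a1
    {"id": "a3", "ts": "2024-05-01T10:01:00", "source": "edr", "user": "svc_backup",
     "host": "srv-backup01", "rule": "mass_file_read", "severity": 6},
    {"id": "a4", "ts": "2024-05-01T10:02:00", "source": "cloud", "user": "jdoe",
     "host": "-", "rule": "console_login_new_country", "severity": 5},
    {"id": "a5", "ts": "2024-05-01T10:03:00", "source": "vpn", "user": "jdoe",
     "host": "-", "rule": "vpn_login_unusual_hours", "severity": 2},
    {"id": "a6", "ts": "2024-05-01T10:04:00", "source": "edr", "user": "asmith",
     "host": "ws-017", "rule": "lsass_access", "severity": 6},
]

# Analyst-approved tuning rules (hypothetical). Every auto-close must carry a
# reason so the decision stays auditable rather than silently dropping alerts.
FALSE_POSITIVE_RULES = [
    {"match": {"rule": "mass_file_read", "user": "svc_backup", "host": "srv-backup01"},
     "reason": "approved backup job on the backup server (hypothetical tuning rule)"},
]


@dataclass
class Case:
    entity: str
    max_severity: int = 0
    priority: int = 0
    rules: set[str] = field(default_factory=set)
    sources: set[str] = field(default_factory=set)
    evidence: list[str] = field(default_factory=list)  # alert ids the verdict cites
    escalated: bool = False


def known_false_positive(alert: dict) -> str | None:
    """Return the approved reason if the alert matches a tuning rule, else None."""
    for fp in FALSE_POSITIVE_RULES:
        if all(alert.get(k) == v for k, v in fp["match"].items()):
            return fp["reason"]
    return None


def triage(alerts: list[dict], dedup_window: timedelta = timedelta(minutes=5),
           escalate_at: int = 8) -> tuple[dict[str, Case], list[tuple[str, str]]]:
    """Process alerts in time order. Returns (open cases keyed by user, auto-close log)."""
    closed: list[tuple[str, str]] = []
    cases: dict[str, Case] = {}
    last_seen: dict[tuple[str, str], tuple[datetime, str]] = {}  # (user, rule) -> (ts, id)
    for a in sorted(alerts, key=lambda x: x["ts"]):
        ts = datetime.fromisoformat(a["ts"])
        reason = known_false_positive(a)
        if reason:
            closed.append((a["id"], reason))
            continue
        key = (a["user"], a["rule"])
        if key in last_seen and ts - last_seen[key][0] < dedup_window:
            closed.append((a["id"], f"duplicate of {last_seen[key][1]} within window"))
            continue
        last_seen[key] = (ts, a["id"])
        case = cases.setdefault(a["user"], Case(entity=a["user"]))
        case.rules.add(a["rule"])
        case.sources.add(a["source"])
        case.evidence.append(a["id"])
        # Priority = highest single severity + 1 per additional distinct rule on the
        # same user. Correlating across EDR, cloud and VPN is the "glue" that a
        # single-source view would miss.
        case.max_severity = max(case.max_severity, a["severity"])
        case.priority = case.max_severity + len(case.rules) - 1
        case.escalated = case.priority >= escalate_at
    return cases, closed


def verdict(case: Case) -> str:
    """Human-readable verdict citing the original alert ids so an analyst can verify it."""
    action = "ESCALATE" if case.escalated else "QUEUE"
    return (f"{action} {case.entity}: priority {case.priority} from rules "
            f"{sorted(case.rules)} across sources {sorted(case.sources)}; "
            f"evidence {case.evidence}")


if __name__ == "__main__":
    open_cases, auto_closed = triage(SAMPLE_ALERTS)
    for alert_id, why in auto_closed:
        print(f"auto-closed {alert_id}: {why}")
    for c in open_cases.values():
        print(verdict(c))
```

Running it auto-closes the duplicate PowerShell alert and the backup-service read, escalates jdoe (three distinct signals across EDR, cloud and VPN lift a single severity-7 alert to priority 9) and leaves asmith's lone LSASS alert queued for an analyst. The point of the `verdict` string is the citation list: whether the scoring is a hand-written rule or a model, the analyst can open a1, a4 and a5 and check the reasoning against the evidence.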

3. Focus on Security Operations Transformation

Security Operations rationalization is a critical component of any long-term strategy for CISOs and security leadership. While cybersecurity is now recognized as a key business risk, the era of the “blank check” from the C-suite and board to buy whatever technology you want is over. SOC leaders now have to justify their budgets and show value and ROI.

Throwing money at the problem by purchasing the newest, shiniest security tools or simply increasing headcount won’t solve your problems anyway. Instead, focus on fundamentally transforming your security operations by investing in automation for routine tasks, streamlining processes, and consolidating data insights from across your stack so you can eliminate analyst burnout and empower your existing team.

4. Overcome Security Data Assumptions

The classic SOC visibility triad of SIEM, EDR, and network detection has proven to fail against threat actors who have time and resources. Legacy SIEM, SOAR, EDR, and network controls are not enough to operationalize and automate detection and prevention in an era where attackers are getting faster and faster thanks to AI.

The idea of a singular SIEM to gather, correlate, and alert on all data across the enterprise needs to go extinct. As we move to the new arena of SOC automation, we need scalable, flexible systems that can interconnect not just traditional security stacks but all data sources, including traditional IT systems, HR, Accounting, Sales, and Finance.

5. Don’t Forget the Fundamentals

There’s a lot out there to distract SOC leaders, but maintaining strong cyber hygiene remains crucial. Foundational practices, whether adopting zero trust principles or aligning to the NIST Cybersecurity Framework, can never fall by the wayside.

Additionally, your SOC team’s wellbeing remains central to your security wellbeing. Many SOC challenges are people challenges. Sleep deprivation during major incidents, challenges in effective collaboration, and an inability to access data insights from across different solutions, all add up to frustrated, tired, and checked out analysts — which means a weaker defense. 

When you automate menial, routine tasks and auto-remediate the majority of low-level alerts, you free up analysts to focus on more engaging and rewarding work while also cutting down on alert fatigue. I truly believe all SOCs should be measuring “analyst happiness” as a KPI that reflects the health of security operations.

A Real-World SOC Transformation: Torq + Deepwatch

I know first-hand what happens when a solution like Torq comes in and changes not just technology, but also SOC processes to bring about a more strategic approach.

At Deepwatch, our first foray into automation was with legacy SOAR — but hosting 250 SOAR instances became very expensive, very fast. The platform we were using proved to be costly to scale and extracting critical KPIs like mean time to response (MTTR) was difficult. This hindered our ability to demonstrate value to both internal stakeholders and external customers.

To address these limitations, Deepwatch embarked on a transformative journey with Torq Hyperautomation. The stress test we ran on the Torq platform during the POC was my “aha” moment — and it only impressed me more from there. The Torq platform’s ability to handle high-volume workloads, the simplicity of Torq’s integrations, and the speed and flexibility at which the team could build new workflows accelerated Deepwatch’s analysis, triage, validation, and response. 

Read the full Deepwatch case study.

Moving Forward, Faster Than Ever

What worked in the SOC a few years ago is often obsolete today, making the ability to adapt rapidly key to survival in the modern security landscape. But this gets harder every day as attackers’ arsenal of technology and tactics gets more complex, sophisticated, and lethal. Somehow, SOC leaders have to keep evolving their tech, people, and processes to combat these evolving threats. It’s not easy, as I know first-hand.

At Torq, we’re revolutionizing the ability of the SOC to quickly move past the challenges that once left SOC leaders in a tar pit of despair. 

Want to chat about the practicalities of transforming your SOC? Let’s talk.