Humans are dynamic. Our tools should be too. Innovations from the Anthropological Study of Security Operations Centers
Published in: | IEEE internet computing 2017-06, p.1-1 |
---|---|
Main authors: | , , , , , |
Format: | Article |
Language: | eng |
Summary: | Security Operation Centers (SOCs) are being operated by universities, government agencies, and corporations to defend their enterprise networks in general and in particular to identify and thwart malicious behaviors in both networks and hosts. The success of a SOC depends on a combination of good tools, processes and, most importantly, efficient and effective analysts. During the 4 years that we have used anthropological fieldwork methods to study SOCs, we have discovered that successful SOC innovations must resolve a number of internal and external conflicts to be effective and efficient. This discovery, guided by Activity Theory (AT) which provides a framework for analyzing our fieldwork data, enabled us to understand these realities. Our research indicates conflict resolution is a prerequisite for continuous improvement of SOCs in both human and technological aspects. Failure to do so can lead to adverse effects such as analyst burnout and reduction in overall effectiveness. |
---|---|
ISSN: | 1089-7801 1941-0131 |
DOI: | 10.1109/MIC.2017.265103212 |