(sorry for a link to an old article, I only just came across it)

“Every triggered rule should fire automation before it fires an alert to a human. When a human gets an alert they should be the right person, and be provided the right context and the right set of options. In our culture the person with the best understanding of the system is the system owner / oncall, whether a security team or application team. This is what I mean by SOCless; decentralizing alert triage to system experts. Within security that means you respond to the alerts you write.”

I love it!  One of my SOC roles included 3-4 hours a day of copy-paste IOC enriching, occasionally leading me to an alert for a system/process which I didn’t even know about and couldn’t find documentation for *

However, in my experience system owners typically care about availability/development not security/confidentiality/integrity.  This extra responsibility might only work when devsecops mindset matures.

Personally I’d explore a middle ground.  Have each alert assigned to a system specialist who takes ownership of it, but also has a member of the CIRT/SOC who acts as a concierge (or Military Police if you prefer lol).


* I can’t RTFM until you WTFM
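As an added illustration of the "automation before alert, then route to the system owner with context" principle from the quoted article, and of the owner-plus-SOC-concierge middle ground suggested above, here is a small Python sketch. It is not code from the article, its author, or the commenter; the rule table, IOC lookup, ownership map and sample events are all constructed for the example.

```python
"""Added example: a minimal 'automation before alert' triage pipeline.

Each rule declares which system it covers and an ordered list of automation
steps. A triggered rule is enriched automatically; automation may close it
outright, and only what survives is routed to the system owner's on-call
queue with the gathered context, plus a SOC 'concierge' copied in.
All lookups and events below are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

# Constructed stand-in for an external IOC enrichment service.
IOC_DB = {
    "203.0.113.45": {"verdict": "known-bad", "tags": ["scanner"]},
    "198.51.100.7": {"verdict": "clean", "tags": []},
}

# Constructed ownership map: system name -> owning on-call queue.
OWNERS = {
    "payments-api": "payments-oncall",
    "edr": "security-oncall",
}

SOC_CONCIERGE = "soc-concierge"  # the CIRT/SOC member copied on every routed alert


@dataclass
class Alert:
    rule: str
    system: str
    event: dict
    context: dict = field(default_factory=dict)
    route: Optional[str] = None      # owner queue, set only if a human must act
    cc: Optional[str] = None         # SOC concierge, set alongside route
    suppressed: bool = False         # True when automation closed the alert


def enrich_ip(alert: Alert) -> Alert:
    """Automated IOC enrichment replacing the manual copy-paste lookup."""
    ip = alert.event.get("src_ip")
    alert.context["ioc"] = IOC_DB.get(ip, {"verdict": "unknown", "tags": []})
    return alert


def auto_close_clean(alert: Alert) -> Alert:
    """Automation decides: a source with a clean verdict never reaches a human."""
    if alert.context.get("ioc", {}).get("verdict") == "clean":
        alert.suppressed = True
    return alert


# rule name -> (system it covers, automation steps run before any human is paged)
RULES: Dict[str, Tuple[str, List[Callable[[Alert], Alert]]]] = {
    "suspicious-login": ("payments-api", [enrich_ip, auto_close_clean]),
}


def triage(rule: str, event: dict) -> Alert:
    """Run a rule's automation, then route whatever remains to its owner."""
    system, steps = RULES[rule]
    alert = Alert(rule=rule, system=system, event=event)
    for step in steps:
        alert = step(alert)
        if alert.suppressed:
            return alert  # closed by automation; no human involved
    alert.route = OWNERS.get(system, "security-oncall")  # unknown owner falls back to the SOC
    alert.cc = SOC_CONCIERGE
    # The 'right set of options' handed to the owner along with the context.
    alert.context["options"] = ["block_ip", "reset_session", "dismiss"]
    return alert


if __name__ == "__main__":
    for ip in ("203.0.113.45", "198.51.100.7"):
        a = triage("suspicious-login", {"src_ip": ip})
        print(ip, "suppressed" if a.suppressed else f"-> {a.route} (cc {a.cc})", a.context)
```

The point of the structure is that enrichment and auto-close live in the rule definition, so whoever writes the rule also owns what happens when it fires; the concierge field is the commenter's middle ground, keeping a SOC member attached without making them the primary responder.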