What To Do When Threats Become Trivial?
A fascinating aspect of security operations is how threats eventually become trivial, and what happens once they are seen that way.
Trivial threats are those that rarely require a human to deal with them: they are blocked by preventive controls, fail because the vulnerabilities they depend on have been patched or were never present, or are handled by automated response. A SOC could not function if analysts had to be involved in every attack the organization experiences, but fortunately that is not the case. Trivial attacks still happen; they just never reach the point of triggering a full detection, investigation and response cycle with human involvement.
But what should be done to ensure that threats that are not trivial now will eventually be considered trivial in the future?
I have noticed that this evolution often happens without the involvement of the SOC (meaning the TDIR functions: threat detection, investigation and response). Vulnerabilities are patched by IT operations teams, preventive tools receive updates and start blocking those attacks, and eventually the SOC stops seeing them.
But is this done in the most efficient manner? What happens to threat activity that sits between "trivially blocked" and "requires specific detection"? This seems to be fertile ground for continuous improvement. Many teams keep improving the TDIR process to make it more efficient, but if threats never move to the point where they are automagically mitigated, they keep clogging the pipeline. Improvements to TDIR make the funnel more efficient; moving threats into the trivially handled category takes them out of the funnel altogether, which frees up SOC bandwidth.
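One way to make that transition a deliberate process rather than something that happens by accident is to mine the SOC's closed alerts for detection rules whose outcome no longer needs a human. The script below is an added illustration, not code from the original post or from any product: it assumes a closed-alert export with four hypothetical fields (rule_id, disposition, analyst_minutes, preventive_control) and uses constructed sample data. It sorts each rule into "prevent" (consistent outcome and a known control that would block the activity outright), "automate" (consistent outcome but nothing on record blocks it, so a response playbook can close it), "keep" (outcomes vary, so an analyst is still needed) or "observe" (too few alerts to decide), ranked by the analyst time each rule consumes.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ClosedAlert:
    rule_id: str              # detection rule that fired (hypothetical field name)
    disposition: str          # how the analyst closed it (hypothetical field name)
    analyst_minutes: int      # human time spent on the investigation
    preventive_control: str   # a control that would block the activity, or "" if none is known


# Constructed sample data standing in for a SOC's closed-alert export.
SAMPLE_ALERTS = [
    # Commodity macro downloader, always isolated the same way; a mail-gateway
    # rule exists that would block it before any detection fires.
    *[ClosedAlert("office-macro-downloader", "contained", 30,
                  "mail-gateway: block macro-enabled attachments") for _ in range(6)],
    # Scanning from a known-bad range that analysts close as benign every time;
    # a perimeter deny list would remove it from the funnel.
    *[ClosedAlert("inbound-scan-known-bad-range", "benign", 5,
                  "edge firewall: deny list") for _ in range(8)],
    # Password spray against OWA: same containment every time, but no single
    # preventive control on record, so it is a candidate for an automated playbook.
    *[ClosedAlert("owa-password-spray", "contained", 20, "") for _ in range(5)],
    # Anomalous admin logon: outcomes vary, so this genuinely needs a human.
    ClosedAlert("anomalous-admin-logon", "benign", 15, ""),
    ClosedAlert("anomalous-admin-logon", "true_positive", 90, ""),
    ClosedAlert("anomalous-admin-logon", "benign", 15, ""),
    ClosedAlert("anomalous-admin-logon", "contained", 60, ""),
    ClosedAlert("anomalous-admin-logon", "benign", 10, ""),
    # Too few closed alerts to draw a conclusion yet.
    ClosedAlert("new-rule-under-test", "benign", 10, ""),
]


def classify_rules(alerts, min_volume=5, min_consistency=0.9):
    """Group closed alerts by rule and decide where each rule belongs in the funnel.

    Returns one dict per rule, sorted by analyst minutes (most expensive first),
    with an 'action' of 'prevent', 'automate', 'keep' or 'observe'.
    The thresholds are assumptions; tune them to the SOC's own alert volumes.
    """
    by_rule = defaultdict(list)
    for alert in alerts:
        by_rule[alert.rule_id].append(alert)

    rows = []
    for rule_id, group in by_rule.items():
        volume = len(group)
        minutes = sum(a.analyst_minutes for a in group)
        # Share of alerts closed with the single most common disposition.
        disposition, count = Counter(a.disposition for a in group).most_common(1)[0]
        consistency = count / volume
        controls = {a.preventive_control for a in group if a.preventive_control}
        if volume < min_volume:
            action = "observe"
        elif consistency < min_consistency:
            action = "keep"
        elif controls:
            action = "prevent"
        else:
            action = "automate"
        rows.append({
            "rule_id": rule_id,
            "volume": volume,
            "analyst_minutes": minutes,
            "dominant_disposition": disposition,
            "consistency": round(consistency, 2),
            "preventive_controls": sorted(controls),
            "action": action,
        })
    rows.sort(key=lambda r: r["analyst_minutes"], reverse=True)
    return rows


def minutes_removed_from_funnel(rows):
    """Analyst time that leaves the funnel if every 'prevent' and 'automate' row is acted on."""
    return sum(r["analyst_minutes"] for r in rows if r["action"] in ("prevent", "automate"))


if __name__ == "__main__":
    result = classify_rules(SAMPLE_ALERTS)
    for r in result:
        print(f"{r['action']:8} {r['rule_id']:30} n={r['volume']:<3} "
              f"minutes={r['analyst_minutes']:<4} consistency={r['consistency']}")
    print("analyst minutes removed from funnel:", minutes_removed_from_funnel(result))
```

The "prevent" rows are the ones to hand to the control owners (mail gateway, firewall, patching) with the evidence attached; the "automate" rows go to whoever builds response playbooks. Run against a real export, the ranking answers the question this post asks: which non-trivial threats are closest to becoming trivial, and how much analyst time is waiting to be reclaimed.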
As someone put it in a recent discussion about this, improving detection and response is like chewing a Tums for your heartburn, when what you really should do is stop eating so much Taco Bell :-)
Does your SOC have a process to improve or accelerate that transition? How does it work?