Header image

From NOC to SOC to ROC - Is Qualys Removing Alert Fatigue?

The introduction of a Risk Operations Centre promises the capability to make lives easier in security.


This week saw the launch of a first ‘Risk Operations Center’ - otherwise known as the ROC - by Qualys.

Designed to ingest security posture data, business context and threat intelligence to enable organisations to prioritise and mitigate risks based on their business impact, offering a coordinated, proactive response. Essentially its purpose is to distil down alerts to enable better prioritisation of alerts, and align cyber risk operations with business priorities.

According to Mayuresh Ektare, vice president, product management at Qualys, the ROC is “the natural evolution in enterprise risk management from the Security Operations Center (SOC)” as while the SOC transformed incident response by aggregating and normalising data from various security tools, the ROC elevates this approach by consolidating risk signals across the entire enterprise.

“The ROC creates a unified view of an organisation’s risk posture—not limited to cybersecurity incidents but encompassing operational, financial, and business context,” Ektare said.

Minimally Disruptive

SC UK talked to Richard Seiersen, Qualys’ chief risk technology officer who dismisses this as being about outsourcing risk, but instead said the ROC is “minimally disruptive” and allows CISOs to “get in front of threats, so you don't necessarily have to wait for the bad thing.”

Following the comments by president and CEO Sumedh Thakar about the need to know where assets are in order to better understand which threats are a priority, Seiersen says that with the average security team having 70 plus solutions on average, “that's a lot of information right to bring in and it's producing a lot of telemetry, but telemetry is not the same thing as metrics - telemetry is like the raw ingredient, so how do you answer the question of what is actually at risk to the business?”

He says: “If something bad were to happen to this exposed asset, what could this mean monetarily? So bring all that vulnerability data, all that threat data, all of that asset data together and essentially and you can normalise it.”

Bring Risk Scores Together

He explains that every security solution out there has their own interpretation of ‘normalising’ as in they all produce their own risk score - such as a CVE (Common Vulnerabilities and Exposure) - so the ROC is about bringing various risk scores together and gain “meaningful measurements without losing information about risk.”

This is commonly solved by CISOs using data lakes or warehouses, but Seiersen says these concepts require a lot of man power, and if it is 70-100 products, no one is going to have a team that's full time dedicated to this.

“The risks of doing it badly I think are fairly overwhelming, so we are just observing that reality,” he says. “Another reality we're realising is CISOs have a lot of investments and the idea that you're going to have to rip and replace, that's another thing that's not going to happen. So how can we show up and meet this CISO, meet this CFO in their tool chains in their pipelines and in their budgets?”

He says: “So the ROC is about getting in front of that risk, or if we're saying to go and fix something we're going to say, let's just leave it, let's just focus on those things that actually really matter. Just reduce the noise. Let's focus on what matters now, so you can get back to producing value for your customers.”

ROC and SOC Connection

Seiersen says the ROC will feed into the SOC and give the SOC meaning, so that when you have your first line of defence, they're looking at ‘blinking red is bad’ and they'll then pass that context list to some typically a second line of defence, who will then filter it out. He claims this will enrich and inform the SOC, and make it more “capital efficient.”

If you’re distilling down alert data into something digestible, can that help you spot the next big deal vulnerability? Seiersen concluded by saying if a user started seeing 20 something threat feeds and there is something indicative of a major problem - and the ROC can determine where your assets are and there is a patch available - the fix could rolled out easily with minimal business disruption.

That’s the word, disruption. We’re always looking at concepts that change security and enable practitioners to work better. Is the ROC the next one? If it helps a CISO know their role, and overcome alert overload, it could be a real asset.


Dan Raywood
Dan Raywood Senior Editor SC Media UK

Dan Raywood is a B2B journalist with more than 20 years of experience, including covering cybersecurity for the past 16 years. He has extensively covered topics from Advanced Persistent Threats and nation-state hackers to major data breaches and regulatory changes.

He has spoken at events including 44CON, Infosecurity Europe, RANT Conference, BSides Scotland, Steelcon and ESET Security Days.

Outside work, Dan enjoys supporting Tottenham Hotspur, managing mischievous cats, and sampling craft beers.

Dan Raywood
Dan Raywood Senior Editor SC Media UK

Dan Raywood is a B2B journalist with more than 20 years of experience, including covering cybersecurity for the past 16 years. He has extensively covered topics from Advanced Persistent Threats and nation-state hackers to major data breaches and regulatory changes.

He has spoken at events including 44CON, Infosecurity Europe, RANT Conference, BSides Scotland, Steelcon and ESET Security Days.

Outside work, Dan enjoys supporting Tottenham Hotspur, managing mischievous cats, and sampling craft beers.

Upcoming Events

No events found.