What is a SOC?
A Security Operations Centre (SOC) is a centralised function through which security issues, whether organisational or technical, are dealt with. Physically, it is the room from which staff supervise the organisation's estate using data-processing technology. The goal of a SOC is to detect, assess and tackle cyber security threats using defined processes.
Activity on networks, servers, websites and databases is analysed for anomalies, and the job of the SOC is to flag up and report any potential threats. SOCs decrease the likelihood of security breaches and give organisations an appropriate response should incidents occur. While previously the purview of large organisations, many smaller enterprises are now setting up lightweight SOCs that use part-time staff or outsourcing.
Ultimately, a SOC is a command post in the fight against cybercrime: a security headquarters through which potential threats are seen, tracked and resolved.
How a SOC Works
The SOC team is responsible for the ongoing operation of IT security. Security analysts collaborate to detect, analyse, respond to, report on and prevent cybersecurity incidents. Some SOCs also have more advanced analytical tools in order to detect potential threats.
A SOC team has two main responsibilities: maintaining security monitoring tools and investigating suspicious activity. The team must continually update its tools to ensure systems are properly secured, and it must investigate suspicious activity as and when it arises. Once an alert is confirmed, the team investigates the extent of the threat.
Benefits of a SOC
The obvious benefit of having a SOC is improved security incident detection thanks to continuous data monitoring and analysis. By doing this at all hours of the day, SOC teams can detect and respond to incidents promptly no matter where or when the attack emerged.
With a SOC, organisations can respond quickly to incidents and conduct rapid analysis using threat intelligence feeds and security tools.
SOCs also help to reduce cybersecurity costs by saving businesses money long-term against the damage breaches can cause. In addition, investigations can be streamlined to simplify complex tasks.
Common reasons why organisations turn to SOCs include running a public service, holding a large number of sensitive databases, handling large quantities of data, or needing a single point of visibility through which to view all potential threats.
Outsourced vs in-house
Managed SOCs can be outsourced completely or run alongside on-premises security staff. If you choose to outsource your SOC, it will most likely be multi-tenanted, meaning threat intelligence gathered from your data will be used to improve the service delivered to the third party's other customers. So it is important to consider whether your business would be comfortable with such an arrangement.
SOC as a service is a cost-effective choice for organisations lacking the resources to build their own in-house operation.
Whether you outsource or keep it in-house will depend on budget, your willingness to share information and how your business is managed day-to-day.
SOCs can be run either during business hours only or round the clock (24/7). The latter allows organisations to defend against intrusions regardless of source or attack type.
24/7 operations centres do come at a great cost to an organisation, though: staffing just one 24/7 position requires about 4.5 members of staff once shifts, weekends and holidays are taken into account.
SOC Operations Room
A fully-operational Security Operations Centre should incorporate people, processes and technologies.
People: Staff need to be highly trained and certified, with a good grounding in security alerts and scenarios. They need to be able to adapt quickly, as the world of cybersecurity is constantly evolving to counter new threats. As well as the right training, they need to be able to learn on the job.
Processes: SOCs need to align themselves with security requirements and their associated security controls. Processes should be kept up to date and there needs to be a manageable workflow to ensure all team members are working to the best of their capabilities.
Technologies: Security monitoring systems can be used as an investigative tool to review suspicious activity and manage the response in the event of an incident or breach. These technologies use the network, log and endpoint data gathered to find anomalies.
SOC Team Structure
SOC teams comprise several roles.
- A security analyst to detect and handle potential threats. The analyst also puts in place any necessary security measures. Analysts are split into three distinct tiers:
  - Tier One analysts monitor, prioritise and investigate Security Information and Event Management (SIEM) alerts.
  - Tier Two analysts conduct further analysis and decide on containment strategies for real threats.
  - Tier Three analysts manage critical breaches and actively hunt for threats, as well as assessing the business's vulnerabilities.
- A security engineer who is in charge of maintaining and updating tools. They are also responsible for any documentation that may be needed by other team members.
- A SOC manager to direct operations and ensure smooth collaboration between analysts and engineers. They deliver all necessary training and are responsible for hiring and for dictating responses to major cybersecurity threats.
- A Chief Information Security Officer to establish strategies and operations relating to security. In close contact with the CEO of an organisation, they report to management on security issues.
- An incident responder to manage incidents in large companies and communicate procedures to the organisation should a significant breach occur.
A log source is a data source that creates an event log. For instance, firewalls log security events; almost every computing system generates logs of some kind.
There are many different types of log sources for a SOC. Logs you should consider for inclusion include:
- Logs from your security controls: IDS, Endpoint Security (Antivirus, Antimalware), Data Loss Prevention, VPN Concentrators, Web filters, Honeypots, Firewalls.
- Logs from your network infrastructure: Routers, Switches, Domain Controllers, Wireless Access Points, Application Servers, Databases, Intranet Applications.
These may look and behave differently but ultimately serve the same purpose: storing information. Endpoint logs are used to understand
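As an added illustration (not part of the original guide) of how a SOC's technology layer turns raw log-source output into a prioritised, SIEM-style alert queue for Tier One analysts: the log lines, source categories and severity scale below are all constructed assumptions, not any real product's format.

```python
import re

# Constructed sample lines (illustrative only, not from any real product), in a
# "<timestamp> <reporter> <event> key=value ..." shape as a SIEM collector might
# see after syslog forwarding. Reporter names encode the source role.
SAMPLE_LOGS = [
    "2024-05-01T10:00:01Z fw01 DENY src=10.0.0.5 dst=203.0.113.9 dport=445",
    "2024-05-01T10:00:02Z fw01 DENY src=10.0.0.5 dst=203.0.113.9 dport=445",
    "2024-05-01T10:00:03Z ids01 ALERT src=10.0.0.5 dst=203.0.113.9 sig=SMB-probe",
    "2024-05-01T10:00:09Z av01 MALWARE_BLOCKED host=ws17 file=invoice.exe",
    "2024-05-01T10:00:11Z fw01 ALLOW src=10.0.0.8 dst=93.184.216.34 dport=443",
    "2024-05-01T10:00:12Z rtr01 LINK_DOWN iface=ge-0/0/1",
]
# Categories follow the page's split: security controls vs network infrastructure.
SOURCE_CATEGORY = {"fw": "security-control/firewall", "ids": "security-control/ids",
                   "av": "security-control/endpoint", "rtr": "network/router"}
# Assumed Tier One severity scale (3 = highest); events not listed rank as 0.
SEVERITY = {"MALWARE_BLOCKED": 3, "ALERT": 2, "DENY": 1}
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<reporter>(?P<role>[a-z]+)\d+) (?P<event>\S+)(?P<kv>.*)$")


def parse_line(line):
    """Normalise one raw line into a common event dict; None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    pairs = (p.split("=", 1) for p in m.group("kv").split() if "=" in p)
    return {"ts": m.group("ts"), "reporter": m.group("reporter"),
            "source": SOURCE_CATEGORY.get(m.group("role"), "unknown"),
            "event": m.group("event"), "severity": SEVERITY.get(m.group("event"), 0),
            **dict(pairs)}


def triage(lines):
    """Collapse repeats of one event into a single alert with a count, highest severity first."""
    alerts = {}
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue  # dropped here; a real SIEM would quarantine unparseable lines for review
        key = (ev["source"], ev["event"], ev.get("src"), ev.get("dst"), ev.get("host"))
        if key in alerts:
            alerts[key]["count"] += 1
            alerts[key]["last_seen"] = ev["ts"]
        else:
            alerts[key] = {**ev, "count": 1, "last_seen": ev["ts"]}
    return sorted(alerts.values(), key=lambda a: a["severity"], reverse=True)
```

The six raw lines become five alerts, with the two identical firewall denies merged into one entry carrying a count, which is the kind of volume reduction that keeps the Tier One queue manageable.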
Security Operations Centres face a number of challenges, chief among them the very high volume of security alerts they receive on a day-to-day basis, which consume a lot of analysts' time. Centres must also be able to prioritise efficiently, as threats range from mundane to urgent.
Security Operations Centres also find it difficult to monitor effectively all the data an organisation generates, as data points and sources are so varied. A SOC may use 20 or more systems to monitor data, which can be hard to keep track of.
SOCs also find that they are under-resourced, with a dearth of qualified staff in the sector. As a result, many organisations decide to outsource.
Questions to ask before setting up your SOC
- What will your hours be: business hours or 24/7?
- Will you have a stand-alone SOC or an integrated SOC and network operations centre (NOC)?
- Will everything be controlled in-house or will you use a managed security service provider?
- Will everything be on-premises or in a hybrid environment?