With the number and sophistication of cyberattacks growing, some of these messages require urgent attention. But which ones? That’s where a security operations center (SOC) comes in.
What is a security operations center?
A security operations center (SOC) is a central location that an IT security team uses to monitor and analyze an organization’s security posture and operations. The SOC is responsible for the ongoing, operational component of enterprise information security. The SOC team’s goal is to detect, analyze, and respond to anomalies and potential cybersecurity incidents using a combination of technologies and processes. Staffers work closely with organizational incident response teams to ensure that security issues are addressed quickly upon discovery. Risk assessments, coordination and communication are key functions to ensure the supporting groups have accurate information on current risk status.
An SOC, then, provides information about the infrastructure that manages security operations. It offers continuous prevention and protection, detection of threats, and response capabilities to deal with any potential security issues. The benefits of an SOC include:
- Rapid response times to deal with malware threats that can spread in minutes
- The ability to recover quickly from a malicious attack such as DDoS
- Real-time monitoring
- Log aggregation
- Centralized reporting
- Visualization of security status
- Post-incident investigation and analysis
SOC vs NOC
A network operations center (NOC) can sometimes be confused with an SOC. Both the SOC and NOC are responsible for identifying, investigating, prioritizing, escalating and resolving issues. However, the types of issues they deal with differ considerably. Both look for and address anomalies. There may even be some crossover – various anomalies can affect both the network side and the security side. But the main difference between them is simply that the SOC is security-focused and the NOC is focused on network performance and availability.
During an outage, for example, those in the NOC think in terms of device malfunctions or system issues. Their attempts at resolution are likely to include hardware replacement or configuration adjustment. SOC personnel, on the other hand, think more in terms of malicious activity. Organizations need both viewpoints.
Global SOC vs traditional SOC
A traditional security operations center and a global SOC are essentially the same thing. However, there is a difference in scope. Some companies are only interested in their own immediate vicinity, while others monitor global operations. Further, global SOCs typically command several smaller SOCs under them. After all, global SOCs can manage better by delegating duties to local counterparts who can zero in on events happening within a clearly defined area. It is much easier to manage the actions of a security operations team by concentrating their attention on a smaller sector.
With the advent of the cloud and the need for cloud security, it is no longer essential for an SOC to be in one physical location. Some organizations, of course, maintain their SOC team and supporting infrastructure in one central place. But service providers are now starting to provide SOC-as-a-Service. In addition, even those companies that try to keep all of their SOC functions strictly in house tend to have at least some part of their environment in the cloud.
“Many of the tools or systems being monitored are hosted in the cloud regardless of the terminology used to define the SOC,” said Ray Chaple, CISSP, Information Security Officer at security training vendor KnowBe4.
Designing and building a security operations center
The design of an SOC is determined by its requirements and overall scope. While a SIEM may be central to an SOC as a means of aggregating and analyzing security information, the tools and platforms deployed will be specific to the environment. Consideration should be given to factors such as network bandwidth, incident response capabilities (automated and manual) and analytical capabilities.
A good early step in designing an SOC is an audit of existing security procedures. This provides planners with the actual picture as it exists on the ground. Planning should also include choice of location, resources needed, budgeting and training. However, plans will change as the SOC is being developed. It is almost impossible to prepare for everything in advance. Those that think they have covered every possible eventuality are going to be blindsided by such factors as an entirely new attack vector, or a part of the infrastructure that is poorly protected or unprotected. So don’t fall for the conceit that everything has been planned and designed perfectly. There is always room for improvement, and the threat landscape is constantly evolving. What is important is to evolve with it, and to be flexible in the planning and construction of an SOC.
Another part of planning is to define the specific tasks to be assigned to the SOC. This should include detecting external attacks, monitoring organizational compliance, checking for insider threats or non-compliance, managing incidents, and more. Also define how data will be collected, aggregated, centralized, summarized, analyzed and visualized for best effect. The different user groups that access the data will have certain requirements that have to be considered during the design stage.
There are several kinds of SOCs, as well as hybrids that share some of the qualities of each:
- Virtual SOC: no dedicated facility, geographically distributed team members, and often delegated to a managed service provider
- Combined SOC/NOC: one team and facility dedicated to shared network and security monitoring
- Dedicated SOC: an in-house, dedicated facility
- Global or command SOC: monitors a wide area that encompasses many other regional SOCs
Smaller organizations may get away with outsourced security operations centers. A hybrid model that combines a virtual SOC with some internal SOC duties is likely to be deployed by some small and midsize organizations, particularly those that are already outsourcing some security functions and are budget-constrained, or that have yet to develop a sufficiently competent set of internal personnel to carry the load.
Technologies needed in an SOC
Security operations centers depend upon or interact with a wide range of security technologies such as:
- Security event monitoring, detection, investigation and remediation
- Intrusion prevention and detection systems
- Security incident response management
- Forensic analysis
- Endpoint protection
- Threat intelligence tools
- Threat hunting tools
- Security device management
- Threat and vulnerability management
- Compliance management and reporting
- Behavioral analytics
- Traffic analysis
- Security orchestration and automation
- Attack simulation
SIEM systems encompass some, though not all, of these functions. To confuse matters further, vendors are packaging more and more security tools together into larger suites. Some retain the SIEM tag while others have grander names.
Chaple stressed that the technologies deployed will depend on the scope and requirements of the SOC.
“Some type of SIEM is the core data aggregation component that most all SOCs have,” said Chaple. “Other key areas or tools to consider include asset discovery, vulnerability assessment & pen testing, logging, monitoring & reporting, anomaly detection, intrusion detection, data analytics, and threat intelligence.”
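The design section above says an SOC must decide how data is collected, aggregated, centralized, summarized and analyzed, and Chaple describes the SIEM as the core data aggregation component. The following is an added, self-contained illustration of that pipeline in miniature; it is not code from the article, from KnowBe4, or from any SIEM product. The sshd and VPN log lines, host names, user names and IP addresses are constructed, the two log formats are assumed for the sake of the example, and the correlation rule (five failed logins from one source address within ten minutes followed by a success) is a common SOC detection pattern chosen here as a representative rule, not one the article specifies.

```python
"""Toy SIEM-style pipeline: collect -> normalize -> aggregate -> detect -> summarize.

Added illustration, not code from the article or any vendor's product.
All log lines, hosts, users and IP addresses below are constructed samples.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: syslog-style sshd lines from two hosts (assumed format).
RAW_SSHD = [
    "2024-03-01T10:00:01 web01 sshd[811]: Failed password for admin from 203.0.113.7 port 51000 ssh2",
    "2024-03-01T10:00:03 web01 sshd[811]: Failed password for admin from 203.0.113.7 port 51001 ssh2",
    "2024-03-01T10:00:05 web01 sshd[811]: Failed password for admin from 203.0.113.7 port 51002 ssh2",
    "2024-03-01T10:00:07 web01 sshd[811]: Failed password for admin from 203.0.113.7 port 51003 ssh2",
    "2024-03-01T10:00:09 web01 sshd[811]: Failed password for admin from 203.0.113.7 port 51004 ssh2",
    "2024-03-01T10:00:12 web01 sshd[812]: Accepted password for admin from 203.0.113.7 port 51005 ssh2",
    "2024-03-01T10:05:00 db01 sshd[400]: Failed password for backup from 198.51.100.9 port 40000 ssh2",
    "2024-03-01T10:30:00 db01 sshd[401]: Accepted publickey for backup from 198.51.100.9 port 40001 ssh2",
]
# Constructed sample: VPN gateway audit lines in a different, key=value style (assumed format).
RAW_VPN = [
    "ts=2024-03-01T10:01:00 dev=vpn01 user=jdoe src=203.0.113.7 result=fail",
    "ts=2024-03-01T10:01:30 dev=vpn01 user=jdoe src=203.0.113.7 result=fail",
    "ts=2024-03-01T10:02:00 dev=vpn01 user=jdoe src=203.0.113.7 result=ok",
]

SSHD_RE = re.compile(r"^(\S+) (\S+) sshd\[\d+\]: (Failed|Accepted) \w+ for (\S+) from (\S+) port")
VPN_RE = re.compile(r"^ts=(\S+) dev=(\S+) user=(\S+) src=(\S+) result=(\S+)$")


def normalize(line):
    """Map one raw line from either source onto a common event schema.
    Returns None for lines neither parser recognises; a real pipeline would
    count those as parse failures rather than silently drop them."""
    m = SSHD_RE.match(line)
    if m:
        ts, host, verdict, user, src = m.groups()
        return {"ts": datetime.fromisoformat(ts), "host": host, "user": user, "src": src,
                "outcome": "success" if verdict == "Accepted" else "failure", "source": "sshd"}
    m = VPN_RE.match(line)
    if m:
        ts, host, user, src, result = m.groups()
        return {"ts": datetime.fromisoformat(ts), "host": host, "user": user, "src": src,
                "outcome": "success" if result == "ok" else "failure", "source": "vpn"}
    return None


def collect(*sources):
    """Aggregation step: normalize every source and merge into one time-ordered stream."""
    events = [e for lines in sources for e in map(normalize, lines) if e]
    return sorted(events, key=lambda e: e["ts"])


def detect_brute_force(events, threshold=5, window=timedelta(minutes=10)):
    """Correlation rule: at least `threshold` failures from one source IP within
    `window`, followed by a success from that IP to any host, raises one alert.
    Because events are normalized, failures against sshd and the VPN count together."""
    alerts = []
    failures = defaultdict(list)  # source IP -> timestamps of recent failures
    for e in events:
        recent = [t for t in failures[e["src"]] if e["ts"] - t <= window]
        failures[e["src"]] = recent
        if e["outcome"] == "failure":
            recent.append(e["ts"])
        elif len(recent) >= threshold:
            alerts.append({"src": e["src"], "user": e["user"], "host": e["host"],
                           "failures": len(recent), "at": e["ts"].isoformat()})
            failures[e["src"]] = []  # do not re-alert on the same burst
    return alerts


def summarize(events):
    """Centralized reporting: login outcome counts per host, as a dashboard tile would show."""
    summary = defaultdict(lambda: {"success": 0, "failure": 0})
    for e in events:
        summary[e["host"]][e["outcome"]] += 1
    return dict(summary)


if __name__ == "__main__":
    evs = collect(RAW_SSHD, RAW_VPN)
    for alert in detect_brute_force(evs):
        print("ALERT", alert)
    print(summarize(evs))
```

On the constructed input the rule fires once, for the five sshd failures from 203.0.113.7 against web01 followed by an accepted password, while the single failure against db01 followed by a key-based login 25 minutes later stays below both the count and the window. The point of the normalize step is visible in the rule: once sshd and VPN events share a schema, one correlation covers both sources without per-source logic.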
SOC management and staff
SOCs are managed in various ways depending on the existing organizational structure. Typically, the SOC manager reports to the CISO or another C-level executive such as the CTO or CIO. The SOC manager can have various roles and responsibilities under him or her. This includes those who respond to incidents after they have happened, those who analyze the general threat landscape, those who hunt down threat actors, and more. Here are a few of the primary personnel functions:
- SOC manager: takes care of personnel, budgets, technology strategy, meeting SLAs and communication with the CISO
- SOC analyst: monitors the state of alerts, drills down to find the cause, advises on remediation and determines actions to take to further harden defenses
- Threat hunter: works proactively to track down avenues of potential attack, isolates new incursions before alerts are received, and detects the presence of malicious actors lying dormant within the network but ready to act in the future.