Cybersecurity threats are becoming more common, more dangerous and more difficult to detect and mitigate. According to the Ponemon Institute 2018 Cost of Data Breaches study, organizations take 266 days on average to detect a breach, and over a month to contain it. Companies of all sizes need a formal organizational structure that can take responsibility for security threats and create an efficient process for detection, mitigation and prevention. This is where a Security Operations Center (SOC) comes in.
In this post you will learn:
- What is a Security Operations Center
- How Security Operations Centers work
- The Benefits of Security Operations Centers
- 5 Steps to Setting Up Your First SOC
- SOC Technologies
What is a Security Operations Center?
A security operations center (SOC) is traditionally a physical facility with an organization, which houses an information security team. The team analyzes and monitors the security systems of an organization. The aim of the SOC is to protect the company from security breaches by identifying, analyzing and reacting to cybersecurity threats. SOC teams are made up of management, security analysts, and sometimes security engineers. The SOC works with development and IT operations teams within the company.
SOCs are a proven way to improve threat detection, decrease the likelihood of security breaches, and ensure an appropriate organizational response when incidents do occur. SOC teams isolate abnormal activity on servers, databases, networks, endpoints, applications, etc., identify security threats, investigate them, and react to security incidents as they occur.
A SOC was once believed to be suitable only for very large organizations. Today, many smaller organizations are setting up lightweight SOCs, such as a hybrid SOC, which relies on a combination of part-time in-house staff and outsourced experts, or a virtual SOC which does not have a physical facility, and is a team of in-house staff who also serve other duties.
How Do Security Operations Centers Work?
An organization must first define its security strategy and then provide a suitable infrastructure for the SOC team to work with. The information system that underlies SOC activity is a security information and event management (SIEM) system, which collects logs and events from hundreds of security tools and organizational systems, and generates actionable security alerts, which the SOC team can analyze and respond to.
A SOC team comprises several roles:
- Security analyst—responsible for detecting potential security threats and handling them. Also implements security measures and is involved in disaster recovery plans.
- Security engineer—in charge of maintaining and updating tools and systems and is usually a software or hardware specialist. They are also responsible for any documentation that might be needed by other team members, such as protocols.
- SOC manager—directs SOC operations, responsible for the SOC team. Responsible for synching between analysts and engineers, hiring, training, and security strategy. Directs and orchestrates response to major security threats.
- Chief information security officer (CISO)—establishes security related strategies, policies, and operations. Works closely with the CEO, informs and reports to management on security issues.
- Director of incident response—in large companies, responsible for managing incidents as they occur and communicating security requirements to the organization in the case of a significant breach.
Figure 1: The different roles and tiers in the operation of the SOC
SOC analysts are organized in four tiers:
- SIEM alerts flow to Tier 1 analysts who monitor, prioritize and investigate them.
- Real threats are passed to a Tier 2 analyst, with deeper security experience, who conducts further analysis and decides on a strategy for containment.
- Critical breaches are moved up to a Tier 3 senior analyst, who manages the incident. Tier 3 analysts are also responsible for actively hunting for threats and assessing the vulnerability of the business.
- The Tier 4 analyst is the SOC manager, in charge of recruitment, strategy, priorities and the direct management of SOC staff when major security incidents occur.
Benefits of Security Operations Centers
- Incident response—SOCs operate around the clock to detect and respond to incidents.
- Threat intelligence and rapid analysis—SOCs use threat intelligence feeds and security tools to quickly identify threats, and fully understand incidents to enable appropriate response.
- Reduce cybersecurity costs—although a SOC represents a major expense, in the long run it saves the costs of ad hoc security measures and the damage caused by security breaches.
5 Steps to Setting Up Your First SOC
1. Ensure everyone understands what the SOC does
A SOC observes and checks endpoints and the network of the organization, and isolates and addresses possible security issues. Create a clear separation between the SOC and the IT help desk. The help desk is for employee IT concerns, whereas the SOC is for security issues related to the entire organization.
2. Provide Infrastructure for your SOC
Without the appropriate tools, a SOC team will not be able to deal with a security threat. Evaluate and invest in tools and technologies that will support the effectiveness of the SOC and are appropriate for the level of expertise of your in-house security team. See the next section for a list of tools commonly used in the modern SOC.
3. Find the right people
Build a security team using the roles we listed above: security analysts, security engineers, and a SOC manager. These specialists should receive ongoing training in areas such as reverse engineering, intrusion detection and the anatomy of malware. The SOC manager needs to have strong security expertise, management skills, and battle-tested crisis management experience.
4. Have an incident response plan ready
An incident response team should create a specific and detailed action plan. The team can also create a repeatable plan that can be used over time and adapt to different threat scenarios. Business, PR and legal teams should also be involved if necessary. The team should adhere to predefined response protocols so they can build on their experience.
A key aim of the SOC is to protect the perimeter. There should be staff dedicated to defending the perimeter, and staff responsible for detection. The SOC should aim to collect as much data and context as possible, prioritize incidents and ensure the important ones are dealt with quickly and comprehensively.
A modern SOC cannot operate without security tools. Traditional tools used in the SOC include:
- Security Information and Event Management (SIEM)
- Governance, Risk and Compliance (GRC) systems
- Vulnerability scanners and penetration testing tools
- Intrusion Detection Systems (IDS), Intrusion Prevention Systems (IPS), and wireless intrusion prevention
- Firewalls and Next-Generation Firewalls (NGFW) which can function as an IPS
- Log management systems (commonly as part of the SIEM)
- Cyber threat intelligence feeds and databases
Advanced SOCs leverage next generation tools, in particular next-generation SIEMs, which provide machine learning and advanced behavioral analytics, threat hunting capabilities, and built-in automated incident response.
Learn more about the SOC, SecOps, and SIEM.
For an example of a next-generation SIEM which can power operations at SOCs of all sizes, learn more about the Exabeam Security Management Platform.