Cybersecurity threats are becoming more common, more dangerous and more difficult to detect and mitigate. According to the Ponemon Institute 2018 Cost of Data Breaches study, organizations take 266 days on average to detect a breach, and over a month to contain it. Companies of all sizes need a formal organizational structure that can take responsibility for security threats and create an efficient process for detection, mitigation and prevention. This is where a Security Operations Center (SOC) comes in.
In this post you will learn:
- What is a security operations center
- What is the difference between SOC and a CSIRT
- How security operations centers work
- The benefits of security operations centers
- Challenges of security operations centers
- 5 steps to setting up your first SOC
- 3 SOC best practices
- SOC technologies
What is a security operations center?
A security operations center (SOC) is traditionally a physical facility within an organization that houses an information security team. The team analyzes and monitors the security systems of the organization. The aim of the SOC is to protect the company from security breaches by identifying, analyzing and reacting to cybersecurity threats. SOC teams are made up of management, security analysts, and sometimes security engineers. The SOC works with development and IT operations teams within the company.
SOCs are a proven way to improve threat detection, decrease the likelihood of security breaches, and ensure an appropriate organizational response when incidents do occur. SOC teams isolate abnormal activity on servers, databases, networks, endpoints, applications, etc., identify security threats, investigate them, and react to security incidents as they occur.
A SOC was once believed to be suitable only for very large organizations. Today, many smaller organizations are setting up lightweight SOCs, such as a hybrid SOC, which relies on a combination of part-time in-house staff and outsourced experts, or a virtual SOC, which has no physical facility and is staffed by in-house employees who also serve other duties.
What is the difference between a SOC team and a CSIRT?
A computer security incident response team or CSIRT, also called CERT or CIRT, is responsible for receiving, analyzing, and responding to security incidents. CSIRTs can work under SOCs or can stand alone.
What makes a CSIRT different from a SOC? While the core function of a CSIRT is to minimize and manage damage caused by an incident, the CSIRT does not just deal with the attack itself; it also communicates with clients, executives, and the board.
How to determine if you need a SOC team, a CSIRT team, or both?
The case for a single entity
Often a single entity that unites the SOC and CSIRT is desirable. Why? Because the distinction between detection and response is not clear cut, and may even become irrelevant. For example, threat hunting is used to identify threats, but also operates as a method of response.
Both SOC teams and CSIRT teams use security orchestration, automation and response (SOAR) tools, which could indicate that these teams need to be merged, as it is hard to decide who owns the tool and is accountable for its evolution. Threat intelligence (TI) related activities also provide a case for a single entity. A single TI consumption position can offer insights into identification and response methods.
Another reason to unite these groups is related to managing the workforce. One problem with SOCs is that it is difficult to keep “level 1” analysts motivated, particularly when they work weekends and night shifts. By bringing IR and threat hunting together you create the option for job rotation.
The case for separate entities
Some industry experts argue that keeping SOC teams and CSIRT teams separate lets them concentrate on their core objectives, namely detection vs. response. Also, occasionally multiple SOCs are required (because of multiple regional offices or subsidiaries), yet organizations wish to keep incident response centralized because of the sensitivity of investigation results.
Strategic plans for outsourcing may demand the separation of these two functions. Today, this may not be an issue as many SOCs operate as hybrid organizations. Keeping SOC and CSIRT separate, however, may help an organization clearly define the responsibilities of a partner.
How do security operations centers work?
An organization must first define its security strategy and then provide a suitable infrastructure for the SOC team to work with. The information system that underlies SOC activity is a security information and event management (SIEM) system, which collects logs and events from hundreds of security tools and organizational systems, and generates actionable security alerts, which the SOC team can analyze and respond to.
A SOC team has two core responsibilities:
- Maintaining security monitoring tools—the team must maintain and update tools regularly. Without the correct tools, they can’t properly secure systems and networks. Team members should maintain tools used in every part of the security process.
- Investigating suspicious activities—the SOC team should investigate suspicious and malicious activity within the networks and systems. Generally, your SIEM or analytics software will issue alerts. The team then analyzes and examines the alerts, carries out triage, and discovers the extent of the threat.
A SOC team comprises several roles:
- Security analyst—responsible for detecting potential security threats and handling them. Also implements security measures and is involved in disaster recovery plans.
- Security engineer—in charge of maintaining and updating tools and systems and is usually a software or hardware specialist. They are also responsible for any documentation that might be needed by other team members, such as protocols.
- SOC manager—directs SOC operations, responsible for the SOC team. Responsible for syncing between analysts and engineers, hiring, training, and security strategy. Directs and orchestrates response to major security threats.
- Chief information security officer (CISO)—establishes security related strategies, policies, and operations. Works closely with the CEO, informs and reports to management on security issues.
- Director of incident response—responsible for managing incidents in large companies as they occur and communicating security requirements to the organization in the case of a significant breach.
Figure 1: The different roles and tiers in the operation of the SOC
SOC analysts are organized in four tiers:
- SIEM alerts flow to Tier 1 analysts who monitor, prioritize and investigate them.
- Real threats are passed to a Tier 2 analyst, with deeper security experience, who conducts further analysis and decides on a strategy for containment.
- Critical breaches are moved up to a Tier 3 senior analyst, who manages the incident. Tier 3 analysts are also responsible for actively hunting for threats and assessing the vulnerability of the business.
- The Tier 4 analyst is the SOC manager, in charge of recruitment, strategy, priorities and the direct management of SOC staff when major security incidents occur.
Benefits of security operations centers
- Incident response—SOCs operate around the clock to detect and respond to incidents.
- Threat intelligence and rapid analysis—SOCs use threat intelligence feeds and security tools to quickly identify threats, and fully understand incidents to enable appropriate response.
- Reduce cybersecurity costs—although a SOC represents a major expense, in the long run it saves the costs of ad hoc security measures and the damage caused by security breaches.
- Reduce the complexity of investigations—SOC teams can streamline their investigative efforts. The SOC can coordinate data and information from sources such as network activity, security events, endpoint activity, threat intelligence and authorization. Because SOC teams have visibility into the network environment, the SOC can simplify tasks such as drilling into logs and forensic information.
Challenges Facing Security Operation Centers
- Increased volumes of security alerts—the growing number of security alerts requires a significant amount of an analyst’s time. Analysts may attend to tasks from the mundane to the urgent when determining the accuracy of alerts. They could miss alerts as a result, which highlights the need for alert prioritization. Exabeam Advanced Analytics uses UEBA technology to provide security alert prioritization, which relies on the dynamic analysis of anomalous events. This ensures analysts can find the alerts which require immediate attention.
- Management of many security tools—as various security suites are used by SOCs and CSIRTs, it is hard to efficiently monitor all the data generated from data points and sources. A SOC may use 20 or more technologies, which are hard to keep track of and control individually, making it important to have a central source and a single platform. A security information and event management (SIEM) platform serves this function in most SOCs. For an example of a next-generation SIEM solution with advanced analytics and security automation, see the Exabeam Security Management Platform.
- Resource allocation—staffing, or the lack of qualified individuals, is an issue. An organization may decide to outsource; however, this raises the issue of the greater vulnerability that comes with remote working conditions. Some organizations are now using managed security service providers (MSSPs) to deliver SOC services via outsourcing. Managed SOCs can be outsourced entirely or run in partnership with on-premises security staff.
Setting up your first SOC
Questions to ask before setting up a SOC
Availability and hours—will you staff your SOC 8×5 or 24×7?
Format—will you have a stand-alone SOC or an integrated SOC and network operations center (NOC)?
Organization—do you plan to control everything in-house or will you use a managed security service provider?
Priorities and capabilities—is security the core concern or is compliance a key issue? Is monitoring the main priority or will you need capabilities such as ethical hacking or penetration testing? Will you make extensive use of the cloud?
Environment—are you using a single on-premises environment or a hybrid environment?
5 Steps to Setting Up Your First SOC
1. Ensure everyone understands what the SOC does
A SOC observes and checks endpoints and the network of the organization, and isolates and addresses possible security issues. Create a clear separation between the SOC and the IT help desk. The help desk is for employee IT concerns, whereas the SOC is for security issues related to the entire organization.
2. Provide Infrastructure for your SOC
Without the appropriate tools, a SOC team will not be able to deal with a security threat. Evaluate and invest in tools and technologies that will support the effectiveness of the SOC and are appropriate for the level of expertise of your in-house security team. See the next section for a list of tools commonly used in the modern SOC.
3. Find the right people
Build a security team using the roles we listed above: security analysts, security engineers, and a SOC manager. These specialists should receive ongoing training in areas such as reverse engineering, intrusion detection and the anatomy of malware. The SOC manager needs to have strong security expertise, management skills, and battle-tested crisis management experience.
4. Have an incident response plan ready
An incident response team should create a specific and detailed action plan. The team can also create a repeatable plan that can be used over time and adapt to different threat scenarios. Business, PR and legal teams may also be involved if necessary. The team should adhere to predefined response protocols so they can build on their experience.
A key responsibility of the SOC is to protect the perimeter with a dedicated team focused on detecting threats. The SOC’s goal is to collect as much data and context as possible, prioritize incidents and ensure the important ones are dealt with quickly and comprehensively.
3 SOC best practices
1. Detect threats through all stages of an attack
To cope with the increasing number and complexity of cyber threats, organizations have implemented security solutions that deal with specific vulnerabilities or attack vectors. Attackers, in turn, have developed sophisticated attacks that combine multiple techniques.
Point solutions working by themselves cannot identify the relationship between a series of events. To stop an attacker from penetrating security, security operations must:
- Deploy prevention and detection approaches throughout the entire attack chain, the IT environment, and every attack vector.
- Design the technologies to function together and share information.
For an example of a security tool that provides automated incident timelines, aggregating data across multiple security tools, users and devices, see Exabeam Threat Hunter.
2. Investigate all alerts to ensure nothing is overlooked
A copious number of alerts was an early driver for SIEM. SIEM systems created correlation rules to group similar events into alerts; this helped teams deal with the tens of thousands of events isolated daily. Today, organizations report that even with correlation, there are too many alerts to investigate, which leaves the organization open to risk.
Organizations need to develop solutions that not only group alerts but automatically investigate and validate them. They should try to limit the number of events that must be reviewed by human analysts.
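As an added illustration (not code from the original post or from Exabeam), here is a minimal version of the two ideas above in Python: a correlation rule that folds a burst of similar events into a single alert, followed by an automatic validation step that sets the alert's priority before an analyst sees it. The log format, the five-failures-in-two-minutes threshold and the validation rule (a successful login shortly after the burst) are assumptions, and the log lines are constructed.

```python
# Added example, not Exabeam's code. Log format, thresholds and the
# validation rule below are assumptions chosen to illustrate the idea.
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample events: "<ISO time> <user> <src_ip> <outcome>"
SAMPLE_LOG = """\
2024-03-01T08:00:01 alice 10.0.0.5 FAIL
2024-03-01T08:00:03 alice 10.0.0.5 FAIL
2024-03-01T08:00:04 alice 10.0.0.5 FAIL
2024-03-01T08:00:06 alice 10.0.0.5 FAIL
2024-03-01T08:00:08 alice 10.0.0.5 FAIL
2024-03-01T08:00:09 alice 10.0.0.5 SUCCESS
2024-03-01T09:15:00 bob 10.0.0.9 FAIL
2024-03-01T10:00:00 carol 203.0.113.7 FAIL
2024-03-01T10:00:01 carol 203.0.113.7 FAIL
2024-03-01T10:00:02 carol 203.0.113.7 FAIL
2024-03-01T10:00:03 carol 203.0.113.7 FAIL
2024-03-01T10:00:04 carol 203.0.113.7 FAIL
"""
THRESHOLD = 5                  # failed logins that trigger one alert...
WINDOW = timedelta(minutes=2)  # ...when they fall inside this span

def parse(log):
    """Turn raw lines into (timestamp, user, src_ip, outcome) tuples."""
    out = []
    for line in log.splitlines():
        ts, user, ip, outcome = line.split()
        out.append((datetime.fromisoformat(ts), user, ip, outcome))
    return out

def correlate(events):
    """Emit one alert per (user, src_ip) burst of >= THRESHOLD failures
    inside WINDOW, instead of one per event. Auto-validate each alert: a
    SUCCESS for the same pair within WINDOW after the burst -> 'high'."""
    by_key = defaultdict(list)
    for ts, user, ip, outcome in events:
        by_key[(user, ip)].append((ts, outcome))
    alerts = []
    for (user, ip), evs in by_key.items():
        fails = [ts for ts, o in evs if o == "FAIL"]
        succ = [ts for ts, o in evs if o == "SUCCESS"]
        for i in range(len(fails) - THRESHOLD + 1):
            start, end = fails[i], fails[i + THRESHOLD - 1]
            if end - start <= WINDOW:
                count = sum(1 for f in fails[i:] if f - start <= WINDOW)
                validated = any(start <= s <= end + WINDOW for s in succ)
                alerts.append({"user": user, "src": ip, "failures": count,
                               "priority": "high" if validated else "medium"})
                break  # the whole burst collapses into a single alert
    return alerts
```

On the sample data, twelve raw events become two alerts: alice's burst is marked high because a success followed it, carol's stays medium, and bob's single failure produces nothing for an analyst to review.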
3. Gather forensic evidence for investigation and remediation
To investigate alerts, security teams require in-depth endpoint and network activity data. This is made available by forensics solutions. However, forensics tools, specifically on the network, are known to be time-consuming and complex to use.
Organizations should find forensics solutions that are simple to use and automated. It is important to adopt solutions that proactively incorporate forensic evidence into investigation procedures, and that present the results in the context of the alert or lead that the data validates.
SOC technologies
A modern SOC cannot operate without security tools. Traditional tools used in the SOC include:
- Security information and event management (SIEM)
- Governance, risk and compliance (GRC) systems
- Vulnerability scanners and penetration testing tools
- Intrusion detection systems (IDS), intrusion prevention systems (IPS), and wireless intrusion prevention
- Firewalls and next-generation firewalls (NGFW) which can function as an IPS
- Log management systems (commonly as part of the SIEM)
- Cyber threat intelligence feeds and databases
Advanced SOCs leverage next generation tools, specifically next-generation SIEMs, which provide machine learning and advanced behavioral analytics, threat hunting capabilities, and built-in automated incident response.
For an example of a next-generation SIEM which can power operations at SOCs of all sizes, learn more about the Exabeam Security Management Platform.