Security Operations Center: Ultimate SOC Quick Start Guide

Published
January 24, 2019

Author
Steve Salinas

Understand how a SOC works, main focus areas, team responsibilities, and a quick guide to getting started with a SOC in your organization.

Cybersecurity threats are becoming more common, more dangerous and more difficult to detect and mitigate. According to the Ponemon Institute 2021 Cost of Data Breaches study, organizations take 287 days on average to detect a breach, and over a month to contain it. Companies of all sizes need a formal organizational structure that can take responsibility for information security and create an efficient process for detection, mitigation and prevention. This is where a security operations center (SOC) comes in.

A definition of security operations center

A security operations center (SOC) is traditionally a physical facility within an organization that houses its information security team. The team monitors and analyzes the organization's security systems. The aim of the SOC is to protect the company from security breaches by identifying, analyzing and reacting to cybersecurity threats. SOC teams are made up of management, security analysts, and sometimes security engineers. The SOC works with the development and IT operations teams within the company.

SOCs are a proven way to improve threat detection, decrease the likelihood of security breaches, and ensure an appropriate organizational response when incidents do occur. SOC teams isolate abnormal activity on servers, databases, networks, endpoints, applications, etc., identify security threats, investigate them, and react to security incidents as they occur.

A SOC was once believed to be suitable only for very large organizations. Today, many smaller organizations are setting up lightweight SOCs, such as a hybrid SOC, which relies on a combination of part-time in-house staff and outsourced experts, or a virtual SOC which does not have a physical facility, and is a team of in-house staff who also serve other duties.

How do security operations centers work?

An organization must first define its security strategy and then provide a suitable infrastructure for the SOC team to work with. The information system that underlies SOC activity is a security information and event management (SIEM) system, which collects logs and events from hundreds of security tools and organizational systems, and generates actionable security alerts, which the SOC team can analyze and respond to.

A SOC team has two core responsibilities:

  • Maintaining security monitoring tools – the team must maintain and update its tools regularly. Without the correct tools, it cannot properly secure systems and networks. Team members should maintain the tools used in every part of the security process.
  • Investigating suspicious activities – the SOC team investigates suspicious and malicious activity within the networks and systems. Generally, your SIEM or analytics software will issue alerts. The team then analyses and examines the alerts, carries out triage, and discovers the extent of the threat.

Following are some of the core processes SOC teams carry out:

  • Alert triage – the SOC collects and correlates log data, and provides tools that allow analysts to review this data and detect relevant security events.
  • Alert prioritization – SOC analysts leverage their knowledge of the business environment and the threat landscape to prioritize alerts and decide which security events represent real security incidents.
  • Remediation and recovery – once an incident is discovered, SOC personnel are responsible for mitigating the threat, cleaning affected systems, and recovering them to normal working condition.
  • Post mortem and reporting – an important function of the SOC is to document the organization’s response to an incident, perform additional forensic analysis to ensure the threat has been fully contained, and learn from the incident to improve SOC processes.
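As an added example (not code from the original article), the following Python sketch walks through the collection, correlation and prioritization steps just listed on constructed log lines: a correlation rule turns raw authentication events into alerts, and an asset-criticality weighting (assumed values, standing in for the analyst's knowledge of the business environment) orders them for review.

```python
"""Toy SIEM-style pipeline: correlate raw auth events into alerts, then prioritize them.
Added example, not code from the original article. Log lines, asset criticality
values and thresholds are all constructed for illustration."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed syslog-like authentication events (not real data).
SAMPLE_LOGS = """\
2019-01-24T09:00:01Z auth host=db01 user=svc_backup src=10.0.5.7 result=FAIL
2019-01-24T09:00:03Z auth host=db01 user=svc_backup src=10.0.5.7 result=FAIL
2019-01-24T09:00:05Z auth host=db01 user=svc_backup src=10.0.5.7 result=FAIL
2019-01-24T09:00:07Z auth host=db01 user=svc_backup src=10.0.5.7 result=FAIL
2019-01-24T09:00:09Z auth host=db01 user=svc_backup src=10.0.5.7 result=FAIL
2019-01-24T09:00:12Z auth host=db01 user=svc_backup src=10.0.5.7 result=SUCCESS
2019-01-24T09:05:00Z auth host=kiosk03 user=guest src=10.0.9.2 result=FAIL
2019-01-24T09:05:01Z auth host=kiosk03 user=guest src=10.0.9.2 result=FAIL
2019-01-24T09:05:02Z auth host=kiosk03 user=guest src=10.0.9.2 result=FAIL
2019-01-24T09:05:03Z auth host=kiosk03 user=guest src=10.0.9.2 result=FAIL
2019-01-24T09:05:04Z auth host=kiosk03 user=guest src=10.0.9.2 result=FAIL
2019-01-24T09:30:00Z auth host=web01 user=alice src=10.0.1.4 result=FAIL
2019-01-24T09:30:20Z auth host=web01 user=alice src=10.0.1.4 result=SUCCESS
"""

# Assumed business context: how critical each asset is (3 = crown jewel, 1 = low value).
ASSET_CRITICALITY = {"db01": 3, "web01": 2, "kiosk03": 1}


@dataclass
class Event:
    ts: datetime
    host: str
    user: str
    src: str
    result: str


@dataclass
class Alert:
    rule: str
    host: str
    user: str
    src: str
    failures: int
    severity: int      # 1 low .. 3 high, set by the detection rule
    priority: int = 0  # severity weighted by asset criticality, set at triage


def parse_logs(text):
    """Collection step: turn raw log lines into structured events."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split()
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
        fields = dict(p.split("=", 1) for p in parts[2:])
        events.append(Event(ts, fields["host"], fields["user"], fields["src"], fields["result"]))
    return events


def correlate(events, threshold=5, window=timedelta(seconds=60)):
    """Correlation step: `threshold` failed logons for the same (host, user, src)
    inside `window` raise an alert; a success right after the burst raises severity."""
    by_entity = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.ts):
        by_entity[(ev.host, ev.user, ev.src)].append(ev)

    alerts = []
    for (host, user, src), evs in by_entity.items():
        fails = [e for e in evs if e.result == "FAIL"]
        for i in range(len(fails) - threshold + 1):
            first, last = fails[i], fails[i + threshold - 1]
            if last.ts - first.ts > window:
                continue
            followed_by_success = any(
                e.result == "SUCCESS" and last.ts <= e.ts <= last.ts + window for e in evs
            )
            rule = "brute_force_success" if followed_by_success else "brute_force_attempt"
            alerts.append(Alert(rule, host, user, src, len(fails), 3 if followed_by_success else 2))
            break  # one alert per entity so the analyst is not flooded with duplicates
    return alerts


def prioritize(alerts, criticality=ASSET_CRITICALITY):
    """Prioritization step: weight rule severity by business criticality of the asset."""
    for alert in alerts:
        alert.priority = alert.severity * criticality.get(alert.host, 1)
    return sorted(alerts, key=lambda a: a.priority, reverse=True)


def triage(text):
    """Full pipeline on raw log text; returns alerts ordered for analyst review."""
    return prioritize(correlate(parse_logs(text)))


if __name__ == "__main__":
    for a in triage(SAMPLE_LOGS):
        print(f"P{a.priority} {a.rule:<20} host={a.host} user={a.user} src={a.src} failures={a.failures}")
```

On the constructed input the burst against the database server that ends in a successful logon comes out on top (severity 3 on a criticality-3 asset), the same-sized burst against a kiosk is queued behind it, and alice's single typo never becomes an alert at all. The single-failure case is exactly the noise a triage stage exists to keep away from the analyst.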

Focus areas of a SOC

A SOC can have several different functions in an organization, which can be combined. Below are SOC focus areas with the level of importance assigned to each in the Exabeam State of the SOC survey.

SOC focus area – level of importance in USA SOCs:

  • Control and Digital Forensics – enforcing compliance, penetration testing, vulnerability testing: 62%
  • Monitoring and Risk Management – capturing events from logs and security systems, identifying incidents and responding: 58%
  • Network and System Administration – administering security systems and processes such as identity and access management, key management, endpoint management, firewall administration, etc.: 48%

SOC deployment models

Following are common models for deploying a SOC within your organization:

Dedicated SOC

Classic SOC with dedicated facility, dedicated full time staff, operated fully in house, 24×7 operations.

Distributed SOC

Some full time staff and some part-time, typically operates 8×5 in each region.

Multifunctional SOC / NOC

A dedicated facility with a dedicated team which performs both the functions of a Network Operations Center (NOC) and a SOC.

Fusion SOC

A traditional SOC combined with new functions such as threat intelligence, operational technology (OT).

Command SOC / Global SOC

Coordinates other SOCs in a global enterprise, provides threat intelligence, situational awareness and guidance.

Virtual SOC

No dedicated facility, part-time team members, usually reactive and activated by a high profile alert or security incident. The term Virtual SOC is also sometimes used for an MSSP or managed SOC (see below).

Managed SOC / MSSP / MDR

Many organizations are turning to Managed Security Service Providers (MSSP) to provide SOC services on an outsourced basis. Modern offerings are called Managed Detection and Response (MDR). Managed SOCs can be outsourced completely or co-managed with in-house security staff.

Security operations center roles and responsibilities

  • Security analyst – the first to respond to incidents. Their response typically occurs in three stages: threat detection, threat investigation, and timely response. Security analysts should also ensure that the correct training is in place and that staff can implement procedures and policies. Security analysts work together with internal IT staff and business administrators to communicate information about security limitations and produce documentation.

  • Security engineer/architect – maintains and suggests monitoring and analysis tools. They create a security architecture and work with developers to ensure this architecture is part of the development cycle. A security engineer may be a software or hardware specialist who pays particular attention to security aspects when designing information systems. They develop tools and solutions that allow organizations to prevent and respond effectively to attacks. They document procedures, requirements, and protocols.

  • SOC manager – manages the security operations team and reports to the CISO. They supervise the security team, provide technical guidance, and manage financial activities. The SOC manager oversees the activity of the SOC team, including hiring, training, and assessing staff. Additional responsibilities include creating processes, assessing incident reports, and developing and implementing crisis communication plans. They create compliance reports, support the audit process, measure SOC performance metrics, and report on security operations to business leaders.

  • CISO – defines the security operations of the organization. They communicate with management about security issues and oversee compliance tasks. The CISO has the final say on policies, strategy, and procedures relating to the organization’s cybersecurity. They also have a central role in compliance and risk management and implement policies to meet specific security demands.

Learn more in our detailed guide to the SOC Team.

Benefits of security operations centers

  • Incident response – SOCs operate around the clock to detect and respond to incidents.
     
  • Threat intelligence and rapid analysis – SOCs use threat intelligence feeds and security tools to quickly identify threats, and fully understand incidents to enable appropriate response.
     
  • Reduce cybersecurity costs – although a SOC represents a major expense, in the long run it saves the costs of ad hoc security measures and the damage caused by security breaches.
     
  • Reduce the complexity of investigations – SOC teams can streamline their investigative efforts. The SOC coordinates data from many sources, such as network activity, security events, endpoint activity, threat intelligence and authorization records. Because the SOC has visibility across the network environment, tasks such as drilling into logs and forensic information become simpler.

Challenges facing the SOC and how technology can help

  • Increased volumes of security alerts – the growing number of security alerts consumes a significant amount of an analyst’s time. Analysts handle everything from routine to urgent tasks while verifying whether alerts are accurate, and may miss alerts as a result, which highlights the need for alert prioritization. Exabeam Advanced Analytics uses UEBA technology to provide security alert prioritization, which relies on the dynamic analysis of anomalous events. This ensures analysts can find the alerts which require immediate attention.
     
  • Management of many security tools – because SOCs and CSIRTs use many different security suites, it is hard to efficiently monitor all the data generated by the various sources. A SOC may use 20 or more technologies, which are hard to keep track of and control individually, making a central source and a single platform important. A security information and event management (SIEM) platform serves this function in most SOCs. For an example of a next-generation SIEM solution with advanced analytics and security automation, see the Exabeam Security Management Platform.
     
  • Skills shortage – staffing, and the lack of qualified individuals in particular, is an issue. A key strategy for dealing with the cybersecurity skills shortage is automating SOC processes to save analysts’ time. In addition, an organization may decide to outsource: some organizations now use managed security service providers (MSSP) to deliver their SOC services. Managed SOCs can be outsourced entirely or run in partnership with in-house security staff.

Learn about how security technologies are helping solve SOC challenges in our guide: The SOC, SIEM, and Other Essential SOC Tools

Getting started with a SOC

Questions to ask before setting up a SOC

  1. Availability and hours – will you staff your SOC 8×5 or 24×7?
     
  2. Format – will you have a stand-alone SOC or an integrated SOC and network operations center (NOC)?

  3. Organization – do you plan to control everything in-house or will you use a managed security service provider?

  4. Priorities and capabilities – is security the core concern or is compliance a key issue? Is monitoring the main priority or will you need capabilities such as ethical hacking or penetration testing? Will you make extensive use of the cloud?

  5. Environment – are you using a single on-premises environment or a hybrid environment?

5 steps to setting up your SOC

  1. Ensure everyone understands what the SOC does – A SOC observes and checks endpoints and the network of the organization, and isolates and addresses possible security issues. Create a clear separation between the SOC and the IT help desk. The help desk is for employee IT concerns, whereas the SOC is for security issues related to the entire organization.

  2. Provide Infrastructure for your SOC – Without the appropriate tools, a SOC team will not be able to deal with a security threat. Evaluate and invest in tools and technologies that will support the effectiveness of the SOC and are appropriate for the level of expertise of your in-house security team. See the next section for a list of tools commonly used in the modern SOC.

  3. Find the right people – Build a security team using the roles we listed above: security analysts, security engineers, and a SOC manager. These specialists should receive ongoing training in areas such as reverse engineering, intrusion detection and the anatomy of malware. The SOC manager needs to have strong security expertise, management skills, and battle-tested crisis management experience.

  4. Have an incident response plan ready – An incident response team should create a specific and detailed action plan. The team can also create a repeatable plan that can be used over time and adapt to different threat scenarios. Business, PR and legal teams may also be involved if necessary. The team should adhere to predefined response protocols so they can build on their experience.

  5. Defend – A key responsibility of the SOC is to protect the perimeter with a dedicated team focused on detecting threats. The SOC’s goal is to collect as much data and context as possible, prioritize incidents and ensure the important ones are dealt with quickly and comprehensively.

The security maturity spectrum — are you ready for a SOC?

A SOC is an advanced stage in the security maturity of an organization. The following are drivers that typically push companies to take this step:

  • Requirements of standards such as the Payment Card Industry Data Security Standard (PCI DSS), government regulations, or client requirements
  • The business must defend very sensitive data
  • Past security breaches and/or public scrutiny
  • Type of organization—for example, a government agency or Fortune 500 company will almost always have the scale and threat profile that justifies a SOC, or even multiple SOCs

Different organizations find themselves at different stages of developing their security presence. We define five stages of security maturity—in stages 4 and 5, an investment in a security operations center becomes relevant and worthwhile.


The future of the SOC

The security operations center is undergoing an exciting transformation. It is integrating with ops and development departments, and is empowered by powerful new technologies, while retaining its traditional command structure and roles—to identify and respond to critical security incidents.

We showed how SIEM is a foundational technology of the SOC, and how next-generation SIEMs, which include new capabilities like behavioral analytics, machine learning and SOC automation, open up new possibilities for security analysts.

The impact of a next-gen SIEM on the SOC can be significant:

  • Reduce alert fatigue – via User and Entity Behavior Analytics (UEBA), which goes beyond correlation rules to reduce false positives and discover hidden threats.
  • Improve MTTD – by helping analysts discover incidents faster and gather all relevant data.
  • Improve MTTR – by integrating with security systems and leveraging Security Orchestration, Automation and Response (SOAR) technology.
  • Enable threat hunting – by giving analysts fast access to, and powerful exploration of, unlimited volumes of security data.
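To make concrete what "going beyond correlation rules" means, here is an added example (not Exabeam's or any vendor's code) of the behavioral-baseline idea behind UEBA, which the challenges section above also describes as "dynamic analysis of anomalous events". A per-user frequency model is built from a constructed 30-day logon history, each new event is scored by how unusual its host and hour are for that specific user, and the scores are compared with a fixed after-hours rule. Users, hosts, hours and the rule's cutoff are all constructed for illustration.

```python
"""Toy user behavior baseline: score logon events by how unusual they are for that user.
Added example, not Exabeam's or any vendor's code. History, users, hosts and the
static rule are all constructed for illustration."""
import math
from collections import Counter, defaultdict


def build_history():
    """Constructed 30-day logon history as (user, host, hour) tuples."""
    history = []
    for _day in range(30):
        for hour in (9, 11, 14, 17):          # alice: office hours, two web hosts
            history.append(("alice", "web01" if hour < 14 else "wiki01", hour))
        for hour in (8, 16):                  # bob: DBA, only ever touches db01
            history.append(("bob", "db01", hour))
    return history


class UserBaseline:
    """Per-user frequency model over host and hour of logon."""

    def __init__(self, history):
        self.hosts = defaultdict(Counter)
        self.hours = defaultdict(Counter)
        self.total = Counter()
        for user, host, hour in history:
            self.hosts[user][host] += 1
            self.hours[user][hour] += 1
            self.total[user] += 1

    @staticmethod
    def _rarity(counter, key, total):
        # Laplace smoothing with one extra "never seen" bucket keeps the
        # probability finite for values absent from the baseline.
        p = (counter[key] + 1) / (total + len(counter) + 1)
        return -math.log2(p)

    def score(self, user, host, hour):
        """Higher = more unusual for this user. Unknown users score highest."""
        total = self.total[user]
        if total == 0:
            return float("inf")
        return (self._rarity(self.hosts[user], host, total)
                + self._rarity(self.hours[user], hour, total))


def static_rule(hour):
    """A typical fixed correlation rule: flag any logon outside 08:00-18:59."""
    return hour < 8 or hour > 18


BASELINE = UserBaseline(build_history())

# Constructed new events to score (user, host, hour).
NEW_EVENTS = [
    ("alice", "web01", 9),    # routine
    ("alice", "db01", 3),     # never-seen host at 03:00
    ("bob", "db01", 8),       # routine
    ("bob", "wiki01", 8),     # normal hour, but a host bob has never used
    ("alice", "web01", 19),   # usual host, one hour past the static cutoff
]


def rank_new_events(events=NEW_EVENTS, baseline=BASELINE):
    """Return events ordered most-unusual first, each with its anomaly score
    and whether the static rule would also have fired."""
    scored = [(user, host, hour, baseline.score(user, host, hour), static_rule(hour))
              for user, host, hour in events]
    return sorted(scored, key=lambda row: row[3], reverse=True)


if __name__ == "__main__":
    for user, host, hour, score, fired in rank_new_events():
        print(f"{score:5.2f}  static_rule={'yes' if fired else 'no ':3}  {user}@{host} at {hour:02d}:00")
```

The contrast is the point: the static rule fires on alice's 19:00 logon to her usual host and stays silent on bob's 08:00 logon to a host he has never touched, while the baseline ranks bob's event as clearly more unusual than alice's routine morning logon and puts the 03:00 logon to a never-seen host at the very top. Real UEBA products model many more attributes and learn thresholds over time, but the per-entity baseline is the mechanism that lets them cut false positives without a rule for every case.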

Exabeam is an example of a next-generation SIEM which combines data lake technology, visibility into cloud infrastructure, behavioral analytics, an automated incident responder and a threat hunting module with powerful data querying and visualization.
