What is the nature of the security operations center (SOC) you are building? What type of capabilities does it require? How will you delegate roles and responsibilities? Understand how you can utilize technological elements, organizational structure, and best practices to make your SOC effective.
In this post you will learn:
- The importance of an effective security operations center
- The basic responsibilities of a SOC team
- Security operations center roles and responsibilities
- Best practices for building a SOC team
Importance of an Effective Security Operations Center
A security operations center is an organizational structure that continuously monitors and analyzes the security procedures of an organization. It also defends against security breaches and actively isolates and mitigates security risks.
The aim of the SOC team is to identify, analyze and react to cybersecurity threats using a reliable set of processes and technology solutions. The SOC staff generally includes managers, security analysts, and engineers who work together with organizational incident response teams to address security issues quickly.
A SOC tracks and analyzes activity on servers, endpoints, networks, applications, databases, websites and other technology systems. Its team members provide a critical layer of analysis needed to seek out any irregular activity that could suggest a security incident. While technology systems such as IPS or firewalls can prevent basic attacks, human expertise is needed to respond to serious incidents.
Security information and event management (SIEM) is a solution that empowers SOC analysts by collecting security data from across the enterprise, identifying events that have security relevance and bringing them to the attention of the SOC team. A modern SIEM puts all the relevant information in front of security specialists to help them identify and mitigate incidents faster.
6 Basic Responsibilities of a SOC Team
The SOC team ensures that possible security incidents are accurately identified, analyzed, guarded against, investigated and made known.
1. Implement and Manage Security Tools
A SOC team should have a suite of technology products that provide insight into the organization’s security environment. The SOC needs to appoint a skilled security team that can select and leverage the appropriate tools for a job. The team should evaluate the request for proposals (RFPs) from vendors, take into account system integration requirements, develop solution trials and demos, and assess interoperability with current infrastructure.
Basic security tools include firewalls, intrusion detection and prevention technology, threat and vulnerability management tools, data loss prevention tools, filtering technologies, traffic inspection solutions, reporting technology and data analytics platforms. The SOC may also have access to enterprise forensic tools that support incident response investigations.
On top of this toolset, a SIEM solution can help aggregate security events and generate alerts for analysts to investigate. Next-generation SIEM tools include new capabilities like User and Entity Behavior Analytics (UEBA) and Security Orchestration and Automation (SOAR), which can save time for analysts and help identify threats that traditional tools could not. For an example of a next-gen SIEM solution that includes UEBA and SOAR, see Exabeam’s Security Management Platform.
2. Investigate Suspicious Activities, Contain and Prevent Them
With the assistance of security monitoring tools, the SOC team looks into suspicious activity within IT systems and networks. Typically, they do this by receiving and analyzing alerts from the SIEM, which may contain signs of compromise and related threat intelligence. The team performs triage on the alerts, understands the extent of the threat and responds.
Organizations may not be able to entirely stop threats from entering their network, but they can stop threats from spreading. If a network system is compromised, the SOC should identify the infected hosts and prevent them from affecting the rest of the network. The SOC can use controls on switches, routers, and virtual local area network (VLANs) to stop the threat from spreading.
The SOC should correlate and validate alerts. SOC staff can contextualize these events within the network environment of the business, and coordinate response activities with key staff in real time.
3. Reduce Downtime and Ensure Business Continuity
Businesses need to ensure their network and systems run with minimal or no downtime. It was once possible to shut down a mail server infected by a virus for cleanup, but in today’s environment the business cannot sustain downtime of critical infrastructure such as email.
In the event of a breach, the SOC can proactively notify the appropriate business stakeholders about serious security events. If possible, risks are mitigated before security events reach key business infrastructure, and if they do reach critical systems, redundancy must be in place to ensure business continuity.
4. Security Strategy
SOCs ideally function as shared service centers that provide value to business stakeholders and help them meet their agendas. SOCs are cross-functional organizations that centralize operations carried out by different departments.
Organizations should define the SOC’s operating model and governance to ensure accountability, oversee communication, and guide interactions, with individuals from IT, IR, HR, legal, compliance and other groups. A clear line of authority can limit confusion during critical emergency actions, such as connectivity termination or complete system shutdown.
5. Audit and Compliance Support
A SOC is often responsible for auditing systems to meet compliance requirements for government, corporate and industry regulations such as SB 1386, HIPAA, and Sarbanes-Oxley. Efficient access to threat information, patch levels, identity and access control data is essential for compliance.
In the past, organizations used existing documentation to create new documentation for an audit. This process is prone to errors and time-consuming. When correctly managed by security teams, modern SOCs use security tools such as the SIEM, which aggregates security data from across the organization and generates compliance audits and reports.
For example, here’s how Exabeam’s next-generation SIEM solution provides support for compliance with GDPR, PCI DSS, SOX, and more.
Security Operations Center Roles and Responsibilities
- Security Analyst—the first to respond to incidents. Their response typically occurs in three stages: threat detection, threat investigation, and timely response. Security analysts should also ensure that the correct training is in place and that staff can implement procedures and policies. Security analysts work together with internal IT staff and business administrators to communicate information about security limitations and produce documentation.
- Security Engineer/ Architect—maintains and suggests monitoring and analysis tools. They create a security architecture and work with developers to ensure this architecture is part of the development cycle. A security engineer may be a software or hardware specialist who pays particular attention to security aspects when designing information systems. They develop tools and solutions that allow organizations to prevent and respond effectively to attacks. They document procedures, requirements, and protocols.
- SOC manager—manages the security operations team and reports to the CISO. They supervise the security team, provide technical guidance, and manage financial activities. The SOC manager oversees the activity of the SOC team, including hiring, training, and assessing staff. Additional responsibilities include creating processes, assessing incident reports, and developing and implementing crisis communication plans. They create compliance reports, support the audit process, measure SOC performance metrics, and report on security operations to business leaders.
- CISO—defines the security operations of the organization. They communicate with management about security issues and oversee compliance tasks. The CISO has the final say on policies, strategy, and procedures, relating to the organization’s cybersecurity. They also have a central role in compliance and risk management and implement policies to meet specific security demands.
The Three-Level SOC Analyst Hierarchy
A security operations center typically assigns analysts to three or four tiers:
- Tier 1 Support Security Analyst—receives and looks into alerts daily. Reviews the most recent SIEM alerts to see their relevance and urgency. Carries out triage to ensure that a genuine security incident is occurring. Oversees and configures security monitoring tools.
- Tier 2 Support Security Analyst—addresses real security incidents. Evaluates incidents identified by tier 1 analysts. Uses threat intelligence such as updated rules and Indicators of Compromise (IOCs) to pinpoint affected systems and the extent of the attack. Analyzes running processes and configs on affected systems. Carries out in-depth threat intelligence analysis to find the perpetrator, the type of attack, and the data or systems impacted. Creates and implements a strategy for containment and recovery.
- Tier 3 Security Analyst—more experienced than a tier 2 analyst. Deals with critical incidents. Carries out vulnerability assessments and penetration tests to assess the resilience of the organization and to isolate areas of weakness that need attention. Reviews alerts, threat intelligence, and security data. Identifies threats that have entered the network, and security gaps and vulnerabilities currently unknown.
- Incident Response Manager—manages and prioritizes actions during isolation, analysis, and containment of an incident. They also communicate any special requirements of high severity incidents to both internal and external stakeholders.
Best Practices for Building a Winning Security Operations Center Team
Security operations team face many challenges—they can be overworked, understaffed and often gain little attention from upper management. Security operations best practices can give companies the tools they need to protect themselves and offer SOC teams a better working environment.
Efficient SOCs use security automation
By using highly-skilled security analysts together with security automation, organizations can analyze more security events, identify more incidents and protect against them more effectively.
Use effective technology
The abilities of your SOC are dependent on its technology capabilities. Technology should collect and aggregate data, prevent threats, and respond as they occur. A team that is equipped with tools and data sources that reduce false positives to a minimum can maximize the time analysts spend investigating real security incidents.
Be up to date with current threat intelligence
Threat intelligence data from within the organization in conjunction with information from external sources provides insight into vulnerabilities and threats to the SOC team. External cyber intelligence includes signature updates, news feeds, incident reports, vulnerability alerts, and threat briefs. SOC staff can leverage SOC monitoring tools that provide integrated threat intelligence.
People and responsibilities
Organizations often share administrative duties across subsidiaries, between partner organizations, and business units. The organization’s security policy standards should be used to define responsibilities in relation to tasks and accountability for a response. An organization can also define the role of each business unit or agency in relation to the SOC.
Defend the perimeter
A key responsibility of a SOC team is to defend the perimeter, but what information are analysts required to gather? Where can that information be found?
The SOC team can take into account all data input, for example:
- Network information, such as URLs, hashes, connection details
- The monitoring of endpoints, vulnerability information revealed by vulnerability scanners, security intelligence feeds, intrusion prevention (IPS) and detection (IDS) systems
- Operating systems
- Topology information
- External-facing firewall, and antivirus