Components, best practices, and next-gen capabilitiesRead More
An Information Security Operations Center (ISOC or SOC) is a facility where security staff monitor enterprise systems, defend against security breaches, and proactively identify and mitigate security risks.
In the past, the SOC was considered a heavyweight infrastructure which is only within the reach of very large or security-minded organizations. Today, with new collaboration tools and security technology, many smaller organizations are setting up virtual SOCs which do not require a dedicated facility, and can use part-time staff from security, operations and development groups. Many organizations are setting up managed SOCs or hybrid SOCs which combine in-house staff with tools and expertise from Managed Security Service Providers (MSSPs).
A SOC is an advanced stage in the security maturity of an organization. The following are drivers that typically push companies to take this step:
A SOC can have several different functions in an organization, which can be combined. Below are SOC focus areas with the level of importance assigned to each in the Exabeam State of the SOC survey.
SOC Focus Area
Level of Importance in USA SOCs
Control and Digital Forensics—enforcing compliance, penetration testing, vulnerability testing.
Monitoring and Risk Management—capturing events from logs and security systems, identifying incidents and responding.
Network and System Administration—administering security systems and processes such as identity and access management, key management, endpoint management, firewall administration, etc.
The classic Security Operations Center is a physical facility which is well protected in terms of cyber security and physical security. It is a large room, with security staff sitting at desks facing a wall with screens showing security stats, alerts and details of ongoing incidents. Nowadays, many SOCs look quite different. For example, a Virtual SOC (VSOC) is not a physical facility, but rather a group of security professionals working together in a coordinated manner to perform the duties of a SOC.
Security teams building a SOC face several common challenges:
All three of these challenges are addressed by a security information and event management (SIEM) system, which powers daily operations in modern SOCs. Read more about SIEMs below in Technologies Used in the SOC.
Security Operations (SecOps) is a collaboration between security and IT operations teams, where security and operations staff assume joint ownership and responsibility for security concerns. It is a set of SOC processes, practices and tools which can help organizations meet security goals more efficiently.
In the past, operations and security teams had conflicting goals. Operations was responsible for setting up systems to achieve uptime and performance goals. Security was responsible for verifying a checklist of regulatory or compliance requirements, closing security holes and putting defenses in place.
In this environment, security was a burden—perceived as something that slows down operations and creates overhead. But in reality, security is part of the requirements of every IT system, just like uptime, performance or basic functionality.
SecOps combines operations and security teams into one organization. Security is “shifting left”—instead of coming in at the end of the process, it is present at the beginning, when requirements are stated and systems are designed. Instead of having ops set up a system, then having security come in to secure it, systems are built from the get go with security in mind.
SecOps has additional implications in organizations which practice DevOps—joining development and operations teams into one group with shared responsibility for IT systems. In this environment, SecOps involves even broader cooperation—between security, ops and software development teams. This is known as DevSecOps. It shifts security even further left—baking security into systems from the first iteration of development.
The classic Security Operations Center is not compatible with SecOps—security analysts sit in their own room and respond to incidents, while operations are in another room, or building, running IT systems, with little or no communications between them. However, the modern SOC can foster a SecOps mentality:
Different organizations find themselves at different stages of developing their security presence. We define five stages of security maturity—in stages 4 and 5, an investment in a Security Operations Center becomes relevant and worthwhile.
“Security isn’t our top conern. We’ve got AV and FWs. We’re good!”
“We haven’t explored solutions and don’t belive we are at risk. We’ll deal with a breach if it happens.”
“We’re at risk, but budget is a problem. We’re overwhelemed by the alerts we’re facing. We need help prioritizing and addressing threats.”
“We have budget to invest in security. We have limited personnel and need to maximize them.”
“We’re knowledgable about security. We continuously innovate and improve our program.”
Following are common models for deploying a SOC within your organization:
Classic SOC with dedicated facility, dedicated full time staff, operated fully in house, 24×7 operations.
Some full time staff and some part-time, typically operates 8×5 in each region.
Multifunctional SOC / NOC
A dedicated facility with a dedicated team which performs both the functions of a Network Operations Center (NOC) and a SOC.
A traditional SOC combined with new functions such as threat intelligence, operational technology (OT).
Command SOC / Global SOC
Coordinates other SOCs in a global enterprise, provides threat intelligence, situational awareness and guidance.
No dedicated facility, part-time team members, usually reactive and activated by a high profile alert or security incident. The term Virtual SOC is also sometimes used for an MSSP or managed SOC (see below).
Managed SOC / MSSP / MDR
Many organizations are turning to Managed Security Service Providers (MSSP) to provide SOC services on an outsourced basis. Modern offerings are called Managed Detection and Response (MDR). Managed SOCs can be outsourced completely or co-managed with in-house security staff.
A Security Operations Center has a hierarchy of roles with a clear escalation path. Day-to-day alerts are received and investigated by the Tier 1 Analyst; a real security incident is stepped up to a Tier 2 Analyst; and business critical incidents pull in the Tier 3 Analyst and if necessary, the SOC Manager.
Tier 1 Analyst
System administration skills, web programming languages such as Python, Ruby, PHP, scripting languages, security certifications such as CISSP or SANS SEC401
Monitors SIEM alerts, manages and configures security monitoring tools. Prioritizes alerts or issues and performs triage to confirm a real security incident is taking place.
Tier 2 Analyst
Similar to Tier 1 analyst but with more experience including incident response. Advanced forensics, malware assessment, threat intelligence. White-hat hacker certification or training is a major advantage.
Receives incidents and performs deep analysis, correlates with threat intelligence to identify the threat actor, nature of the attack and systems or data affected. Decides on strategy for containment, remediation and recovery and acts on it.
Tier 3 Analyst
Subject Matter Expert / Threat Hunter
Similar to Tier 2 analyst but with even more experience including high-level incidents. Experience with penetration testing tools and cross-organization data visualization. Malware reverse engineering, experience identifying and developing responses to new threats and attack patterns.
Day-to-day, conducts vulnerability assessments and penetration tests, and reviews alerts, industry news, threat intelligence and security data. Actively hunts for threats that have found their way into the network, as well as unknown vulnerabilities and security gaps. When a major incident occurs, joins the Tier 2 Analyst in responding and containing it.
Tier 4 SOC Manager
Similar to Tier 3 analyst, including project management skills, incident response management training, strong communication skills.
Like the commander of a military unit, responsible for hiring and training SOC staff, in charge of defensive and offensive strategy, manages resources, priorities and projects, and manages the team directly when responding to business critical security incidents. Acts as point of contact for the business for security incidents, compliance and other security
Support and Infrastructure
Degree in computer science, computer engineering or information assurance, typically combined with certifications like CISSP.
A software or hardware specialist who focuses on security aspects in the design of information systems. Creates solutions and tools that help organizations deal robustly with disruption of operations or malicious attack. Sometimes employed within the SOC and sometimes supporting the SOC as part of development or operations teams.
A SOC cannot operate without technology. The table below summarizes traditional and next-generation tools used in today’s security operations center. Below we provide more details about a few of the most important.
Traditional Tools Used in the SOC
Next-Gen Tools Leveraged by Advanced SOCs
The foundational technology of a SOC is a SIEM system, which aggregates system logs and events from security tools from across the entire organization. The SIEM uses correlation and statistical models to identify events that might constitute a security incident, alert SOC staff about them, and provide contextual information to assist investigation. A SIEM functions as a “single pane of glass” which enables the SOC to monitor enterprise systems.
Firewalls are a standard part of any cybersecurity arsenal. Two new technologies are complementing or replacing the traditional firewall:
These technologies are leveraged in the modern SOC to reduce the attack profile of websites and web applications, and gather higher quality data about legitimate and malicious traffic hitting critical web properties.
EDR is a new category of tools that helps SOC teams respond to attacks on endpoints, like user workstations, mobile phones, servers or IoT devices. These tools are built around the assumption that attacks will happen, and that the SOC team usually has very limited visibility and control into what’s happening on a remote endpoint. EDR solutions are deployed on endpoints, provide instant, accurate data about malicious activity, and gives SOC teams remote control over endpoints to perform immediate mitigation.
For example, the SOC team can use EDR to identify 50 endpoints infected with Ransomware, isolate them from the network, wipe and re-image the machines. All this can be done in seconds to identify attacks as they happen, prevent them from spreading and support eradication.
Monitoring is a key function of tools used in the SOC. The SOC is responsible for enterprise-wide monitoring of IT systems and user accounts, and also monitoring of the security tools themselves—for example, ensuring antivirus is installed and updated on all organizational systems. The main tool that orchestrates monitoring is the SIEM. Organizations use many dedicated monitoring tools, such as network monitoring and Application Performance Monitoring (APM). However, for security purposes only the SIEM, with its cross-organizational view of IT and security data, can provide a complete monitoring solution.
These stages of tools adoption were proposed by Anthony Chuvakin of Gartner.
The SIEM can help security staff combine data about malware detected across the organization, correlate it with threat intelligence and help understand the systems and data affected. Next-gen SIEMs provide security orchestration capabilities, a visualization of incident timelines, and can even automatically “detonate” malware in a threat intelligence sandbox.
Phishing prevention and detection
The SIEM can use correlations and behavioral analysis to determine that a user clicked a phishing link, distributed via email or other means. When an alert is raised, analysts can search for similar patterns across the organization and across timelines to identify the full scope of the attack.
When an employee is suspected of direct involvement in a security incident, a SIEM can help by drawing in all data about the employee’s interaction with IT systems, over long periods of time. A SIEM can uncover anomalies like logins into corporate systems at unusual hours, escalation of privileges, or moving large quantities of data.
Departed employees risk mitigation
According to an Intermedia study, 89% of employees who leave their jobs retain access to at least some corporate systems, and use those credentials to log in. A SIEM can map out the problem in a large organization, identifying which systems have unused credentials, which former employees are accessing systems, and which sensitive data is affected.
Security Operations Center processes used to be completely isolated from other parts of the organization. Developers would build systems, IT operations would run them, and security were responsible for securing them. Today it is understood that joining these three functions into one organization—with joint responsibility over security—can improve security and create major operational efficiencies.
Here are a few ways in which a SOC can integrate its processes with dev and IT:
While SOCs are undergoing transformation and assuming additional roles, their core activity remains incident response. The SOC is the organizational unit that is expected to detect, contain, and mitigate cyber attacks against the organization. The people responsible for incident response are Tier 1, Tier 2 and Tier 3 analysts, and the software they primarily rely on is the SOC’s Security Information and Event Management (SIEM) system.
Tier 1 Analysts monitor user activity, network events, and signals from security tools to identify events that merit attention.
Tier 1 Analysts prioritize, select the most important alerts, and investigate them further. Real security incidents are passed to Tier 2 Analysts.
Containment and Recovery
Once a security incident has been identified, the race is on to gather more data, identify the source of the attack, contain it, recover data and restore system operations.
Remediation and Mitigation
SOC staff work to identify broad security gaps related to the attack and plan mitigation steps to prevent additional attacks.
Assessment and Audit
SOC staff assess the attack and mitigation steps, gather additional forensic data, draw final conclusions and recommendations, and finalize auditing and documentation.
A SIEM is a foundational technology in a SOC—here is how a SIEM can help with each incident response stage:
Alert generation and ticketing
A SIEM collects security data from organizational systems and security tools, correlates it with other events or threat data, and generates alerts for suspicious or anomalous events.
Searching and exploring data
A SIEM can help Tier 1 and Tier 2 analysts search, filter, slice and dice, and visualize years of security data. Analysts can easily pull and compare relevant data to better understand an incident.
Context on incidents and security orchestration
When a real security incident is identified, a SIEM provides context around the incident—for example, which other systems were accessed by the same IPs or user credentials.
Reporting and dashboarding
Remediation and mitigation are an ongoing activity, and they require visibility of the status and activity of critical security and IT systems. SIEMs have a cross-organization view which can provide this visibility.
One of the core functions of a SIEM is to produce reports and audits for regulatory requirements and standards like PCI DSS, HIPAA and SOX—both on an ongoing basis and following an incident or breach.
Next Gen SIEM
Next-generation SIEMs leverage machine learning and behavioral analytics to reduce false positives and alert fatigue, and discover hard-to-detect complex events like lateral movement, insider threats and data exfiltration.
Next Gen SIEM
Next-generation SIEMs are based on data lake technology that allows organizations to store unlimited data at low cost. They also leverage machine learning and User Event Behavioral Analytics (UEBA) to easily identify high risk events and surface them to analysts.
Next Gen SIEM
Next-generation SIEMs provide Security Orchestration and Automation (SOAR) capabilities. They integrate with other security systems and can automatically perform containment actions. For example, quarantine an email infected by Malware, download and test the Malware in a threat intel sandbox.
Next Gen SIEM
Next-generation SIEMs leverage machine learning and data science capabilities that establish smart baselines for groups of users and devices. This allows faster and more accurate detection of insecure systems or suspicious activity.
Here are a few important metrics that can help understand the scale of activity in the SOC, and how effectively analysts are handling the workload.
What it Measures
Mean Time to Detection (MTTD)
Average time the SOC takes to detect an incident
How effective the SOC is at processing important alerts and identifying real incidents
Mean Time to Resolution (MTTR)
Average time that transpires until the SOC takes action and neutralizes the threat
How effective the SOC is at gathering relevant data, coordinating a response and taking action
Total cases per month
Number of security incidents detected and processed by the SOC
How busy the security environment is and the scale of action the SOC is managing
Types of cases
Number of incidents by type—web attack, attrition (brute force and destruction), email, loss or theft of equipment, etc.
The main types of activity managed by the SOC and where security preventative measures should be focused
Number of units processed per analyst—alerts for Tier 1, incidents for Tier 2, threats discovered for Tier 3
How effective analysts are at covering maximum possible alerts and threats
Case escalation breakdown
Number of events that enter the SIEM, alerts reported, suspected incidents, confirmed incidents, escalated incidents
The effective capacity of the SOC at each level and the workload expected for different analyst groups
The Security Operations Center is undergoing an exciting transformation. It is integrating with ops and development departments, and is empowered by powerful new technologies, while retaining its traditional command structure and roles—to identify and respond to critical security incidents.
We showed how SIEM is a foundational technology of the SOC, and how next-generation SIEMs, which include new capabilities like behavioral analytics, machine learning and SOC automation, open up new possibilities for security analysts.
The impact of a next-gen SIEM on the SOC can be significant:
Exabeam is an example of a next-generation SIEM which combines data lake technology, visibility into cloud infrastructure, behavioral analytics, an automated incident responder and a threat hunting module with powerful data querying and visualization.
If you’d like to see more content like this, visit the Exabeam Information Security Blog
Components, best practices, and next-gen capabilitiesRead More
How SIEMs are built, how they generate insights, and how they are changingRead More
SIEM under the hood - the anatomy of security events and system logsRead More
User and Entity Behavioral Analytics detects threats other tools can’t seeRead More
Beyond alerting and compliance - SIEMs for insider threats, threat hunting and IoTRead More
From correlation rules and attack signatures to automated detection via machine learningRead More
Security Automation and Orchestration (SOAR) - the future of incident responseRead More
A comprehensive guide to the modern SOC - SecOps and next-gen techRead More
Evaluation criteria, build vs. buy, cost considerations and complianceRead More
SIEM Essentials QuizRead More