A Security Operations Center (SOC) is a central function within an organization that deploys people, processes, and technology to continuously monitor and improve the organization’s security posture while preventing, detecting, analyzing, and responding to cybersecurity incidents.
A SOC acts like the hub or central command post, ingesting telemetry from across an organization’s IT infrastructure, including its networks, devices, appliances, and information stores, wherever those assets reside. The proliferation of advanced threats places great emphasis on gathering context from multiple sources. Essentially, the SOC is the correlation point for every event logged in the organization being monitored. For each of these events, the SOC must decide how to manage and handle them.
Security operations staffing and organizational structure
The function of a security operations team, and often a security operations center (SOC), is to monitor, detect, investigate and respond to cyber threats 24/7. Security teams are tasked with monitoring and protecting many assets such as intellectual property, personnel data, business systems, and brand integrity. As an implementation component of an organization’s overall cybersecurity framework, security operations teams act as a focal point of collaboration in coordinated efforts to monitor, assess, and defend against cyberattacks.
SOCs are typically built on a hub-and-spoke architecture in which a security information and event management (SIEM) system aggregates and correlates data from security feeds. Spokes of this model can integrate a variety of systems, such as vulnerability assessment solutions; governance, risk and compliance (GRC) systems; application and database scanners; intrusion prevention systems (IPS); user and entity behavior analytics (UEBA); endpoint detection and response (EDR); and threat intelligence platforms (TIP).
The SOC is typically led by a SOC Manager and may include Incident Responders, SOC Analysts (Level 1, 2, and 3), Threat Hunters, and Incident Response Manager(s). The SOC reports to the CISO, who in turn reports either to the CIO or directly to the CEO.
Ten key functions of the SOC
Inventory of available resources
The SOC is responsible for two kinds of assets: the devices, processes, and applications it must protect, and the defensive tools it has at its disposal to provide that protection.
– What The SOC Protects
The SOC cannot protect devices and data that it cannot see. Without visibility and control from the device to the cloud, there are likely blind spots in the network security posture that can be found and exploited. The SOC’s goal, therefore, is to gain a complete view of the organization’s threat landscape, including not only the various types of endpoints, servers, and software on-premises but also third-party services and the traffic between those assets.
– How the SOC protects
The SOC should also have a complete understanding of all available cybersecurity tools and all workflows used in the SOC. This increases agility and allows the SOC to operate at maximum efficiency.
Preparedness and preventive maintenance
Even the best-equipped and most agile response processes cannot prevent problems from occurring. To keep attackers at bay, the SOC implements preventive measures that can be divided into two main categories.
– Preparation
Team members should stay informed about the latest security innovations, the latest trends in cybercrime, and the evolution of new threats on the horizon. This research can help create a security roadmap that guides the organization’s cybersecurity efforts into the future and a disaster recovery plan that serves as a guide in the worst-case scenario.
– Preventive maintenance
This step includes all actions taken to make successful attacks harder: regularly maintaining and updating existing systems, updating firewall policies, patching vulnerabilities, and whitelisting, blacklisting, and hardening applications.
Continuous, Proactive Monitoring
Tools used by the SOC monitor the network around the clock to identify anomalies or suspicious activity. Because monitoring is continuous, the SOC can be alerted to emerging threats immediately, giving it the best chance to prevent or mitigate damage. Monitoring tools can include a SIEM or an EDR; the most advanced of these use behavioral analytics to learn the difference between normal daily operations and actual threat behavior, minimizing the amount of triage and analysis that humans must perform.
Alert ranking and management
When monitoring tools issue alerts, it is the SOC’s responsibility to look closely at each one, discard false positives, and determine how aggressive the real threats are and what they might be targeting. This allows the SOC to triage emerging threats appropriately and address the most pressing issues first.
Threat Response
These are the actions most people think of when they think of the SOC. Once an incident is confirmed, the SOC acts as a first responder, performing actions such as shutting down or isolating endpoints, killing malicious processes (or preventing them from running), deleting files, and more. The goal is to respond at the required scale while minimizing the impact on business continuity.
Recovery and remediation
After an incident, the SOC recovers systems and restores lost or compromised data. This may include wiping and reimaging endpoints, reconfiguring systems, or, in the case of ransomware attacks, restoring from backups that were taken before the compromise and verified to be clean. If this step is successful, the network returns to the state it was in before the incident.
Log management
The SOC is responsible for collecting, managing, and regularly reviewing the logs of all network activity and communications for the entire organization. This data helps define a baseline for “normal” network activity, can reveal the presence of threats, and can be used for remediation and forensics after an incident. Many SOCs use a SIEM to aggregate and correlate data feeds from applications, firewalls, operating systems, and endpoints, all of which create their own internal logs.
Investigate the root cause
After an incident, the SOC is responsible for finding out exactly what happened, when, how, and why. During this investigation, the SOC uses log data and other information to trace the problem to its source to prevent similar issues from occurring in the future.
Security refinement and improvement
Cybercriminals are constantly refining their tools and tactics, and to stay ahead of them the SOC must continually implement improvements. During this step, the plans outlined in the security roadmap come to life, but this refinement can also include hands-on exercises such as red-teaming and purple-teaming.
Compliance Management
Many of the SOC’s processes are guided by best practices, but some are subject to compliance requirements. The SOC is responsible for regularly reviewing its systems to ensure compliance with such regulations that may be issued by its organization, industry, or governing bodies. Examples of these regulations include the GDPR, HIPAA, and PCI DSS. Compliance with these regulations not only helps protect the sensitive data with which the company has been entrusted but can also protect the company from reputational damage and legal challenges resulting from a breach.
Optimizing a security operations model
While incident handling monopolizes much of the SOC’s resources, the chief information security officer (CISO) is responsible for the big picture of risk and compliance. To bridge operational and data silos across these functions, an effective strategy requires an adaptive security architecture that enables organizations to execute optimized security operations. This approach increases efficiency through integration, automation, and orchestration, reducing workload while improving your information security management.
An optimized security operations model requires the adoption of a security framework that makes it easy to integrate security solutions and threat intelligence into daily processes. SOC tools such as centralized and actionable dashboards help integrate threat data into security monitoring dashboards and reports to keep operations and management informed of evolving events and activities. By linking threat management to other risk and compliance management systems, SOC teams can better manage the overall risk posture. Such configurations support continuous visibility across systems and domains and can use actionable intelligence to drive better accuracy and consistency in security operations. Centralized capabilities reduce the burden of manual data sharing, monitoring, and reporting.
Operationalizing threat management should begin with a thoughtful assessment. In addition to defenses, an organization should assess processes and policies. Where is the organization strong? What are the gaps? What is the risk posture? What data is being collected, and how much of it is being used?
While every organization is different, certain core functions and best practices for security operations today represent due diligence. A sound threat management process begins with a plan and includes detection (including baseline calculation to drive anomaly detection, normalization, and correlation), triage (based on risk and asset), analysis (including contextualization), and scoping (including iterative investigation). Threat management processes feed prioritized and characterized cases into incident response programs. A well-defined response plan is a key to containing a threat or minimizing the damage from a data breach.
Figure 1. Threat management plan for a security operations center (SOC): threat management plans integrate and structure many security and IT operations processes.
Effective visibility and threat management rely on many data sources, but it can be difficult to sort useful and timely information from the rest. The most valuable data has proven to be event data generated by countermeasures and IT assets, indicators of compromise (IOCs) generated internally (via malware analysis) and externally (via threat intelligence feeds), and system data available from sensors (host, network, database, and so on).
Data sources like these are not just input to threat management. They add context and make the information valuable and actionable for more precise, accurate, and rapid assessment throughout the iterative and interactive threat management process. Access to and effective use of the right data to support plans and procedures is a measure of organizational maturity. A “mature” scenario would include a workflow that delivers the right information or enables direct action within operational consoles and across products. This workflow integrates IT operations and security teams and tools into incident response when a critical event occurs.
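The threat management process described above (detection with baseline calculation, normalization and correlation; triage based on risk and asset) and the data sources just listed (event data, internally and externally sourced IOCs, sensor data) are easier to picture end to end as code. The following is an added example and is not code from the page or from any SIEM product: it normalizes two constructed feeds (a firewall syslog-like format and EDR JSON lines, both hypothetical schemas) into one event schema, builds a per-host baseline from a history window, flags anomalous minutes in the detection window, correlates every event against an IOC list, and triages the findings into cases ranked by asset criticality. All log lines, IP addresses, hashes, host names, the asset inventory, the severity weights and the anomaly threshold are constructed for illustration.

```python
"""Miniature threat-management pipeline: normalize -> baseline -> correlate -> triage.
Added, hypothetical example. Every log line, IOC, host, weight and threshold is constructed."""
import json
import re
import statistics
from collections import Counter, defaultdict

# Constructed firewall events. Minutes 10:00-10:02 form the baseline window;
# 10:03 is the detection window, in which 10.0.1.5 bursts to a known-bad IP.
FIREWALL_LOGS = "\n".join([
    "2024-05-01T10:00:01Z fw01 ALLOW src=10.0.1.5 dst=93.184.216.34 dport=443",
    "2024-05-01T10:00:03Z fw01 ALLOW src=10.0.1.7 dst=93.184.216.34 dport=443",
    "2024-05-01T10:01:02Z fw01 ALLOW src=10.0.1.5 dst=93.184.216.34 dport=443",
    "2024-05-01T10:01:07Z fw01 ALLOW src=10.0.1.5 dst=198.51.100.23 dport=80",
    "2024-05-01T10:01:09Z fw01 ALLOW src=10.0.1.7 dst=93.184.216.34 dport=443",
    "2024-05-01T10:02:04Z fw01 ALLOW src=10.0.1.5 dst=93.184.216.34 dport=443",
    "2024-05-01T10:02:08Z fw01 DENY src=10.0.1.7 dst=198.51.100.23 dport=23",
    "2024-05-01T10:03:01Z fw01 ALLOW src=10.0.1.7 dst=93.184.216.34 dport=443",
    "garbage line that the parser must skip",
] + [f"2024-05-01T10:03:{s:02d}Z fw01 ALLOW src=10.0.1.5 dst=203.0.113.9 dport=443"
     for s in range(5, 60, 10)])  # six beacons inside one minute (constructed)

# Constructed EDR events (JSON lines, hypothetical schema).
EDR_LOGS = """\
{"ts": "2024-05-01T10:03:00Z", "host": "ws-finance-02", "ip": "10.0.1.5", "event": "process_start", "sha256": "f00dbabe"}
{"ts": "2024-05-01T10:03:20Z", "host": "ws-kiosk-01", "ip": "10.0.1.7", "event": "process_start", "sha256": "c0ffee00"}
"""

# Constructed IOCs from the two sources the text names, and a constructed asset inventory.
IOCS = {"ip": {"203.0.113.9": "external threat-intel feed"},
        "sha256": {"f00dbabe": "internal malware analysis", "c0ffee00": "external threat-intel feed"}}
ASSETS = {"10.0.1.5": ("ws-finance-02", 4),   # ip -> (hostname, criticality 1..5)
          "10.0.1.7": ("ws-kiosk-01", 1)}
WEIGHT = {"ioc": 5, "anomaly": 3}             # constructed finding-kind severities

FW_RE = re.compile(r"^(?P<ts>\S+) (?P<sensor>\S+) (?P<action>ALLOW|DENY) "
                   r"src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+)$")

def normalize(fw_text, edr_text):
    """Map both feeds onto one schema; returns (events sorted by time, skipped line count)."""
    events, skipped = [], 0
    for line in fw_text.splitlines():
        m = FW_RE.match(line)
        if not m:
            skipped += 1          # count drops: silently lost lines are a visibility gap
            continue
        d = m.groupdict()
        events.append({"ts": d["ts"], "src": "firewall", "host_ip": d["src"],
                       "dst_ip": d["dst"], "sha256": None})
    for line in edr_text.splitlines():
        if line.strip():
            d = json.loads(line)
            events.append({"ts": d["ts"], "src": "edr", "host_ip": d["ip"],
                           "dst_ip": None, "sha256": d.get("sha256")})
    events.sort(key=lambda e: e["ts"])
    return events, skipped

def minute(ts):
    return ts[:16]                # "2024-05-01T10:03"; ISO strings compare lexically

def firewall_counts(events, pred):
    counts = defaultdict(Counter)
    for e in events:
        if e["src"] == "firewall" and pred(minute(e["ts"])):
            counts[e["host_ip"]][minute(e["ts"])] += 1
    return counts

def build_baseline(events, until):
    """Per-host (mean, population stdev) of firewall events per minute before `until`.
    Minutes with no events are not represented; a real baseline would fill them with zeros."""
    return {host: (statistics.mean(c.values()), statistics.pstdev(c.values()))
            for host, c in firewall_counts(events, lambda m: m < until).items()}

def detect_anomalies(events, base, since, min_delta=3.0):
    """Flag (host, minute) buckets whose count exceeds mean + max(3*stdev, min_delta).
    min_delta is a constructed floor so a flat baseline does not flag every small change."""
    findings = []
    for host, per_min in firewall_counts(events, lambda m: m >= since).items():
        mean, sd = base.get(host, (0.0, 0.0))
        threshold = mean + max(3 * sd, min_delta)
        for m, n in per_min.items():
            if n > threshold:
                findings.append((host, "anomaly", f"{n} events in {m}, baseline mean {mean:.1f}"))
    return findings

def correlate_iocs(events, iocs):
    """Match destination IPs and file hashes against the IOC list, tagging the source."""
    findings = []
    for e in events:
        if e["dst_ip"] in iocs["ip"]:
            findings.append((e["host_ip"], "ioc", f"connection to {e['dst_ip']} ({iocs['ip'][e['dst_ip']]})"))
        if e["sha256"] in iocs["sha256"]:
            findings.append((e["host_ip"], "ioc", f"hash {e['sha256']} ({iocs['sha256'][e['sha256']]})"))
    return findings

def triage(findings, assets):
    """One case per host, ranked by asset criticality times the distinct finding-kind weights."""
    cases = defaultdict(lambda: {"kinds": set(), "details": []})
    for host, kind, detail in findings:
        cases[host]["kinds"].add(kind)
        if detail not in cases[host]["details"]:   # six identical beacons become one line
            cases[host]["details"].append(detail)
    ranked = []
    for host, c in cases.items():
        name, crit = assets.get(host, ("unknown-asset", 3))  # not in inventory: a gap to fix
        ranked.append({"host": name, "ip": host, "findings": c["details"],
                       "score": crit * sum(WEIGHT[k] for k in c["kinds"])})
    return sorted(ranked, key=lambda c: c["score"], reverse=True)

def run(fw_text=FIREWALL_LOGS, edr_text=EDR_LOGS, cutoff="2024-05-01T10:03"):
    events, skipped = normalize(fw_text, edr_text)
    base = build_baseline(events, until=cutoff)
    findings = detect_anomalies(events, base, since=cutoff) + correlate_iocs(events, IOCS)
    return triage(findings, ASSETS), skipped

if __name__ == "__main__":
    cases, skipped = run()
    print(f"skipped {skipped} unparseable line(s)")
    for c in cases:
        print(c["score"], c["host"], c["findings"])
```

The ranking is the point of the triage step: both hosts match an IOC, but the finance workstation also shows an anomalous burst and sits on a higher-criticality asset, so it scores 32 against the kiosk's 5 and is the case an analyst opens first. The skipped-line counter and the "unknown-asset" fallback are the two checks worth keeping in any real pipeline, because lines the parser cannot read and hosts the inventory does not know are exactly the blind spots the inventory function above warns about.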
All of these assessments will help prioritize where to increase investment or reduce friction to ensure threat management implementation meets objectives. Consultants and penetration testing can help compare strategy and organizational maturity and review security responses against attacks to provide an up-to-date measure of an organization’s ability to detect and mitigate harmful events. By comparing to peer organizations, this verified review can help justify and explain the need to redirect or invest resources in cybersecurity operations.