Security Operations Center (SOC)

A security operations center (SOC), also called an information security operations center (ISOC), is a centralized location where an information security team monitors, detects, analyzes and responds to cybersecurity incidents, typically on a 24/7/365 basis.

The security team, which consists of both security analysts and engineers, oversees all activity on servers, databases, networks, applications, endpoint devices, websites and other systems for the sole purpose of pinpointing potential security threats and thwarting them as quickly as possible. They also monitor relevant external sources (such as threat lists) that may affect the organization’s security posture.

A SOC must not only identify threats, but analyze them, investigate the source, report on any vulnerabilities discovered and plan how to prevent similar occurrences in the future. In other words, they’re dealing with security problems in real time, while continually seeking ways to improve the organization’s security posture.

On a larger scale, there are also Global Security Operations Centers (GSOC), coordinating security offices that literally span the globe. If you have offices around the world, a GSOC (rather than establishing a SOC for each international location) can prevent each location from repeating tasks and functions, reduce overhead and ensure that the security team has a big-picture view of what’s happening across the entire organization.

Below, we’ll cover the basic functions a SOC or GSOC, in addition to key aspects of establishing a SOC.

Cyber attacks are increasingly damaging to organizations. In 2018, billions of people were affected by data breaches and cyber attacks, and consumer confidence in organizations’ ability to protect their privacy and personal information continued to erode. Nearly 70 percent of consumers believe organizations are vulnerable to hacking and cyber attacks, and say they are less likely to continue or start doing business with organizations that have been compromised.

Simply put, SOCs offer assurance that threats will be detected and prevented in real time. Looking at a big-picture perspective, SOCs can:

Respond faster: The SOC provides a centralized, complete, real-time view of how the entire infrastructure is performing from a security standpoint, even if you have several locations and thousands of endpoints. You can detect, identify, prevent and resolve issues before they cause too much trouble for the business.

Protect consumer and customer trust: Consumers are already skeptical of most companies and are worried about their privacy. Creating a SOC to protect consumer and customer data can help build trust in your organization. And of course, preventing breaches protects that trust.

Minimize costs: While many organizations think establishing a SOC is cost prohibitive, the cost associated with a breach — including the loss of data, corrupted data or customer defection — are much higher. Additionally, SOC personnel will ensure that you’re using the right tools for your business to their full potential, so you won’t waste money on ineffective tools.

These benefits are hard to put a price on because they quite literally keep your business running. But do you absolutely need a SOC? If you’re subject to government or industry regulations, have suffered a security breach or are in the business of storing sensitive data — like customer information — the answer is yes.

The SOC leads real-time incident response and drives ongoing security improvements to protect the organization from cyber threats. By using a complex combination of the right tools and the right people to monitor and manage the entire network, a high-functioning SOC will provide:

• Proactive, around-the-clock surveillance of networks, hardware and software for threat and breach detection, and incident response.
• Expertise on all the tools your organization uses, including third-party vendors, to ensure they can easily resolve security issues.
• Installation, updating and troubleshooting of application software.
• Monitoring and managing of firewall and intrusion prevention systems.
• Scanning and remediation of antivirus, malware and ransomware solutions.
• Email, voice and video traffic management.
• Patch management and whitelisting.
• Deep analysis of security log data from various sources.
• Analysis, investigation and documentation of security trends.
• Investigation of security breaches to understand the root cause of attacks and prevent future breaches.
• Enforcement of security policies and procedures.
• Backup, storage and recovery.

The SOC uses a range of tools that collect data from across the network and various devices, monitors for anomalies and alerts staff of potential threats. However, the SOC does more than just handle problems as they pop up.

What does a SOC do when it’s not detecting threats? The SOC is tasked with finding weaknesses — both outside and within the organization — through ongoing software and hardware vulnerability analysis, as well as actively gathering threat intelligence on known risks. So even when there are seemingly no active threats (which may be rare, given that hacker attacks happen about every 39 seconds), SOC staff are proactively looking at ways to improve security. Vulnerability assessment includes actively trying to hack their own system to find weaknesses, which is known as penetration testing. Additionally, a core role of SOC personnel is security analysis: ensuring that the organization is using the correct security tools, optimally, and assessing what is and isn’t working.

Who works in a SOC?

The SOC is made up of highly skilled security analysts and engineers, along with supervisors who ensure everything is running smoothly. These are professionals trained specifically to monitor and manage security threats. Not only are they skilled in using a variety of security tools, they know specific processes to follow in the event that the infrastructure is breached.

Most SOCs adopt a hierarchical approach to manage security issues, where analysts and engineers are categorized based on their skill set and experience. A typical team might be structured something like this:

Level 1: The first line of incident responders. These security professionals watch for alerts and determine each alert’s urgency as well as when to move it up to Level 2. Level 1 personnel may also manage security tools and run regular reports.

Level 2: These personnel usually have more expertise, so they can quickly get to the root of the problem and assess which part of the infrastructure is under attack. They will follow procedures to remediate the problem and repair any fallout, as well as flag issues for additional investigation.

Level 3: At this level, personnel consist of high-level expert security analysts who are actively searching for vulnerabilities within the network. They will use advanced threat detection tools to diagnose weaknesses and make recommendations for improving the organization’s overall security. Within this group, you might also find specialists, such as forensic investigators, compliance auditors or cybersecurity analysts.

Level 4: This level consists of high-level managers and chief officers with the most years of experience. This group oversees all SOC team activities and is responsible for hiring and training, plus evaluating individual and overall performance. Level 4s step in during crises, and, specifically, serve as the liaison between the SOC team and the rest of the organization. They are also responsible for ensuring compliance with organization, industry and government regulations.

While the SOC is focused on monitoring, detecting and analyzing an organization’s security health 24/7/365, the main objective of the NOC, or network operations center, is to ensure that the network performance and speed are up to par and that downtime is limited.

SOC engineers and analysts search for cyberthreats and attempted attacks, and respond before an organization’s data or systems are compromised. NOC personnel search for any issues that could slow network speed or cause downtime. Both proactively monitor in real-time, with the goal of preventing problems before customers or employees are affected, and search for ways to make continual improvements so that similar issues don’t crop up again.

SOCs and NOCs should collaborate to work through major incidents and resolve crisis situations, and in some cases the SOC functions will be housed within the NOC. NOCs can detect and respond to some security threats, specifically as they pertain to network performance, if the team is properly trained and looking for those threats. A typical SOC wouldn’t have the capability to detect and respond to network performance issues without investing in different tools and skill sets.

Best practices for running a SOC include: developing a strategy, getting organization-wide visibility, investing in the right tools, hiring and training the right staff, maximizing efficiency and designing your SOC according to your specific needs and risks.

Develop a strategy: A SOC is an important investment; there’s a lot riding on your security planning. To create a strategy that covers your security needs, consider the following:

• What do you need to secure? A single on-premises network, or global? Cloud or hybrid? How many endpoints? Are you protecting highly confidential data or consumer information? What data is most valuable, and most likely to be targeted?

• Will you merge your SOC with your NOC or create two separate departments? Again, the capabilities are very different, and merging them requires different tools and personnel skills.

• Do you need 24/7/365 availability from your SOC staff? This affects staffing, cost and logistics.

• Will you build the SOC entirely in-house, or outsource some or all functions to a third-party vendor? A careful cost-benefit analysis will help define the trade-offs.

Make sure you have visibility across your entire organization: It’s imperative that your SOC has access to everything, no matter how small or seemingly insignificant, that could impact security. In addition to the larger infrastructure, that includes device endpoints, systems controlled by third parties and encrypted data.

Invest in the right tools and services: As you think about building your SOC, focus first on the tools. The sheer number of security events will be overwhelming without the right automated tools to deal with the “noise” and subsequently elevate significant threats. Specifically, you need to invest in:

• Security information and event management (SIEM): This single security management system offers full visibility into activity within your network, collecting, parsing and categorizing machine data from a wide range of sources on the network and analyzing that data so you can act on it in real time.
• Endpoint protection systems: Every device that connects to your network is vulnerable to attack. An endpoint security tool protects your network when said devices access it.
• Firewall: It will monitor incoming and outgoing network traffic and automatically block traffic based on security rules you establish.
• Automated application security: Automates the testing process across all software and provides the security team with real-time feedback about vulnerabilities.
• Asset discovery system: Tracks the active and inactive tools, devices and software being used on your network so you can evaluate risk and address weaknesses.
• Data monitoring tool: Allows you to track and evaluate data to ensure its security and integrity.
• Governance, risk and compliance (GRC) system: Helps you to ensure you’re compliant with various rules and regulations where and when you need to be.
• Vulnerability scanners and penetration testing: Lets your security analysts search for vulnerabilities and find undiscovered weaknesses within your network.
• Log management system: Allows you to log all those messages that come from every piece of software, hardware and endpoint device running on your network.

Hire the best and train them well: Hiring talented staff and continually improving their skills is central to success. The market for security talent is competitive. Once you get people hired, continually invest in training to improve their skills; this not only enhances security, it improves engagement and retention. Your team must understand application and network security, firewalls, information assurance, Linux, UNIX, SIEM, and security engineering and architecture. Your highest-level security analysts should possess these skills:

• Ethical hacking: You want one of your people actively trying to hack your system to uncover vulnerabilities within your system.
• Cyber forensics: Analysts must investigate issues and apply analysis techniques to both understand and preserve evidence from the investigations. If a case were to go to court, the security analyst must be able to provide a documented chain of evidence to show what occurred and why.
• Reverse engineering: This is the process of deconstructing software or rebuilding it to understand how it works and, more importantly, where it’s vulnerable to attacks so that the team can take preventive measures.
• Intrusion prevention system expertise: Monitoring network traffic for threats would be impossible without tools. Your SOCs need to know the ins and outs of how to use them properly.

Consider all your options: The most common types of SOC include:

• Internal SOCs, usually with a full-time staff based on-premises. The internal SOC comprises a physical room where all the action takes place.
• Virtual SOCs are not on-premises, and are made up of part-time or contracted workers who work together in a coordinated manner to resolve issues as needed. The SOC and the organization set parameters and guidelines for how the relationship will work, and how much support the SOC offers can vary depending on the needs of the organization.
• Outsourced SOCs, in which some or all functions are managed by an external managed security service provider (MSSP) that specializes in security analysis and response. Sometimes these companies provide specific services to support an internal SOC, and sometimes they handle everything .

SIEM makes the SOC more effective at securing your organization. Top security analysts — even those with the most advanced setups — can’t review the endless stream of data line by line to discover malicious activities, and that’s where SIEM can be a game changer.

As we’ve mentioned, a SIEM collects and organizes all the data coming from various sources within your network and offers your SOC team insights so that they can quickly detect and respond to internal and external attacks, simplify threat management, minimize risk, and gain organization-wide visibility and security intelligence.

SIEM is critical for SOC tasks, such as monitoring, incident response, log management, compliance reporting and policy enforcement. Its log management capabilities alone make it a necessary tool for any SOC. SIEM can parse through huge batches of security data coming from thousands of sources — in mere seconds — to find unusual behavior and malicious activity and stop it automatically. Much of that activity goes undetected without the SIEM.

The SIEM helps the SOC pull the logs together and make rules that enable automation and can drastically reduce false alerts. Security analysts are freed up to focus their attention on the real threats. Additionally, the SIEM can offer robust reporting that helps with both forensic investigations and compliance requirements.