As most businesses are now well aware, technology alone is not enough to protect businesses against increasingly sophisticated cyber threats.
Modern, effective cyber security demands a strategic combination of technology, intelligence and human expertise. A Security Operations Centre (SOC) is an effective way to strike this balance, providing the right level of support required to prevent, detect and respond to threats 24/7.
What is a SOC?
A Security Operations Centre (SOC) is a facility that houses a dedicated team responsible for overseeing and enhancing an organisation’s cyber security. This team, typically comprising security analysts, engineers and incident responders, is tasked with cyber incident prevention, round-the-clock security event management, and the configuration and maintenance of all deployed security technologies.
However, the SOC does not always have to be a physical facility. In some cases it operates as a virtual SOC function. In organisations that are less mature or more resource-constrained, staff members can be engaged to perform security operational functions on a remote or ad-hoc basis. A SOC may be referred to as a ‘cyber security operations centre’.
What functions does a SOC perform?
A SOC is focused on threat prevention, detection and response. Typical functions performed by a SOC team include:
- System deployment and management
- Log management and monitoring
- Threat intelligence analysis
- Vulnerability management
- Event investigation and triage
- Threat hunting
- Use case development
- Incident response
- Root cause analysis
- Breach notification
- Compliance reporting
- Employee security training
What technologies does a SOC need to protect an organisation?
Harnessing a combination of prevention, detection and deception technologies, as well as a range of in-house and external threat intelligence sources, a SOC is designed to detect threats across an organisation’s networks and endpoints.
The security technologies managed by SOCs include:
- Endpoint Detection and Response (EDR)
- Security Information and Event Management (SIEM)
- Extended Detection and Response (XDR)
- Security Orchestration, Automation and Response (SOAR)
- Intrusion Detection System (IDS)
- Network Traffic Analysis (NTA)
- Next-Generation Antivirus (NGAV)
- Next-Generation Firewalls (NGFW)
- Vulnerability Management and Assessment
Which personnel are needed to run a SOC?
A wide range of staff with diverse skillsets is needed to ensure that a SOC has both the capacity and capability to function all day, every day.
Key personnel within a SOC include:
Cyber security analysts
Cyber security analysts are vital to every SOC, as they conduct 24/7 security event monitoring, incident analysis and triage, and perform essential response activities.
In a larger SOC, it is not uncommon to find senior security analysts focused on specific responsibilities such as threat intelligence, proactive threat hunting and forensics.
Cyber security engineers
Cyber security engineers work closely with cyber security analysts to deploy and configure an organisation’s security technologies, such as firewalls, SIEM, intrusion detection, and endpoint detection and response platforms.
Another key responsibility is tuning all technologies to ensure that they are as effective as possible and generate fewer false positives. This involves baselining technologies to more easily identify deviations from typical activity, as well as setting up threat detection rules, or use cases, to detect specific types of suspicious activity and trigger automated responses.
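To make the baselining and use-case idea concrete, here is an added example in Python; it is not code from the original article or from any SOC product. It assumes a constructed SSH authentication log format and a hypothetical playbook mapping (both labelled in the code), builds a per-host baseline of failed logins per hour over a historical window, raises an alert when the current hour deviates from that baseline, and attaches the agreed response action to the alert.

```python
"""Baseline-and-deviation detection use case over constructed SSH auth logs."""
from __future__ import annotations

import re
import statistics
from collections import defaultdict
from dataclasses import dataclass

# Assumed log format (constructed for this example, not a real product's):
#   <ISO-8601 UTC timestamp> <host> sshd: Failed password for <user> from <ip>
LOG_RE = re.compile(
    r"^(?P<hour>\d{4}-\d{2}-\d{2}T\d{2}):\d{2}:\d{2}Z (?P<host>\S+) sshd: "
    r"Failed password for (?P<user>\S+) from (?P<ip>\S+)$"
)

# Hypothetical playbook: use-case name -> mutually agreed response action.
PLAYBOOK = {
    "ssh_failed_login_deviation":
        "open incident, block source IPs at perimeter, page on-call analyst",
}


@dataclass(frozen=True)
class Baseline:
    mean: float
    stdev: float


def failed_logins_per_hour(lines):
    """Count failed SSH logins per host per hour bucket, e.g. '2024-01-07T09'."""
    counts = defaultdict(lambda: defaultdict(int))
    for line in lines:
        m = LOG_RE.match(line)
        if m:  # other event types are ignored by this use case
            counts[m["host"]][m["hour"]] += 1
    return counts


def build_baseline(hourly_counts, window_hours):
    """Mean/stdev of failures per hour over the window. Hours with no failures
    count as zero; dropping them would bias the baseline upwards."""
    values = [hourly_counts.get(h, 0) for h in window_hours]
    return Baseline(statistics.fmean(values), statistics.pstdev(values))


def deviation_threshold(baseline, sigma=3.0, floor=5):
    """Alert above mean + sigma*stdev, but never below an absolute floor, so a
    host with a near-zero baseline does not alert on a handful of typos."""
    return max(baseline.mean + sigma * baseline.stdev, floor)


def run_use_case(lines, window_hours, current_hour):
    """Evaluate the use case for one hour; return alerts with playbook actions."""
    counts = failed_logins_per_hour(lines)
    alerts = []
    for host in sorted(counts):
        baseline = build_baseline(counts[host], window_hours)
        threshold = deviation_threshold(baseline)
        observed = counts[host].get(current_hour, 0)
        if observed > threshold:
            alerts.append({
                "use_case": "ssh_failed_login_deviation",
                "host": host,
                "observed": observed,
                "threshold": round(threshold, 2),
                "action": PLAYBOOK["ssh_failed_login_deviation"],
            })
    return alerts


def _event(hour, host, ip, minute=0):
    """Build one constructed failed-login line in the assumed format."""
    return f"{hour}:{minute:02d}:00Z {host} sshd: Failed password for admin from {ip}"


# Constructed sample data: a 24-hour baseline window and one current hour.
BASELINE_HOURS = [f"2024-01-07T{h:02d}" for h in range(24)]
CURRENT_HOUR = "2024-01-08T09"

SAMPLE_LOGS = []
for i, hour in enumerate(BASELINE_HOURS):
    # web01 normally sees 2-5 mistyped passwords an hour (mean 3.5)
    SAMPLE_LOGS += [_event(hour, "web01", "198.51.100.7", m) for m in range(2 + i % 4)]
# Current hour: web01 sees 25 failures from one address, db01 sees 3 (normal),
# and app01 is a new host with no history at all that sees 7.
SAMPLE_LOGS += [_event(CURRENT_HOUR, "web01", "203.0.113.5", m) for m in range(25)]
SAMPLE_LOGS += [_event(CURRENT_HOUR, "db01", "198.51.100.7", m) for m in range(3)]
SAMPLE_LOGS += [_event(CURRENT_HOUR, "app01", "203.0.113.9", m) for m in range(7)]
# A successful login is not matched by the rule and is ignored.
SAMPLE_LOGS.append("2024-01-08T09:05:00Z web01 sshd: Accepted publickey for deploy from 198.51.100.7")

if __name__ == "__main__":
    for alert in run_use_case(SAMPLE_LOGS, BASELINE_HOURS, CURRENT_HOUR):
        print(alert)
```

Two tuning decisions are the ones an engineer would revisit when false positives are high: the number of standard deviations (`sigma`) that counts as a deviation, and the absolute floor that stops hosts with almost no history from alerting on trivial counts. In a live SOC the hourly counts would come from the SIEM rather than a list of strings, but the baseline and threshold logic is the same.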
Cyber incident responders
Cyber incident responders are responsible for helping to address and manage security incidents when they occur, by building an understanding of the incident, taking control and coordinating quick and effective response to protect the organisation’s assets, operations, and reputation. Cyber incident responders also conduct forensics to identify the root cause of a problem and help to prevent similar incidents from happening again.
The SOC also requires a manager and team leads to coordinate shift rotas, training and onboarding, perform KPI monitoring, drive continuous improvement and oversee day-to-day SOC management.
What should a modern SOC look like?
Threat hunting and offensive capabilities are becoming increasingly critical for SOCs. Modern SOCs are under more pressure than ever to be proactive in their approach to threat detection and response – not just waiting for alerts and passing them on to a network operations centre (NOC) or, in smaller organisations, to an individual IT owner or Managed IT Service Provider, to take action.
Cyber threat hunting facilitates the early detection of attacks that bypass traditional network defences, using root cause and forensic analysis to reduce the impact of active threats and prevent intrusions from happening in the future.
SOCs are now expected to be able to take swift action to disrupt, contain and remediate cyber breaches, for example using endpoint management tools to isolate affected machines from the network.
Including incident response as part of the SOC enables tighter integration between detection and response, and is an essential factor to maintain a robust security posture.
Threat intelligence also plays an increasingly important role in ensuring systems are tuned and use cases are developed to identify the latest threats.
The modern SOC will also have standardised incident response playbooks that provide mutually agreed decisions on the appropriate actions that should be taken in various attack scenarios. With threat detection use cases set up to identify specific sets of malicious behaviours, SOCs can then automate some of these responses to enable swifter remediation.
What are the indicators of a successful SOC?
With the significant investment involved in the set-up and running of a SOC, it needs to be able to demonstrate to stakeholders, internal or external, that it is helping to improve an organisation’s cyber security. This means measuring key metrics and having processes and procedures in place to report them.
Consistent measurements will be required to review the essential functions and overall performance of a SOC. It is important to remember that the success of the technology deployed will not be judged by the implementation itself, but by how it adds value to the organisation.
Mean time to detect (MTTD) is the average time it takes to identify that a cyber breach has taken place. When an organisation suffers multiple breach incidents over time, the time taken to discover each one can be averaged to produce this figure.
Another popular metric is mean time to respond (MTTR), sometimes called mean time to resolve. Instead of the average time to detection, this is the average length of time an organisation takes to act on and fix the discovered breach or vulnerability.
These measurements alone cannot be relied upon as true indicators of success, and an accompanying programme of testing is important to gauge effectiveness, rather than just efficiency. Scenario-based testing is an effective way to achieve this – simulating a wide range of adversarial techniques and providing recommendations to enhance the protection of key assets.
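As an added illustration of the two metrics and of why they should not be read in isolation, the following Python (not from the original article) computes MTTD and MTTR from constructed incident records. The `Incident` fields are assumptions for the example. It reports the median alongside the mean and counts incidents that are still open, because one long-dwell breach or a few quick fixes can make the averages misleading, and it breaks the figures down by severity.

```python
"""MTTD and MTTR from constructed incident records, with the caveats made visible."""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import fmean, median
from typing import Optional


@dataclass(frozen=True)
class Incident:
    """Assumed record shape for this example (hypothetical, not a product schema)."""
    ident: str
    severity: str
    occurred: datetime            # when the breach began, as established by forensics
    detected: datetime            # when the SOC identified it
    resolved: Optional[datetime]  # None while the incident is still open


def _hours(delta: timedelta) -> float:
    return delta.total_seconds() / 3600


def time_to_detect(inc: Incident) -> float:
    """Dwell time in hours: from start of the breach to its detection."""
    return _hours(inc.detected - inc.occurred)


def time_to_respond(inc: Incident) -> float:
    """Hours from detection to resolution; only defined for closed incidents."""
    if inc.resolved is None:
        raise ValueError(f"{inc.ident} is still open")
    return _hours(inc.resolved - inc.detected)


def soc_metrics(incidents):
    """Return MTTD/MTTR (mean and median, in hours). MTTR covers closed
    incidents only, so the number of open incidents is reported alongside it."""
    if not incidents:
        raise ValueError("no incidents to measure")
    ttd = [time_to_detect(i) for i in incidents]
    closed = [i for i in incidents if i.resolved is not None]
    ttr = [time_to_respond(i) for i in closed]
    return {
        "incidents": len(incidents),
        "open": len(incidents) - len(closed),
        "mttd_hours": round(fmean(ttd), 2),
        "median_ttd_hours": round(median(ttd), 2),
        "mttr_hours": round(fmean(ttr), 2) if ttr else None,
        "median_ttr_hours": round(median(ttr), 2) if ttr else None,
    }


def metrics_by_severity(incidents):
    """Same metrics, grouped by severity, so a fast low-severity queue does not
    hide slow handling of high-severity incidents."""
    groups = defaultdict(list)
    for inc in incidents:
        groups[inc.severity].append(inc)
    return {sev: soc_metrics(incs) for sev, incs in groups.items()}


# Constructed sample records (not real incidents). INC-3 was dwelling for
# weeks before detection and is still open, which skews the mean MTTD.
SAMPLE_INCIDENTS = [
    Incident("INC-1", "high", datetime(2024, 3, 1, 2, 0), datetime(2024, 3, 1, 3, 30),
             datetime(2024, 3, 1, 9, 30)),
    Incident("INC-2", "medium", datetime(2024, 3, 3, 10, 0), datetime(2024, 3, 3, 10, 20),
             datetime(2024, 3, 3, 12, 20)),
    Incident("INC-3", "high", datetime(2024, 2, 10, 0, 0), datetime(2024, 3, 5, 8, 0), None),
    Incident("INC-4", "low", datetime(2024, 3, 6, 14, 0), datetime(2024, 3, 6, 14, 5),
             datetime(2024, 3, 6, 15, 5)),
]

if __name__ == "__main__":
    print(soc_metrics(SAMPLE_INCIDENTS))
    for sev, m in metrics_by_severity(SAMPLE_INCIDENTS).items():
        print(sev, m)
```

With the sample records the mean MTTD is about 146 hours while the median is under an hour: the single long-dwell incident dominates the average, which is exactly the kind of distortion that makes scenario-based testing a necessary companion to the numbers.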
What are the challenges of running a SOC?
There is a growing need across many industries for businesses to proactively hunt for and eliminate threats before they cause serious financial and reputational damage. However, the cost of setting up an in-house SOC to perform these vital functions is often out of reach to all but the largest organisations.
Protecting businesses against the latest cyber threats demands a range of technologies to prevent and gain visibility of malicious activity across an IT environment. However, many security systems generate a large volume of alerts, and without a specialist team dedicated to investigating them, it can be easy to get buried in the noise. It is also common for stretched security teams to suffer cyber security alert fatigue.
Shortage of specialist staff
Talented staff with a cyber security education are required, but it isn’t always easy to find the specialists needed for continuous monitoring, comprehensive data analysis and incident response.
In light of the global security skills shortage, reportedly up to 4 million, it can be expensive to recruit, retain and continuously train staff for the successful operation of a SOC. To ensure round-the-clock protection, organisations need a minimum of 10 employees to cover three 8-hour shifts a day, 24/7/365. For very large enterprises this figure can rise to upwards of 30 or more.
High staff turnover
Even when they do find and hire the right people, organisations also come under pressure from high SOC staff turnover caused by burnout and stress, particularly when coordinating a 24/7 shift rota.
With ever-growing IT estates, simply having the right technology is not sufficient. Monitoring multiple disparate tools is complex and an in-house SOC also requires a significant investment in people, training and processes. Being successful also comes at a price, with research showing that the more effective the SOC, and the more complete its security coverage, the higher the cost.
Lack of return on investment
Despite the significant investment required, just 50% of organisations rate their in-house SOC as being effective, according to research by Devo and the Ponemon Institute, with only 24% of organisations saying they can resolve security incidents within hours or even days.
What are the advantages of outsourcing a SOC?
SOC-as-a-service is a hassle-free and cost-effective option for organisations that lack the necessary budget and resources to build an in-house operation, and many businesses are now looking to outsource part or all of their SOC capability.
An outsourced SOC reduces the complexity of managing disparate security technologies by deploying, configuring and managing chosen security tools around-the-clock. Its advantages include:
- Combined automation and human expertise
- Organisation-wide visibility
- Reduced breach impact through the use of threat intelligence
- Continually updated security insight and practices
- No pressure to find, hire and train staff and continually address high turnover
What does a successful SOC look like?
A successful SOC is one that not only meets an organisation’s security needs but also stays up to date with changing security challenges. It is set up to respond quickly and effectively to new and emerging threats, with the flexibility to scale up and down as required.
As part of ensuring their own security success, many organisations are now opting for advanced detection and response capabilities from providers of Managed Detection and Response (MDR). This type of service provides a complete turnkey approach – supplying the people, tools and intelligence needed to hunt for, disrupt and contain cyber threats – and can include the support of an external SOC, staffed by security experts, 24/7/365.
The advantages of MDR are being increasingly recognised, with Gartner predicting that by 2024, 25% of organisations will be using MDR services, up from less than 5% in 2020.