In today’s rapidly changing digital landscape, technology alone is insufficient to protect businesses. Modern, effective cyber security requires a calculated combination of technology, intelligence and human expertise. A Security Operations Centre (SOC) is an effective way to strike this balance, providing the level of support needed to prevent, detect and respond to threats 24/7.
What is a SOC?
A Security Operations Centre (SOC) is a facility that houses a dedicated team responsible for overseeing and enhancing an organisation’s cyber security. This team, typically comprising security analysts, engineers and incident responders, is tasked with cyber incident prevention, around-the-clock security event management, and the configuration and maintenance of all deployed security technologies.
However, the SOC does not always have to be a physical facility; in some cases it operates as a virtual SOC function. In organisations that are less mature or resource-constrained, staff members can be engaged to perform security operational functions on a remote or ad-hoc basis. A SOC is sometimes referred to as a ‘cyber security operations centre’ or a ‘cyber fusion centre’.
What functions does a SOC perform?
A SOC is concerned with threat prevention, detection and response. Typical functions performed by a SOC team include:
- System deployment and management
- Log management and monitoring
- Threat intelligence management
- Vulnerability management
- Event investigation and triage
- Incident management
- Root cause analysis
- Compliance reporting
- Employee security training
What technologies does a SOC need to protect an organisation?
Using a combination of prevention, detection and deception technologies, as well as a range of in-house and external threat intelligence sources, a SOC is designed to detect threats across an organisation’s networks and endpoints.
The security technologies managed by SOCs include:
- Intrusion Detection System (IDS)
- Next-Generation Antivirus (NGAV)
- Security Information and Event Management (SIEM)
- Network Traffic Analysis (NTA)
- Endpoint Detection and Response (EDR)
- Vulnerability Management and Assessment
What personnel are needed to run a SOC?
To ensure that a SOC has both the capacity and capability to function all day, every day, a wide range of staff with diverse skillsets is needed.
Key personnel within a SOC include:
Cyber security analysts
Key to any SOC are cyber security analysts, who conduct 24/7 security event monitoring, incident analysis and triage, and perform basic response.
In a larger SOC, it is not uncommon to find senior security analysts focused on specific responsibilities such as threat intelligence, proactive threat hunting and forensics.
Cyber security engineers
Cyber security engineers work closely alongside cyber security analysts to deploy and configure an organisation’s security technologies, such as firewalls and network monitoring tools like SIEM, intrusion detection, and endpoint detection and response platforms.
Another key responsibility is tuning all technologies to ensure that they are as effective as possible and generate fewer false positives. This involves baselining what typical activity looks like in the environment so that deviations from it can be more easily identified.
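As an added example of the baselining described above (this is illustrative code written for this page, not tooling from any SOC or vendor), the script below builds a per-host baseline of failed-login counts per hour from a quiet training window, then flags later hours whose count exceeds the baseline mean by more than a tunable number of standard deviations. The log lines, the `host=... event=...` field format and the threshold values are constructed assumptions.

```python
"""Baseline-and-deviation detection over constructed authentication logs.

Assumed log line format (constructed for this example):
    <ISO-8601 UTC timestamp> host=<name> event=<auth_failure|auth_success> user=<id>
"""
from collections import Counter, defaultdict
from datetime import datetime
from statistics import mean, pstdev


def parse_line(line):
    """Split one log line into (timestamp, {field: value})."""
    ts_str, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ"), fields


def hourly_counts(lines, event="auth_failure"):
    """Return {host: Counter{hour_bucket: count}} for the chosen event type."""
    counts = defaultdict(Counter)
    for line in lines:
        ts, fields = parse_line(line)
        if fields.get("event") != event:
            continue
        counts[fields["host"]][ts.replace(minute=0, second=0)] += 1
    return counts


def build_baseline(lines, event="auth_failure"):
    """Per-host (mean, population std-dev) of hourly counts in the training window."""
    baseline = {}
    for host, per_hour in hourly_counts(lines, event).items():
        values = list(per_hour.values())
        baseline[host] = (mean(values), pstdev(values))
    return baseline


def find_deviations(lines, baseline, k=3.0, floor=5):
    """Flag (host, hour, count) where count > mean + k*sigma and count >= floor.

    The absolute floor stops a host with a near-zero baseline from alerting on
    one or two failures, which is the kind of noise tuning is meant to remove.
    """
    flagged = []
    for host, per_hour in hourly_counts(lines).items():
        mu, sigma = baseline.get(host, (0.0, 0.0))   # unseen host: no tolerance
        threshold = mu + k * sigma
        for hour, count in sorted(per_hour.items()):
            if count >= floor and count > threshold:
                flagged.append((host, hour.isoformat(), count))
    return flagged


def _make_lines(host, day, per_hour):
    """Construct auth_failure lines; per_hour maps hour-of-day -> number of failures."""
    return [
        f"{day}T{hour:02d}:{i:02d}:00Z host={host} event=auth_failure user=u{i}"
        for hour, n in per_hour.items()
        for i in range(n)
    ]


# Constructed training window: a normal day on web01 with a few failures per hour.
BASELINE_LOGS = _make_lines("web01", "2024-03-01", {0: 2, 1: 3, 2: 2, 3: 4, 4: 3, 5: 2})
BASELINE = build_baseline(BASELINE_LOGS)

# Constructed observation window: one normal hour, one burst of 40 failures,
# a success event that must be ignored, and a host with too few events to matter.
OBSERVED_LOGS = (
    _make_lines("web01", "2024-03-02", {9: 3, 10: 40})
    + ["2024-03-02T10:30:00Z host=web01 event=auth_success user=alice"]
    + _make_lines("vpn01", "2024-03-02", {10: 2})
)

if __name__ == "__main__":
    for host, (mu, sigma) in BASELINE.items():
        print(f"{host}: baseline mean={mu:.2f} sigma={sigma:.2f}")
    for host, hour, count in find_deviations(OBSERVED_LOGS, BASELINE):
        print(f"DEVIATION {host} {hour}: {count} failed logins")
```

The two knobs, `k` and `floor`, are exactly what the engineer tunes against real data: a lower `k` catches smaller bursts at the cost of more alerts, and the floor keeps quiet hosts from generating noise. A baseline should be rebuilt periodically from recent clean data so that it tracks legitimate changes in activity.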
Cyber incident responders
Cyber incident responders are charged with helping to address and manage security incidents when they occur. Cyber incident responders will also conduct forensics to identify the root cause of a problem and help to prevent similar incidents from happening again.
Finally, the SOC will need a manager and team leads to perform KPI monitoring, drive continuous improvement and oversee the management of the SOC team.
What should a modern SOC look like?
Gartner has reported that by 2022, 50% of all SOCs will transform into modern SOCs with threat intelligence, threat hunting capabilities and integrated incident response.
The biggest trend in threat intelligence right now is Security Orchestration, Automation and Response (SOAR). SOAR technologies enable SOCs to collect and aggregate vast amounts of security data and alerts from a wide range of sources. This assists human and machine-led analysis, as well as the standardisation and automation of threat detection and remediation.
Threat hunting and offensive capabilities are becoming increasingly common for SOCs. A modern SOC has more responsibility than ever before to be proactive in its approach to threat detection and response – not just waiting for alerts and passing them on to a network operations centre (NOC) or, in smaller organisations, an individual IT owner or Managed IT Service Provider to take action.
Cyber threat hunting helps with the early detection of attacks that bypass traditional network defences, using root cause and forensic analysis to reduce the impact of active threats and prevent intrusions from happening in the future.
Modern SOCs are expected to be able to take swift action to disrupt, contain and remediate cyber breaches. For example, endpoint management tools can be used to isolate affected machines from the network.
Encompassing incident response as part of the SOC allows tighter integration between detection and response, and is an essential factor needed for the security operational success of an organisation.
The modern SOC will also have standardised incident response playbooks that provide mutually agreed decisions on the appropriate actions that should be taken in various attack scenarios. Driven by SOAR technologies, SOCs can then automate some of these responses to enable swifter remediation.
What are the indicators of a successful SOC?
With the significant investment involved in the set-up and running of a SOC, it needs to be able to demonstrate to stakeholders, be they internal or external, that it is helping to improve an organisation’s cyber security. This means measuring key metrics and having processes and procedures in place to report them.
Consistent measurements will be required to review the essential functions and the overall performance of a SOC. It is important to remember that the success of the technology deployed will not be measured by the implementation itself, but how it adds value to the organisation.
Mean time to detect (MTTD) is the average time between a cyber breach taking place and the organisation realising it has happened. When an organisation suffers multiple breach incidents over time, that data can be used to calculate the average time each discovery takes.
Another popular metric is mean time to respond (MTTR), sometimes called mean time to resolve. Rather than the average time to detection, it measures the average time from detection until the organisation has taken action to fix the discovered breach or vulnerability.
Critics of these measurements will say that they don’t really measure success, the way they are calculated is open to abuse and there are more important questions to be asked. However, they are still widely used as indicators of a successful SOC.
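To make the MTTD and MTTR definitions above concrete, here is an added example (illustrative code for this page, not a tool from any SOC) that computes both from a constructed set of incident records. Each record carries the earliest evidence of attacker activity as established by forensics, the time the SOC raised the incident, and the time remediation completed; the incident identifiers and timestamps are constructed. It also reports the median alongside the mean, because a single long-undetected incident dominates the mean and is one reason the metric is easy to misread.

```python
"""MTTD and MTTR from constructed incident records."""
from dataclasses import dataclass
from datetime import datetime
from statistics import mean, median


@dataclass(frozen=True)
class Incident:
    ident: str
    compromised: datetime  # earliest evidence of attacker activity (from forensics)
    detected: datetime     # when the SOC raised the incident
    resolved: datetime     # when containment/remediation was completed


def _t(s):
    return datetime.fromisoformat(s)


# Constructed sample: two quickly detected incidents and one that sat undetected
# for 19 days. Identifiers and times are made up for illustration.
INCIDENTS = [
    Incident("INC-0001", _t("2024-01-03T02:10"), _t("2024-01-03T04:10"), _t("2024-01-03T10:10")),
    Incident("INC-0002", _t("2024-01-15T22:00"), _t("2024-01-16T01:00"), _t("2024-01-16T05:00")),
    Incident("INC-0003", _t("2024-02-01T08:00"), _t("2024-02-20T08:00"), _t("2024-02-21T08:00")),
]


def validate(incidents):
    """Reject records whose clocks run backwards; they silently shrink the averages."""
    for inc in incidents:
        if not (inc.compromised <= inc.detected <= inc.resolved):
            raise ValueError(f"{inc.ident}: timestamps out of order")
    return incidents


def _hours(delta):
    return delta.total_seconds() / 3600


def detection_hours(incidents):
    """Time from compromise to detection, in hours, per incident."""
    return [_hours(i.detected - i.compromised) for i in validate(incidents)]


def response_hours(incidents):
    """Time from detection to resolution, in hours, per incident."""
    return [_hours(i.resolved - i.detected) for i in validate(incidents)]


def mttd_hours(incidents):
    return mean(detection_hours(incidents))


def mttr_hours(incidents):
    return mean(response_hours(incidents))


def median_ttd_hours(incidents):
    return median(detection_hours(incidents))


def median_ttr_hours(incidents):
    return median(response_hours(incidents))


if __name__ == "__main__":
    print(f"MTTD: {mttd_hours(INCIDENTS):.1f} h (median {median_ttd_hours(INCIDENTS):.1f} h)")
    print(f"MTTR: {mttr_hours(INCIDENTS):.1f} h (median {median_ttr_hours(INCIDENTS):.1f} h)")
```

On this sample the median time to detect is 3 hours while the mean is over 150 hours, entirely because of the one incident that went unnoticed for weeks. Reporting both, and being explicit about which clock starts each measurement (first malicious activity versus first alert, containment versus full remediation), is what keeps these numbers honest when they are presented to stakeholders.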
What are the challenges of running a SOC?
Across industries, there is a growing need for businesses to proactively hunt for and eliminate threats before they cause serious financial and reputational damage. However, the cost of setting up an in-house SOC to perform these vital functions is often out of reach for all but the largest organisations.
Protecting businesses against the latest cyber threats demands a range of technologies to prevent and gain visibility of malicious activity across an IT environment. However, many security systems generate a large volume of alerts, and without a specialist team dedicated to investigating them, it can be easy to get buried in the noise. It is also common for stretched security teams to suffer cyber security alert fatigue.
Talented staff with cyber security education are required, and it is not always easy to find the right people for continuous monitoring and the comprehensive data analysis needed to control the high volume of false positive alerts.
In light of the global security skills shortage, reportedly up to 3 million, it can be expensive to recruit, retain and continuously train staff for the successful operation of a SOC. To ensure round-the-clock protection, organisations need a minimum of 10 staff to cover three 8-hour shifts a day, 24/7/365. For very large enterprises this figure can rise to upwards of 30 or more staff.
With ever-growing IT estates, simply having the right technology is not sufficient. Monitoring multiple disparate tools is complex and an in-house SOC therefore also requires a significant investment in people, training and processes.
What are the advantages of outsourcing a SOC?
SOC-as-a-service is a hassle-free and cost-effective option for organisations that lack the necessary budget and resources to build an in-house operation, and many businesses are now looking to outsource part or all of their SOC capability.
An outsourced SOC reduces the complexity of managing disparate security technologies by deploying, configuring and managing chosen security tools around-the-clock.
For advanced detection and response capabilities, many organisations are now deciding to work with providers of Managed Detection and Response – a type of service which provides a complete turnkey approach – supplying the people, tools and intelligence needed to hunt for, disrupt and contain cyber threats.
Gartner predicts that by 2024, 25% of organisations will be using MDR services, up from less than 5% today.