Your organization’s cybersecurity team is kind of like plumbing: when it works, no one really notices, but when it doesn’t work, things get messy. If you are a C-Suite officer at a business, then you know that your network should be protected (we call that “hardened”) against the chances of cyber threats or unauthorized persons getting access to a company’s data. Your company’s data can be anything from intellectual property and financial information to client and employee information, and threats against this information are constant. Your security crew works hard to protect that data against cyber threats in a team known as a Security Operations Center, or SOC.
What Does a Security Operations Center Do?
Your organization’s SOC is the central command post that takes in hundreds of thousands of pieces of information, processes and analyzes them, and responds to potential threats, all while working diligently to prevent both internal and external incidents. They monitor your intranet, customer-facing web apps, all devices (from printers and desktops to work-from-home laptops), data servers, and employee activity – in other words, your entire IT infrastructure.
Your SOC’s responsibilities may include any or all of the following:
Taking stock of available resources
The SOC safeguards the entire attack surface, including endpoints, on-premises software, and servers. If it is connected to the internet or intranet (an intranet is an internal network, cut off from the web at large), they monitor it.
Preparations and preventive maintenance
One of the most important jobs of a SOC team is to work hard to prevent attacks from happening. This is a difficult and far from foolproof task. We lock our doors to keep people from simply walking in, but this won’t prevent someone from breaking our windows with a rock. With that said, your SOC team is going to work hard, doing everything they can to make sure your network is safe, keeping an eye on trends and new attacks, and performing regular hardening and maintenance to your organization’s network.
Alert ranking and management
Your SOC will use automated software to monitor and alert for any potential threats. These tools – known as SIEMs – are growing more sophisticated, but it is still the SOC team’s responsibility to look closely at each alert, dismissing false positives and investigating legitimate (or legitimate-looking) alerts. Your SOC team will then rank legitimate alerts, so that the Tier 2 Analysts (see Roles Within a Security Operations Center below) can know which threats and attacks to deal with first.
The moment an incident is confirmed, the SOC will act as first responders. They will shut down or isolate infected endpoints, they will terminate harmful processes, and, if malicious file transfers have occurred, remove those harmful files. Bear in mind, too, that they will do all of this while maintaining business continuity as much as possible.
What Are the Components of a Security Operations Center?
All Security Operation Centers have three components: personnel, tools, and policies.
Within this industry, there are many, many automated tools. However, in our experience, no amount of automation can completely replace a person’s instincts and thought process. The personnel on your team are the ones who will do the hard work of keeping your business, employees, and customers safe. While the size of your team will vary based on needs and budget, all SOC teams, regardless of size, have the following roles:
As in any industry, the manager leads and manages the group. He or she directs the focus of the day, assigns tasks, and – if needed – steps into any other role to cover its duties.
Analysts do exactly what the name suggests – they analyze data, mostly in the form of alerts, and triage the severity of each alert. They may also examine other data points, compiling long-term reports of threats, breaches, and successful prevention.
Just like an investigator in law enforcement, a SOC investigator looks deeply into breaches, determining how and why they happened, so as to enable the team to harden that area of the network.
Responding to a security breach is a complex job, and the responder will work closely with the investigator to find the vulnerabilities and fix them. In many cases, the Responder and Investigator are one and the same person.
The cybersecurity industry is heavily regulated, and it is the auditor’s job to make certain that your company’s network is in compliance with local and applicable international laws. If you want your official audits to go smoothly, you will want a top-notch auditor on your organization’s SOC team.
Again, how many people you have will depend on your budget. In many cases, smaller businesses will combine several of these roles into one person. In other cases, larger corporations may have multiple analysts, investigators, and responders.
Before we move on to tools, let’s examine the analysts for just a moment. SOC Analysis comes in three tiers. While an analyst in your organization may fulfill the role of one, two, or even all three of these tiers, the tiers are very important.
Tier 1 Analysts
Tier 1 Analysts are the triage nurses of your SOC team. They monitor alerts and network systems, field incoming calls, and collect and compile any data that needs to be escalated.
Tier 2 Analysts
Tier 2 Analysts evaluate internal and external attacks to determine the scope of the incident [whether it was an attempt, an advanced persistent threat (APT), or a breach of data], review event logs, and provide remediation suggestions.
Tier 3 Analysts
These are the threat hunters. They work with an in-depth knowledge of computer forensics, malware reverse engineering, and network security. Threat hunters may also be involved in studying zero-day malware (in an effort to discover it on your network) and security logs, looking for the more intricate and minute incidents that the lower-tier analysts may have missed.
Your SOC team is going to rely heavily on a number of tools, including firewalls, Active Directory (if your organization is using Windows), endpoint detection and response (EDR) software, and many others. One of the most important tools at your SOC’s disposal is a security information and event management (SIEM) tool, which assesses and monitors data from across the network. It compiles and analyzes the data in real time, and offers your SOC team the ability to set threshold alerts for any potential threats (for example, if your typical web app traffic has 400 hits per hour, and you suddenly spike to 20,000, this could indicate a number of problems).
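The threshold alert described above, as an added example that is not part of the original article: constructed web-server log lines are bucketed by hour and any hour exceeding a multiple of the 400-hits-per-hour baseline is flagged. The log format, `make_log`, `hits_per_hour`, and `threshold_alerts` are all assumptions for illustration.

```python
"""Minimal SIEM-style traffic threshold check over constructed log lines (added example)."""
import re
from collections import Counter
from datetime import datetime

# Timestamp as it appears in a combined-format access log, e.g. [02/Mar/2024:10:03:01 +0000]
_TS = re.compile(r"\[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2}) [+-]\d{4}\]")


def make_log(hour_counts):
    """Build constructed access-log lines from {hour_of_day: number_of_hits}.
    Addresses are from the documentation range 203.0.113.0/24 (not real clients)."""
    lines = []
    for hour, n in sorted(hour_counts.items()):
        for i in range(n):
            ts = f"02/Mar/2024:{hour:02d}:{(i // 60) % 60:02d}:{i % 60:02d} +0000"
            lines.append(f'203.0.113.{i % 250 + 1} - - [{ts}] "GET /app HTTP/1.1" 200 512')
    return lines


def hits_per_hour(lines):
    """Count log lines per clock hour; malformed lines are skipped, not fatal."""
    counts = Counter()
    for line in lines:
        m = _TS.search(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%d/%b/%Y:%H:%M:%S")
        counts[ts.replace(minute=0, second=0)] += 1
    return counts


def threshold_alerts(counts, baseline, factor=5):
    """Return [(hour, hits)] for every hour whose hit count exceeds baseline * factor.
    The multiplier avoids paging on ordinary daily variation around the baseline."""
    limit = baseline * factor
    return [(hour, n) for hour, n in sorted(counts.items()) if n > limit]


if __name__ == "__main__":
    # The article's scenario: a normal 400-hit hour followed by a 20,000-hit hour.
    log = make_log({9: 400, 10: 20000})
    for hour, n in threshold_alerts(hits_per_hour(log), baseline=400):
        print(f"ALERT {hour:%Y-%m-%d %H:00}: {n} hits (baseline 400)")
```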
Other tools your SOC team may use include:
- A sandbox for malware quarantine and analysis
- User and entity behavior analytics (UEBA)
- Security orchestration, automation and response (SOAR), and
- Ticketing software
Procedures and policies
Security operations center personnel rely on policies and procedures to keep your network safe. These can include detailed responsibilities for each member of the team, security policies such as password requirements and least-privilege practices, and procedures for alert analysis, threat detection, and compliance monitoring. Now, your SOC should also be making efforts to adapt and update policies and procedures often, making sure that they are working efficiently and to the best of their abilities. One valuable tool that your SOC can use to help revamp policies is the use of Key Performance Indicators (KPIs). There are several parameters that these KPIs can measure, but some of them include:
- The time between incidents and threats (How vulnerable is the network? Where can it be strengthened?)
- Average incident detection time (Mean Time to Detect, or MTTD)
- Average time from discovery to remediation (Mean Time to Recovery, or MTTR)
- Incidents by device (which may indicate an insider threat)
- Number of incidents per analyst (is your team understaffed? Can they take on more responsibilities?)
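The KPIs listed above, computed from a handful of constructed incident records as an added example that is not part of the original article; the record fields (`occurred`, `detected`, `resolved`, `device`, `analyst`) and the function names are assumptions.

```python
"""SOC KPI computation from constructed incident records (added example)."""
from collections import Counter
from datetime import datetime
from statistics import mean

# Constructed records: when the malicious activity started, when the SOC
# detected it, when it was remediated, and the device and analyst involved.
INCIDENTS = [
    {"id": "INC-1", "occurred": "2024-03-01T08:00", "detected": "2024-03-01T10:00",
     "resolved": "2024-03-01T14:00", "device": "laptop-17", "analyst": "ana"},
    {"id": "INC-2", "occurred": "2024-03-03T09:00", "detected": "2024-03-03T09:30",
     "resolved": "2024-03-03T12:30", "device": "laptop-17", "analyst": "ben"},
    {"id": "INC-3", "occurred": "2024-03-04T22:00", "detected": "2024-03-05T06:00",
     "resolved": "2024-03-05T08:00", "device": "web-01", "analyst": "ana"},
]


def _hours(later, earlier):
    return (datetime.fromisoformat(later) - datetime.fromisoformat(earlier)).total_seconds() / 3600


def mttd_hours(incidents):
    """Mean Time to Detect: average of (detected - occurred)."""
    return mean(_hours(i["detected"], i["occurred"]) for i in incidents)


def mttr_hours(incidents):
    """Mean Time to Recovery: average of (resolved - detected)."""
    return mean(_hours(i["resolved"], i["detected"]) for i in incidents)


def mean_time_between_incidents_hours(incidents):
    """Average gap between consecutive incident start times; None with fewer than two."""
    starts = sorted(i["occurred"] for i in incidents)
    gaps = [_hours(b, a) for a, b in zip(starts, starts[1:])]
    return mean(gaps) if gaps else None


def incidents_by(incidents, field):
    """Incident counts per device or per analyst, e.g. incidents_by(INCIDENTS, "device")."""
    return Counter(i[field] for i in incidents)


if __name__ == "__main__":
    print(f"MTTD {mttd_hours(INCIDENTS):.1f}h, MTTR {mttr_hours(INCIDENTS):.1f}h, "
          f"MTBI {mean_time_between_incidents_hours(INCIDENTS):.1f}h")
    print("by device:", dict(incidents_by(INCIDENTS, "device")))
    print("by analyst:", dict(incidents_by(INCIDENTS, "analyst")))
```

A device that keeps reappearing in `incidents_by(..., "device")` is the signal the article's "incidents by device" KPI is meant to surface.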
What’s the Difference Between a SOC and a NOC?
It is very easy to confuse your Network Operations Center (NOC) with your Security Operations Center (SOC). Though they will often work together, they are not the same thing. Here are some of their differences:
- Your NOC is tasked with keeping your network up and running, while your SOC is tasked with keeping the network secure.
Your NOC is important and vital to your organization, but the SOC is far more specialized in what they do. It is the difference between a family doctor and a neurologist.
Shortage of Cybersecurity Skills
The need for cybersecurity professionals is rapidly outgrowing the number of cybersecurity professionals entering the field. Recent studies confirm this: not only are SOCs understaffed, but unemployment within the cybersecurity industry is almost zero. Understaffed organizations aren’t having trouble finding good employees; they are having trouble finding any employees.
Too Many Alerts
This shortage of staff is a problem in and of itself, but couple it with the rapidly evolving threats and attacks that are out there, and SOCs are finding that their SIEM alerts are coming in at an overwhelming pace. This is leading to lengthened MTTDs (see “Procedures and Policies” above), longer MTTRs, and something known as “alert fatigue” – simply employee burnout.
Another challenge facing the SOC is the challenge that faces all aspects of a business: the budget. An organization’s network faces many different threats, and funding defenses against all of them at once is challenging. Most organizations have difficulty obtaining the funds needed to maintain an adequate capability.
The final challenge we will touch on briefly is compliance requirements. The cybersecurity industry must adhere to legislation and regulation requirements, requirements which are often made by people who do not work in the industry. This is a challenge because, while many of these regulations are good (for example, protecting credit card information), regulations also run the risk of slowing things down and tying hands.
Automating SOC operations with SIEM + SOAR solutions
SIEM tools are some of the most powerful tools at your organization’s disposal. They collect and compile data from different sources within your network, offering insight for your SOC team to quickly detect and respond to external and internal attacks, gather more intelligence, minimize risks, and in general offer more network visibility to your team.
Evolve Security Automation
One solution to all of this – budget constraints, automation, reducing alert fatigue – is to invest in our Evolve security automation system. It offers on-demand security capabilities with flexible pay-as-you-go pricing models, while automating and streamlining security operations. It delivers a new level of deep security expertise without blowing up your security budget.
Every organization needs tight security. Incorporating SIEM and outsourcing most of your SOC functionality to staff or third-party service providers can certainly help your in-house team, but in order to make sure you have the best SOC to suit your needs, you must identify what your security needs are, address the important security questions a SOC is supposed to answer, and then find the solution that your organization needs. Please feel free to contact us. We’d be happy to help you get started on this journey of giving you the peace of mind that your network is secure and your SOC team is perfectly chosen to meet your needs.