What is a Security Operations Center (SOC)?
Security Operations Center (SOC) Definition

1. Take Stock of Available Resources

The SOC manages two resource categories. One encompasses the devices, applications, and processes they have to protect. The other involves the tools the SOC uses to safeguard these assets.

The asset landscape the SOC is charged with protecting can be vast, depending on the organization’s IT needs. It includes every component that comprises the network—typically, a variety of endpoints, both mobile and desktop. It may also involve cloud resources that either serve the organization's customers or support internal operations and applications. In some situations, the SOC devises protections for Internet-of-Things (IoT) devices, which may include everything from kitchen microwaves to warehouse scanners.

Key to protecting the network is adequate visibility. Without it, there may be potentially dangerous blind spots that attackers can take advantage of. Therefore, one of the SOC's primary objectives is to gain full visibility of all endpoints, software, and servers. This includes in-house components and anything that connects to the organization’s network. At times, it means taking into account the endpoints clients and partners may use to interface with the network for meetings or professional collaboration.

How These Resources Are Protected and Used

To adequately protect this vast array of systems and devices, an SOC must have a broad and deep understanding of the tools at its disposal. It is similar to a carpenter who needs to not only know which type of hammer is best for driving a certain kind of nail but also the best way to swing it, take advantage of the weight of the hammer’s head, and how far down the handle to hold it while striking the nail.

Additionally, the SOC needs a deep understanding of the workflows within the organization, including how individual departments and teams work and how threats are addressed on a day-to-day basis.

2. Preparation and Preventative Maintenance

No matter how well-prepared an IT team is, it is virtually impossible to prevent all problems. Threats are bound to inundate the system in one way or another—and from various angles. However, the SOC can do a lot to mitigate the efforts of attackers, often vanquishing them completely. This is done using preparation and preventative maintenance.

Preparation

The first step to preparedness is for the SOC to keep abreast of the security innovations at their disposal. This is crucial because the latest threats are often best handled using the latest threat detection and response technologies. In addition, with IoT device usage growing rapidly, the protection landscape is ever expanding. Therefore, a thorough understanding of how each IoT device category works and its vulnerabilities is a must.

Preparation involves taking stock of the tools available and the threats that could arise, and then devising a roadmap that details how to meet each challenge. This plan should be thorough yet flexible, particularly because new threats arise constantly.

Included in the roadmap should be disaster recovery measures. If the system is infiltrated and an attack is successful, these measures can make the difference between hours and days of downtime. The disaster recovery roadmap must also take into account the different types of disasters that impact your IT infrastructure in unpredictable, asymmetrical ways. For example, one attack may infect mobile endpoints, while another may cripple on-premises user workstations. It is prudent to formulate plans for both situations.

Preventative Maintenance

Preventative maintenance is not so much about preventing attacks because attacks are going to happen. It focuses more on making sure attacks fail—or limiting the damage they inflict. Integral to preventative maintenance is regularity. Your security system must be constantly updated so it can keep up with ever-evolving attack methodologies. This involves ensuring your network firewall policies are up to date, identifying vulnerabilities and then patching them, and choosing which sites you want to whitelist and blacklist, then regularly adding and subtracting sites from both categories.

Preventative maintenance also involves making sure the applications that interact with your network are secure. Applications have become an increasingly popular attack surface, but by securing the application or its environment, you can limit the effectiveness of the attacks.

3. Continuous Proactive Monitoring

Constant monitoring is key to maximizing visibility. To ensure your monitoring system is effective, the SOC team implements tools that scan your network, looking for anything that pops up as suspicious.

This includes obvious threats and abnormal activity that may or may not pose a danger. Some activity will be easy to identify as malicious because the data fits a pre-identified threat profile. Other activity may be suspicious but not overtly dangerous. Proactively handling even mildly suspicious threats may involve sandboxing the data or enacting security protocols to protect exposed devices.

To make this possible, tools like a SIEM or endpoint detection and response (EDR) system can be the centerpieces of the SOC team’s approach. Advanced SIEM and EDR systems incorporate artificial intelligence (AI) to help them “learn” the behavior of both users and the endpoints themselves. If something seems out of the ordinary, preventative steps can be taken to contain or eliminate the danger.

Within the monitoring process should be systems that automatically—and immediately—alert the SOC team of emerging threats. Because it is not uncommon to get hundreds or thousands of alerts every day, the alerts themselves have to be managed.

4. Alert Ranking and Management

System-generated alerts have to be vetted to prevent wasting the IT team's time or unnecessarily disrupting the workflow of employees or management. The SOC team shoulders the responsibility of examining each alert. Then, the team filters the false positives that could unnecessarily consume time and resources.

If an actual threat is identified, the SOC team has to figure out how aggressive it is and the type of threat. It also has to ascertain which areas of the network the threat is targeting. This makes it easier for the SOC to handle each potential threat in the most efficient way possible. It also gives them a means of ranking the threats in terms of urgency. They can then figure out how to best apportion resources to handle them.

5. Threat Response

Addressing an emerging threat is one of the most pivotal activities of an SOC. When a threat has been identified, it is the SOC that serves as the boots on the ground, and they are the first on the scene, taking appropriate action to protect the network and its users. This may involve shutting down endpoints completely or disconnecting them from the network.

In some cases, they have to isolate an endpoint to ensure the threat does not spread. The SOC's threat response can also involve identifying affected processes and terminating them. With some threats, processes can be used by malicious software to execute attacks on other connected devices, so termination can protect an array of other endpoints on the network. In other situations, files may have to be deleted from specific components of the network to protect other users.

As the SOC responds to the threat, they are focused on providing a comprehensive solution while minimizing user activity disruption. In this way, business continuity can be maintained while keeping the organization safe.

6. Recovery and Remediation

After the dust settles following an incident, the SOC has to get things back up and running again. This may involve recovering lost data or examining data that may have been compromised. The process is necessarily thorough. Each endpoint that may have been within the attack vector needs to be carefully examined to make sure it is safe, as are any areas of the network that connect to it.

In the case of a ransomware attack, the SOC may have to identify backups made prior to when the attack occurred. These can then be used to restore the devices after a wipe has been performed, which effectively sends the device “back in time” to how it was before the incident.

7. Log Management

Although logs are often automatically generated and overlooked much of the time, they contain a plethora of useful information about the system, including anything that may have infiltrated it. The SOC team therefore must carefully collect, maintain, and review log activity. Within a log, you see a baseline snapshot of the system in a healthy state. If two logs are compared side by side, the presence of a threat may be revealed because the second log differs from the baseline snapshot.

In addition, the logs can be used to remediate after a security incident. Primary to remediation is engaging in a forensic examination of log data, which often reveals important information about the nature of a threat and its targets.

Of course, several logs are rendered simultaneously by different endpoints, firewalls, and operating systems connected to the network. Because each of these produces its own log, an SOC may use a SIEM tool for the aggregation and correlation of the data. This streamlines the log analysis process.

8. Root-Cause Analysis

After an incident, it is the SOC that has to answer the questions central to the incident. What happened? How was it accomplished? Why did it happen? Log data also plays an important role in this process. It helps figure out how the threat penetrated the system, as well as where it entered and from where it came. When this information is collected and correlated, it can be used to prevent similar threats from getting through in the future.

With some systems, the SOC can take information about the threat and enter it into the prevention system so it can be added to a list of dangers. This helps stop future threats for both the organization itself and others that may make use of the same protection mechanisms.

9. Security Refinement and Improvement

Because cyber criminals constantly refine and update how they operate, an SOC needs to do the same. This involves more than just updating a threat-detection database. The SOC must make continual improvements to its security measures and technology to stay on top of and ahead of the latest tools used by hackers and other bad actors.

Effective refinement and improvement involves making changes—whether small or large—to the security roadmap. If this is done in a unified way, on a global level, everyone in the organization can benefit.

10. Compliance Management

Compliance requirements come in two forms: those that are dictated by external governmental agencies and those that constitute best practices for an organization. Compliance stemming from governmental regulations is common in a variety of industries, particularly the medical, financial, legal, and law enforcement arenas.

Some regulations that commonly affect the compliance considerations of organizations include the General Data Protection Regulation (GDPR), the Health Insurance Portability and Accountability Act (HIPAA), and the Payment Card Industry Data Security Standard (PCI DSS). Complying with these regulations protects both the system from dangers and the organization from potentially expensive litigation. An effective SOC takes control of these measures, making sure everything is done in agreement with legislative standards.

Compliance stemming from best practices established by the organization is common to virtually any company. The SOC is tasked with taking existing measures and implementing them according to organizational policy. Also, if an organization's compliance framework is as yet incomplete, the SOC may assume the responsibility of determining what the organization's best practices are and then translating these into replicable, actionable protocol.

SOC Challenges

SOC teams face the ongoing challenge of staying ahead of hackers and other cybersecurity threats. As the threat landscape changes and expands, this challenge has gotten more complicated. Here are three specific obstacles an SOC needs to overstep as it makes organizations more secure.

1. Shortage of Cybersecurity Skills

According to a report by ISC, there is a global shortage of cybersecurity personnel, and this has hit SOC as well. The skills gap may result in SOC teams being understaffed and less effective, thereby exposing the organizations they serve to increased risk.

2. Too Many Alerts

With a more complete suite of threat-detection tools, the number of alerts invariably goes up. This results in a preponderance of alerts, many of which are false positives that could waste time and energy.

3. Operational Overhead

Often, organizations implement a range of security tools that—and because these are not unified—the security operations become inefficient. This results in wasted money and higher-than-necessary operational overhead.

Optimizing a Security Operational Model -- SOC Best Practices