Security Operation Center (SOC)



I have previously written about SIEM, which is a main part of a SOC. Today's post dives into the details of a SOC that makes use of a SIEM system. To clarify the relationship between the two, let's get into the business without any further ado.

What is a SOC?


Image Source: https://cybrhawk.com/security-operations-center/

SOC stands for Security Operation Center: a centralized unit that deals with security at an organizational level. This centralized unit brings together people, processes and technologies to continually monitor the organization's security posture. A SOC's objectives are to prevent, analyze and respond to cybersecurity incidents.
A SOC brings the organization's IT security monitoring and incident response activities into a single location and holds the responsibility of handling internal breaches and cyber-attacks.

The Importance of Having a SOC

Organizations, regardless of their size, are constantly subjected to cyberattacks, malware infections and data breaches, which hinder the three most important aspects of information security (CIA):

  • Confidentiality
  • Integrity
  • Availability

With the rapid growth of cyber attacks in this information-driven era, organizations are focusing more on solving these security issues and providing rapid responses by setting up a SOC, either run by the organization itself or provided through a security services provider.

How Does a SOC Operate?

A SOC acts as a central command post, aided by a combination of technology solutions and a strong set of processes. Typically, a SOC is composed of a skilled team led by a SOC manager. The team may include incident responders, security analysts, engineers and incident response manager(s), who together provide ongoing, operational, enterprise-wide information security. The SOC takes in telemetry from networks, servers, endpoints, databases, applications, websites and other systems. When an attack takes place, the SOC incident response team performs advanced forensic analysis, carries out malware reverse engineering and cryptanalysis, and sometimes collects forensic evidence and analyzes it in a legally sound manner.
As the first step in establishing an organization's SOC, the strategy needs to be clearly defined. This strategy needs to be aligned with the organization's business goals. The second step is to set up the infrastructure supporting the strategy. A typical SOC infrastructure includes firewalls, IPS/IDS, breach detection solutions, probes, and a security information and event management (SIEM) system. The SIEM aggregates and correlates data from the security feeds.
A SOC is built on a hub-and-spoke architecture. The hub of the model is the SIEM, while the spokes can incorporate a variety of systems, such as vulnerability assessment solutions, governance, risk and compliance (GRC) systems, application and database scanners, intrusion prevention systems (IPS), user and entity behavior analytics (UEBA), endpoint detection and response (EDR), and threat intelligence platforms (TIP).

Responsibilities of a SOC Team

Taking Stock of Available Resources

The SOC is responsible for safeguarding assets such as devices, processes and applications. In order to do that, it is vital to keep track of all the assets that need to be secured. By ensuring visibility and control from the device to the cloud, the SOC's goal is to gain a complete view of the business' threat landscape, including not only the various types of endpoints, servers and software on premises, but also third-party services and the traffic flowing between these assets.

Implement and Manage Security Tools

As mentioned above, the SOC makes use of tools to gain insights into the organization's security environment. Selecting appropriate tools in light of system integration requirements, running solution trials and demos, and assessing interoperability with the current infrastructure are all expected to be performed by the skilled staff of the SOC.

Preparation, Investigation, Containment and Prevention of Incidents

It is vital for SOC team members to stay informed about the newest security innovations and the latest trends in cybercrime. Creating a security roadmap and a disaster recovery plan is of utmost importance.

With the insights taken from the SIEM system, the SOC team looks into suspicious activity within IT systems and networks. The SOC should correlate and validate alerts. SOC staff can contextualize these events within the network environment of the business and coordinate response activities with key staff in real time.
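The aggregation and correlation described above (the SIEM as hub taking in feeds from firewall, IDS and authentication spokes, then correlating them into a validated alert) can be illustrated with a small script. This is an added example, not code from the original post or from any SIEM product: the log lines, IP addresses, hostnames and the correlation rule are constructed for illustration. The rule fires only when an IDS scan alert from one source IP is followed, within a time window, by repeated authentication failures and then a success on the same host from that IP, which is the kind of multi-source context a single spoke cannot see on its own.

```python
"""Toy SIEM-style aggregation and correlation over constructed log lines."""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample feed from three spokes (fw, ids, auth). Line formats,
# IPs and hostnames are hypothetical, not taken from any real product.
RAW_FEED = [
    "2024-03-01T10:00:05Z fw  DENY src=198.51.100.7 dst=10.0.0.5 dport=22",
    "2024-03-01T10:00:09Z ids ALERT sig=SSH_SCAN src=198.51.100.7",
    "2024-03-01T10:03:10Z auth host=srv-db1 user=admin result=fail src=198.51.100.7",
    "2024-03-01T10:03:12Z auth host=srv-db1 user=admin result=fail src=198.51.100.7",
    "2024-03-01T10:03:15Z auth host=srv-db1 user=admin result=fail src=198.51.100.7",
    "2024-03-01T10:03:40Z auth host=srv-db1 user=admin result=success src=198.51.100.7",
    "2024-03-01T10:05:00Z auth host=srv-web1 user=bob result=fail src=10.0.0.42",
    "2024-03-01T10:05:30Z auth host=srv-web1 user=bob result=success src=10.0.0.42",
]


@dataclass
class Event:
    """Common schema every spoke's line is normalized into."""
    ts: datetime
    source: str      # which spoke produced it: fw, ids or auth
    kind: str        # normalized event type, e.g. auth_fail
    src_ip: str
    host: str = ""


KV = re.compile(r"(\w+)=(\S+)")


def normalize(line: str) -> Event:
    """Parse one raw line from any source into the common Event schema."""
    stamp, source, rest = line.split(maxsplit=2)
    ts = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ")
    fields = dict(KV.findall(rest))
    if source == "fw":
        kind = "fw_deny" if rest.startswith("DENY") else "fw_allow"
    elif source == "ids":
        kind = "ids_" + fields["sig"].lower()
    else:  # auth log
        kind = "auth_" + fields["result"]
    return Event(ts, source, kind, fields["src"], fields.get("host", ""))


def correlate(events, window=timedelta(minutes=10), fail_threshold=3):
    """Correlation rule: an IDS scan alert from an IP, then at least
    fail_threshold auth failures and a success on one host from the same IP
    inside the window -> one correlated alert (not a pile of raw events)."""
    by_ip = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.ts):
        by_ip[ev.src_ip].append(ev)
    alerts = []
    for ip, evs in by_ip.items():
        scans = [e for e in evs if e.kind.startswith("ids_")]
        if not scans:
            continue                      # no scan context: rule does not apply
        t0 = scans[0].ts
        fails = defaultdict(int)          # auth failures per host in window
        for e in evs:
            in_window = t0 <= e.ts <= t0 + window
            if e.kind == "auth_fail" and in_window:
                fails[e.host] += 1
            if e.kind == "auth_success" and in_window and fails[e.host] >= fail_threshold:
                alerts.append({"src_ip": ip, "host": e.host,
                               "rule": "scan_then_bruteforce_success",
                               "evidence": len(evs)})
    return alerts


def run(feed=RAW_FEED):
    """Aggregate all spokes, normalize, and return correlated alerts."""
    return correlate(normalize(line) for line in feed)


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

On the constructed feed only the 198.51.100.7 chain produces an alert; the single failed-then-successful login from 10.0.0.42 has no scan context and is left for ordinary review, which is the validation step the text describes.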

Reduce Downtime and Ensure Business Continuity

Even though the ideal state of no interruptions or downtime is far from achievable, organizations need to operate with minimal or no downtime to carry out business processes smoothly and intact. In the event of a breach, it is mandatory for the SOC to inform stakeholders proactively, while acting to protect critical infrastructure from the security event. The SOC has to make sure that redundancy is in place to guarantee business continuity.

Security Strategy

The security strategy should be in line with the business strategy and involve all the departments, such as IT, IR, HR, legal, compliance and other groups.

Alert Ranking and Management

The number of false alerts is about 80% of the total alerts reported. Since the SOC operates on tool-issued alerts, it is mandatory to keep a close eye on them and discard the false positives. It is the job of SOC staff to determine how severe the actual threats are and what their true targets are.
Prioritizing the threats, so that the most urgent ones are handled first, is a crucial task expected of the SOC.
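The two steps in this section, discarding known false positives and then ranking what remains by severity and target, can be made concrete with a small triage routine. This is an added example, not code from the original post or from any SIEM vendor: the alert records, asset criticality values and the suppression entry (an authorized internal scanner) are constructed for illustration. The risk score combines the tool's severity and confidence with the asset criticality from the SOC's own inventory, so an alert on a critical database outranks the same alert on a workstation, and suppressed alerts are kept with their documented reason rather than silently dropped.

```python
"""Alert triage: suppress known false positives, then rank by risk."""
from dataclasses import dataclass, field

# Constructed alerts as a SIEM might emit them (hypothetical values).
ALERTS = [
    {"id": "a1", "rule": "port_scan", "severity": 3, "confidence": 0.5,
     "src_ip": "10.0.0.9", "asset": "srv-web1"},
    {"id": "a2", "rule": "malware_exec", "severity": 5, "confidence": 0.9,
     "src_ip": "10.0.0.42", "asset": "srv-db1"},
    {"id": "a3", "rule": "port_scan", "severity": 3, "confidence": 0.5,
     "src_ip": "203.0.113.8", "asset": "srv-web1"},
    {"id": "a4", "rule": "failed_logins", "severity": 2, "confidence": 0.7,
     "src_ip": "203.0.113.8", "asset": "wks-hr-03"},
]

# Asset criticality (1..5) from the SOC's inventory; constructed values.
ASSET_CRITICALITY = {"srv-db1": 5, "srv-web1": 4, "wks-hr-03": 2}

# Suppression list for known benign (rule, source IP) pairs. The reason is
# stored so every suppressed alert stays auditable. Constructed entry.
SUPPRESSIONS = {("port_scan", "10.0.0.9"): "authorized internal vulnerability scanner"}


@dataclass
class Triaged:
    alert_id: str
    score: float
    reasons: list = field(default_factory=list)


def triage(alerts, criticality=ASSET_CRITICALITY, suppressions=SUPPRESSIONS):
    """Return (queue, suppressed). queue is sorted by descending risk score;
    suppressed lists (alert id, reason) for every known false positive."""
    queue, suppressed = [], []
    for a in alerts:
        key = (a["rule"], a["src_ip"])
        if key in suppressions:
            suppressed.append((a["id"], suppressions[key]))
            continue
        # Unknown asset: assume medium criticality and flag the inventory gap.
        crit = criticality.get(a["asset"], 3)
        score = a["severity"] * crit * a["confidence"]
        t = Triaged(a["id"], round(score, 2))
        t.reasons.append(
            f"severity={a['severity']} criticality={crit} confidence={a['confidence']}")
        if a["asset"] not in criticality:
            t.reasons.append("asset missing from inventory; review coverage")
        queue.append(t)
    queue.sort(key=lambda t: t.score, reverse=True)
    return queue, suppressed


if __name__ == "__main__":
    ranked, dropped = triage(ALERTS)
    for t in ranked:
        print(t.alert_id, t.score, "; ".join(t.reasons))
    for alert_id, reason in dropped:
        print("suppressed", alert_id, reason)
```

Tuning the suppression list is itself a SOC task: an entry should be as narrow as possible (rule plus source, not rule alone), carry its reason, and be reviewed periodically so a stale suppression does not hide a real incident.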

Threat Response

It is the responsibility of a specialized team in the SOC to figure out what actions to take in the event of a security breach, so that the impact on business continuity is minimal.

Recovery and Remediation

The SOC works to restore the systems and recover any lost data once an incident has taken place. Upon the success of these remediation steps, the network returns to the state it was in prior to the incident.

Apart from the above, the SOC is responsible for root cause investigation, security refinement and improvement, and compliance management.


Comments

  1. In the modern digital world it is critical for organizations to ensure information security. This article gives a good understanding of how modern enterprises can use SOCs to protect against cyber attacks. Good work.

  2. You have explained everything with a nice flow Pramodi. Keep it up!

  3. Good article Pramodi. Are there any criteria when selecting a SOC team?

    Replies
    1. Yes Chamal. Usually a SOC team is comprised of three tiers of analysts and a SOC manager. The 1st tier is the support security analyst, who receives and looks into alerts daily. Reviews the most recent SIEM alerts to see their relevance and urgency. Carries out triage to ensure that a genuine security incident is occurring. Oversees and configures security monitoring tools.
      The second-tier security analyst addresses real security incidents. They can be identified as incident responders. They evaluate incidents identified by tier 1 analysts. Uses threat intelligence such as updated rules and Indicators of Compromise (IOCs) to pinpoint affected systems and the extent of the attack. Analyzes running processes and configs on affected systems. Carries out in-depth threat intelligence analysis to find the perpetrator, the type of attack, and the data or systems impacted. Creates and implements a strategy for containment and recovery.
      The third tier deals with critical incidents. Carries out vulnerability assessments and penetration tests to assess the resilience of the organization and to isolate areas of weakness that need attention. Reviews alerts, threat intelligence, and security data.
      There is no firm structure as such, one that fits all. Based on the organization's budget and requirements, the team can be structured. Even the option of outsourcing is available.

  4. Good read Pramodi! As a SOC has many features and benefits, roughly how much will it cost?

    Replies
    1. It definitely is a highly subjective matter Rajitha. It depends on whether you are going to adopt a fully in-house SOC or a hybrid one, or go for an MSSP. Then again, it depends on what SIEM your organization chooses (since there is a wide array of options with different cost plans), and on the other technologies you decide to go for after evaluating the context of the organization in terms of business needs. The staffing model is going to account for most of the allocated budget for the SOC, and the model depends on the context of the business we are focusing on. I think it's a tough job to come up with a rough value without the context given.
