Demystifying The SOC
By Gorka Sadowski, Exabeam
During my time as an analyst covering security operations centers (SOCs), I had hundreds of discussions with organizations that were reluctantly looking to build a SOC after a breach was declared, or to buy a security information and event management (SIEM) solution after failing an audit.
They often asked whether a SOC was a waste of money for them, simply because they were a mid-market company selling widgets. They didn’t understand why hackers would be interested in an organization of their size, but as you’ll see, it’s very dangerous to assume you’re not a target.
You must have a SOC, regardless of your size. The good news is that you don’t need a Pentagon-style war room filled with scores of full-time screen monitoring security experts to have a SOC. In fact, you likely already have a SOC.
The mission of a SOC is to keep the organization in a known good state, operating securely on a clean infrastructure. If, or rather when, the organization suffers a security incident, such as an insider threat, malware attack, or data exfiltration attempt, the SOC is responsible for threat detection, investigation, and remediation (TDIR), returning the infrastructure to that known good state.
Prevention Is Not Enough – You Need Proactive Detection And Response
Not long ago, the industry was focused almost exclusively on prevention via firewalls and network proxies aiming to create the so-called “network perimeter.” Inside the perimeter was the “trusted zone” of the corporate LAN, where everyone went about their work safely, and there was little need for airtight security. Outside the perimeter was the Wild West of the “untrusted zone,” full of villains attempting to knock down the walls to try to get in.
The illusion of the protected perimeter was dashed over time as more and more firewall-protected organizations suffered massive security breaches costing them millions of dollars in damages.
The truth is, no organization – no matter the size – is safe from a breach. That’s why it’s assumed today it’s only a matter of time before a breach happens, despite the firewalls, proxies, intrusion prevention systems, and numerous other security tools and applications. When a breach does happen, the SOC must detect, investigate, and remediate it as quickly as possible before it spreads and wreaks havoc on the business.
The Perimeter Is Gone – Identity Is The New Perimeter
Then there’s the added complexity of mobile, cloud computing, SaaS applications, bring-your-own-device programs, and the Internet of Things, which are common today at most organizations—not to mention COVID-19, a human virus that has forced everyone to work at home on who knows what. All these trends have burst the perimeter wide open, such that there are no longer trusted and untrusted zones. It’s all the Wild West. In fact, it is widely accepted that “identity is the new perimeter.”
Security firms have devised numerous tools and strategies for protecting all these devices and their users, but it’s a much tougher job than it used to be: a cat-and-mouse game in which the security industry and hackers constantly find ways to thwart each other.
Better Together (With A SOC)
As previously discussed, the SOC’s mission is to keep the organization’s infrastructure operating securely in a known clean state. Today, it’s assumed that it’s only a matter of time before an organization suffers a security breach. When it does, the SOC acts as a last safety net via its mission on threat detection, investigation, and remediation (TDIR), returning the organization to a known good state as quickly as possible.
But what does a SOC do from day to day?
- Monitors events and logs and consumes key context information to inform and feed analytics engines that detect an in-progress breach
- Performs investigations to understand the root cause of a breach once detected
- Coordinates with IT to make sure the right steps are taken to address the breach and prevent the issues from happening again
- If internal staff lack the expertise to remediate an incident, the SOC may work with an outside incident response firm and coordinate its activities with your organization
- Informs senior management about the organization’s security posture and any security-related events that may have an impact on the business
How To Build A SOC
Any organization looking to build a SOC from scratch or formalize its existing approach should begin by assessing its current resources and capabilities. Key questions to consider from the outset should cover the business objectives for the SOC and which systems are critical to support operations so the security team can optimize protection. Also, ensure there is a framework for SOC duties so its responsibilities can be set apart from those the IT help desk has responsibility for.
The security team should be organized so it can deliver a seamless service and scale up its capabilities in the event of a surge in security events, with the option of working with external third parties. This will dictate the choice of SOC model, and irrespective of whether it’s hybrid, virtual, or in-house, team members should be certified and familiar with a range of security scenarios, suitably vetted, and capable of agile thinking. The variety of roles and responsibilities inherent in a SOC also will require people with specialist skills; recruitment is by no means a one-size-fits-all process.
Choosing the right technology solution is vital and can be the difference between productive and overwhelmed staff. For instance, consider investing in tools and technology solutions that will help the SOC team detect and act more quickly in the event of an attack. Automation and orchestration security solutions can streamline time-consuming tasks such as sifting through alerts and allow security specialists to focus on more important priorities.
Building a modern SOC is much more than assembling the latest equipment and then hiring a team of analysts. It’s an ongoing effort to stay on top of threats, keep current with emerging technology and trends, and hire and keep the right talent.
Your SOC – Not A Center Anymore, But Rather A Construct
A SOC used to be one or more rooms where a team of security analysts would collaborate in close physical proximity, monitoring screens and TDIR tools and working together to address security issues. With remote access, virtual collaboration tools, and COVID-19, that is no longer the case. Today, many people, including SOC teams, still use TDIR tools but now work from home and collaborate via productivity tools such as Slack, Microsoft Teams, and Instant Messenger. And a SOC does not necessarily mean a large team.
SOCs today aren’t simply a thing but more of a concept, a construct. There are no longer any specific requirements in terms of the number of people staffing a SOC or a physical location where SOC activities happen.
Are you a one-person team that has some security knowledge and is the go-to person for anything security related? That’s your SOC. Maybe you’re the only security member in your entire company? Guess what, you are the SOC! And you’re extremely valuable.
About The Author
Gorka Sadowski is chief strategy officer at Exabeam.