What is a SOC (Security Operations Center)?
A Security Operations Center (SOC) is a centralized team that combines people, processes and technology to continuously monitor and improve an organization’s security posture. Its goal is to prevent, or failing that contain, a data breach by monitoring, detecting, analyzing and responding to cybersecurity incidents so that confidential data and critical infrastructure stay protected.
Because the threat landscape changes constantly, the SOC draws on a variety of systems and tools, including data lakes and other log stores, network feeds, and endpoint, device and appliance protection systems, to watch for malicious activity wherever protected assets reside. Essentially, the SOC is the hub that correlates logged events across the organization and decides how those events are managed and acted upon.
Security Operations Staffing and Organizational Structure
Regardless of its size, a SOC has three essential components: People, Process, and Technology (PPT).
People: A SOC is typically led by a manager with a title such as VP Data & Security Engineering, Director of Cybersecurity, Director of Information and Security Operations, Operational Risk Manager or Security Risk Manager, among others. The SOC manager typically reports to the CISO, who in turn may report to the CIO or directly to the CEO.
The SOC personnel monitor for threat alerts, identify internal and external security breaches, conduct incident response and analysis and perform other related functions.
The SOC will typically be staffed by analysts organized into three tiers, each with a more advanced level of expertise, and will include incident responders, threat hunters and incident response managers.
- Tier 1 analysts are the front-line staff of the security operations center. They monitor IT systems, field incoming calls, triage threat alerts and collect the data needed to escalate an event to tier 2.
- Tier 2 analysts are the primary incident responders. They review event logs, evaluate possible cyberattacks or internal breaches, determine the scope of a threat and propose remediation tactics. A tier 2 responder can remediate many incidents, but escalates the more complex ones to tier 3.
- Tier 3 analysts are threat hunters and subject matter experts with in-depth expertise in areas such as network security, computer forensics and malware reverse engineering. While they handle the most difficult threats, they often work proactively, studying logs and other data to identify breaches that no alert has yet surfaced.
Process: Security Operations Center analysts rely on documented processes to do their jobs, supported by policies and standards that describe the responsibilities of each team member. These policies and standards define how threats are detected, triaged and responded to, and the hand-off procedures between team members and shifts so that security coverage is maintained around the clock. Process also covers the operating procedures for threat monitoring and detection, incident logging, escalation, analysis, incident response, compliance monitoring and reporting. Organizations often build these guidelines on NIST frameworks and guidance, on the MITRE ATT&CK knowledge base and the Cyber Kill Chain model for describing adversary behavior, and on ISACA’s Control Objectives for Information and Related Technology (COBIT) 5 for governance.
Technology: Security Operations teams typically use a security information and event management system (SIEM) to aggregate and correlate security events from across the organization's infrastructure and threat detection components, which lends itself to a hub-and-spoke architecture. The spokes can be made up of a variety of systems, such as vulnerability assessment solutions, governance, risk and compliance (GRC) systems, application and database scanners, intrusion prevention systems (IPS), user and entity behavior analytics (UEBA), endpoint detection and response (EDR) and threat intelligence platforms (TIP). Together these are used to monitor and assess data from firewalls, network routers, PCs and other IT assets.
SOC personnel also require collaboration tools to share information and insights drawn from the organization’s infrastructure and threat detection components, including the firewall, database servers, file servers, email, web servers, Active Directory, endpoint monitoring software and others.
While fairly new to the SOC arsenal, Anvilogic pulls information in from the SIEM and other systems, providing real-time analysis of the incoming data and looking for correlations that might indicate a cyberattack or security breach.
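The correlation work that the Technology paragraph attributes to the SIEM, and that the "Monitoring and Analysis" function below describes as tying together seemingly unrelated events, is easier to see in code. The following is an added example written for this page, not code from the original page or from Anvilogic or any SIEM product. It parses a handful of constructed log lines in an assumed syslog-like `timestamp host event_type key=value` format and chains three rules: a burst of failed logins from one source against one account (ATT&CK T1110, Brute Force), a successful login from that same source shortly after the burst (T1078, Valid Accounts), and the account then being added to a privileged group (T1098, Account Manipulation). Each stage raises the severity of the single finding rather than emitting three unrelated alerts, which is the point of correlating in the hub. Thresholds, window sizes and the group list are assumptions chosen for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real telemetry). Only svc_backup from
# 203.0.113.7 should produce a finding; alice mistypes once and bob twice.
SAMPLE_LOGS = """\
2024-03-01T09:00:05Z web01 auth_fail user=svc_backup src=203.0.113.7
2024-03-01T09:00:09Z web01 auth_fail user=svc_backup src=203.0.113.7
2024-03-01T09:00:14Z web01 auth_fail user=svc_backup src=203.0.113.7
2024-03-01T09:00:18Z web01 auth_fail user=svc_backup src=203.0.113.7
2024-03-01T09:00:23Z web01 auth_fail user=svc_backup src=203.0.113.7
2024-03-01T09:01:02Z web01 auth_success user=svc_backup src=203.0.113.7
2024-03-01T09:12:40Z web01 group_add user=svc_backup group=sudo actor=svc_backup
2024-03-01T09:30:00Z db02 auth_fail user=alice src=198.51.100.4
2024-03-01T09:30:30Z db02 auth_success user=alice src=198.51.100.4
2024-03-01T11:05:00Z web01 auth_fail user=bob src=192.0.2.9
2024-03-01T11:06:00Z web01 auth_fail user=bob src=192.0.2.9
"""

# Assumed tuning values for the example rules.
FAIL_THRESHOLD = 5                      # failures needed to call it a burst
FAIL_WINDOW = timedelta(minutes=2)      # ...within this span
SUCCESS_WINDOW = timedelta(minutes=10)  # success this soon after the burst
PRIV_WINDOW = timedelta(minutes=30)     # privilege change this soon after success
PRIVILEGED_GROUPS = {"sudo", "wheel", "Administrators", "Domain Admins"}

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<type>\S+)(?P<rest>.*)$")


def parse_line(line):
    """Turn one log line into an event dict; return None for unparseable lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    event = {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "host": m["host"],
        "type": m["type"],
    }
    for pair in m["rest"].split():
        key, _, value = pair.partition("=")
        event[key] = value
    return event


def parse_logs(text):
    """Parse all lines and return events sorted by timestamp."""
    events = [e for e in map(parse_line, text.splitlines()) if e]
    return sorted(events, key=lambda e: e["ts"])


def find_failure_burst(failures):
    """Sliding window: first run of FAIL_THRESHOLD failures inside FAIL_WINDOW."""
    start = 0
    for end in range(len(failures)):
        while failures[end]["ts"] - failures[start]["ts"] > FAIL_WINDOW:
            start += 1
        if end - start + 1 >= FAIL_THRESHOLD:
            return failures[start:end + 1]
    return None


def correlate(events):
    """Chain brute force -> valid login -> privileged group add into one finding."""
    by_actor = defaultdict(list)          # (src, user) -> auth events
    for ev in events:
        if ev["type"] in ("auth_fail", "auth_success"):
            by_actor[(ev["src"], ev["user"])].append(ev)
    priv_changes = [ev for ev in events
                    if ev["type"] == "group_add" and ev.get("group") in PRIVILEGED_GROUPS]

    findings = []
    for (src, user), evs in by_actor.items():
        burst = find_failure_burst([e for e in evs if e["type"] == "auth_fail"])
        if burst is None:
            continue                       # lone typos never reach an analyst
        finding = {
            "src": src, "user": user, "severity": "medium", "techniques": ["T1110"],
            "first_seen": burst[0]["ts"], "last_seen": burst[-1]["ts"],
            "hosts": sorted({e["host"] for e in burst}),
        }
        last_fail = burst[-1]["ts"]
        success = next((e for e in evs if e["type"] == "auth_success"
                        and last_fail <= e["ts"] <= last_fail + SUCCESS_WINDOW), None)
        if success:                        # the guess worked: account is now in play
            finding.update(severity="high", last_seen=success["ts"])
            finding["techniques"].append("T1078")
            escalation = next((e for e in priv_changes if e["user"] == user
                               and success["ts"] <= e["ts"] <= success["ts"] + PRIV_WINDOW), None)
            if escalation:                 # and it is now privileged: page someone
                finding.update(severity="critical", last_seen=escalation["ts"])
                finding["techniques"].append("T1098")
        findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in correlate(parse_logs(SAMPLE_LOGS)):
        print(f["severity"], f["user"], f["src"], f["techniques"], f["hosts"])
```

Tagging each finding with the ATT&CK technique IDs it matched is what makes the "map to MITRE" KPI in the next section measurable: coverage is then a count of techniques with at least one working rule, and gaps are visible as techniques with none.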
KPIs and Core Functions Performed by the SOC
Key performance indicators (KPIs) tell the SOC staff how effective the SOC is and whether it is improving over time. Common SOC metrics include the following:
- Mean Time to Detect (MTTD): the average time from the start of malicious activity to its detection
- Mean Time to Respond (MTTR): the average time from detection to containment or remediation, broken out by threat type, analyst, or time of day
- Coverage of MITRE ATT&CK techniques, to measure how much adversary behavior the detections actually cover
- Number of incidents handled per analyst
- Incidents by device or application type, or by type of threat
- Time between threats or incidents
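The timing KPIs above are simple to define but easy to get wrong in practice, most often by averaging over incidents that are still open. The following is an added example written for this page, not code from the original page or from Anvilogic. It computes MTTD, MTTR, incident counts and mean time between incidents from a constructed list of incident records, grouped by threat type, analyst or detection shift as the list suggests. An incident with no containment time is counted in the incident and MTTD figures but excluded from MTTR and reported as open, so a long-running incident cannot silently drag the average in either direction. The record layout, the shift boundaries and all timestamps are assumptions for the example.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean


def _ts(text):
    """Parse the assumed 'YYYY-MM-DD HH:MM' UTC timestamp format used below."""
    return datetime.strptime(text, "%Y-%m-%d %H:%M")


# Constructed incident records (not real SOC data). "occurred" is the earliest
# malicious activity found during analysis, "detected" is when the alert was
# triaged as a true positive, and "contained" is None while the incident is open.
INCIDENTS = [
    {"id": "INC-1", "threat": "phishing", "analyst": "ana",
     "occurred": "2024-03-01 08:00", "detected": "2024-03-01 08:30", "contained": "2024-03-01 10:30"},
    {"id": "INC-2", "threat": "phishing", "analyst": "ben",
     "occurred": "2024-03-01 13:00", "detected": "2024-03-01 14:00", "contained": "2024-03-01 15:00"},
    {"id": "INC-3", "threat": "malware", "analyst": "ana",
     "occurred": "2024-03-02 02:00", "detected": "2024-03-02 06:00", "contained": "2024-03-02 12:00"},
    {"id": "INC-4", "threat": "malware", "analyst": "ben",
     "occurred": "2024-03-02 18:00", "detected": "2024-03-02 18:20", "contained": None},
    {"id": "INC-5", "threat": "ddos", "analyst": "ana",
     "occurred": "2024-03-03 11:00", "detected": "2024-03-03 11:05", "contained": "2024-03-03 11:35"},
]


def _minutes(start, end):
    return (_ts(end) - _ts(start)).total_seconds() / 60


# Grouping functions; pass one of these as group_by to slice the report.
def by_threat(inc):
    return inc["threat"]


def by_analyst(inc):
    return inc["analyst"]


def by_shift(inc):
    """Assumed three-shift day based on the hour the incident was detected."""
    hour = _ts(inc["detected"]).hour
    return "night" if hour < 8 else "day" if hour < 16 else "evening"


def kpis(incidents, group_by=lambda inc: "all"):
    """Return {group: {incidents, open, mttd_min, mttr_min}} in minutes."""
    groups = defaultdict(list)
    for inc in incidents:
        groups[group_by(inc)].append(inc)
    report = {}
    for name, incs in groups.items():
        detect = [_minutes(i["occurred"], i["detected"]) for i in incs]
        # Only closed incidents have a response time; open ones are counted, not averaged.
        respond = [_minutes(i["detected"], i["contained"]) for i in incs if i["contained"]]
        report[name] = {
            "incidents": len(incs),
            "open": len(incs) - len(respond),
            "mttd_min": round(mean(detect), 1),
            "mttr_min": round(mean(respond), 1) if respond else None,
        }
    return report


def mean_time_between_incidents(incidents):
    """Average gap, in minutes, between consecutive incident start times."""
    starts = sorted(_ts(i["occurred"]) for i in incidents)
    gaps = [(b - a).total_seconds() / 60 for a, b in zip(starts, starts[1:])]
    return round(mean(gaps), 1) if gaps else None


if __name__ == "__main__":
    for label, fn in (("overall", lambda i: "all"), ("threat", by_threat),
                      ("analyst", by_analyst), ("shift", by_shift)):
        print(label, kpis(INCIDENTS, fn))
    print("mean minutes between incidents:", mean_time_between_incidents(INCIDENTS))
```

A shift breakdown with a much larger night-time MTTD than day-time, as in the sample data, is the kind of signal these KPIs exist to surface: the detections may be fine, but nobody is watching the queue.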
Top 5 functions performed by the SOC:
- Monitoring and Analysis of Data: The SOC team constantly monitors and analyzes data to identify potentially malicious activity. Because breaches often unfold over a series of events, analysts must correlate seemingly unrelated activities to protect the organization. They look for system failures, infections, malware attacks and all other types of digital threat. The SOC is responsible for two areas: 1) the devices, processes and applications it is tasked with protecting, and 2) the tools it uses to protect them.
- Threat Intelligence and Prioritization: Prevention and preparation come into play as the SOC team continually monitors and analyzes risks and vulnerabilities to protect against potential threats. It provides intelligence to organization leaders so they are aware of the threats, and sorts through thousands of alerts to address the most urgent ones first.
- Security Incident Response: Response time is critical to minimizing the impact of a cybersecurity event. The SOC team moves quickly to implement solutions, take corrective action and prepare to respond to future events.
- Containment: When an incident is confirmed, the SOC acts as first responder, performing actions such as shutting down or isolating endpoints, terminating harmful processes, deleting malicious code and more. The goal is to respond only to the extent necessary, with as little impact on business continuity as possible.
- Recovery and Remediation: After containing the incident, the SOC works to restore systems and recover lost or compromised data. This may include wiping and rebuilding endpoints, reconfiguring systems or, in the case of ransomware, restoring from known-good backups so that the ransom never has to be considered.
The Importance of Building a Modern SOC
Data breaches, malware infections, ransomware and attacks such as DDoS (Distributed Denial of Service) are common occurrences for organizations both large and small. Detecting and eradicating these threats before they cause harm is the SOC's daily priority.
One of the biggest challenges security operations teams face is the time it takes to sort through the noise generated by their many security tools, with some organizations facing thousands of open alerts at any given time. A carefully designed approach to threat detection and incident response is critical to safeguarding valuable digital assets and minimizing the chances of a data breach.
Anvilogic provided the necessary threat detection automation for our small SOC, adding a significant force-multiplier advantage for my team.