A SOC is a security operations centre managed by a cybersecurity company to protect their clients.
A SOC, also referred to as an information security operations centre (ISOC) can be also be located in a company’s own internal IT department and is where the information security team does monitoring, analysis, detection, and quick responses to cybersecurity incidents.
This happens every day, around the clock 24/7/365.
The security analysts and engineers who make up the security team are involved in monitoring and overseeing all activities in the company’s IT infrastructure: databases, servers, system applications, websites, endpoint devices, and networks. All this is done to ensure potential security threats are detected early enough and are prevented to ensure no security breach occurs.
The work of the security operations centre is to ensure the company’s security posture remains stable. A security operations centre not only identifies threats. The team in this department ensures threats are properly analysed and their source is identified.
In addition, they come up with a report on how to prevent such similar future occurrences. Companies that may have several offices around the world have a Global Security Operations Centre. With a GSOC, all activities are controlled from here, meaning tasks will not be repeated and the head office will have a better picture of what is happening in the company’s other branches.
Key Functions Performed by the SOC
A SOC performs activities mostly related to the information security of businesses and companies. Here is a breakdown list of some crucial functions of a SOC.
1. Proactive monitoring
The SOC uses tools that scan the system and the network for vulnerabilities and suspicious activities 24/7/365. Through this active monitoring, the SOC is notified immediately the system detects suspicious activity. This allows the SOC team to act swiftly and can prevent the threat entirely or mitigate the vulnerability if it has already been exploited.
The SOC systems provides alerts when they experience abnormal activities. This is through security tools like EDR and SIEM which work through studying activities considered as threats and comparing them to the normal day-to-day activities and behaviours on the company systems.
This reduces the involvement of humans which makes the process smoother and more efficient. If the monitoring tools detect any anomalous behavior, it sends an alert signal to the SOC team so they can being investigating the threat.
2. Preparation and preventative maintenance
A company may have the best incident response model but some attacks may still occur since no model is 100% threat proof. This means that organisations should have reliable preventative measures in place too.
Instead of waiting for attacks to happen, the SOC team is responsible for coming up with measures to prevent attackers and any security incident. The preventative measures are further broken down into these two parts;
a. Preparation
The SOC team should always be across that latest and upcoming cyber-crime trends, new security inventions, and innovations. They should also be aware of how emerging cyber-attacks will open doors to new threats in the future.
With this research and readiness, the team will come up with a reliable cybersecurity model that will aid in developing a roadmap for efforts to be made along with an incident response plan (IRP).
Organisations will also consider worst-case scenarios and have a proper disaster recovery plan for the situation. Preparation brings about readiness for any threat or incident that might occur and ensures small businesses go back to their initial state before cyber-attacks without a great deal of effort.
b. Preventative maintenance
The SOC team will do everything to ensure that attacks are more difficult to make and even if a cyber-attack is successful, the companies inner systems and networks are threat-proof or hard to get through.
Some activities to ensure this include regularly patching vulnerabilities, updating the organisation’s existing systems and maintaining them, ensuring regular firewall updates, performing blacklisting and whitelisting, and securing the operations that the organisation relies on.
3. Taking stock of the available company resources
This stage involves the business assets. Cybersecurity assets include the applications the company uses, its processes, and the devices. These assets should be safeguarded.
The tools used for defending these systems should also be well safeguarded. The SOC team aims at having a great understanding of the company’s threat landscape. The team cannot protect what they cannot see or don’t know about. They need to be aware of all processes and those that can be exploited.
They also need to be aware of the vulnerabilities that can be easily exploited. The threat landscape includes and is not limited to the servers, endpoints, software on-premises.
In addition third-party, companies should closely monitor vendor services and the traffic flow between vendor assets.
There has also been a recent trend where cyber-criminals use vendors systems to get access to company systems. A good example of this would be the SolarWinds attack. The attacker found a vulnerability in the vendor’s software and made some malicious changes to the software the company was providing and when the users made updates to the software application, their systems were trojanised. This is why your small business needs to be careful when dealing with vendors and making any changes or updates.
4. Responding to threats
The goal of the SOC is to respond to security incidences immediately after they are confirmed. Some activities that the SOC does in responding include isolating endpoints, shutting down endpoints, stopping execution or terminating harmful processes, deleting files that could be harmful, and others.
The goal of threat response is to prevent a large extent of damage which in due course ensures business continuity.
5. Performing recovery and remediation
In the case where a security incident unfortunately occurs, the SOC works to fully recover and restore the systems. The SOC team will recover any data that has been lost or compromised.
In the case of ransomware attacks, the team will work on circumventing the ransomware or keeping backups of all data and information.
They may also reconfigure a company’s systems or restart the endpoints. They do this to ensure the system and the network is back to where it was before the security incident happened.
6. Ranking and managing alerts
The SOC relies on device and system monitoring tools. When a tool issues an alarm of anomalous activity in the system, the SOC team is supposed to analyse each alert closely and determine the impact the found threat would have if it was exploited.
They should also find out the exact target of the threat and ensure that any false positives are discarded. The team should arrange the threats from the most urgent and also take note of the emerging threats.
7. Refining and improving security
Each year cyber-criminals come up with new tactics of maliciously accessing systems and networks.
For each innovation they make, the SOC needs to make improvements in their incident response and handling techniques. Improvements in handling security incidents are an activity that should be continuous.
The red team and the purple team (SOC staff acting as hackers to test systems) come together to find new attacks and new ways of mitigating them and ensuring they have stronger controls in case they happen in the future.
8. Managing logs
The SOC collects and maintains logs of network activities and systems for the company. They also review the logs to identify any anomalous activity, any threats and also identify the source.
Log management is crucial since it can come in handy in case a security incident occurs and the forensics team needs to perform a remediation and aftermath analysis.
To perform log management, the SOC team uses security tools like SIEM. This tool helps in correlating data traffic from different applications, operating systems, firewalls, and endpoints (as ll network assets produce different logs).
9. Investigating security root causes
When a security incident unfortunately occurs, the SOC team is responsible for analysing how the breach occurred and what exactly caused the security breach. They will then come up with a report explaining the criteria the attack might have used and the technology the cyber-criminals used.
After this, they will also come up with improvement mechanisms and practices. Log data is used for forensic investigation. The logs help in tracing the problem and pointing to a possible source. With this information, it is easier to put in place measures and controls to prevent future incidences.
10. Compliance management
Some SOC processes are compliance requirements. The organisation’s SOC team is responsible for auditing systems and ensuring all compliance requirements are met. Some governing bodies include the Privacy Act, NDBS, PCI DSS, GDPR, and HIPAA. Organisations should ensure they are compliant with these governing laws to safeguard customer data and prevent any cybersecurity breach.
The SOC Team
Who works in a SOC? The security operations centre team consists of security engineers, analysts, and their supervisors. This team is professionally trained to handle security incidences. The team follows a hierarchical approach when dealing with security issues. The team is categorised according to skill level. The different levels may include but not limited to;
First Level
The first level team manages cybersecurity tools and may come up with regular reports on cybersecurity. They are poised ready to catch any alert and also determine if the alert is urgent. According to the urgency of the alert, it will be escalated to the second level.
Second Level
The second level team is more experienced to handle higher complexity incidents. This means they can quickly determine the root cause of the alert and also determine where the alert has been affected.
They have formally laid down procedures they follow to ensure the confidentiality and privacy of user data. They will also try and mitigate the damage of the attack while noting down other issues that need further investigation.
Third Level
The third level team has the one of the highest levels and expertise in cybersecurity. These analysts actively search for vulnerabilities within the network.
The analysts employ advanced threat detection tools to scan for weaknesses. They also advise on ways and procedures to take to improve the organisation’s cybersecurity posture.
Specialists like compliance auditors, cybersecurity analysts, and forensic investigators may also form part of this group.
Fourth Level
The fourth level team comprises individuals who have many years of cybersecurity experience. They may include chief information officers and high-level managers. They oversee and monitor all operations for the entire SOC team.
This team is also responsible for training and hiring individuals within the SOC and evaluating the performance of the SOC team members.
This team is the liaison between the entire organisation and the SOC team, and leads the team and the business during security crises.
As organisations also need to comply with different industry, government, and company regulations the fourth level team ensures this happens.
Best Practices for Building a SOC
When building your own SOC, or evaluating using the services of a SOC, here are some best practices to ensure maximum benefits. Some of the best practices include;
1.Having a clear strategy- to develop a clear strategy, you should know what you need to secure, whether you need 24/7/365 surveillance by your team, whether you will merge your SOC to your NOC (Network Operations Centre), and whether your SOC will be in-house or whether some functions will require outsourcing from a vendor.
Ensuring you carefully consider these requirements will adequately cater to all your security needs.
2.Ensuring you have visibility of the whole organisation- the SOC team needs to have access to everything in the organisation. You should consider everything that affects security. You should also consider the larger assets and infrastructure like encrypted data or systems controlled by vendors.
3.Ensuring you invest in the right security tools- your SOC will not work without the necessary automated security tools. This will reduce the workload on the team and ensure easy monitoring.
You should invest in firewalls, security information and event management (SIEM), data monitoring tools, log management systems, asset discovery systems, vulnerability scanners, and penetration testing tools, endpoint protection systems, and governance risk and compliance systems (GRC).
4. Ensuring you hire and always train the right SOC team – every employee in the SOC team requires frequent training. Talented and well-trained staff is a recipe for success. Once you hire SOC employees, you should ensure they improve their skills through training.
Through this, you will improve their retention level and engagement. You should ensure your staff properly understand security engineering, network security, security architecture, information assurance, and different operating systems.
For the high-level staff, they should have different expertise including, intrusion prevention system analysis, cyber forensics, reverse engineering, and ethical hacking.
5. Designing your organisation’s SOC according to your business needs and specific risks to maximise efficiency – you should design your SOC according to the security needs of your organisation. You can choose to have an internal SOC which normally has staff working full time in the organisation’s premises.
All actions take place in a physical room in the organisation. An outsourced SOC is managed by a security service provider (MSSP) which is external to the organisation’s physical buildings. An MSSP specialises in security response and analysis. At times, the MSSP only provides secondary support whilst at other times may handle all SOC activities for the business.
A virtual security operations centre (VSOC) comprises contract workers who work part-time and not on the physical premises of the organisation. The VSOC provider and the organisation first agree on how their relationship will work in practice day-to-day operationally, what services will be offered (and those the organisation needs).
Every organisation needs maximum cybersecurity. Whether your SOC is outsourced or in-house, you should ensure it is fully functional. Information security is crucial for all businesses. You should know what your organisation needs to be secure and ensure you have the right availability processing integrity confidentiality tools.
If you’re unsure of whether a SOC is right for your business, or whether in-house or outsourced suits best, contact Kaesim Cybersecurity today for a free cybersecurity health check.
It’s a 30 minute Zoom call that walks through a checklist to assess your current cybersecurity and provide a short report with some advice and recommendations, including whether a SOC is relevant for your business.
