There is no arguing the fact that networks are continually growing in complexity and the cyberattack surface is constantly expanding. A critical step in building a stronger security posture and a more robust data protection strategy is a 24×7 facility whose mission is to monitor, detect, investigate and resolve active threats. When the inevitable attack happens, timely identification, reaction and collaboration are everything, and a business with a successful SOC will be far quicker and more coordinated in its response than one without.
According to Ernst & Young’s Global Information Security Survey 2018-19, the average cost of a data breach is $3.62 million, yet more than half of companies report they have no program (or an obsolete one) for one or more of the following areas: threat intelligence, vulnerability identification, breach detection, incident response, data protection, and identity and access management – disciplines which all originate in or are closely tied to the SOC.
A Siemplify study, The Road to Security Operations Maturity, conducted by the Cyentia Institute, found that “the majority of (security operations) programs are just starting their maturity journey or midway through it. Only 16% claim to have reached peak maturity.” How can you create a cybersecurity hub within your organization? Here is a primer to designing, building and maintaining a successful SOC.
What is a security operations center?
SOCs act as the front line to your cybersecurity efforts. SANS defines them as “a combination of people, processes and technologies protecting the information systems of an organization through proactive design and configuration.”
That means design and configuration must be carefully considered across each of these axes: staff, technology and the processes and workflows used for both, plus the intricacies of how these all work together for optimal performance.
A SOC is typically housed in a single location on-site, although some organizations have multiple distributed SOCs for global coverage.
What does the SOC do?
Within the SOC, the team’s job is to (with the help of technology and repeatable processes) monitor the state of the IT systems across the organization, detect any incoming threats and internal security events, and mitigate the effects of any security incidents that occur.
Which businesses need an on-site SOC?
If you’re a mid-to-large enterprise, then you should be thinking about building an internal SOC. You likely already have a security team, but you may not have pooled resources to make them as effective as possible.
Smaller organizations with particularly sensitive or valuable data that need safeguarding should also consider an on-premises SOC, but the option exists to outsource security operations functions to a managed security services provider (MSSP). Some larger companies also choose to delegate all or a portion of their security operations needs to an MSSP.
Who should staff your SOC?
Your team should be made up of a mix of people, including experienced analysts, engineers and managers. A round-the-clock team is needed, since cyber attackers don’t follow a 9-to-5 schedule. The number of employees needed for each shift will depend on your company size; however, make sure that there is always at least one manager on hand, and experience across both engineering and analyst roles. How resources are allocated at different times of the day will be dependent on multiple factors. It’s up to you to decide the mix of experience and roles each person on the team fulfills, while still ensuring adequate staffing at all times.
For risk management purposes, it’s a good idea to have an MSSP on call to augment your team in cases of staff illness or large incidents. This supplementary staff will also need to be well-versed in how your systems are configured if they’re to be on-site.
What equipment is essential for a successful SOC?
In terms of hardware – aside from the obvious multi-screen workstations for the team – you should have a wall of monitors set up to provide an overview of the current state of systems, as well as recent historical data. This way, your SOC staff has an overview of all system information, always available at a glance.
Your SOC should be one of, if not the most, secure rooms in your facility. This means physical barrier systems, such as swipe card access, biometrics and PIN code access, to guard it. For best practices on physical security, you can reference ISO 27001 – Annex A.11: Physical & Environmental Security.
What technology is a must-have?
A comprehensive combination of tools is needed to provide full security coverage of your information systems. The essential components of any successful SOC include a security information and event management (SIEM) system, an incident tracking and management system, a threat intelligence platform, packet capture and analysis tools, and automation tools.
Combined, these will help deliver:
- Network monitoring
- Endpoint management
- Asset discovery
- Threat intelligence
- Behavioral monitoring
- Data loss prevention
- Ticketing systems
- Policy compliance
- Incident response
However, generating meaningful alerts for your analyst is only the beginning. SOCs need to define the processes by which they handle the various alerts from initial triage through investigation, containment and response. Furthermore, to avoid alert overload and analyst burnout, these processes should be automated as much as possible. For these reasons, both new and existing SOCs are increasingly implementing a security orchestration, automation and response (SOAR) platform.
SOAR solutions help build and automate consistent response processes (commonly referred to as “playbooks” or “runbooks”) that bring together individual security tools, allowing SOC teams to orchestrate and manage them more efficiently from a single platform. In addition, SOAR helps to mitigate alert overload by helping teams automatically close false positives and zero in on threats that truly need analyst attention.
What processes/workflows does a successful SOC need?
The processes and workflows that your SOC follows need to be optimized because manual checklists can introduce human error.
Incident response playbooks are fundamental to the work of the SOC. They are needed to cover common use cases, like phishing or malware events, in a repeatable manner. Playbooks are typically coded for automation and can include recipes like creating tickets on actionable events, notifying teams after incidents, and more.
The aim of the majority of playbooks is to automate tedious Tier 1 tasks (detecting and identifying events) that would usually be done by analysts. This means you have more resources to dedicate to Tier 2 (mitigating attacks) and Tier 3 tasks (optimizing operations).
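To make the playbook idea concrete, here is a small SOAR-style triage playbook written for this primer (it is an added example, not Siemplify's product or any vendor's code). It walks one alert through the Tier 1 steps the text lists: enrich the indicator against a threat-intel feed, auto-close known false positives (IDS alerts caused by the organization's own vulnerability scanners), open a ticket for actionable events, and notify the on-call channel when the case escalates to Tier 2. The scanner allowlist, the threat-intel entries, the alert records and the ticket/notification helpers are all constructed stand-ins for what a real platform would pull from the SIEM, TI platform and ticketing system.

```python
"""Illustrative SOAR-style triage playbook (added example, not a vendor product)."""
from dataclasses import dataclass, field

# Constructed: internal vulnerability scanners whose traffic routinely
# trips IDS signatures. Hypothetical addresses.
SCANNER_ALLOWLIST = {"10.0.0.5", "10.0.0.6"}

# Constructed threat-intel feed keyed by indicator. Hypothetical values.
THREAT_INTEL = {
    "203.0.113.17": {"verdict": "malicious", "tags": ["c2"]},
    "bad-login.example": {"verdict": "malicious", "tags": ["phishing"]},
}


@dataclass
class Alert:
    id: str
    kind: str        # "ids", "phishing" or "malware"
    severity: str    # "low", "medium" or "high"
    indicator: str   # IP, domain or file hash the alert is about
    src_ip: str = ""


@dataclass
class Case:
    alert_id: str
    status: str      # "closed_fp", "ticketed" or "escalated"
    tier: int        # analyst tier the case now sits with
    actions: list = field(default_factory=list)


def enrich(alert):
    """Step 1: look the alert's indicator up in the threat-intel feed."""
    return THREAT_INTEL.get(alert.indicator, {"verdict": "unknown", "tags": []})


def is_false_positive(alert):
    """Step 2: known noise, e.g. IDS hits generated by our own scanners."""
    return alert.kind == "ids" and alert.src_ip in SCANNER_ALLOWLIST


def create_ticket(alert):
    """Stand-in for the ticketing-system API; returns the ticket reference."""
    return f"TICKET-{alert.id}"


def notify(channel, message):
    """Stand-in for the chat/paging integration; returns the message sent."""
    return f"{channel}: {message}"


def run_playbook(alert):
    """Run the triage playbook for one alert and return the resulting case."""
    if is_false_positive(alert):
        # Closed automatically: no analyst time spent.
        return Case(alert.id, "closed_fp", 1, ["auto-closed: allowlisted scanner"])
    enrichment = enrich(alert)
    case = Case(alert.id, "ticketed", 1, [create_ticket(alert)])
    # Escalate to Tier 2 when TI confirms the indicator or severity is high.
    if enrichment["verdict"] == "malicious" or alert.severity == "high":
        case.status = "escalated"
        case.tier = 2
        tags = ",".join(enrichment["tags"]) or "no TI hit"
        case.actions.append(notify("#soc-oncall", f"{alert.id} {alert.kind} escalated ({tags})"))
    return case


def triage(alerts):
    """Run the playbook over a batch of alerts."""
    return [run_playbook(a) for a in alerts]


def summarize(cases):
    """Count cases by outcome, a quick view of how much Tier 1 load was automated."""
    counts = {"closed_fp": 0, "ticketed": 0, "escalated": 0}
    for c in cases:
        counts[c.status] += 1
    return counts


# Constructed sample alerts; HASH-PLACEHOLDER stands in for a real file hash.
SAMPLE_ALERTS = [
    Alert("A1", "ids", "low", "10.20.30.40", src_ip="10.0.0.5"),
    Alert("A2", "phishing", "medium", "bad-login.example"),
    Alert("A3", "malware", "high", "HASH-PLACEHOLDER"),
    Alert("A4", "ids", "medium", "198.51.100.9", src_ip="192.0.2.44"),
]

if __name__ == "__main__":
    cases = triage(SAMPLE_ALERTS)
    for c in cases:
        print(c)
    print(summarize(cases))
```

Running it shows the division of labor the text describes: A1 is closed with no analyst involvement, A4 gets a ticket and stays at Tier 1, and A2 and A3 are ticketed and escalated to Tier 2 with an on-call notification. Each decision point (allowlist, TI verdict, severity threshold) is a single function, which is what makes a playbook both repeatable and easy to tune when it starts closing the wrong things.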
How to attract internal support for a SOC
Wondering how to sell the idea of a successful SOC to organizational stakeholders? Start by conveying, in understandable terms, the serious and evolving nature of the threat landscape with facts and figures. Consider the following:
- A total of 16,555 new vulnerabilities were discovered in 2018, as opposed to 6,447 in 2016 (Source: CVE Details).
- Web attacks are up 56%, and supply chain attacks up 48% from 2017 to 2018 (Source: Symantec).
- Regulatory compliance (made manageable by orchestration) is more important than ever with ever-changing data privacy legislation, including GDPR and HIPAA.
- Penetration testing that evaluates the weaknesses of your IT environment will surely turn up findings that make you second guess your ability to stave off attacks and breaches.
The basic idea behind stakeholder buy-in is to convince others that cyberthreats are on the rise and always evolving, a particularly scary thought when fueled by the prospect of artificial intelligence. It’s hard to argue when it’s the truth. The value of business data, reputation and potentially ongoing viability of a company is at stake when it comes to significant and/or ongoing security incidents. The better organized you are to fight these threats, both now and in the future, the better chance you have to protect systems, hence the need for a successful SOC.
Going down the MSSP route
If you decide to use an MSSP for your SOC, you have to evaluate whether it can meet your needs. They should fit the requirements outlined above for a SOC (and then some!), as they’re offering services to multiple clients.
Your service-level agreement should cover round-the-clock monitoring and an always open line (preferably multiple lines) of communication. The MSSP should be experienced in protecting organizations of your size and network complexity, plus have advanced threat monitoring capabilities that are easily demonstrable to you. You should receive daily reports, plus more comprehensive weekly and monthly reports, as well as any relevant threat information as it comes to hand.
A look at the next steps
Your next steps should be to develop a formal plan and budget strategy, highlighting the increasing threat that cyberattacks pose to business information (as well as the threat from malicious insiders). Be sure to include how you plan to orchestrate all of your detection tools and automate alert and case handling from a single platform. Doing so will lead to a more efficient and successful SOC, and happier analysts.