SOC, or Security Operations Centre, is a widely used term, but for clarity our definition is a one-stop shop for managing cybersecurity-related incidents within an organisation and ensuring they are properly identified, investigated, remediated and reported. To understand what a SOC needs to do, first consider the threat landscape and ask a few questions: what information would be of interest to attackers, who are those attackers and what are they capable of? The primary focus, though, is on understanding your own weaknesses and vulnerabilities, identifying the resulting risks, and working out how to prepare for, protect against, detect and respond to attacks.
Nation states and advanced criminal groups have a different style of attack, and a different business impact, from hacktivists and script kiddies. You also need to take into account previous compromises, both your own and those experienced by peer organisations, and then establish the risk appetite of the business, since some threats may be acceptable and not worth the cost of defending against. By evaluating threat and risk together, an organisation gains vital insight into the attacks it is likely to face and can make informed decisions about where to focus SOC resources.
Based on this, work out the business drivers and how the SOC aligns with the wider business, to build a picture of the capabilities it will need. Next, map your existing resources and assess the SOC's level of maturity for each capability, and use that assessment to prioritise the changes and investment that need to take place. It is also worth establishing what skills the current team members have and reviewing existing processes and technology. Ask which areas can be improved in the short term with little effort and cost.
People, process and technology
These are the three key areas that need investment in the early stages to start building a capable and efficient SOC. Over time things change and you need to avoid becoming stagnant; instead, focus on continual improvement in preventing, detecting and responding to threats as the threat landscape evolves.
A fully functioning SOC requires access to people with a range of specialist skills, from platform engineers, network analysts and forensic analysts to software developers and threat intelligence researchers. For existing staff, external training and knowledge sharing can be useful. It may not be practical to fill all of these roles on a full-time basis, so outsourcing specialist skills, to be called on in the event of an incident, is a reasonable alternative.
The SOC must also run like a well-oiled machine, ready to make decisions and take appropriate action quickly in a high-pressure environment. It therefore needs documented processes to ensure incidents are managed consistently and efficiently, but those processes must also be flexible enough to be adapted quickly to new technologies or attack methods.
When it comes to the technology itself, it is all too easy to throw money at well-advertised out-of-the-box tools, but these are only as effective as the people who use them. One genuinely useful tool for a developing SOC may simply be a log management platform, which collates logs from many sources in one place and makes it practical to query large volumes of data; a pattern that is invisible in any single host's logs can be obvious once the sources are brought together.
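To make the collation point concrete, the following is an added example (not code from the article or from Context Information Security): it normalises two different log formats into one schema and runs a single failed-logon query across them. The sshd syslog lines, the Windows logon records, the host names and the IP addresses are all constructed for this example, the Windows records use a simplified JSON layout chosen here rather than a real exported event format, and the syslog year and UTC timezone are assumptions because syslog lines carry neither.

```python
"""Normalise two constructed log formats into one schema and run a
cross-source failed-logon query over them.  Added example, not code from
the original article.  Sample log lines, host names and IP addresses are
constructed; the Windows records use a simplified JSON layout chosen for
this example, not a real exported event format."""
import json
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample data: a Linux host's sshd syslog and a Windows domain
# controller's logon events, both touched by the same source IP.
LOGS = [
    "Mar  3 10:15:01 web01 sshd[2211]: Failed password for invalid user admin from 198.51.100.7 port 51122 ssh2",
    "Mar  3 10:15:04 web01 sshd[2211]: Failed password for root from 198.51.100.7 port 51130 ssh2",
    "Mar  3 10:15:09 web01 sshd[2213]: Failed password for root from 198.51.100.7 port 51140 ssh2",
    "Mar  3 10:16:30 web01 sshd[2220]: Accepted publickey for deploy from 203.0.113.5 port 40022 ssh2",
    '{"TimeCreated": "2024-03-03T10:15:12Z", "EventID": 4625, "Computer": "DC01", "TargetUserName": "administrator", "IpAddress": "198.51.100.7"}',
    '{"TimeCreated": "2024-03-03T10:15:20Z", "EventID": 4625, "Computer": "DC01", "TargetUserName": "svc_backup", "IpAddress": "198.51.100.7"}',
    '{"TimeCreated": "2024-03-03T10:40:00Z", "EventID": 4624, "Computer": "DC01", "TargetUserName": "jsmith", "IpAddress": "10.0.0.23"}',
]

# Syslog lines carry no year or timezone; assumed here: the collector knows
# the year (2024) and the hosts log in UTC.
SYSLOG_YEAR = 2024
SSHD_RE = re.compile(
    r"^(?P<mon>\w{3})\s+(?P<day>\d{1,2})\s+(?P<time>\d{2}:\d{2}:\d{2})\s+(?P<host>\S+)\s+sshd\[\d+\]:\s+"
    r"(?P<result>Failed password|Accepted \w+) for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port"
)


@dataclass(frozen=True)
class LogonEvent:
    """Common schema every log family is mapped onto."""
    ts: datetime
    source: str      # which log family the record came from
    host: str
    user: str
    src_ip: str
    success: bool


def parse_sshd(line):
    m = SSHD_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{SYSLOG_YEAR} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
    return LogonEvent(ts.replace(tzinfo=timezone.utc), "sshd", m["host"], m["user"],
                      m["ip"], m["result"].startswith("Accepted"))


def parse_windows(line):
    try:
        ev = json.loads(line)
    except ValueError:
        return None
    if ev.get("EventID") not in (4624, 4625):
        return None  # only logon success (4624) and failure (4625) are modelled here
    ts = datetime.fromisoformat(ev["TimeCreated"].replace("Z", "+00:00"))
    return LogonEvent(ts, "windows", ev["Computer"], ev["TargetUserName"],
                      ev["IpAddress"], ev["EventID"] == 4624)


def normalise(lines):
    """Collate heterogeneous lines into one time-ordered list, dropping lines no parser understands."""
    events = []
    for line in lines:
        ev = parse_sshd(line) or parse_windows(line)
        if ev:
            events.append(ev)
    return sorted(events, key=lambda e: e.ts)


def failed_logon_bursts(events, threshold=5, window=timedelta(minutes=5)):
    """Source IPs with at least `threshold` failed logons inside any `window`,
    counted across every host and log source that has been collated."""
    by_ip = defaultdict(list)
    for e in events:
        if not e.success:
            by_ip[e.src_ip].append(e)
    hits = {}
    for ip, fails in by_ip.items():
        fails.sort(key=lambda e: e.ts)
        start = 0
        for end, e in enumerate(fails):        # sliding window over the sorted failures
            while e.ts - fails[start].ts > window:
                start += 1
            if end - start + 1 >= threshold:
                hits[ip] = {
                    "count": len(fails),
                    "hosts": sorted({f.host for f in fails}),
                    "users": sorted({f.user for f in fails}),
                }
                break
    return hits


if __name__ == "__main__":
    events = normalise(LOGS)
    # Each log family on its own stays under the threshold; only the collated view crosses it.
    for src in ("sshd", "windows"):
        print(src, failed_logon_bursts([e for e in events if e.source == src]))
    print("all", failed_logon_bursts(events))
```

Run on its own, the script shows the point of the paragraph: three failures on the Linux host and two on the domain controller are each unremarkable, but the same source address reaching five failed logons across both in under twenty seconds is worth an analyst's attention, and that is only visible once the two sources share a schema and a query.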
A model aligned with business objectives usually includes advanced analytics, threat intelligence and threat hunting, machine learning, endpoint detection and response, automation and orchestration tooling, and clearly assigned incident response responsibilities.
It is notoriously difficult to measure the success or effectiveness of a preventative capability, which is problematic when justifying investment. So how can an organisation measure the value and success of its SOC? Statistics such as 'number of incidents detected' are misleading, particularly while a SOC is new and growing: new technology and new people bring different views on what counts as an incident, and the figure will vary significantly with the threat landscape at the time.
Similarly, measures such as 'time from incident detection to closure' vary with severity, who is investigating and the processes followed. KPIs like these can even have a detrimental effect on performance, because staff should not be encouraged to close an alert or incident quickly at the expense of a thorough investigation.
It may be better to gauge success by comparing notes with peer organisations in the same industry and/or of a similar size, to see whether they have experienced similar attacks and how your SOC fared against them. So stay up to date with security news about attacks in your sector.
Overall, an effective SOC must not only identify threats but also analyse and investigate them, report the vulnerabilities discovered and plan how to identify and prevent similar occurrences in the future. A mature SOC built this way will have greater visibility and understanding of the business when dealing with security problems, and will continually work to improve its security posture. The result is better prevention, detection and response to cybersecurity issues, minimising the impact of an incident and protecting the business's reputation when one does occur.
Michael Cormack, senior consultant, Context Information Security