What is a SOC?
A Security Operations Center (SOC) is an organized and highly skilled team whose mission is to continuously monitor and improve an organization’s security posture while preventing, detecting, analyzing, and responding to cyber security incidents with the aid of both technology and well-defined processes and procedures.
As the SOC strategy must be both clearly defined and business-specific, that strategy depends strictly on executive-level support and sponsorship; otherwise the SOC will not be able to work properly and will not be perceived as a critical asset by the rest of the organization. The SOC must aim at addressing the company’s needs, and strong executive sponsorship is necessary for it to be successful.
The establishment of a SOC requires careful planning: its physical security must be taken into consideration, and the layout of the operations center has to be carefully designed to be both comfortable and functional; lighting and acoustics must not be overlooked. A SOC is expected to contain several areas, including an operational room, a “war room” and the supervisors’ offices. Comfort, visibility, efficiency and control are key terms in this scenario, and every single area must be designed accordingly.
Once the mission and the scope of the SOC have been defined, its underpinning infrastructure must be designed; many components are necessary to build a complete technological environment: firewalls, IPSs/IDSs, breach detection solutions, probes and obviously a SIEM, just to name a few. Effective and efficient data collection is fundamental for a successful SOC. Data flows, telemetry, packet captures, syslog and several types of events must be collected, correlated and analyzed from a security perspective. Data enrichment and information about vulnerabilities affecting the entire ecosystem to be monitored are of great importance as well.
People and processes
While technical requirements are of the greatest importance, the most advanced and best-equipped control room would be worthless without people and procedures bringing it to life! Besides technology, people and processes are the pillars of a successful SOC.
As stated above, a SOC is a team, and as in every winning team, all roles must be filled properly. Leaders (and leadership) will be needed, while engineering, analyst and operations roles will have to be covered. Many functions must be carried out, and analysts will be assigned to two or three tiers. The primary functions provided by the team members will be analysis grounded on the real-time monitoring of events, the detection of security incidents or data breaches, the response to these incidents (after the necessary triage phase) and, at last, the remediation of the consequences of every detected incident. All of these actions must be coordinated: collaboration, timing and efficiency must be paramount for the overall SOC organization. Each member of the team must be fully aware of both the mission and the strategy of the SOC; therefore, effective leadership has an enormous impact. The SOC manager must be able to build the team, motivate the members, retain people and make them willing to create value for the business and for themselves. It is not an easy task for a SOC manager: the “machine” must run seven days a week, 24 hours a day, so stress will be a likely risk factor. Selecting the right team members for the right tasks is a highly challenging assignment, as the range of required competences is quite wide, ranging from vulnerability management to computer forensics through malware analysis. Establishing the proper number of staff members is another hard and demanding task; while no unnecessary workers should be hired and a defined budget will have to be respected, the risk of being undermanned – and therefore inefficient – must be avoided.
In this scenario, the adoption of a hybrid model, in which the internal team cooperates with outsourced managed service providers, is a viable choice.
Security tools and technology components
A deeper analysis of the technology components supporting the SOC cannot be divorced from a strong emphasis on security; no detail of a defense-in-depth approach must be overlooked: LAN segmentation, NAC, VPN, endpoint hardening, encryption of data at rest, in use and in motion, and protection through well-configured and monitored IPSs/IDSs, firewalls, routers and switches. Since the SOC is a team, collaboration tools have to be carefully designed to give the members the best user experience available, which in turn gives the SOC the best ability to produce value for the business; this goal must be accomplished while meeting all the security assurance requirements of a Security Operations Center. Mobile devices (and their security) are another aspect that cannot be neglected while designing and building a SOC. A particular emphasis must be placed on Data Loss Prevention measures, spanning from endpoints to servers and from e-mail to smartphones.
Without claiming to be exhaustive, many further technology components that help complete the entire SOC ecosystem should be mentioned: web proxies, sandboxes, endpoint breach detection solutions and forensics tools. All of the involved systems generate events, logs, flows and telemetry data that must be ingested, processed and analyzed by a machine and, eventually, by a human being. In this phase of ingestion, processing and correlation, it is worth remembering – once again – the pivotal role of the SIEM for the Security Operations Center.
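The ingestion, enrichment and correlation pipeline described above (and in the data-collection paragraph earlier) is easier to grasp in code. The following is an added example, not code from the article or from any SIEM product: it parses a handful of constructed syslog lines, enriches each event with a hypothetical asset inventory (criticality and open vulnerability count, the kind of context a CMDB or scanner would provide), and applies one generic correlation rule, repeated SSH failures from one source followed by a success on the same host, raising the alert severity when the affected asset is critical or carries open findings. The log format, hosts, addresses and thresholds are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample syslog lines (not real logs) in a simplified format:
# "<ISO timestamp> <host> <program>: <message>"
SAMPLE_SYSLOG = """\
2024-03-01T08:00:01 web01 sshd: Failed password for root from 203.0.113.7 port 51000
2024-03-01T08:00:04 web01 sshd: Failed password for root from 203.0.113.7 port 51001
2024-03-01T08:00:06 web01 sshd: Failed password for root from 203.0.113.7 port 51002
2024-03-01T08:00:09 web01 sshd: Failed password for root from 203.0.113.7 port 51003
2024-03-01T08:00:15 web01 sshd: Accepted password for root from 203.0.113.7 port 51004
2024-03-01T08:02:00 db01 sshd: Failed password for admin from 198.51.100.9 port 40000
2024-03-01T08:30:00 db01 sshd: Accepted publickey for backup from 10.0.0.5 port 40010
"""

# Hypothetical asset inventory used for enrichment (constructed data standing in
# for what a CMDB or vulnerability scanner would feed into the SIEM).
ASSET_INVENTORY = {
    "web01": {"criticality": "high", "open_vulns": 2, "zone": "dmz"},
    "db01": {"criticality": "critical", "open_vulns": 0, "zone": "internal"},
}
UNKNOWN_ASSET = {"criticality": "unknown", "open_vulns": 0, "zone": "unknown"}

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<prog>[^:]+): (?P<msg>.*)$")
SSH_RE = re.compile(
    r"^(?P<outcome>Failed|Accepted) (?P<method>\w+) for (?P<user>\S+) "
    r"from (?P<src>\d+\.\d+\.\d+\.\d+) port \d+$"
)


def parse_syslog(text):
    """Normalize raw lines into event dicts; lines we cannot parse are dropped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        s = SSH_RE.match(m.group("msg"))
        if not s:
            continue
        events.append({
            "ts": datetime.fromisoformat(m.group("ts")),
            "host": m.group("host"),
            "user": s.group("user"),
            "src": s.group("src"),
            "outcome": s.group("outcome").lower(),
        })
    return events


def enrich(event, inventory=ASSET_INVENTORY):
    """Attach asset context so the analyst sees impact, not just the raw event."""
    return {**event, "asset": inventory.get(event["host"], UNKNOWN_ASSET)}


def correlate(events, threshold=3, window=timedelta(minutes=5)):
    """Flag a source that fails >= threshold times against one host inside the
    window and then succeeds; severity is raised using the enrichment data."""
    alerts = []
    failures = defaultdict(list)  # (host, src) -> timestamps of failed logins
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["host"], ev["src"])
        if ev["outcome"] == "failed":
            failures[key].append(ev["ts"])
            continue
        # A success: look back at recent failures from the same source/host pair.
        recent = [t for t in failures[key] if ev["ts"] - t <= window]
        if len(recent) >= threshold:
            asset = enrich(ev)["asset"]
            severity = "high"
            if asset["criticality"] in ("high", "critical") or asset["open_vulns"] > 0:
                severity = "critical"
            alerts.append({
                "rule": "ssh_bruteforce_then_success",
                "host": ev["host"], "src": ev["src"], "user": ev["user"],
                "failures_before_success": len(recent),
                "severity": severity,
                "asset": asset,
            })
        failures[key].clear()
    return alerts


def run_pipeline(text=SAMPLE_SYSLOG):
    """Ingest -> normalize -> correlate (enrichment happens inside correlate)."""
    return correlate(parse_syslog(text))


if __name__ == "__main__":
    for alert in run_pipeline():
        print(alert)
```

On the constructed input the pipeline yields one alert for `web01` (four failures, then a success from the same address), rated critical because the inventory marks the host as high-criticality with open findings; the single failure against `db01` never reaches the threshold, and the later successful key-based login comes from a different source, so no alert is raised there.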
Methodology and intelligence
To improve the security posture of the organization, a SOC must be both active and proactive while carrying out the vulnerability management process. Risk assessment and a sound approach to vulnerability handling are priorities for a SOC (the OWASP methodology can be an option in this case). Furthermore, a context-aware threat intelligence approach has to be taken to deliver more value and to be more effective in detecting and preventing breaches and in containing damage.
The team at work
As soon as the SOC is operational in the live environment, the team will have to carry out its mission and react to incidents. This is the phase where the SOC has the opportunity to show the value it provides to the business. When an incident arises, a ticket is opened and a case is investigated. Many parts of the team will be involved, and possibly someone external to the SOC (part of the same organization or even a third party) will be concerned, depending on the nature, extent and severity of the incident. Different levels of escalation, possibly leading to the CSIRT, could be put in place, and the team must collaborate, leveraging all the available tools and procedures, until the closure of the case.
To be successful, security incident detection and monitoring, and the subsequent phase of incident response, require the right mix of sound technologies, clearly defined (and repeatable) processes and procedures, and highly specialized skills. Intuition, the ability to react quickly and precisely even under stressful conditions, and reliance on lessons previously learned are key points for an effective SOC team.
The manager view
Building and operating a SOC is a highly demanding mission; to accomplish this challenging task, many best practices, frameworks and standards might prove useful (e.g. ITIL and COBIT), and others could be mandatory to comply with (e.g. PCI DSS and ISO/IEC 27001:2013).
ITIL deserves special mention as a potentially unparalleled source of advice and guidance on service strategy and design, on service level management (SLAs and KPIs have to be clearly stated, measured and monitored) and on creating an interface between the organization’s incident/problem management processes and SOC-specific processes.
On the other hand, COBIT – and specifically COBIT MM (Maturity Model) – could be taken as a paramount guideline for measuring the maturity of the SOC.
Generally speaking, the performance of the SOC must be carefully measured in all its aspects: the clear definition of KPIs is mandatory, and a wise application of continual service improvement (ITIL, again, must be taken into consideration) could give the SOC the best results in being successful and in being perceived as a value for the organization.
The wide range – one might say the complete range – of cyber security aspects to be considered, the highly specialized competences and skills needed to run an effective SOC, and the tight relationship with the business strategy and processes make the task of designing and managing a Security Operations Center a paradigmatic example of applied and holistic information security.
Leadership, motivation and team-leading skills are mandatory for a SOC manager willing to create a great team. Continuous training and engagement are necessary to keep the pace of the SOC aligned with the relentless development of threats and the tireless, increasingly sophisticated efforts of attackers. Running a SOC is a complex endeavor, as it has to address the equally wide, pervasive and borderless problem of guaranteeing information security nowadays.
I also suggest that cybersecurity enthusiasts deepen their knowledge of the matter, because I see it as an excellent and comprehensive topic to deal with; it will give them a complete vision of what information security is and what value, if wisely applied, it can produce in any organization.
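The ticket-and-escalation flow from "The team at work" and the KPI measurement called for here can be tied together in a small model. The code below is an added example, not part of the article and not taken from any ticketing or ITSM product: a ticket records when the activity started, when the SOC detected it, when an analyst first acted and when it was closed; escalation moves it from tier 1 through tier 3 and then to the CSIRT, keeping an audit trail; and the KPI function derives mean time to detect (MTTD), mean time to respond (MTTR), the share of tickets acknowledged within their SLA, the escalation rate and the open backlog. The SLA targets, ticket identifiers and timestamps are constructed, hypothetical values.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from statistics import mean
from typing import List, Optional, Tuple

# Hypothetical first-response SLA per severity (constructed values; a real SOC
# would take these from its service level agreement).
SLA_RESPONSE = {
    "critical": timedelta(minutes=15),
    "high": timedelta(hours=1),
    "medium": timedelta(hours=4),
    "low": timedelta(hours=24),
}


@dataclass
class Ticket:
    ticket_id: str
    severity: str
    event_time: datetime        # when the malicious activity actually began
    detected_at: datetime       # when the SOC raised the alert / opened the ticket
    acknowledged_at: datetime   # first analyst action on the ticket
    closed_at: Optional[datetime] = None
    tier: int = 1
    history: List[Tuple[datetime, str]] = field(default_factory=list)

    def escalate(self, reason: str, at: datetime) -> str:
        """Tier 1 -> tier 2 -> tier 3 -> CSIRT, recording each hand-off."""
        if self.tier >= 3:
            self.history.append((at, f"escalated to CSIRT: {reason}"))
            return "CSIRT"
        self.tier += 1
        self.history.append((at, f"escalated to tier {self.tier}: {reason}"))
        return f"tier{self.tier}"

    def close(self, at: datetime, note: str) -> None:
        self.closed_at = at
        self.history.append((at, f"closed: {note}"))


def minutes(td: timedelta) -> float:
    return td.total_seconds() / 60


def sla_breaches(tickets: List[Ticket]) -> List[str]:
    """Tickets whose first analyst action came later than the severity's SLA."""
    return [t.ticket_id for t in tickets
            if t.acknowledged_at - t.detected_at > SLA_RESPONSE[t.severity]]


def compute_kpis(tickets: List[Ticket]) -> dict:
    """Headline SOC metrics a manager would track and report against targets."""
    closed = [t for t in tickets if t.closed_at is not None]
    return {
        "mttd_minutes": round(mean(minutes(t.detected_at - t.event_time) for t in tickets), 1),
        "mttr_minutes": round(mean(minutes(t.closed_at - t.detected_at) for t in closed), 1)
        if closed else None,
        "sla_response_rate": round(1 - len(sla_breaches(tickets)) / len(tickets), 3),
        "escalation_rate": round(sum(1 for t in tickets if t.tier > 1) / len(tickets), 3),
        "open_backlog": len(tickets) - len(closed),
    }


def sample_tickets() -> List[Ticket]:
    """Three constructed tickets from one (hypothetical) shift."""
    d = datetime(2024, 3, 1)
    t1 = Ticket("INC-1001", "critical", d.replace(hour=8),
                d.replace(hour=8, minute=10), d.replace(hour=8, minute=12))
    t1.escalate("confirmed credential compromise on a DMZ host", d.replace(hour=8, minute=30))
    t1.close(d.replace(hour=9, minute=10), "credentials rotated, host reimaged")
    t2 = Ticket("INC-1002", "high", d.replace(hour=9),
                d.replace(hour=10), d.replace(hour=11, minute=30))   # acknowledged late
    t2.close(d.replace(hour=14), "false positive after vendor confirmation")
    t3 = Ticket("INC-1003", "medium", d.replace(hour=11),
                d.replace(hour=11, minute=20), d.replace(hour=12))  # still open
    return [t1, t2, t3]


if __name__ == "__main__":
    tickets = sample_tickets()
    print(compute_kpis(tickets))
    print("SLA breaches:", sla_breaches(tickets))
```

For the constructed shift the model reports an MTTD of 30 minutes, an MTTR of 150 minutes over the two closed tickets, one SLA breach (the high-severity ticket acknowledged 90 minutes after detection, against a 1-hour target), one escalated ticket out of three and a backlog of one; tracking such figures over time, rather than for a single shift, is what turns them into continual service improvement input.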
ICT Security and Network Specialist Network and VoIP Team Leader at Cedecra Informatica Bancaria, a data processing center that serves a group of Cooperative Banks in Emilia-Romagna. He obtained a master’s degree (cum laude) in Computer Science at the University of Bologna. Over the years, he accrued interest and passion for computer security issues, with the conviction that security issues should be shared and discussed not only among professionals, but brought to the attention of the widest possible audience.
(Security Affairs – SOC, Security Operations Center)