Security Operation Center (SOC)

Ann Rotich
8 min read · May 26, 2022

Planning on setting up a Security Operation Center, commonly known as a SOC? Let’s take a deep dive into what it entails…

A SOC, or Security Operation Center, is an in-house or outsourced team of cybersecurity professionals that monitors, detects, analyzes and responds to cybersecurity incidents, typically on a 24/7/365 basis. A SOC must not only identify threats, but analyze them, investigate the source, report on any vulnerabilities discovered and plan how to prevent similar occurrences in the future. In other words, they’re dealing with security problems in real time, while continually seeking ways to improve the organization’s security posture.

What are the types of SOCs…

  • Internal SOCs: usually staffed full-time and based on-premises. The internal SOC comprises a physical room where all the action takes place.
  • Virtual SOCs: are not on-premises, and are made up of part-time or contracted workers who work together in a coordinated manner to resolve issues as needed. The SOC and the organization set parameters and guidelines for how the relationship will work, and how much support the SOC offers can vary depending on the needs of the organization.
  • Outsourced/External SOCs: in which some or all functions are managed by an external managed security service provider (MSSP) that specializes in security analysis and response. Sometimes these companies provide specific services to support an internal SOC, and sometimes they handle everything.
  • Co-managed SOCs: provide clients with collaborative service components to ensure preventive and ongoing real-time operational measures.
  • Global SOCs (GSOCs): integrate intelligence and analytics with technology to monitor security and improve incident response. GSOCs are the core component to mitigate economic risks, protect corporate assets, maintain situational awareness and safeguard all personnel.

What is the importance of a SOC…

The chief benefit of operating or outsourcing a SOC is that it unifies and coordinates an organization’s security tools, practices, and response to security incidents. This usually results in improved preventative measures and security policies, faster threat detection, and faster, more effective and more cost-effective response to security threats. A SOC can also improve customer confidence, and simplify and strengthen an organization’s compliance with industry, national and global privacy regulations. Other benefits of having a SOC include:

  • Faster response: The SOC provides a centralized, complete, real-time view of how the entire infrastructure is performing from a security standpoint, even if you have several locations and thousands of endpoints. You can detect, identify, prevent and resolve issues before they cause too much trouble for the business.
  • Protection of consumer and customer trust: Consumers are already skeptical of most companies and are worried about their privacy. Creating a SOC to protect consumer and customer data can help build trust in your organization. And of course, preventing breaches protects that trust.
  • Minimize costs: While many organizations think establishing a SOC is cost prohibitive, the costs associated with a breach — including the loss of data, corrupted data or customer defection — are much higher. Additionally, SOC personnel will ensure that you’re using the right tools for your business to their full potential, so you won’t waste money on ineffective tools.

Who works in a SOC…

Most SOCs adopt a hierarchical approach to manage security issues, where analysts and engineers are categorized based on their skill set and experience. A typical team might be structured something like this:

  • Tier 1: The first line of incident responders. These security professionals watch for alerts and determine each alert’s urgency as well as when to escalate it to Tier 2. Tier 1 personnel may also manage security tools and run regular reports.
  • Tier 2: These personnel usually have more expertise, so they can quickly get to the root of the problem and assess which part of the infrastructure is under attack. They will follow procedures to remediate the problem and repair any fallout, as well as flag issues for additional investigation.
  • Tier 3: At this level, personnel consist of high-level expert security analysts who are actively searching for vulnerabilities within the network. They will use advanced threat detection tools to diagnose weaknesses and make recommendations for improving the organization’s overall security. Within this group, you might also find specialists, such as forensic investigators, compliance auditors or cybersecurity analysts.
  • Tier 4: This level consists of high-level managers and chief information security officers (CISOs) with the most years of experience. This group oversees all SOC team activities and is responsible for hiring and training, plus evaluating individual and overall performance. Tier 4 personnel step in during a crisis and, specifically, serve as the liaison between the SOC team and the rest of the organization. They are also responsible for ensuring compliance with organization, industry and government regulations.

What does a SOC do…

SOC activities and responsibilities fall into three categories…

Preparation, planning and prevention

Asset inventory. A SOC needs to maintain an exhaustive inventory of everything that needs to be protected, inside or outside the data center (e.g. applications, databases, servers, cloud services, endpoints, etc.) and all the tools used to protect them (firewalls, antivirus/anti-malware/anti-ransomware tools, monitoring software, etc). Many SOCs will use an asset discovery solution for this task.

Routine maintenance and preparation. To maximize the effectiveness of security tools and measures in place, the SOC performs preventative maintenance such as applying software patches and upgrades, and continually updating firewalls, whitelists and blacklists, and security policies and procedures. The SOC may also create system back-ups — or assist in creating back-up policy or procedures — to ensure business continuity in the event of a data breach, ransomware attack or other cybersecurity incident.

Incident response planning. The SOC is responsible for developing the organization’s incident response plan, which defines activities, roles, responsibilities in the event of a threat or incident — and the metrics by which the success of any incident response will be measured.

Regular testing. The SOC team performs vulnerability assessments — comprehensive assessments that identify each resource’s vulnerability to potential threats, and the associated costs. It also conducts penetration tests that simulate specific attacks on one or more systems. The team remediates or fine-tunes applications, security policies, best practices and incident response plans based on the results of these tests.

Staying current. The SOC stays up to date on the latest security solutions and technologies, and on the latest threat intelligence — news and information about cyberattacks and the hackers’ Tactics, Techniques and Procedures (TTPs), gathered from social media, industry sources, and the dark web.

Monitoring, detection and response

Continuous, around-the-clock security monitoring. The SOC monitors the entire extended IT infrastructure — applications, servers, system software, computing devices, cloud workloads, the network — 24/7/365 for signs of known exploits and for any suspicious activity.

Log management. The collection and analysis of log data generated by every network event is a subset of monitoring that’s important enough to get its own paragraph. While most IT departments collect log data, it’s the analysis that establishes normal or baseline activity, and reveals anomalies that indicate suspicious activity. In fact, many hackers count on the fact that companies don’t always analyze log data, which can allow their viruses and malware to run undetected for weeks or even months on the victim’s systems.

Threat detection. The SOC team sorts the signals from the noise — the indications of actual cyberthreats and hacker exploits from the false positives — and then triages the threats by severity. Modern Security Information and Event Management (SIEM) solutions include artificial intelligence (AI) that automates these processes and ‘learns’ from the data to get better at spotting suspicious activity over time.
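The two steps described above, establishing a baseline from log data so that anomalies stand out, and then triaging what is flagged by severity, can be shown on a very small scale. The script below is an added example and is not code from the article or from any of the products named later; the sshd-style log lines are constructed sample data, the anomaly threshold (mean plus three standard deviations of failures per source address in the baseline window, with a floor of 3) and the severity rule (a burst of failures that ends in an accepted login outranks a burst that does not) are assumptions chosen for illustration, and a real SIEM would apply far richer rules.

```python
import re
import statistics
from collections import Counter

# Constructed sample data: a quiet "baseline" day, then a day containing two bursts.
BASELINE_LOG = [
    "2022-05-25T09:01:10Z host1 sshd[1001]: Failed password for bob from 10.0.0.2 port 5022 ssh2",
    "2022-05-25T09:03:41Z host1 sshd[1002]: Accepted password for bob from 10.0.0.2 port 5023 ssh2",
    "2022-05-25T10:12:05Z host1 sshd[1003]: Failed password for carol from 10.0.0.3 port 5100 ssh2",
    "2022-05-25T10:12:09Z host1 sshd[1004]: Failed password for carol from 10.0.0.3 port 5101 ssh2",
    "2022-05-25T11:30:00Z host1 sshd[1005]: Failed password for dave from 10.0.0.4 port 5200 ssh2",
    "2022-05-25T12:45:12Z host1 sshd[1006]: Failed password for erin from 10.0.0.6 port 5300 ssh2",
    "2022-05-25T12:45:20Z host1 sshd[1007]: Failed password for erin from 10.0.0.6 port 5301 ssh2",
    "2022-05-25T14:00:00Z host1 sshd[1008]: Failed password for bob from 10.0.0.7 port 5400 ssh2",
]
CURRENT_LOG = (
    # eight failures for alice from one address, then a success from the same address
    [f"2022-05-26T02:00:{i:02d}Z host1 sshd[2{i:03d}]: Failed password for alice from 10.0.0.5 port 61{i:02d} ssh2"
     for i in range(8)]
    + ["2022-05-26T02:00:09Z host1 sshd[2008]: Accepted password for alice from 10.0.0.5 port 6108 ssh2"]
    # six failures for a non-existent account from an external address, no success
    + [f"2022-05-26T03:10:{i:02d}Z host1 sshd[3{i:03d}]: Failed password for invalid user admin from 203.0.113.7 port 40{i:02d} ssh2"
       for i in range(6)]
    # a single typo-style failure, which should stay below the threshold
    + ["2022-05-26T04:00:00Z host1 sshd[4000]: Failed password for frank from 10.0.0.9 port 5500 ssh2"]
)

# Assumed line shape: "<timestamp> <host> sshd[<pid>]: (Accepted|Failed) password for [invalid user ]<user> from <ip> ..."
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<outcome>Accepted|Failed) password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)"
)


def parse_events(lines):
    """Turn raw lines into dicts with ts/host/outcome/user/ip; non-matching lines are ignored."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def failures_per_source(events):
    """Count failed logins per source IP; this is the metric we baseline."""
    return Counter(e["ip"] for e in events if e["outcome"] == "Failed")


def build_threshold(baseline_events, min_threshold=3.0, k=3.0):
    """Baseline: mean + k * sample stdev of per-source failures, never below min_threshold."""
    counts = list(failures_per_source(baseline_events).values())
    if len(counts) < 2:
        return min_threshold  # not enough history to estimate spread
    return max(min_threshold, statistics.mean(counts) + k * statistics.stdev(counts))


def triage(current_events, threshold):
    """Flag sources above the baseline and rank them: failures ending in a success are critical."""
    failures = failures_per_source(current_events)
    accepted_from = {e["ip"] for e in current_events if e["outcome"] == "Accepted"}
    findings = []
    for ip, n in failures.items():
        if n <= threshold:
            continue  # within normal variation: noise, not an alert
        severity = "critical" if ip in accepted_from else "high"
        findings.append((ip, severity, n))
    rank = {"critical": 0, "high": 1}
    findings.sort(key=lambda f: (rank[f[1]], -f[2]))
    return findings


if __name__ == "__main__":
    threshold = build_threshold(parse_events(BASELINE_LOG))
    print(f"baseline threshold: {threshold:.2f} failures per source")
    for ip, severity, n in triage(parse_events(CURRENT_LOG), threshold):
        print(f"{severity.upper():8} {ip:15} {n} failed logins")
```

With the constructed data the baseline day yields between one and two failures per source, so the threshold settles just above 3; the run then reports 10.0.0.5 as critical (a burst followed by an accepted login) and 203.0.113.7 as high, while frank’s single mistyped password is never raised as an alert. The same structure scales to a SIEM: the baseline window grows to weeks, the metric is whatever the environment shows is stable, and the severity rule is replaced by the organization’s own playbook.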

Incident response. In response to a threat or actual incident, the SOC moves to limit the damage. Actions can include:

  • Root cause investigation, to determine the technical vulnerabilities that gave hackers access to the system, as well as other factors (such as bad password hygiene or poor enforcement of policies) that contributed to the incident
  • Shutting down compromised endpoints or disconnecting them from the network
  • Isolating compromised areas of the network or rerouting network traffic
  • Pausing or stopping compromised applications or processes
  • Deleting damaged or infected files
  • Running antivirus or anti-malware software
  • Decommissioning passwords for internal and external users.

Recovery, refinement and compliance

Recovery and remediation. Once an incident is contained, the SOC eradicates the threat, then works to restore the impacted assets to their state before the incident (e.g. wiping, restoring and reconnecting disks, end-user devices and other endpoints; restoring network traffic; restarting applications and processes). In the event of a data breach or ransomware attack, recovery may also involve cutting over to backup systems, and resetting passwords and authentication credentials.

Post-mortem and refinement. To prevent a recurrence, the SOC uses any new intelligence gained from the incident to better address vulnerabilities, update processes and policies, choose new cybersecurity tools or revise the incident response plan. At a higher level, the SOC team may also try to determine if the incident reveals a new or changing cybersecurity trend for which the team needs to prepare.

Compliance management. It’s the SOC’s job to ensure all applications, systems, and security tools and processes comply with data privacy regulations such as GDPR (General Data Protection Regulation), the Kenya Data Protection Act, 2019 (DPA), PCI DSS (Payment Card Industry Data Security Standard) and HIPAA (Health Insurance Portability and Accountability Act), just to mention a few. Following an incident, the SOC makes sure that users, regulators, law enforcement and other parties are notified in accordance with regulations, and that the required incident data is retained for evidence and auditing.

What tools can be used in a SOC (this list is not exhaustive)…

SIEM Tools:

Open source: Security Onion, ELK Stack (Elasticsearch, Logstash, Kibana), Wazuh

Proprietary: IBM QRadar, McAfee Enterprise Security Manager, SolarWinds Security Event Manager, Splunk Enterprise Security, Trend Micro Vision One

Forensic Tools (open source): The Sleuth Kit, Autopsy, USB Write Blocker, Volatility, ExifTool, Wireshark, NetworkMiner, FTK Imager, Maltego

Intrusion Detection and Prevention System tools: Suricata, Snort

Network Security Monitoring Tools: Zeek, Nagios Core, Zabbix, Trend Micro Deep Discovery

Endpoint Detection and Response (EDR): Trend Micro Apex One, Wazuh

Ticketing System tools: UVdesk, osTicket, Zammad, Security Onion’s case management platform

Log management tools: Sysmon, Logstash (part of the ELK stack)

Malware sandbox tools: Cuckoo Sandbox, ANY.RUN, Joe Sandbox, Hybrid Analysis.

These benefits of having a SOC are hard to put a price on because they quite literally keep your business running. But do you absolutely need a SOC? If you’re subject to government or industry regulations, have suffered a security breach or are in the business of storing sensitive data — like customer information — the answer is yes.

This article has been written by Ann Rotich, a Cyber Security Specialist who believes that a secure cyberspace is a result of individual contributions.
