Security Operations Center (SOC)

What Does a SOC Do?

A SOC does many security-related tasks, including continuously monitoring security operations and incidents and responding to issues that may arise. The various responsibilities within a cybersecurity team can be extremely complex, and a SOC not only serves as the tactical console to empower team members to perform their day-to-day tasks, but also as a strategic center to keep the team aware of bigger, longer-term security trends.

A typical SOC tracks any number of security alerts that an organization might encounter, including potential threat notifications via technologies and tools, as well as employees, partners, and external sources.

The SOC then typically investigates and validates the reported threat to ensure it's not a false positive (i.e. a reported threat that's actually harmless). If the security incident is deemed to be valid and requires a response, the SOC hands it over to the appropriate persons or teams for response and recovery.

It takes a sophisticated combination of expertise, process, and organization to effectively run a SOC as part of an overall threat detection and response program. That's why every organization may not be able to support or resource a SOC in-house. Instead, many opt to have their SOC managed by an outside agency, known as Security Operations Center as a Service (SOCaaS).

What are the Components in a SOC? 

The components in a SOC are many in number and must be structured and in place before a SOC is a viable option. Let's take a look at a few: 

• Attack Surface Management Program: This includes threat prevention technology for all threat ingress and egress avenues, regular vulnerability scanning (and associated patching), penetration testing, user authentication and authorization, asset management, external application testing (with associated patching), and remote access management. 
• Incident Response Plan: Typically, one of the main goals of introducing a SOC into an IDR program is increasing the effectiveness of detecting threats in the organization's environment. If the incident response processes that follow a breach's discovery are not in place and tested regularly, you're only addressing some components of an effective IDR program. 
• Disaster Recovery Plan: A breach is simply one specific example of a disaster from which organizations need to recover. Once the detected breach has been fully scoped and the affected assets, applications, and users have been contained, there needs to be a plan in place to restore normal business operating processes. This will take time and be easier said than done, but it’s necessary to get essential systems up and running as close to normal as possible and as quickly as possible – returning to something close to normal will also help organizational morale.

What is Needed for SOC Setup? 

Three main elements are needed for SOC setup. Regardless of whether the SOC is created in-house or outsourced to a managed provider, preparing these core functions is essential to success.

People

Understanding SOC analysts’ roles and responsibilities is an important precursor to selecting the technology that will run your SOC. The teams you create and the tasks you give them will be dependent on your organization’s existing structure. For example, if you’re building a SOC to augment existing threat detection and response capabilities, you’ll want to consider which specific tasks the SOC team members are responsible for and which fall on the non-SOC IDR teams.

You’ll also want to divide responsibilities between SOC analysts – and potentially consider SOC automation where possible – so there’s a clear understanding of who handles high-fidelity alerts, who validates low-fidelity alerts, who escalates alerts, who hunts for emergent threats, etc. Many SOCs operate within a tiered-staffing framework to establish clear responsibilities and hierarchy.

Technology

Deciding what technology the SOC uses is where time spent establishing the roles and responsibilities mentioned above will pay off. What technology will they use? Likely, they’ll need to combine tools for log aggregation, user behavior analytics (UBA), endpoint interrogation, real-time search, and more. It’ll be important to look at how SOC analysts are using your technology and determine whether the existing technology is helping or hindering processes – and whether new tech will need to replace it. It’s also important to have communication tools in place to enable collaboration among analysts. Other important considerations:

• The environment you operate in (cloud, on-premise, or hybrid) 
• The type of threats you face (malware, phishing, etc.)
• The compliance mandates you're required to uphold (HIPAA, SOC2, ISO 27001, etc.) 

Processes

Establishing processes that the people and technology outlined above will follow is the final component you’ll need to consider when getting started with a SOC. What happens if a security incident needs to be validated, reported on, escalated, or handed off to another team? How will you collect and analyze metrics?

These processes must act as a framework precise enough to ensure investigative leads are handled in order of criticality, but loose enough as to not dictate analysis processes. Processes can make or break the effectiveness of a SOC, so incident management workflows should be established from the start to ensure each step in the process is part of a larger strategy.

The points above still apply when working with an managed SOC provider. A SOC will be a trusted organizational partner, and as such it’s essential they’re proactive and regular in their communications, transparency, feedback, and collaboration with you to make sure your SOC is as successful and effective as possible.

Read More About SOC Strategy

• Intro to the SOC Visibility Triad
• SOC Series: How to Structure and Build a Security Operations Center
• The Future of the SOC Is XDR
• SOC: Latest News from the Blog