A Security Operations Center (SOC) is a centralized function within a company that leverages IT security people, processes, and technology to monitor and improve an organization’s security while preventing, detecting, analyzing, and responding to cybersecurity incidents.
Today’s SOC is essentially the hub that collects log data from across an organization’s IT infrastructure, including its networks, devices, appliances, databases, and other IT assets across geographies. The rise of advanced cyber threats makes collecting data from diverse sources critical, because each piece of data may provide insight into malicious behavior on the network.
Most SOCs, unfortunately, have difficulty keeping cybercriminals—even the unsophisticated ones—out of the organization. SOC analysts and other IT security professionals are defending against complex and constantly evolving malware, nation-states with hundreds of hackers, insider threats, and poorly trained employees who fall prey to phishing attacks.
As we consistently hear in the IT security industry, criminals need to find only one way in while the good guys in the SOC must defend countless ways in, limit damage, and most difficult of all, find and remove the malware or malicious code that infiltrated the systems.
In this blog, we’ll explore the qualities and functions of a SOC as well as how organizations can leverage these teams to increase their security maturity.
Fundamentally, the responsibility of the SOC is to defend against unauthorized activity within computer networks: continuously monitoring activity, detecting threats, analyzing them (including trend and pattern analysis), and responding and remediating. However, the SOC, and particularly its incident response professionals and teams, has gone by a variety of titles and acronyms.
Let’s review:
The SOC is usually led by a SOC manager and may include incident responders, SOC Analysts (levels 1, 2 and 3), threat hunters, and incident response managers. The SOC reports to the CISO, who in turn reports to either the CIO or directly to the CEO.
SOCs are constantly evolving to deal with changes in the threat landscape, including:
Today, SOCs are built around a hub-and-spoke architecture, where Security Information and Event Management (SIEM) technology aggregates and correlates log and other data from assets and threat intelligence feeds.
The spokes of this model include a variety of technologies, including
A typical SOC’s responsibilities include the following tasks or elements:
Of these responsibilities, the most time-consuming is the collection, normalization, and analysis of data. Logs, threat intelligence feeds, and other security-related data often overwhelm the security analysts in the SOC as they collect, analyze, and archive tens or hundreds of millions of security events per day.
There are thousands of false alarm events for every legitimate incident. Further, all data breaches are security incidents, but not all security incidents are data breaches. For every breach there are typically hundreds of incidents, and for every incident, thousands of events. In addition, firewalls, IDS/IPS, and SIEMs are noisy: they constantly alert analysts to security events, each of which an analyst must investigate to rule out an incident.
Let’s explore a hypothetical.
Suppose the SIEM fires off an alert that someone is trying to access a system or application they shouldn’t be accessing. At that point, the alert becomes an event. The SOC analyst investigates the event, trying to determine whether the activity was malicious. If the analyst thinks the IP address is suspicious, or believes the organization may be under attack, the event will likely be escalated as an incident to a higher-tier analyst or the incident response team.
Now, as we said earlier, SOCs investigate many incidents, so they are reluctant to impose countermeasures immediately, because doing so usually has negative consequences, including:
Further, watching the adversary is sometimes more effective than performing static forensic analysis on compromised systems. There are many kinds of attacks, so analysts need to gather basic information to understand the threat. Knowing whether there are suspicious entries on the network, excessive login attempts, unexplained new user accounts, or unexpected new files determines how the team should respond.
Here are four actionable recommendations for improving your SOC effectiveness.
A significant element of a SOC’s job is to maintain an understanding of the organization’s defensive posture and communicate it to the business. IT assets and challenges in most organizations are always in flux. SOCs must constantly evaluate their security risk posture as the organization’s technology evolves, threats change, and vulnerabilities surface. The bottom line: whether they use CIS 20, ISO, NIST, or another risk-based control framework, the business needs to understand its weaknesses and how to fix them.
With an understanding of the business risk, security posture, and weaknesses, the SOC can now stop patching randomly and patch by system value, application criticality, and seriousness of vulnerability. SOC personnel can then become more effective, efficient operators, because they consistently have a prioritized list of what they need to do to make the organization more secure and reduce overall risk.
Risk management and understanding security posture are more than asset inventory, vulnerability assessment, and patch prioritization. There are three areas of the business that should be considered in the risk control and security posture assessments:
After gathering the information for the risk control and security posture assessments, start with the following questions:
A SIEM brings together the log data from disparate devices into a management layer, which provides visibility and the ability to detect and respond effectively to security breaches. A SIEM triages the logs for you by analyzing all the log data, and through correlation rules, behavioral analysis, and machine learning, filters down and extracts events of interest.
A SIEM will typically alarm on brute force login attempts, traffic going to and coming from suspicious sources, policy violations, and many other issues.
These false positives fall into three buckets:
The technology’s value proposition was to make the SOC analysts more productive by collecting, normalizing, assessing and reporting in an automated way so that Tier 1 analysts could deal with only important events. Unfortunately, this is not always the case. A SIEM must be properly managed and optimized by cybersecurity professionals with deep expertise.
If there are more alerts in one day than your security personnel can review, then some level of suppression must be implemented to bring the most important items to their attention fastest. Reducing the number of alarms emanating from your SIEM allows your security team to use its time more efficiently and to focus on and resolve important issues quickly when they arise.
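To make the two ideas in this section concrete, the correlation rule behind the brute force alarm and the alarm suppression that keeps it from flooding the queue, here is an added Python example (not code from the original post or from any SIEM product). It parses constructed, syslog-style SSH authentication lines, fires a raw alarm every time a source reaches five failed logins inside a sixty-second window (which is how a naive rule keeps re-firing on every further failure), and then collapses repeat alarms for the same source within a fifteen-minute cooldown into one alarm that carries a hit count. Thresholds, window sizes, and the log format are assumptions chosen for the example.

```python
"""SIEM-style correlation rule plus alarm suppression over constructed auth logs."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (not from any real system). One line is deliberately
# outside the parser's format to show that unparsed lines are dropped, not alarmed on.
SAMPLE_LOGS = """\
2024-03-01T10:00:01 sshd[101]: Failed password for admin from 203.0.113.7 port 51000
2024-03-01T10:00:03 sshd[101]: Failed password for admin from 203.0.113.7 port 51001
2024-03-01T10:00:05 sshd[101]: Failed password for root from 203.0.113.7 port 51002
2024-03-01T10:00:07 sshd[101]: Failed password for root from 203.0.113.7 port 51003
2024-03-01T10:00:09 sshd[101]: Failed password for admin from 203.0.113.7 port 51004
2024-03-01T10:00:11 sshd[101]: Failed password for admin from 203.0.113.7 port 51005
2024-03-01T10:00:13 sshd[101]: Failed password for admin from 203.0.113.7 port 51006
2024-03-01T10:00:15 sshd[101]: Failed password for admin from 203.0.113.7 port 51007
2024-03-01T10:00:20 sshd[101]: Failed password for alice from 198.51.100.4 port 40000
2024-03-01T10:00:25 sshd[101]: Accepted password for alice from 198.51.100.4 port 40001
2024-03-01T10:00:30 sshd[101]: Connection closed by 198.51.100.4
2024-03-01T10:05:00 sshd[101]: Failed password for backup from 192.0.2.9 port 47000
2024-03-01T10:05:02 sshd[101]: Failed password for backup from 192.0.2.9 port 47001
2024-03-01T10:05:04 sshd[101]: Failed password for backup from 192.0.2.9 port 47002
2024-03-01T10:05:06 sshd[101]: Failed password for backup from 192.0.2.9 port 47003
2024-03-01T10:05:08 sshd[101]: Failed password for backup from 192.0.2.9 port 47004
2024-03-01T10:30:00 sshd[101]: Failed password for bob from 203.0.113.7 port 52000
"""

# Normalization step: one regex turns a raw line into named fields.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?P<user>\S+) from (?P<src>\d+\.\d+\.\d+\.\d+) port \d+$"
)


def parse(lines):
    """Return a list of normalized event dicts; lines that do not match are skipped."""
    events = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        events.append({"ts": datetime.fromisoformat(m["ts"]), "result": m["result"],
                       "user": m["user"], "src": m["src"]})
    return events


def correlate(events, threshold=5, window=timedelta(seconds=60)):
    """Raw rule: alarm each time a source has `threshold` failed logins within `window`."""
    recent = defaultdict(deque)  # src -> timestamps of recent failures
    alarms = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["result"] != "Failed":
            continue
        q = recent[ev["src"]]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:  # slide the window forward
            q.popleft()
        if len(q) >= threshold:
            alarms.append({"ts": ev["ts"], "src": ev["src"],
                           "rule": "ssh_bruteforce", "failures": len(q)})
    return alarms


def suppress(alarms, cooldown=timedelta(minutes=15)):
    """Collapse repeat alarms for the same (rule, src) inside `cooldown` into one entry."""
    open_alarms = {}  # (rule, src) -> the alarm dict already emitted
    out = []
    for a in alarms:
        key = (a["rule"], a["src"])
        prior = open_alarms.get(key)
        if prior is not None and a["ts"] - prior["ts"] <= cooldown:
            prior["hits"] += 1                      # count the repeat instead of re-alarming
            prior["failures"] = max(prior["failures"], a["failures"])
            continue
        entry = dict(a, hits=1)
        open_alarms[key] = entry
        out.append(entry)
    return out


def run_pipeline(raw_logs=SAMPLE_LOGS):
    """Parse -> correlate -> suppress; returns (raw_alarms, suppressed_alarms)."""
    raw = correlate(parse(raw_logs.splitlines()))
    return raw, suppress(raw)


if __name__ == "__main__":
    raw, final = run_pipeline()
    print(f"{len(raw)} raw alarms collapsed to {len(final)} after suppression")
    for a in final:
        print(f"  {a['ts']} {a['rule']} src={a['src']} hits={a['hits']} failures={a['failures']}")
```

Run as written, the eight failures from 203.0.113.7 produce four raw alarms (one at the fifth failure and one at each failure after it) and the five from 192.0.2.9 produce one, so five raw alarms reach the analyst without suppression and two with it. The single failure from 198.51.100.4 and the lone failure at 10:30 never cross the threshold, which is the kind of event that should stay below the analyst's attention entirely. The cooldown is the tuning knob this section is about: too short and the queue fills with duplicates, too long and a second, distinct campaign from the same source is folded into the first.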
An intrusion detection system (IDS) analyzes and monitors network traffic for signs that attackers are using a known cyberthreat to infiltrate your network or steal data from it. An IDS compares current network activity against a database of known threats to detect behaviors such as security policy violations, malware, and port scanners. Note that an IDS is a passive technology that can only identify an attack, not stop one like a SIEM.
An intrusion prevention system (IPS) lives in the same area of the network as a firewall, between the outside world and the internal network. An IPS proactively denies network traffic based on a security profile when a packet represents a known security threat, so it can block traffic that could be malicious.
Every day your IDS/IPS can uncover thousands of threats that get past the firewall or try to leave the network. This is a fantastic asset, but the challenge is that an analyst must proactively update the IDS/IPS with threats and policies and monitor it 24x7x365.
Depending on how often an organization is targeted, IDS/IPS devices that are not tuned properly can generate thousands or millions of false-positive alerts as well as false-negative responses to true threats. Obviously, like the alerts with the SIEM, the analyst cannot efficiently do their job and identify real threats and take immediate action with such volume.
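The IDS/IPS behavior described above, matching traffic against a known-threat database and then tuning out the false positives, as an added Python example (not code from the original post or from any IDS product). It scores constructed flow records three ways: payload byte signatures and a known-bad-source list produce an IPS "block" verdict, and a source that touches ten or more distinct ports produces an IDS "alert". The tuning step is an allowlist for an in-house vulnerability scanner, whose probes would otherwise fire both kinds of verdict every day. The signatures, addresses, and thresholds are assumptions made up for the example and are not real indicators.

```python
"""Signature/IoC matching and port-scan detection with allowlist tuning (constructed data)."""
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    payload: bytes


# Constructed "known threat database": uppercase byte signatures and bad source IPs.
SIGNATURES = {
    "sqli_union_select": b"UNION SELECT",
    "webshell_cmd_param": b"CMD=",
}
KNOWN_BAD_SOURCES = {"203.0.113.50"}

# Tuning knobs: an internal scanner that legitimately looks like an attacker, and the
# distinct-port count at which a source is treated as a port scanner.
ALLOWLISTED_SCANNERS = frozenset({"10.0.0.25"})
SCAN_DISTINCT_PORTS = 10

# Constructed sample traffic: one known-bad source, one SQL injection attempt, one benign
# request, and an internal scanner sweeping 11 ports and sending a webshell-style probe.
FLOWS = [
    Flow("203.0.113.50", "10.0.0.5", 443, b"GET / HTTP/1.1"),
    Flow("198.51.100.8", "10.0.0.5", 80, b"GET /item?id=1 UNION SELECT user,pass FROM users"),
    Flow("192.0.2.33", "10.0.0.5", 80, b"GET /index.html"),
    *[Flow("10.0.0.25", "10.0.0.5", p, b"")
      for p in (21, 22, 23, 25, 80, 110, 143, 443, 445, 3389, 8080)],
    Flow("10.0.0.25", "10.0.0.5", 80, b"GET /?cmd=id"),
]


def match_signatures(payload):
    """Return the names of every signature found in the payload (case-insensitive)."""
    upper = payload.upper()
    return [name for name, sig in SIGNATURES.items() if sig in upper]


def _verdict(src, reason, action, allowlist):
    # Tuning: an allowlisted source keeps its reason for the record but is not acted on.
    if src in allowlist:
        action = "suppressed"
    return {"src": src, "reason": reason, "action": action}


def inspect(flows, allowlist=frozenset()):
    """Produce IPS block verdicts per flow and IDS scan alerts per source."""
    verdicts = []
    ports_by_src = defaultdict(set)
    for f in flows:
        ports_by_src[f.src].add(f.dport)
        reasons = match_signatures(f.payload)
        if f.src in KNOWN_BAD_SOURCES:
            reasons.append("known_bad_source")
        for r in reasons:
            verdicts.append(_verdict(f.src, r, "block", allowlist))
    for src, ports in ports_by_src.items():
        if len(ports) >= SCAN_DISTINCT_PORTS:
            verdicts.append(_verdict(src, f"port_scan:{len(ports)}_ports", "alert", allowlist))
    return verdicts


def count_actions(verdicts):
    """Summarize verdicts as {action: count} so tuned and untuned runs can be compared."""
    return Counter(v["action"] for v in verdicts)


if __name__ == "__main__":
    print("untuned:", dict(count_actions(inspect(FLOWS))))
    print("tuned:  ", dict(count_actions(inspect(FLOWS, ALLOWLISTED_SCANNERS))))
```

Untuned, the run yields three blocks and one alert, half of which come from the organization's own scanner; with the allowlist applied, those two become "suppressed" and only the two genuine hits remain actionable. The allowlist is a blunt instrument on purpose: if the scanner host itself were ever compromised, everything from it would be suppressed too, so in practice the suppression should be scoped (by destination, schedule, or signature class) and the suppressed verdicts should still be logged, as they are here, rather than discarded.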
The reality is that if your security devices continually send false alerts, analysts will likely ignore them, along with the true-positive alerts mixed in among them. Many companies have been breached because their security teams ignored an alert.
You want alarms to be triggered in the event of malware, web attacks, and data compromise, but not for traffic-type, equipment-related, or other non-malware conditions. The Defense in Depth model, which layers security technologies like SIEMs and IDS/IPS, is not bulletproof. Each technology may raise an alarm, but if the analysts ignore it, the attack will succeed.
The SOC is the core security solution in your strategy and, if properly staffed and resourced, can dramatically reduce risk. The key is assembling the right technologies with the right expertise to use them effectively. Otherwise, your analysts will be drowning in false positives and unintelligible data.
Organizations that lack the in-house skills to manage such an operation should pursue a managed security service provider who can serve as an extension of the team. This gives companies access to the needed expertise without the significant investment in recruiting and staffing highly coveted cybersecurity professionals.