What is a SOC?
Written by Andy Smith on 03/09/2020
What does a SOC do?
A SOC protects a corporate network by combining monitoring technology with internal and external threat intelligence. The SOC (or rather the SIEM technology used by the SOC - more on that later) detects threats by analysing logs collected from endpoints, servers, network devices and security tools across the business. Alerts are raised according to predefined detection rules, which can be tuned to suit any organisation; the tuning matters, because an untuned rule set produces a flood of false positives that buries the real alerts.
Each alert can then be investigated by a trained security analyst to determine its true cause and extent, or to dismiss it as a false positive and tune the rule that raised it.
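To make the "predefined rules over log analysis" point concrete, here is an added example (written for this article, not code from any SIEM product): a miniature correlation rule evaluated over constructed SSH authentication lines. The log lines, hosts, users and addresses are all made up; the rule fires when a burst of failed logons from one source is followed by a success, and a per-host maintenance window shows how an agreed change request suppresses an alert instead of paging an analyst.

```python
"""Added example (not the article's own code): a miniature SIEM-style
correlation rule evaluated over constructed SSH authentication log lines."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in a syslog-like layout; hosts, users and
# addresses are made up. The "kernel" line is deliberately unparseable.
SAMPLE_LOGS = """\
2020-09-03T02:14:01Z web01 sshd: Failed password for admin from 198.51.100.7
2020-09-03T02:14:05Z web01 sshd: Failed password for admin from 198.51.100.7
2020-09-03T02:14:09Z web01 sshd: Failed password for root from 198.51.100.7
2020-09-03T02:14:13Z web01 sshd: Failed password for admin from 198.51.100.7
2020-09-03T02:14:17Z web01 sshd: Failed password for admin from 198.51.100.7
2020-09-03T02:14:20Z web01 kernel: eth0 link up
2020-09-03T02:14:30Z web01 sshd: Accepted password for admin from 198.51.100.7
2020-09-03T09:00:02Z db01 sshd: Failed password for alice from 10.0.0.5
2020-09-03T09:03:11Z db01 sshd: Accepted password for alice from 10.0.0.5
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd: (?P<result>Failed|Accepted) password "
    r"for (?P<user>\S+) from (?P<src>\S+)$"
)


def parse_ts(text):
    """Parse the ISO-8601 UTC timestamps used in the sample lines."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ")


def parse(log_text):
    """Return (events, dropped): parsed sshd events plus the count of lines
    the parser could not understand. Unparsed lines are a visibility gap and
    a real SOC should track that number, not silently discard it."""
    events, dropped = [], 0
    for line in log_text.splitlines():
        match = LINE_RE.match(line)
        if not match:
            dropped += 1
            continue
        event = match.groupdict()
        event["ts"] = parse_ts(event["ts"])
        events.append(event)
    events.sort(key=lambda e: e["ts"])
    return events, dropped


def brute_force_then_success(events, threshold=5, window=timedelta(minutes=1)):
    """Rule: `threshold` or more failed logons from one source to one host
    within `window`, followed by a successful logon from that source, is
    treated as a successful brute-force attack. A single failure followed by
    success (a mistyped password) does not fire."""
    alerts = []
    failures = defaultdict(list)  # (host, src) -> timestamps of recent failures
    for event in events:
        key = (event["host"], event["src"])
        recent = [t for t in failures[key] if event["ts"] - t <= window]
        if event["result"] == "Failed":
            recent.append(event["ts"])
            failures[key] = recent
        elif len(recent) >= threshold:
            alerts.append({
                "rule": "brute_force_then_success",
                "severity": "high",
                "host": event["host"],
                "src": event["src"],
                "user": event["user"],
                "failures": len(recent),
                "ts": event["ts"].isoformat(),
            })
            failures[key] = []  # do not re-alert on the same burst
    return alerts


def run_rules(log_text, maintenance=None, threshold=5, window=timedelta(minutes=1)):
    """Evaluate the rule set over raw log text. `maintenance` maps a host to an
    agreed (start, end) ISO-8601 window, the change-request case a SOC
    contract should cover: alerts inside it are suppressed rather than paged."""
    maintenance = maintenance or {}
    events, _dropped = parse(log_text)
    alerts = []
    for alert in brute_force_then_success(events, threshold, window):
        win = maintenance.get(alert["host"])
        alert_ts = datetime.fromisoformat(alert["ts"])
        if win and parse_ts(win[0]) <= alert_ts <= parse_ts(win[1]):
            continue
        alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for alert in run_rules(SAMPLE_LOGS):
        print(alert)
```

Run as-is it prints one high-severity alert for web01 (five failures from 198.51.100.7, then a successful logon as admin), and nothing for alice's single typo on db01. Raising the threshold to 6, or declaring a maintenance window on web01 covering 02:00 to 03:00 UTC, silences it; that is the tuning and change-notification problem the rest of this article keeps returning to.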
First of all, the SOC must see everything that is going on within an organisation: which devices are in use, which processes run on them, which applications are used, and what the defensive tools already in place are reporting. Without full visibility, even a well-run SOC will not be effective, because an attacker on a system that sends no logs is invisible to it.
The SOC also works continuously to reduce the attack surface: identifying vulnerabilities to remediate, reviewing firewall rules, checking applications and more. You can support the SOC by educating yourself and your employees about cyber threats, threat intelligence and the security measures you have implemented.
The SOC then monitors the network within your organisation, and it never really stops, using SIEM, EDR and other monitoring tools. The aim is that any potential threat is identified and analysed as soon as it arises so that it can be handled. A SOC is designed to prioritise: through triage it determines which issues are most urgent and what the right incident response is in each individual case.
But that is not where the SOC's activities end. It will also help in the aftermath by supporting the restoration and recovery of data that may have been lost during the incident. Additionally, the team will investigate the attack so that you know what happened and what you can do to prevent it in future. Those lessons learned then feed back into the SOC's detection rules and procedures.
What is a managed SOC?
A managed SOC is an external Security Operations Centre that monitors environments on behalf of other businesses. Often referred to as an outsourced SOC service, or SOC as a service (SOCaaS), it lets a company pay a monthly retainer fee rather than build its own SOC. It takes the day-to-day responsibility for monitoring from the shoulders of the organisation, so you can focus on your work knowing that specialists are watching your environment.
Why do you need a Security Operations Centre?
A Security Operations Centre is vital to maintaining a strong security posture. Built around SIEM software, a SOC will help monitor for and protect against threats. Cyber criminals are active around the clock, everywhere in the world, and a fully staffed SOC will help detect and contain attackers before they can do serious damage to your environment.
More and more compliance frameworks make some form of log monitoring mandatory; it is an essential part of PCI DSS, for instance. Without a SOC gathering the right information, it will be difficult to tell whether you are under attack or, worse, have already been breached. Dwell time, the period between an attacker's initial compromise and its detection, is a serious issue, and the right monitoring helps keep it to a minimum.
If you are breached, investigating the root cause will be difficult if you have not been gathering the right data. A SOC that retains and archives logs appropriately, with their integrity protected so they cannot be quietly altered, means the evidence and indicators of compromise will be preserved for digital forensic analysis.
Should I build my own SOC?
There are some benefits to building your own SOC, such as:
- The SOC will be dedicated to your organisation, with analysts focusing purely on your environment (though some outsourced services offer a dedicated team as well)
- Analysts will work for you and be able to take immediate and direct action
- The tooling can be designed around your environment
- It may be easier to make configuration changes directly
- You will not have to rely on third parties
However, building a SOC is time-consuming and expensive. Even using off-the-shelf software and hardware, the most basic SOC will require a large budget, and then there are staffing costs to consider. A worthwhile SOC is staffed 24/7, so you will need enough analysts to cover round-the-clock shifts while also allowing for holidays and sickness: covering a single seat around the clock takes roughly five to six full-time analysts once leave and cover are accounted for.
The difficulty is that there is a huge shortage of qualified cyber security experts, with nearly 3 million cyber security roles waiting to be filled worldwide. Trained analysts with the skills to investigate alerts effectively are expensive. This means that in-house SOCs are typically the preserve of large multinational corporations.
Outsourcing your SOC
Increasingly, organisations are outsourcing SOC services. There are many benefits to this model, cost being the biggest. Paying a monthly fee to a reputable vendor gives you access to the latest tooling, along with the skilled staff needed to monitor and investigate alerts.
Hiring in-house specialists is hard: there are around 2.93 million unfilled cyber security positions worldwide, and even a junior full-time SOC analyst costs around £27,000 a year on average, before round-the-clock cover is factored in.
With outsourcing, you know your business is covered by qualified experts 24/7 at a fraction of the cost of hiring in-house.
The benefits of outsourcing include:
- Significantly reduced cost
- Access to qualified and experienced staff
- A wider range of threat data
- Any upgrades to the platform are usually applied automatically as part of the service
- You don't need to worry!
CSIRT versus SOC
CSIRT and SOC often come up in similar contexts, but they are, in fact, different things. A SOC, as we have established, is the Security Operations Centre. The go-to analogy is to think of the SOC as the brain of a cyber security team. A CSIRT (Computer Security Incident Response Team) is a team that may work alongside a SOC, but that is responsible for responding to security incidents, coordinating the response strategy and running forensic investigations.
Both teams seek to detect and respond to security events, but a SOC focuses more on the ongoing monitoring of staff, systems and applications, whereas the CSIRT takes prompt action to contain and minimise damage once a security incident has been declared.
The SOC Lifecycle
The threat landscape is always changing, so SOCs need to keep up. A good SOC is constantly reconfigured to suit the business's activity better and reduce false positives, and up-to-date threat information is fed into it to catch the latest evolving attacks. This cycle of tuning, enrichment and review is known as the SOC lifecycle: SOCs should always be adapting and evolving. Again, unless you have chosen the outsourced or managed option, this incurs a significant cost in time and resources.
If you are outsourcing, it is also essential that you and your provider establish all the relevant procedures, such as how change requests and planned maintenance are notified. Failing to do this leads to alarms being raised unnecessarily (a scheduled vulnerability scan or patching window looks like an attack to a SOC that has not been told about it), alerting you and your staff and risking alert fatigue, so that a real threat is ignored in the future.
Before deciding on any option, it is essential for businesses to understand:
- What exactly does the potential vendor offer? They may, for example, provide tiered services
- Can the outsourced SOC make changes in your environment directly? Usually it cannot unless this is explicitly agreed, so containment actions may still depend on your own staff being reachable
- Is the vendor reliant on other third parties?
Other elements, such as KPIs, SLAs and escalation processes, will need to be established at the start of any working relationship and tweaked where necessary.
Best practices for running a SOC
Running a successful SOC is a complex process that relies on having a strong and knowledgeable team. However, some of the best practices include:
- Making sure your SOC has full visibility of your data across the entire organisation (strong alignment between the SOC and your other security tooling is key) - only then can it protect it effectively
- Aligning the SOC with your company's objectives so that security measures support the business rather than obstruct it
- Conducting an asset audit beforehand so that you know what you are protecting and can identify and remediate vulnerabilities; you cannot monitor a system you do not know exists
- Setting up the right team, a combination of people with complementary skills: analysts for monitoring and alerting, engineers who recommend and implement the correct measures, a threat hunter, and so on
- Removing from public exposure any service that does not need to be reachable from the internet
- Creating and testing an escalation procedure and incident response plan so that everything runs smoothly in the case of an attack
- Defining detection rules and a baseline of normal user behaviour, so that deviations from it can be spotted, and training employees so that they do not make the company vulnerable through everyday mistakes
- Choosing devices wisely: you need to know which kinds of devices are best for your operations, whether they are properly secured, and whether they can integrate with your monitoring tooling
- Ensuring 24/7 coverage - hackers can strike at any time
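The "baseline of normal user behaviour" item above is the one best practice in this list that turns directly into code, so here is an added example of what it means in practice (written for this article, not a product's implementation). A per-user profile is built from constructed historical logon events, and new events are scored by how far they depart from it; user names, hosts and networks are all invented.

```python
"""Added example (not the article's own code): a per-user baseline of normal
logon behaviour, built from historical events, used to flag deviations."""
from collections import defaultdict

# Constructed historical logon events: (user, host, hour_of_day, source_network).
# Users, hosts and networks are made up for the example.
HISTORY = [
    ("alice", "fileserver", 9, "office"),
    ("alice", "fileserver", 10, "office"),
    ("alice", "mail", 11, "office"),
    ("alice", "fileserver", 14, "vpn"),
    ("bob", "buildbox", 8, "office"),
    ("bob", "gitlab", 13, "office"),
    ("bob", "buildbox", 17, "office"),
]

# Constructed new events to be triaged against the baseline.
NEW_EVENTS = [
    ("alice", "fileserver", 10, "office"),       # routine
    ("alice", "domain-controller", 3, "vpn"),    # new host, outside usual hours
    ("bob", "gitlab", 18, "office"),             # one hour past usual; tolerated
    ("mallory", "fileserver", 12, "office"),     # account with no history at all
]


def build_baseline(history):
    """Per user: the hosts and source networks seen before, and the hours of
    day at which they have logged on."""
    baseline = defaultdict(lambda: {"hosts": set(), "networks": set(), "hours": set()})
    for user, host, hour, network in history:
        profile = baseline[user]
        profile["hosts"].add(host)
        profile["networks"].add(network)
        profile["hours"].add(hour)
    return dict(baseline)


def deviations(baseline, event, slack_hours=1):
    """Return the list of reasons an event departs from the user's baseline.
    An empty list means the event looks like normal behaviour. `slack_hours`
    stops someone staying an hour late from being treated as an intruder."""
    user, host, hour, network = event
    profile = baseline.get(user)
    if profile is None:
        return ["no baseline for user"]
    reasons = []
    if host not in profile["hosts"]:
        reasons.append("new host")
    if network not in profile["networks"]:
        reasons.append("new source network")
    earliest, latest = min(profile["hours"]), max(profile["hours"])
    if hour < earliest - slack_hours or hour > latest + slack_hours:
        reasons.append("outside usual hours")
    return reasons


def triage(baseline, events):
    """Return (event, reasons, severity) for every event that deviates.
    Severity rises with the number of independent deviations, the same idea a
    SIEM applies when it scores a correlated alert higher than a single hit."""
    flagged = []
    for event in events:
        reasons = deviations(baseline, event)
        if not reasons:
            continue
        severity = "high" if len(reasons) >= 2 else "medium"
        flagged.append((event, reasons, severity))
    return flagged


if __name__ == "__main__":
    for item in triage(build_baseline(HISTORY), NEW_EVENTS):
        print(item)
```

Run as-is, alice's 03:00 VPN logon to a domain controller is flagged high (new host and outside usual hours), mallory is flagged medium because the account has no history to compare against, and the two routine events pass. The hour range and set membership used here are deliberately crude; a production user-behaviour tool would use distributions over a longer learning window, but the baseline still has to be rebuilt as people change roles, which is one of the reasons a SOC is never finished.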
Monitor, investigate and protect
A Security Operations Centre is a vital part of any successful security strategy. Unfortunately, building an in-house, dedicated SOC is beyond the means of most businesses. On the bright side, outsourced services are highly effective while also being affordable. Monitoring your business environment, investigating threats and conducting ongoing threat hunting will help keep your information safe from cyber criminals. If you have no monitoring in place, there is no time to lose - hackers wait for no one!
Our experts are the ones to trust when it comes to your cyber security
ISO 27001 and 9001 certified
Tigerscheme qualified testers
PCI DSS v3.2 Level 1
24/7 on-site Security