SOC - everything you need to know about Security Operations Centers

3 July 2024 / Article

What is a SOC and how can a Security Operations Center protect organisations from cyberattacks? In this article, you'll get an introduction to how a Security Operations Center works - and what role this function plays in an organisation's overall cyber protection.

There is no such thing as 100 per cent cyber protection. That's why organisations need a strategy for detecting and stopping the threats that get past their protective measures. This is where a SOC comes in.

 

What is a SOC?

SOC stands for Security Operations Center and is a kind of security department, or monitoring center, consisting of IT security experts working around the clock to monitor and protect an organisation against cyber threats. A Security Operations Center can be built up internally within an organisation, or purchased as a service from a third-party provider. Most companies choose to buy it as a service, as building their own SOC is both costly and time-consuming.

The SOC team monitors an organisation's IT infrastructure 24/7/365 to detect, analyse and respond to security incidents in real time. When a threat or attack is detected, the team implements measures to protect the organisation and prevent further damage. In addition, the SOC is responsible for continuously analysing threat data and keeping abreast of new attack methods - all to maintain the strongest possible cyber protection.

A SOC consists of several roles with different responsibilities. The team mainly consists of three different roles:

  • Security Analysts: whose responsibility is to triage, correlate, analyse and classify alerts and incidents.
  • Security Researchers: whose responsibility is to continuously analyse the changing threat landscape, and provide input to detection development and threat hunting.
  • Incident Responders: whose responsibility is to work on resolving complex incidents.

 

A SOC may also be responsible for monitoring and classifying all of the organisation's assets and vulnerabilities, as well as strategising and implementing various protective measures to reduce the risk of intrusion. Where these functions do not lie within the responsibilities of the SOC, close co-operation with the department responsible is required.

The work is led by a SOC manager, who in turn usually reports to a CISO (Chief Information Security Officer) or a CIO (Chief Information Officer).

 

What does a Security Operations Center do?

A Security Operations Center works on cybersecurity from a holistic perspective. This means both addressing incidents when they occur, and minimising the risks of new attacks and threats.

The SOC team's responsibilities are many and include:

  • Asset inventory: the SOC team performs, or works closely with the team performing, inventories of all the organisation's assets that need to be protected. This includes e.g. applications, databases, servers, cloud services, endpoints, etc. They also inventory all the tools used to protect them such as firewalls, antivirus and anti-malware tools, monitoring software, etc.
  • Incident response planning: the SOC is responsible for developing the organisation's incident response plan, which defines the activities, roles and responsibilities in the event of a threat or breach, as well as the metrics to be used to measure the success of incident response.
  • Regular testing: the SOC team assesses the organisation's vulnerabilities and the threats that could exploit them, the impact a successful attack would have on the organisation, and the costs associated with it. In some cases, the SOC also performs penetration tests to simulate specific attacks on one or more systems. The team then fixes or fine-tunes applications, security policies and incident response plans based on the results of these tests.
  • 24/7 continuous security monitoring: The SOC monitors the organisation's entire IT infrastructure - applications, servers, system software, computing devices, cloud-based services and networks - 24/7, year-round, to detect anomalies, known exploits and other suspicious activity. The SOC uses centralised monitoring, detection and response technologies such as SIEM (Security Information and Event Management) and EDR (Endpoint Detection and Response). These technologies allow the SOC team to collect and correlate alerts from software and hardware across the network in real time. The data is then analysed to identify potential threats.
  • Data collection: The SOC collects information in real time. This is mainly done in three different ways:

  • by monitoring activity on endpoints (EDR, Endpoint Detection and Response)
  • by monitoring activity based on log information (SIEM, Security Information and Event Management)
  • by monitoring network activity (NDR, Network Detection and Response)

 

Of these, most organisations start with EDR, as it is quick to implement and provides both good detection capability and a good ability to perform response actions. Once EDR is in place, you can move on to NDR and SIEM for broader coverage, since endpoint agents see nothing of unmanaged devices, network appliances or cloud services that only produce logs.

  • Log management: The SOC collects log data of activities that occur on the network or in applications and analyses it. This analysis establishes what normal activity looks like and can detect anomalous behaviour that indicates suspicious activity. Since most companies are unable to monitor log data themselves, attackers generally expect their malware to run undetected for weeks or even months. Through effective log management, a Security Operations Center can detect abnormalities in real time and put measures in place to stop the attack from progressing. For this to work, logs must be forwarded to a central store as they are produced; logs that only exist on the compromised host can be altered or deleted by the attacker.
  • Threat detection: the SOC team triages the alerts generated by the SIEM tools, separating genuine threats from false positives, and then ranks the confirmed threats by severity. Using artificial intelligence (AI) and machine learning (ML), the SOC can automate some of these processes by allowing the tools to 'learn' from the data to better detect suspicious activity over time.
  • Evaluation and improvement: To prevent incidents from happening again, the SOC uses the insights gained from the incident to refine its security work. At a more holistic level, the SOC team also looks at whether the incident is part of a larger trend and whether attackers' approaches are changing - this is to ensure that it is prepared, and has the right tools and processes in place, to face the changing threat landscape.
  • Incident response: When an incident in the form of a cyber threat or attack occurs, the SOC team takes action to stop the attack and limit the damage. Actions may include, among others:

  • Investigating the root cause of the attack to determine how the attacker gained entry.
  • Shutting down or disconnecting compromised devices from the network.
  • Isolating parts of the network or redirecting network traffic.
  • Pausing affected applications and processes.
  • Removing or quarantining corrupted or infected files.
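As an added illustration of the log management and threat detection work described above (example code written for this article, not part of Iver's SOC tooling or any product it describes), the following Python script parses a constructed set of SSH authentication log lines, builds a per-user baseline of normal source addresses from an initial learning window, then flags password-guessing bursts and successful logins from previously unseen addresses (weighted higher outside business hours), suppresses failures from a hypothetical known vulnerability scanner as false positives, and finally ranks the remaining alerts by severity. The log format, the thresholds, the business-hours window and the scanner address are all assumptions chosen for the example.

```python
"""Minimal log triage: baseline, anomaly detection, false-positive suppression, ranking."""
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample of SSH authentication events (not real data).
# Days 1-2 are ordinary logins; day 3 contains a password-guessing burst
# from an external address that ends in a successful login.
SAMPLE_LOGS = """\
2024-07-01T08:02:11Z host1 sshd: Accepted password for alice from 10.0.1.5
2024-07-01T08:15:42Z host1 sshd: Accepted password for alice from 10.0.1.5
2024-07-01T09:01:03Z host2 sshd: Accepted password for bob from 10.0.1.9
2024-07-02T08:10:00Z host1 sshd: Accepted password for alice from 10.0.1.5
2024-07-02T09:05:30Z host2 sshd: Accepted password for bob from 10.0.1.9
2024-07-03T03:12:44Z host1 sshd: Failed password for alice from 203.0.113.7
2024-07-03T03:12:45Z host1 sshd: Failed password for alice from 203.0.113.7
2024-07-03T03:12:46Z host1 sshd: Failed password for alice from 203.0.113.7
2024-07-03T03:12:47Z host1 sshd: Failed password for alice from 203.0.113.7
2024-07-03T03:12:48Z host1 sshd: Failed password for alice from 203.0.113.7
2024-07-03T03:12:50Z host1 sshd: Accepted password for alice from 203.0.113.7
2024-07-03T09:00:10Z host2 sshd: Accepted password for bob from 10.0.1.9
2024-07-03T14:30:00Z host2 sshd: Failed password for bob from 10.0.9.99
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd: (?P<result>Accepted|Failed) password "
    r"for (?P<user>\S+) from (?P<src>\S+)$"
)

# Assumptions for the example: a known internal vulnerability scanner whose
# failed logins are expected (a false positive if alerted on), a threshold for
# password guessing, and the hours during which logins are considered normal.
KNOWN_SCANNERS = {"10.0.9.99"}
BRUTE_FORCE_THRESHOLD = 5
BUSINESS_HOURS = range(7, 19)  # 07:00-18:59 UTC


def parse(log_text):
    """Turn raw log lines into event dicts; lines that do not match are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def build_baseline(events):
    """Normal behaviour: the source addresses each user has logged in from."""
    baseline = defaultdict(set)
    for ev in events:
        if ev["result"] == "Accepted":
            baseline[ev["user"]].add(ev["src"])
    return baseline


def detect(events, baseline):
    """Apply the detection rules and return (alerts ranked by severity, suppressed count)."""
    alerts, suppressed = [], 0
    failures = Counter()   # (user, src) -> number of failed attempts
    brute_forced = set()   # (user, src) pairs that crossed the threshold
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["user"], ev["src"])
        if ev["src"] in KNOWN_SCANNERS:
            suppressed += 1    # known benign source: do not raise an alert
            continue
        if ev["result"] == "Failed":
            failures[key] += 1
            if failures[key] == BRUTE_FORCE_THRESHOLD:
                brute_forced.add(key)
                alerts.append({"rule": "brute_force", "severity": 3, "ts": ev["ts"],
                               "user": ev["user"], "src": ev["src"]})
            continue
        # Successful login: a success after a guessing burst is the highest severity.
        if key in brute_forced:
            alerts.append({"rule": "brute_force_success", "severity": 5, "ts": ev["ts"],
                           "user": ev["user"], "src": ev["src"]})
        # A success from an address never seen for this user is anomalous on its own,
        # and more so outside business hours.
        if ev["src"] not in baseline.get(ev["user"], set()):
            sev = 3 + (0 if ev["ts"].hour in BUSINESS_HOURS else 1)
            alerts.append({"rule": "new_source_login", "severity": sev, "ts": ev["ts"],
                           "user": ev["user"], "src": ev["src"]})
    return sorted(alerts, key=lambda a: (-a["severity"], a["ts"])), suppressed


def triage(log_text, baseline_until):
    """Learn the baseline from events before `baseline_until` (ISO timestamp), detect on the rest."""
    cutoff = datetime.strptime(baseline_until, "%Y-%m-%dT%H:%M:%SZ")
    events = parse(log_text)
    baseline = build_baseline([e for e in events if e["ts"] < cutoff])
    return detect([e for e in events if e["ts"] >= cutoff], baseline)


if __name__ == "__main__":
    ranked, dropped = triage(SAMPLE_LOGS, "2024-07-03T00:00:00Z")
    for a in ranked:
        print(f"sev {a['severity']} {a['rule']:20} user={a['user']} src={a['src']} at {a['ts']}")
    print(f"{dropped} event(s) suppressed as known false positives")
```

The ranking puts the successful login that followed the guessing burst at the top, ahead of the same login seen purely as an off-hours connection from a new address, and the burst itself last; the scanner's failed login is counted but never surfaces as an alert. In a real SOC the baseline would be rebuilt continuously and the rules would live in the SIEM rather than in a script, but the division of labour is the same: collect centrally, establish normal, alert on deviation, discard the known-benign, rank what remains.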

 

When is a Security Operations Center needed?

Knowing that a breach or attack has occurred only weeks after it happened is not enough for most organisations now that an organisation's most important assets are digital. Strong cyber protection requires someone to react to the alarm when something happens, spot potential weaknesses, and coordinate security so that threats and attacks can be thwarted before they reach the critical parts of an organisation. A Security Operations Center is no longer a luxury for large companies, but is now a necessity for organisations of all sizes.

 

Without a SOC monitoring an organisation's IT infrastructure, intruders can move undetected for weeks, and even months, before anyone notices them. During this time, a lot of damage can be done to a business. In the analogy that describes the IT security work that organisations do themselves as moats, fences and locks, a Security Operations Center can be likened to a patrolling guard force, using surveillance cameras, motion detectors and access controls to monitor the environment around the clock. In other words, a Security Operations Center greatly enhances an organisation's IT security.


Want to know more about Iver SOC? Contact us via the form!
