Security Operations Centers and Their Role in Keeping Organizations Safe Pt.2
In our last post, we talked about the benefits, functions, and tasks of the Security Operations Center (SOC). In this post we continue with the tooling, use cases, policies, and the build-versus-outsource decision that go into a well-developed SOC.
The SOC's main task is to detect indications that something is wrong in the network and to stop the problem quickly. Efficiency and well-streamlined operations are essential to guide remediation. A SOC is typically organized in tiers: 1) level 1 analysts, 2) level 2 analysts, 3) engineers, 4) management.
One of the main tools used in a SOC is its sensors. The sensors provide the logging, i.e. firewalls, routers, ACLs, hubs, etc. Collectors gather events from the different sensors and translate them into a single, standard format so that events from different vendors can be correlated. For the best efficiency, SOCs must write custom parsers for log sources the collector does not understand out of the box, and must be able to troubleshoot a log source whose events stop arriving or stop parsing.
The SIEM solution has to be tuned to accommodate the organization's unique needs and use cases. The use cases must be defined; they are typically the events that require the SOC's intervention or monitoring. For example, finding, containing, and removing malware that antivirus software did not detect involves several steps, and several rules in this use case will alert the SOC to start an investigation. Other typical use cases are SMTP traffic from an unauthorized host, antivirus failed to clean, repeated attack from an IP, excessive outbound SMTP traffic, excessive outbound web or email traffic, access to a malicious website, exploit traffic from a single IP, etc.
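As an added example (not code from the original post), the collector-plus-use-case flow described in the two paragraphs above, in Python: two constructed log formats (a key=value firewall log and a Cisco-style ACL syslog line) are parsed into one normalized schema, lines that fail to parse are counted per source so that a broken parser or a changed log format is visible to the SOC, and two of the listed use cases are run as rules over the normalized events: repeated attack from a single IP (a threshold of denies inside a sliding time window) and SMTP traffic from an unauthorized host. The log lines, sensor names, the approved-relay list and the assumed syslog year are all constructed for this example.

```python
"""Added example: normalize two sensor formats into one schema, then run two
SIEM-style use-case rules over the normalized events."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample logs (not real captures). Two sensors, two formats.
FIREWALL_LOGS = [
    "2024-03-01T10:00:01Z fw1 action=deny src=203.0.113.7 dst=10.0.0.5 dport=22 proto=tcp",
    "2024-03-01T10:00:09Z fw1 action=deny src=203.0.113.7 dst=10.0.0.5 dport=23 proto=tcp",
    "2024-03-01T10:00:17Z fw1 action=deny src=203.0.113.7 dst=10.0.0.5 dport=445 proto=tcp",
    "2024-03-01T10:00:25Z fw1 action=deny src=203.0.113.7 dst=10.0.0.5 dport=3389 proto=tcp",
    "2024-03-01T10:00:33Z fw1 action=allow src=10.0.0.20 dst=198.51.100.2 dport=25 proto=tcp",
    "2024-03-01T10:00:41Z fw1 action=deny src=203.0.113.7 dst=10.0.0.6 dport=22 proto=tcp",
    "2024-03-01T10:00:41Z fw1 heartbeat",  # malformed on purpose: exercises the unparsed counter
]
ACL_LOGS = [
    "Mar  1 10:00:05 rtr1 %SEC-6-IPACCESSLOGP: list OUTBOUND permitted tcp 10.0.0.9(51000) -> 198.51.100.2(25), 1 packet",
    "Mar  1 10:00:50 rtr1 %SEC-6-IPACCESSLOGP: list INBOUND denied tcp 203.0.113.7(40000) -> 10.0.0.7(80), 1 packet",
]
ALLOWED_RELAYS = {"10.0.0.20"}  # assumption: the organization's approved outbound mail relays
ASSUMED_YEAR = 2024             # syslog lines carry no year; assumed for this example

FW_RE = re.compile(r"^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\dZ) (?P<host>\S+) (?P<kv>.*)$")
ACL_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) (?P<host>\S+) "
    r"%SEC-6-IPACCESSLOGP: list \S+ (?P<action>permitted|denied) (?P<proto>\w+) "
    r"(?P<src>[\d.]+)\(\d+\) -> (?P<dst>[\d.]+)\((?P<dport>\d+)\)")
ACL_ACTION = {"permitted": "allow", "denied": "deny"}  # map vendor words onto the schema


def parse_firewall(line):
    """Parser for the key=value firewall format; None means the line did not parse."""
    m = FW_RE.match(line)
    if not m:
        return None
    try:
        f = dict(tok.split("=", 1) for tok in m["kv"].split())
        return {"ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"), "sensor": m["host"],
                "action": f["action"], "src_ip": f["src"], "dst_ip": f["dst"],
                "dst_port": int(f["dport"]), "proto": f["proto"]}
    except (KeyError, ValueError):  # missing field or a token without '='
        return None


def parse_acl(line):
    """Parser for the Cisco-style ACL syslog format, producing the same schema."""
    m = ACL_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{ASSUMED_YEAR} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "sensor": m["host"], "action": ACL_ACTION[m["action"]], "src_ip": m["src"],
            "dst_ip": m["dst"], "dst_port": int(m["dport"]), "proto": m["proto"]}


def collect(sources):
    """Collector: run each source's parser and return time-sorted normalized events
    plus a per-source count of unparsed lines (a changed format shows up here first)."""
    events, unparsed = [], {}
    for name, (parser, lines) in sources.items():
        unparsed[name] = 0
        for line in lines:
            ev = parser(line)
            if ev is None:
                unparsed[name] += 1
            else:
                events.append(ev)
    events.sort(key=lambda e: e["ts"])
    return events, unparsed


def repeated_attack(events, threshold=5, window=timedelta(minutes=5)):
    """Use case: repeated attack from a single IP. Alerts when one source address
    accumulates >= threshold denies inside any sliding window of the given length."""
    denies = defaultdict(list)
    for e in events:
        if e["action"] == "deny":
            denies[e["src_ip"]].append(e["ts"])
    alerts = []
    for src, stamps in sorted(denies.items()):
        stamps.sort()
        best, span, start = 0, None, 0
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > window:
                start += 1
            if end - start + 1 > best:
                best, span = end - start + 1, (stamps[start], stamps[end])
        if best >= threshold:
            alerts.append({"rule": "repeated_attack", "src_ip": src, "count": best,
                           "first": span[0], "last": span[1]})
    return alerts


def unauthorized_smtp(events, allowed_relays):
    """Use case: SMTP traffic from an unauthorized host. Any source other than an
    approved relay talking to TCP/25 is alerted once, whether it was allowed or denied."""
    seen, alerts = set(), []
    for e in events:
        if e["proto"] == "tcp" and e["dst_port"] == 25 and e["src_ip"] not in allowed_relays \
                and e["src_ip"] not in seen:
            seen.add(e["src_ip"])
            alerts.append({"rule": "unauthorized_smtp", "src_ip": e["src_ip"],
                           "dst_ip": e["dst_ip"], "sensor": e["sensor"]})
    return alerts


def run():
    """Wire the sensors to their parsers, collect, and evaluate both use cases."""
    sources = {"fw1": (parse_firewall, FIREWALL_LOGS), "rtr1": (parse_acl, ACL_LOGS)}
    events, unparsed = collect(sources)
    alerts = repeated_attack(events) + unauthorized_smtp(events, ALLOWED_RELAYS)
    return events, unparsed, alerts


if __name__ == "__main__":
    _, unparsed, alerts = run()
    print("unparsed per source:", unparsed)
    for a in alerts:
        print(a)
```

The unparsed counter is the part an analyst tends to notice too late: a vendor firmware update that changes a field name silently drops a whole sensor out of every correlation rule, and a per-source count that suddenly jumps is the cheapest way to catch that.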
Policies and well-described procedures are essential to effective and efficient incident response. The SOC must have a documented internal policy covering controls, governance, and the configuration of the devices it manages. Devices are modified as needed to bring them into alignment with that policy and to confirm they are doing the job expected of them.
Communication is one of the most important parts of well-developed policies and procedures. A SOC needs to make sure that information system security incidents are promptly reported, that security events and weaknesses are promptly communicated to the appropriate system administrators, and that timely corrective actions are taken.
Additionally, the SOC must establish a formal information security event reporting procedure so that it can perform incident response effectively. In order to take action, the SOC must analyze the raw data and turn it into information an analyst can act on.
Decision: In-house SOC vs. Outsourced Managed Security Service Provider (MSSP)
A question often asked is whether an in-house SOC or an outsourced MSSP is the better choice. Setting up a SOC initially could cost around $750k for tools and infrastructure. Additional costs, including a team of 5-9 FTEs (depending on size, volume, and complexity), maintenance, depreciation, and training, would need a further investment of around $800k annually. In contrast, an MSSP typically charges a setup fee and then a subscription in the range of $500k per year. The advantages of an in-house SOC are a dedicated team, better control over the organization's sensitive log data, a known environment, easy customization, efficient correlation between groups, and logs stored locally; the disadvantage is the higher up-front cost. The advantages of an MSSP SOC are fewer capital expenses, access to security expertise, the MSSP's research and threat intelligence, scalability and flexibility, and the MSSP's experience across many customers.
The MSSP would monitor security logs and additionally make changes to the environment based on event analysis and security intelligence. An MSSP can deliver greater cost efficiency and more effective security monitoring because it serves many organizations, so its infrastructure and processes are already built and proven. Threat intelligence gathering and use are also how a SOC begins to become proactive in the IT security fight, and an MSSP brings its intelligence with it. Sources include information from partners and threat databases; the quality of that intelligence, and the way it is evaluated and fed into the SIEM tools, should be continuously matured.
The SOC should be process-driven. The run book documents these processes and SOC functions in advance. It is also important to assess or audit a SOC. The Information Technology Infrastructure Library (ITIL) methodology could be one baseline for service strategy, service design, defining key performance indicators (KPIs), service functions, service level agreements (SLAs), transitions, change management, operations, and continual improvement.
With well-managed operations and a well-managed team, an enterprise can ensure service quality and be confident in its response to security events.