SOC(K)? You Mean For Your Feet?
We all know socks are comfy. We wear them with shoes. What about the other SOC, the one for your business and information security. This post is about the Security Operation Center (SOC) and how to develop it successfully.
All about SOCs
What is a “SOC”? Most probably, it is in the basement of your company. A security operations center consists of a highly organized and well-trained team. Its objective is to improve the company’s security while preventing, detecting, analyzing, and responding to cybersecurity incidents. It does so by using technology through well-prepared processes and procedures. The SOC must have a clearly defined and business-specific strategy that depends on executive support and sponsorship.
The SOC addresses the company’s cybersecurity, the stronger the executive sponsorship the more successful the SOC will be.
You must carefully plan the environment of your security operation center. The layout of the SOC has to be carefully designed to be comfortable and functional. You might think stuff like lighting and acoustics don’t make a huge difference, but they do. A SOC’s role is to contain several areas, including the operating room, or ”war room”, and supervisor’s offices. Comfort, efficiency, and control are key in this scenario and every single area must be designed accordingly.
After you have that all settled, time to look at the technology you will need. Many components are necessary to build a complete tech environment within the SOC: firewalls, IPs/IDSs, breach detection solutions, SIEM, and, of course, security operation automation response (SOAR) product like CyberSponse to glue everything together.
Effective and efficient data gathering is fundamental for a successful SOC. From a security perspective, it’s important to collect, correlate, and analyze data flow, telemetry, packet captures, Syslog and several types of events. Data enrichment and information about vulnerabilities affecting the entire ecosystem have to be monitored for security reasons.
Well, you think machines can do it on their own? That is a wrong assumption. Even with the most advanced and best-equipped control, rooms are worth nothing without people bringing it to life! Moreover, if you look at the three important parts to a successful SOC, technology, people, and process are the three main columns.
How to be a successful team
To be a successful team you will need to fulfill all rules properly: leaders, engineers, analysts, and operations professionals. Teams carry out many functions, and analysts have two or three tier assignments. Primary functions provided by the team members will be the analysis of real-time monitoring of events, alerts of security incidents or data breaches. This is also followed by the response to these incidents (after the necessary triage phase) and figuring out the damages of each incident.
SOC’s organizational skills need to be at the forefront of this process. Each member must stick to the plan that the leadership put into place when incidents like that happen. The SOC manager must be able to build the team, motivate the members, retain people and make them see value in the business. The SOC manager has to make sure SOC is running 24/7 with tasks like selecting the right members for the team. SOC manager and staff are of the same importance, if not more than technology.
It’s important not to divorce a deeper analysis of the technology components supporting the SOC with a strong emphasis on security. You must look at each detail of an in-depth approach: LAN segmentation, VPN, endpoints hardening, encryption of data at rest, in use and in motion, protection through well configured and monitored IPSs/IDSs, firewalls, routers, and switches.
How CyberSponse can help
Moreover, adding CyberSponse will help control all different cybersecurity tools. Teams must carefully design collaboration tools to give the members the best user experience available.
As soon as the SOC is operational and live, the team will have to carry out its plan and will have to react to incidents. When an incident arises, a ticket is opened and a case will have to be investigated. Different levels of escalations, leading possibly to the Computer Security Incident Response Team (CSIRT), could be put in place and the team must collaborate leveraging all the available tools and procedures until the closure of the case. With a SOAR product like CyberSponse, a company can create playbooks and automate them on how to fix them and save them for future reference.
I hope all this was helpful to better understand the functions of SOC.