In today’s business environment – where organizations are increasingly aware of the cyber security threats to their businesses – having the capabilities of an advanced SOC (security operations center) is considered an important part of establishing a safe perimeter for your business.
But setting up and maintaining an SOC requires a wide range of expertise, processes and technologies – the magic mix necessary to ensure the SOC operates at an optimal level, and provides the necessary response to protect key assets and act rapidly and effectively post-breach.
The following are some of the elements and challenges of building an SOC:
Find the Right People
An SOC is only as good as the threat intelligence team that runs it. And it’s not just a question of hiring people with experience, because the truth is that having the right mentality is more important than coming in with experience. A person can always gain skills or experience – but if someone comes in with the wrong approach, it’s just not going to be a good fit.
Working in an SOC requires having a different attitude than that of an IT professional or a developer. It requires looking at each situation from the perspective of a hacker – and figuring out how to protect an organization effectively according to its business risk profile, i.e., the level of protection commensurate with its business needs.
Rather than seeing just the existing data, an SOC team has to look beyond the actual data and ask, “What else do we need to do?” Sometimes this involves figuring out where the malware came from, then thinking creatively about the broader environment: Where else might the malware have caused damage, even if that damage hasn’t been felt yet?
The best SOC professionals are those who, on the one hand, know how to follow the Playbooks, methodologies and cyber security strategies in place – while, on the other hand, they are creative, out-of-the-box problem solvers who excel at lateral thinking.
You’ll want to decide about how large a team you need. Just as an example: To make sure you have coverage for unexpected situations, you need a minimum of 12 people for a 24 x 7 operation, allowing for training, vacations, and sick days.
The thing is this: Most organizations hire people for the SOC team who have low levels of knowledge and experience. Frequently, students are hired for what is viewed, more or less, as an entry-level position. The problem is that this limits the kind of work they do: Generally, these SOCs only handle Tier 1 and 2, and outsource more severe incidents. An alternative approach involves hiring fewer people, but only taking individuals who have the professional background to operate at a higher level – a method that has the advantage of leading to higher levels of cooperation, better results, quicker turnaround, and greater resilience.
Determine Overt and Covert SOC Operations
When you design an SOC, you need to keep your eye on the crown jewels – your most sensitive assets – ensuring the SOC is designed to meet security needs and allows you to manage risk in your organization. No more, no less.
To do this requires taking the time “up front” to determine clear and appropriate processes, and to establish approaches to decision making.
An obvious question related to SOC processes is its operational coverage. Is it operating 24/7? Or is it operational only during business hours? In many organizations, a decision is made to outsource SOC support during the night hours.
Regardless of what your decision is, everyone needs to be on board regarding what to do if an event requires escalation. Who should be contacted if it happens after hours? When should senior management be brought into the loop? Transparency between SOC operations and the relevant client stakeholders is crucial so that all relevant parties can communicate and collaborate in real time.
Another issue relates to each team member’s area of responsibility. In some SOCs, each individual has a very specific area of responsibility. Problems are passed along, for example:
- Tier 1 or 2 threat intelligence analysts who recognize a severe problem convey this information to a higher-level analyst, perhaps Tier 3 or 4.
- Tier 3 or 4 threat intelligence analysts might then make a recommendation to the SIEM integrator, who is asked to make changes to settings or configuration.
This division of labor can be time consuming; and where it’s possible to design the SOC such that cyber threat intelligence analysts (both Tier 1/2 and Tier 3/4) have SIEM knowledge, the response is quicker – saving time and money.
A third aspect of SOC processes that needs to be determined relates to continuous iteration and improvement. The SOC platform should always be adapting to the cyber security threat landscape; Playbooks should continuously iterate. It is important to establish a clear process for iteration and improvement right from the beginning.
Use SOC Technology that Supports Orchestration, Automation, and AI
Organizations need to detect and respond to malicious behaviors and incidents, because even the best preventative controls will not prevent all incidents. As pointed out in this Gartner paper, IT risk and security and leaders must move away from trying to prevent every threat – and instead, they should accept as inevitable that perfect protection is impossible. The question is not if, but when – and more importantly, how – that is, how to handle an incident optimally, when it occurs.
But SOCs work with so many different technologies. So how do you develop an SOC that can respond accurately and effectively in real time?
If you are investigating an incident and need to use each technology separately, it takes more time and requires greater expertise to identify the problem. Say, for example, there is a virus alert. To investigate it, the SOC must use the SIEM, the EDR (Endpoint Detection and Response), and network forensics technologies designed to provide advanced detection for cyber security threats.
An advanced SOC uses sophisticated technologies to maximize efficiency and avoid error. It enriches data that’s available through orchestration, bringing in data from multiple security products – thereby improving the quality of the investigative process. Through automation, an advanced SOC reduces the “noise” – false positive results – and allows SOC members to focus on the most important alerts that require human attention.
Maintaining the necessary degree of integration, orchestration, and automation requires constant upgrades and updates. Unfortunately, many SOCs integrate a SIEM but do not continue to improve it, and it quickly becomes outdated and loses its relevance. Companies that do not have the resources to continue to maintain and improve SOC processes should consider opting to partner with an MSSP (managed security services provider) like CyberProof that can do this work for them.
AI (artificial intelligence) and ML (machine learning) are also part of the picture. An advanced SOC leverages the power of AI and ML, to create smart insights that correlate and enrich log alerts and turn them into contextual “smart alerts.” The data provided through AI and ML allows detection and remediation to happen much more quickly – generally a matter of hours, rather than weeks. Furthermore, AI – together with big data analytics – helps predict and automate detection and remediation workflows, facilitating quicker, more accurate incident response and recovery.
Pull It All Together
In developing an SOC, it’s really a question of how to balance the components – the people, processes, and technology – to generate an SOC that prevents any cyber attacks from harming your organization or its customers, is developed within budget, and is available all day, every day.
Having a single platform where all alerts and incidents are managed centrally in real time facilitates collaboration between all team members, and between the SOC and other client teams. This allows for quick incident response by providing direct access to the SIEM, threat intelligence, UBA (user behavior analytics), EDR, and other tools. This “single pane of glass” capability provides a complete picture of the security surface of an organization, providing the correct response to an identified threat accurately and quickly. The platform forms a solid technological base for an effective SOC.
Because building an SOC that operates optimally is such a complicated mission, many organizations opt to use an MSSP.
Interested in working with CyberProof for your security operations instead of developing your own? Contact us for details!