Increase exposure of various computer threats (more than 80% of companies have been targeted by a cyberattack), regulatory pressure reinforcement (such as the General Data Protection Regulations) … that much reasons for organizations to improve the control of the security of their information systems and to be interested in a Security Operations Center (SOC). It is a “Control Tower” designed to detect, prevent a potential risk, and determine reaction actions.
One true goal: guarantee the continuity of business activities by adapting as quickly as possible to constraints and risks.
Most of the time, a SOC involves a combination of technological tools, processes and dedicated people to collecting, sorting and investigating security incidents.
– Human resources – experts in security: operators, analysts, Pentester. Their mission: interact with the teams responsible for information systems security within the company, to best adapt the solution to the organization. Their main objective will be to analyze events to respond to incidents in a short time.
– Processes – SOC processes are specific to IS security monitoring and administration. Their objective is to ensure the monitoring of the IS, the detection and resolution of security incidents as well as making improvements to the SOC based on the evaluation of its processes, the evolution of threats and regulatory developments.
– Technologies – meaning all the technical means used to collect, correlate, store and report on security events. The SOC’s main security solution is the SIEM (Security Information and Event Management). It is an event management tool of the information system.
Services provided by a SOC
The services provided by the SOC are organized around the following activities:
- Security monitoring in connection with the Computer Security Incident Response Team (CSIRT/CERT)
- Fine tuning and maintenance tooling
- MSC (Maintenance in Safety Condition) of the tools
- Optimization of detection rules, and consideration of Indicators of Compromise (IoC) provided by CSIRT/CERT (Computer Security Incident Response Team / Computer Emergency Response Team) teams
So the SOC will identify risks, measure exposure to threats and assess the level of security in order to define a roadmap and a vigilance plan.
- Log collection and analysis
- Information correlation to analyze security events as a whole and not as a unit
- Triggering and qualification of alert on suspicious elements
- Customer company notification and communication
Inside all the different activities noise, the SOC detects security incidents as well as attempted attacks to determine company’s exposure to threats. This technical and behavioral monitoring will make it possible to be warned in a short timeframe. The security center will thus collect the events (in the form of logs in particular) reported by the security components, analyze them, detect anomalies and define reactions in the event of an alert being issued.
- Immediate processing of documented alerts and analyses
- Handling security incidents with supervisory teams
- Investigations following a security incident (Forensic)
Above all, the SOC must react with very short deadlines and provide the most appropriate responses. It is to provide emergency support, expertise and methodology when the organization needs it most.
Report / Dashboard
- Generation of regular reports on SOC activity
- Security dashboard with service indicators (alerts, incidents, investigations, etc.), technical indicators (MCO/MSC) and trend indicators (extension of the collection perimeter, new detection rules, etc.)
The different types of SOC
The implementation of a SOC is a major project, transversal with important operational impacts. The explicit support of the Management is essential to justify the recurring expenses incurred by such an organization. Still need to choose the right type of SOC depending on the organization, challenges and means:
- Virtual SOC: there is no dedicated installation, team members are part-time, activated in case of an alert or critical incident
- Dedicated SOC: dedicated installation with a dedicated team, entirely in-house
- SOC distributed / co-managed: team members are dedicated and semi-dedicated, with typically 5×8 at the operational level; when used with an MSSP, it is co-managed
- Command SOC: this type of SOC coordinates other SOCs, provides threat intelligence, provides threat expertise and is rarely directly involved in day-to-day operations.
- SOC / Network Operations Center (NOC): this is a dedicated facility with a dedicated team performing not only security but also other critical IT operations 24/7 from the same facility to reduce costs
- Next gen SOC: this type of SOC takes over traditional and new functions such as Threat Intelligence, a Computer Incident Response Team (CIRT) and Operational Technology (OT) functions.
- Outsourced SOC: this involves calling on an external service provider who will have the human and technological resources to offer the services of a SOC. While larger organizations may consider implementing the necessary resources to build an internal SOC, others may face considerable difficulties in building such an internal function not directly related to their business.
ISO27001 certification, a guarantee of quality?
Some SOCs are ISO 27001 certified. This guarantees the implementation of a management system and organizational and technical measures to ensure a good level of security. The qualification and certification of a SOC to ISO 27001 is particularly complex to obtain given the many constraints it imposes. An ISO 27001 certified SOC therefore means that it has a great deal of know-how in the field and is a guarantee of maturity.
The various technologies that constitute a SOC
The SOC will rely on various tools to correlate and analyze multiple log sources for more effective cyber protection:
- IDS / IPS
- Web Application Firewall
The various logs collected by the SOC are reported in the SIEM (Security Information and Event Management) composed of several powerful analysis tools:
- APT detection module
- Vulnerability management tool
- Compliance monitoring tool
- Log correlation module
- Behavioral analysis module
Multiply strengths against cyberthreats
Having a Security Operations Center will improve the detection of security incidents through continuous monitoring and analysis of data activity. However, setting up and operating a SOC can be complex and costly. This is why companies set up their own SOC or use an outsourced SOC in order to benefit from the following advantages:
- Reduce risks and unavailability of critical information system components
- Identify threats and prevent them: today, companies take an average of 191 days to identify a data breach (Source: Cost of Data Breach 2017). The SOC allows potential threats to be identified in real time.
- Shorten response times: in the case of a malware infection for example, the propagation time will be reduced to a minimum. Today with the GDPR (General Data Protection Regulations), it is required to notify of a data breach within 72 hours.
- Improved monitoring: a key success factor for a SOC is the establishment of an effective monitoring strategy. For this purpose, the scope, technical architecture, monitoring and maintenance processes and SOC rules will be defined in a document.
- Save time on incident investigation: you benefit from substantial efficiency gains for teams tracking the most mature threats. According to a 2018 McAfee study, a mature SOC can complete incident investigations in less than a week using the threat tracking skills of experts.