In the past, large corporations have implemented traditional security operations centers (SOC) as a means to maintain vigilance regarding their information security posture. The most popular model has centered on building large command centers, where numerous analysts work side by side to assess real-time security data and manually respond to it. This is what we at Forrester Research call SOC 1.0. Although this model has proven effective, the days of SOC 1.0 are numbered.
Given today's economy, building or maintaining a SOC is a difficult budgetary proposition. In fact, one of the ironies of SOC costs is that these centers were originally designed to reduce the cost of security incidents by bringing numerous security engineers and analysts into a single space. But times change, threats evolve, new technologies arise, and there are better ways to accomplish the SOC tasks without building one physically. Forrester calls this new model SOC 2.0.
Several factors are driving the evolution of the SOC, including the transformation of the network operations center (NOC). The traditional NOC is designed to monitor network-level events and provide level-one triage and troubleshooting for corporate networks. But as companies begin to build more robust, ITIL-based unified operations centers that will support and supplant some security operations functions, it means tier-one and tier-two security operations can be collapsed and handled in the operations center. As a result, its staff needs only escalate the highest-level events to security operations.
As the function of the NOC and the SOC continue to evolve over time, Forrester anticipates the operations center of the future will become a consumer of SOC services. As events escalate beyond the skill level of the operations center, skilled security engineers will be assembled virtually to temporarily deal with higher-level security events.
What's the result? The metamorphosis of the NOC into the operations center will be highly beneficial to security operations and will drive the creation of a future-state SOC that will be virtual -- brought together on an as-needed basic via collaboration technology -- and not tied to a particular place. The outcome of this virtualization is that security operations will become a service provider to all of IT, leveraging the people skills, information and technology that are aggregated in this new virtual SOC or VSOC. The biggest benefit will be in overall operational cost reductions: Virtual SOC operations mean that security operations will become a part-time job. The highest skilled operators can be assigned part-time responsibility and pulled into the VSOC as needed to respond to a particular incident.
In SOC 2.0, any incidents that get post newer proactive network controls can be escalated to these part-time VSOC engineers, who will be able to morph into their role without being dedicated to watching a set of monitors for an entire shift. This new model makes it possible to have a larger number of skilled professionals distributed throughout the organization available to respond within a virtual collaborative environment to begin to deal with any security incident.
By adding this new virtual element, SOC 2.0 becomes highly dependent on the people who are called upon to staff it in times of crisis or need, as well as on the tools and technology that will provide visibility into incidents and that will help lead to quicker incident resolution.
To ensure success, however, it will be essential to consider these three steps when building your SOC 2.0:
Identify the core people. The virtual team makeup will not be the traditional SOC 1.0 engineers, but rather highly trained and experienced security and risk professionals. These VSOC operators must be more experienced and better trained than NOC engineers. They must be security specialists with specific hands-on skills, such as firewalls, VPNs, and IDS/IPS, and security architects who are domain-specific designers working on the overall information security strategy. Training and experience have increased priority. Also, this provides an incentive that benefits employee retention initiates, as VSOC engineers still get to be involved in InfoSec trench warfare while continuing their career advancement.
Identify the core technologies. Security information management (SIM) tools will be the core technical component of SOC 2.0, acting as the information repository necessary for delivering on the VSOC vision. It's important for these information management tools to be easy to use and intuitive; they must also have a Web interface that can be accessed from any browser in the world, as a VSOC engineer could be based anywhere in the world at the time of an incident.
Other tools that will be important to SOC 2.0 are network monitoring tools, which provide insight into the state of the network and computer forensic tools to provide deep investigation into incidents that have moved beyond the service center. Forrester is now defining this toolset as NAV or Network Analysis and Visibility.
- Identify the core responsibilities and processes. The success of SOC 2.0 and the transition from the traditional SOC to the VSOC depends on the ability to transfer day-to-day security tasks to the operations center. The command center within the operations center must be able to mitigate tier-one and tier-two security incidents and recognize when to escalate tier-three incidents to the VSOC. It's therefore imperative to identify the core responsibilities of the VSOC vs. the operations center, and to come to an agreement on how responsibilities are to be divided between IT security management and IT operations.
A final recommendation surrounding the virtual SOC: "Go social." In other words, organizations should extend the capabilities of the VSOC using social networking tools. Forrester imagines a future where VSOC functions will be connected between companies so they can share pertinent information about the current state of security incidents and assist peers in mitigating attacks. Companies will further benefit from heightened situational awareness, improved visibility and access to a vast knowledge base. The social aspect of SOC 2.0 will make it scale-free and will drive down security operations costs for all participants.
About the author:
John Kindervag is Senior Analyst at Forrester Research. Serving security & risk professionals, he is a leading expert on wireless security, network security, security information management, and PCI data security.
This was first published in December 2010