The security operations center, or SOC, is the heart of any functional cybersecurity organization. While other groups focus on security architecture and strategy, policy development and risk assessment, the SOC is where the rubber meets the road in terms of implementing these strategies.
An estimated 68% of organizations have a SOC, and successful organizations -- those with a mean total time to contain (MTTC) at the 80th percentile or above -- are significantly more likely to have a strong, comprehensive security operations center framework. Successful cybersecurity organizations are able to detect an incursion, understand that the incursion is an attack and contain the attack within 20 minutes or less, according to Nemertes Research. These companies are 52% more likely than less successful organizations to contain an attack.
So, having a SOC is a critical step in ensuring an organization's cybersecurity.
What is a SOC framework?
A SOC framework is the overarching architecture that defines the components delivering SOC functionality and how they interoperate. In other words, a SOC framework should be based on a monitoring platform that tracks and records security events (see figure). An analytics platform provides the ability to analyze these events and determine which combinations of events might indicate an attack or incident. The analytics platform can be either manual -- human beings running various analytics to determine what's going on -- or automated via AI and machine learning algorithms -- the system itself detects attacks and security incidents.
It's not enough to determine that an attack has occurred or is underway; there has to be a response. Depending on whether the SOC is internal or external, the response may be as simple as an alert to inform the client or as complex as automatically executing a full-on incident response process.
Most SOCs have multiple platforms for detection and monitoring, which may or may not be integrated. The SOC framework also may include other functionality, such as threat hunting. These main components should serve as the starting point for a complete SOC framework. Finally, the components should be integrated with ongoing threat intelligence services to ensure detection, analysis and response to attacks are in line with the best available information.
5 core principles of a SOC framework
Highly effective SOC frameworks have several operational capabilities that include the following:
- Monitoring. The most fundamental function a viable security operations center framework can provide is to monitor activity. The goal of such monitoring, of course, is to determine whether a breach has occurred or is underway. But, before cybersecurity professionals can make that determination, they need to be aware of what's going on. Automated tools and technologies can help with monitoring, including SIEM tools, behavioral threat analytics and cloud access security brokers. These tools may, but not necessarily, use technologies such as AI and machine learning. Cybersecurity analysts typically provide the top layer of such monitoring, reviewing the status of the alarms and alerts.
- Analysis. The next function a SOC should provide is analysis. The goal of the analysis is to determine, based on enterprise activity, whether a breach has occurred or a vulnerability is present. As part of the examination function, SOC analysts review alarms and alerts generated by the monitoring system to see if they correlate with known patterns of attack or vulnerability exploits. Once again, AI and machine learning come into play, along with human intelligence. The aforementioned tools may also provide some degree of analysis.
- Incident response and containment. If the SOC is internal or if the enterprise's agreement with an outsourced SOC provider calls for assistance beyond alert notification, the next function the security operations center framework delivers is incident response -- precisely how to handle the incident depends on the incident's type, scope and severity. A companywide ransomware attack obviously requires a different response than the compromise of a single server. This is where security orchestration, automation and response (SOAR) tools can help.
Incident response and containment include not only the immediate fire drill responses -- isolating affected systems and applications and notifying relevant stakeholders -- but, ultimately, the longer process of remediation. Effective remediation goes beyond fixing the immediate problem; it also addresses the policies, processes and technical issues that fueled the problem in the first place. Although the SOC doesn't always have a direct role to play in remediation, it's a useful source of detailed information that can be reviewed to determine the root causes of the security incident. And, of course, any policy, process or technology change may affect SOC operations.
- Auditing and logging. As noted, the SOC has an important, though often overlooked, role to play in logging and auditing: to verify compliance and to document the response to security incidents that may be used as part of a post-mortem assessment. Many SOAR tools contain an impressive array of timestamped documentation, which can be of value both to cybersecurity analysts and compliance professionals.
- Threat hunting. Even when systems are operating normally -- that is, no significant incidents are detected in the environment -- SOC analysts have other responsibilities. They monitor and assess threats in the outside environment by reviewing threat intelligence services and, if they are third parties with multiple customers, scan and analyze cross-customer data to determine patterns of attack and vulnerability. By proactively hunting for threats, SOC providers -- whether internal or external -- can stay a step ahead of the attackers and take protective steps in the event an attack occurs.
Next steps for SOC frameworks
What happens after monitoring and analysis? The answer depends in part on whether the SOC is internally operated by the enterprise or is delivered as an outsourced service. If the latter, the cybersecurity team may have contracted for one of two versions of support: alert notification or full-service incident response.
Alert notification simply means the SOC notifies enterprise cybersecurity professionals when there's an incident or vulnerability. At that point, the cybersecurity incident response policy should go into effect. If the SOC is internally operated, the SOC team should participate in incident response management. If the SOC is provided by an external company, the provider may consider its work done when it hands off notification of a vulnerability or breach. That's fine as long as the organization's cybersecurity professionals understand that's what they've contracted for and have an incident response policy that takes into consideration how the internal team and the SOC team will interact following the notification.
In summary, a well-designed security operations center framework should do far more than merely track alarms and alerts. When properly configured and managed, the SOC can assist in incident containment, provide invaluable insight into incident post-mortems and deliver proactive protection.