apinan - Fotolia

Manage Learn to apply best practices and optimize your operations.

Building an effective security operations center framework

An effective security operations center framework includes more than just monitoring and analysis. AI and machine learning can also play a role.

The security operations center, or SOC, is the heart of any functional cybersecurity organization. While other groups focus on security architecture and strategy, policy development and risk assessment, the SOC is where the rubber meets the road in terms of implementing these strategies.

Today, 68% of organizations have a SOC, and successful organizations -- those with a mean total time to contain (MTTC) at the 80th percentile or above -- are significantly more likely to have a strong, comprehensive security operations center framework. Successful cybersecurity organizations are able to detect an incursion, understand that the incursion is an attack and contain the attack within 20 minutes or less, according to Nemertes Research. These companies are 52% more likely than less successful organizations to contain an attack.

What's more, organizations with a SOC can improve their MTTC from a median of 180 minutes to a median of 102 minutes, a 43% improvement.

So, having a SOC is a critical step in ensuring an organization's cybersecurity.

SOC monitoring and analysis

Highly functional SOCs have several operational capabilities, which include the following:

  • The most fundamental function a viable security operations center framework can provide is to monitor activity. The goal of such monitoring, of course, is to determine whether a breach has occurred or is underway. But, before cybersecurity professionals can make that determination, they need to be aware of what's going on. Automated tools and technologies can help with monitoring, including SIEM tools, behavioral threat analytics and cloud access security brokers. These tools may, but not necessarily, use technologies such as AI and machine learning. Cybersecurity analysts typically provide the top layer of such monitoring, reviewing the status of the alarms and alerts.
  • The next function a SOC should provide is analysis. The goal of the analysis is to determine, based on enterprise activity, whether a breach has occurred or a vulnerability is present. As part of the examination function, SOC analysts review alarms and alerts generated by the monitoring system to see if they correlate with known patterns of attack or vulnerability exploits. Once again, AI and machine learning come into play, along with human intelligence. The aforementioned tools may also provide some degree of analysis.
SOC deployment status
The status of SOC deployments based on Nemertes Research's study of 335 organizations in 11 countries

What are a SOC's next steps?

The real question is: What happens after monitoring and analysis? The answer depends in part on whether the SOC is internally operated by the enterprise or is delivered as an outsourced service. If the latter, the cybersecurity team may have contracted for one of two versions of support: alert notification or full-service incident response.

Precisely how to handle the incident depends on the incident's type, scope and severity. A companywide ransomware attack obviously requires a different response than the compromise of a single server.

Alert notification simply means the SOC notifies enterprise cybersecurity professionals when there's an incident or vulnerability. At that point, the cybersecurity incident response policy should go into effect. If the SOC is internally operated, the SOC team should participate in incident response management. If the SOC is provided by an external company, the provider may consider its work done when it hands off notification of a vulnerability or breach. That's fine as long as the organization's cybersecurity professionals understand that's what they've contracted for and have an incident response policy that takes into consideration how the internal team and the SOC team will interact following the notification.

Incident response and containment. If the SOC is internal or if the enterprise's agreement with an outsourced SOC provider calls for assistance beyond alert notification, the next function the security operations center framework delivers is incident response -- precisely how to handle the incident depends on the incident's type, scope and severity. A companywide ransomware attack obviously requires a different response than the compromise of a single server. This is where security orchestration, automation and response (SOAR) tools can help.

Incident response and containment include not only the immediate fire drill responses -- isolating affected systems and applications and notifying relevant stakeholders -- but, ultimately, the longer process of remediation. Effective remediation goes beyond fixing the immediate problem; it also addresses the policies, processes and technical issues that fueled the problem in the first place. Although the SOC doesn't always have a direct role to play in remediation, it's a useful source of detailed information that can be reviewed to determine the root causes of the security incident. And, of course, any policy, process or technology change may affect SOC operations.

nternal vs. outsourced SOCs
The breakdown of internal vs. external SOCs from Nemertes Research's study of 335 organizations in 11 countries.

Auditing and logging. As noted, the SOC has an often important, though often overlooked, role to play in logging and auditing: to verify compliance and to document the response to security incidents that may be used as part of a post-mortem assessment. Many SOAR tools contain an impressive array of timestamped documentation, which can be of value both to cybersecurity analysts and compliance professionals.

Threat hunting. Even when systems are operating normally -- that is, no significant incidents are detected in the environment -- SOC analysts have other responsibilities. They monitor and assess threats in the outside environment by reviewing threat intelligence services and, if they are third parties with multiple customers, scan and analyze cross-customer data to determine patterns of attack and vulnerability. By proactively hunting for threats, SOC providers -- whether internal or external -- can stay a step ahead of the attackers and take protective steps in the event an attack occurs.

In summary, a well-designed security operations center framework should do far more than merely track alarms and alerts. When properly configured and managed, the SOC can assist in incident containment, provide invaluable insight into incident post-mortems and deliver proactive protection.

This was last published in January 2020

Dig Deeper on Information security policies, procedures and guidelines

Join the conversation

1 comment

Send me notifications when other members comment.

Please create a username to comment.

How would you fortify your security operations center foundation?