Security operations centers (SOCs) have been growing in need and popularity. Michael Hill explores the SOC options organizations have at their disposal and outlines how to get the most out of a SOC investment
A Security Operations Center (SOC) is a dedicated function that identifies and analyzes security issues on an organizational and technical level. Its purpose is to provide an organization with a centralized, actionable view of threat events across its IT environment. If implemented correctly, a SOC function can increase visibility of suspicious and malicious activity, raise awareness of potential risks and ultimately help a business prevent, detect and respond to cyber-attacks.
Traditionally, investing in a SOC was really only a viable option for a few very large, mature organizations handling vast amount of data or processing high value transactions. However, things have changed in recent years. Threat actors are targeting an increasingly diverse range of organizations across different industries, going after various types of data and taking advantage of an ever widening and difficult-to-secure enterprise attack surface. This has meant that a capability to effectively detect security threats and initiate timely responses has become progressively important for more and more companies with varying profiles. SOCs, therefore, have been growing in both usage and popularity.
"An effective SOC is vital for those organizations that embrace a proactive approach to risk management,” says Emma Bickerstaffe, senior research analyst at the Information Security Forum (ISF).
"An effective SOC is vital for those organizations that embrace a proactive approach to risk management"
Whereas, in the past, a SOC was an option for the few and not the many, it is increasingly becoming a part of everyday life for organizations whose productivity relies not on their size or scale, but on their ability to process digital information securely and quickly – and there aren’t many businesses in the world that don’t fall into that category.
David Orr, SOC manager at NCC Group, adds: “Given the high financial cost of breaches, it is not an overstatement to say that a mature SOC can prevent millions of pounds worth of damage to an organization. It is a common misconception that attacks are always highly targeted. Many are not, so it’s vital for organizations of all sizes and sectors to protect themselves from both collateral damage and targeted attacks with an effective SOC.”
However, implementing a SOC requires careful planning and coordination. “If the SOC is not effective, anomalies will be missed, information security weaknesses will remain undetected and threats will continue unabated, which will cause the business to query whether the SOC is providing the expected return on investment,” warns Bickerstaffe.
Should a company’s SOC be ineffective, continues Sam Temple, managing director of JUMPSEC, “the cost to the organization can be catastrophic in terms of its operations, financial or legal situation, brand or reputation and even fines on top of the cost of running its SOC.”
To put it simply, if you want to benefit from a well-functioning, worthwhile SOC, it needs to be a SOC that is right for your business.
I Wanna SOC
So what are a security leader’s SOC options for their organization, what makes a SOC effective and how can a business ensure they get the most from a SOC investment? The first important thing to consider is that modern SOCs come in a variety of guises.
One of these is the internal SOC – an in-house, dedicated team made up of security experts that sits within and is managed by the organization itself. It could be argued that, in an ideal world, this would be the SOC of choice for all companies, because it allows for the best internal visibility of the environment, technology ownership and control, quicker escalation of threats, greater fidelity of employees and it is more easily customized. However, running a fully-fledged internal SOC is a significant undertaking, with high upfront and ongoing costs, substantial implementation/scale-up time and staffing challenges. It may be the ideal option, but it will not be realistic for companies that do not have the scale or resources to support it.
Another option is an entirely outsourced SOC, or a ‘SOC-as-a-Service’ offering. This takes advantage of an external, specialized service that is quicker and cheaper to implement, providing a high-level of SOC expertise without the strain of trying to run one without the resources needed to make it work. On the downside, there can be a notable reduction of internal visibility compared with an internal SOC, with longer escalation times and a lack of customization opportunities, not to mention the fact that an outsourced SOC requires a third party to handle an organization’s data, which is always a significant risk factor to consider.
Then there is the option of a hybrid SOC; one that combines a blend of internal/external SOC teams, offering a certain degree of control to the contracting organization, without the need to take total ownership of the SOC function. It’s easy to see why a Hybrid SOC would be a popular option for organizations of varying sizes; it allows for internal management and development, with the added support of the outsourced provider who can also normally offer additional services such as penetration testing, for example.
A SOC-seeking security leader needs to think long and hard about which of those options is going to be the right choice for their company, but regardless of what they opt for, there are some key requirements that any SOC must fulfill to be effective.
“The SOC needs the full support of both business and IT stakeholders to succeed"
SOC With You
One of these is a SOC’s ability to align itself and work in cohesion with the wider business, and vice-versa.
“The SOC needs the full support of both business and IT stakeholders to succeed,” says Bickerstaffe. Equally, its mission and long-term vision must be closely aligned with the business and IT strategy, Bickerstaffe adds. “It is essential to engage early with the business, pinpointing the relevant stakeholders to explain the value of a SOC, demonstrate its potential and secure their ongoing support throughout the lifetime of the SOC.”
Michael Cormack, senior consultant at Context Information Security, concurs: “If a SOC is not integrated into the wider business, it may fall into a static state, not improve and inevitably fail to provide value to the business. It is so important to focus on what the business’ mission is for a SOC and to have a key understanding of what it delivers.”
This means that a succinct understanding and seamlessness between the SOC function and the business is paramount. There must be clearly defined and mutually understood processes in place to ensure all stakeholders know how security issues are raised (and to whom) and definite plans laid out to establish what actions are to be taken and when (and again, by whom). Successful business alignment also means that the SOC focusses on monitoring the right scenarios – not everything is equally important to a business, so business critical assets need to be correctly prioritized to avoid alert fatigue and allow the SOC to best serve the business.
These things can be slightly more straightforward to achieve with an internal SOC which is considered part of the same business, and require more work to perfect if the function is completely outsourced, but the business benefits are worth the additional effort.
SOC ‘n’ Roll Star(s)
As is the case with any organizational function, an effective SOC needs a talented team to operate it. Of course, if you are outsourcing entirely, that responsibility sits with the SOC service you are working with. However, it’s worth noting that if you are looking to run an internal SOC, or at least to internalize part of the SOC team, one of the biggest challenges you will face is filling it with the right people and resources.
“This can be difficult in an industry where the skills gap is well-publicized,” points out Orr. “However, maintaining the right blend of skills and experience across your analysts and engineers is the most important aspect to get right,” he adds.
"This challenge can be mitigated by starting with an experienced SOC manager and looking for internal appointments to fill gaps in the SOC alongside some experienced hires,” advises Bickerstaffe. “Internally recruited staff members will already be engaged, familiar with the business and invested in its success. Regular training and mentoring is essential for retention of staff and to develop the skills necessary for SOC analysts to excel.”
This human factor should be complemented by a blend of advanced tools and bespoke detection capabilities across the kill chain to ensure maximum coverage at all stages of an attack, adds Orr.
"Maintaining the right blend of skills and experience across your analysts and engineers is the most important aspect to get right"
SOC Around the Clock
Another key element of an effective SOC is its ability to work around the clock – chiefly, ensuring the SOC is fully-operational during ALL the hours that it is actually needed.
Raef Meeuwisse, CISM, CISA, author of Cybersecurity for Beginners and director of Cyber Simplicity Ltd, divulges further: “I am always amazed by things like a 20/5 SOC, when an organization works 24/7, or by SOC closure times that align exactly with the most vulnerable and likely points for a cyber-attack,” he explains.
Even if a business does not operate every hour of every day, its technologies are likely to be running all hours, Meeuwisse adds. “The staff may be switched off, but the technologies rarely are. The best time for any hacker to attack is when the defenses are at their lowest level, which is, in many cases, when all the regular staff, including the most senior staff, have gone home.”
There’s even the possibility of cyber-criminals purposely targeting a company with attacks when they know it is at its weakest – i.e. doing a bit of homework to see if it has SOC downtime.
“In many cases, it is possible for hackers to do some reconnaissance and find this out either through internet searches, social media or social engineering. They could also just do a set of preliminary attack runs at different times and find out when the detection and recovery rates are slower.”
Therefore, whether an organization is looking to create and run its own SOC, outsourcing to a third party or hoping to operate somewhere in the middle, it would be futile to invest in any approach that does not (or cannot) operate around the clock. This is a particularly important consideration for any organization seeking to run an in-house SOC, because it means having a certain number of dedicated staff working through the night.
“That is an example of why a suitable outsourced SOC service can prove beneficial in some circumstances, although ultimately, the actions required to halt an attack and recover systems will most likely require needing to have some regular staff on-call,” – so even if you are outsourcing, that’s another important factor to take into account.
“In many ways, if running technology is like sailing on the sea, then the SOC is the equivalent of a life jacket,” Meeuwisse says, and you don’t want to be struggling to put it on after most of the crew have already drowned.
We Will SOC You
The above advice will put any CISO looking to kick-start a SOC initiative in good stead, but what if you are already implementing an effective SOC and you feel that it ticks all the boxes, is the hard work over? Not according to the experts.
“For organizations that already have an operational SOC, a significant challenge revolves around keeping up-to-date with the ever changing cyber-threat landscape,” warns Temple.
Bickerstaffe therefore believes that SOC success is an ongoing, progressive exercise, and “it is crucial that it is treated as a program, not a project. A phased, iterative approach to implementation should be taken. Above all, a SOC must never be stagnant but continuously improving.”
So how do you go about gauging whether your SOC investment is capable of doing that on an ongoing basis? Luckily, as SOCs become more necessary and widely-adopted functions, industry standards and guidance are helping businesses in their initiatives.
For example, CREST provides an accreditation scheme for SOC facilities, which enables both providers and internal SOCs to demonstrate that they are able to deliver a quality level of service. Likewise, as Orr adds, “by using the MITRE ATT&CK framework, we have seen organizations grow from 15% coverage to more than 90% following the implementation of a well scoped SOC.”
Clearly, there is much to consider when it comes to making a success of a SOC, and whilst Orr admits that “no solution provides guaranteed protection from a cyber-attack,” a well-functioning SOC’s holistic approach means that it is one of the most effective methods of reducing the risk of significant damage and expense