What Makes a Modern SOC
Every organization–regardless of size, budget or area of focus–should have some form of a security operations center (SOC). When I use the term “security operations center,” many people imagine a dedicated team with expensive tools and a room full of monitors. SOCs do sometimes look like that, but not always. A SOC can be one person or multiple groups of people spread across the globe. A SOC can be outsourced to a service provider, staffed with internal resources or built from a mix of the two. In short, a SOC is a dedicated person or team that provides cybersecurity services to an organization, which means a SOC is attainable by any organization.
Now that you know your organization should have a SOC, what should be expected of that SOC? A SOC is responsible for providing services, and those services need to be aligned with the goals of the organization the SOC protects. The clearest statement of what is expected of a SOC is its mission statement and scope of work. I have seen people with security responsibilities become recognized as a formal SOC by obtaining executive support for a SOC mission statement and scope of work. These two fundamental components separate a SOC from a collection of loosely related security services.
Regarding SOC services, I believe every SOC should have some form of the following services, which I call the foundational SOC services.
- Risk management: Identifying and making decisions to deal with organizational risk. This pertains to managing any type of risk, from physically securing assets to patching digital vulnerabilities that exist within software.
- Vulnerability management: Identifying and managing risk from technical vulnerabilities. This commonly involves targeting vulnerabilities within software found on servers, laptops and IoT devices. Most SOCs use vulnerability scanners and outside threat intelligence to identify vulnerabilities.
- Incident management: Responding to security-related events. This covers what actions the SOC takes when certain events occur, such as isolating systems, alerting team members and implementing remediation steps to resolve the issue.
- Analysis: Analyzing various types of artifacts. This includes identifying characteristics, reverse engineering, vulnerability/exploitation analysis, root-cause analysis, remediation and mitigation analysis.
- Compliance: Assessing and maintaining organizational compliance requirements.
- Digital forensics: Gathering evidence post-incident to determine the cause of the incident and prepare for legal action.
- Situational and security awareness: Providing the organization with awareness of its operational environment and potential threats.
- Research and development: Researching the ever-evolving threat landscape, developing new tools and techniques, and modifying existing tools to improve effectiveness.
Some of these services can be outsourced, while others could be on-demand. For example, a small business will likely not have a digital forensics expert on staff; however, they should know who to call in if legal action needs to be taken due to a cyber-related incident.
It is important to point out that a SOC doesn’t acquire a service by buying a tool, and having a service doesn’t mean the service is effective. The security industry uses maturity models to measure the quality of a service. Using vulnerability management as an example, buying a vulnerability scanner would move your organization from a maturity of zero to 1 by demonstrating that you can perform ad-hoc vulnerability scanning. Higher maturity requires developing repeatable processes that are captured in policies and procedures and enforced by SOC management.
Improving maturity leads to a question I often receive: “What do I need to do to function as a modern security operations center?” My answer is one word: DevOps. In the DevOps model, programming is used to connect tools and systems so that they work together. This is the critical element for orchestration and automation, that is, the ability to automate parts of a SOC service. As technology advances, data grows and attacks become more sophisticated, a SOC can’t simply “pedal faster” and hope to keep up. Every SOC service has a breaking point that separates a modern, mature SOC from one that is purely reactive and unable to keep up with the pace of work. I’m often asked during classes I teach, “What skill set should I focus on to get hired in the cybersecurity field?” My answer always includes some form of DevOps.
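As an added example (not code from the original article), here is what automating one slice of the vulnerability management service described earlier looks like in the DevOps sense: a script that glues a vulnerability scanner's export to an outside threat-intelligence feed and an asset inventory, scores each finding, applies a remediation SLA, and rolls the findings up into tickets. The scanner export format, the intelligence feed, the asset inventory, the CVE identifiers (deliberately placeholder `CVE-0000-000N` values) and the scoring thresholds are all constructed for illustration and are not any vendor's format or any real advisory.

```python
"""Added example: SOC automation that triages scanner findings against threat
intelligence and an asset inventory. Every input below is constructed inline;
the file formats, field names and scoring scheme are assumptions for
illustration, not a real scanner's or feed's schema."""
import csv
import io
import json
from datetime import date, timedelta

# Constructed scanner export: one finding per row (hypothetical CSV layout).
SCAN_EXPORT_CSV = """\
host,cve,cvss,first_seen
web-01,CVE-0000-0001,9.8,2024-01-03
web-01,CVE-0000-0002,5.3,2024-01-20
db-01,CVE-0000-0003,7.5,2023-11-15
jump-01,CVE-0000-0001,9.8,2024-02-01
db-01,CVE-0000-0004,4.0,2024-02-10
"""

# Constructed threat-intelligence feed listing CVEs seen exploited in the wild.
INTEL_JSON = json.dumps({"exploited": [{"cve": "CVE-0000-0001"},
                                       {"cve": "CVE-0000-0003"}]})

# Constructed asset inventory (hypothetical attributes a SOC would maintain).
INVENTORY = {
    "web-01": {"internet_facing": True},
    "db-01": {"crown_jewel": True},
    "jump-01": {"internet_facing": True},
}

# Assumed remediation SLAs, in days from first detection, per priority tier.
SLA_DAYS = {"P1": 7, "P2": 30, "P3": 90}
REFERENCE_DATE = date(2024, 2, 15)  # "today" for the constructed data


def parse_scan(csv_text):
    """Turn the scanner's CSV export into typed finding records."""
    return [{"host": r["host"], "cve": r["cve"], "cvss": float(r["cvss"]),
             "first_seen": date.fromisoformat(r["first_seen"])}
            for r in csv.DictReader(io.StringIO(csv_text))]


def load_intel(json_text):
    """Return the set of CVE IDs the feed reports as actively exploited."""
    return {entry["cve"] for entry in json.loads(json_text)["exploited"]}


def prioritize(finding, exploited, inventory):
    """Score = CVSS plus context bumps; map the score to a priority tier.
    Thresholds (11 / 7) are assumptions chosen so that exploited or exposed
    high-severity findings land in P1."""
    score, reasons = finding["cvss"], []
    if finding["cve"] in exploited:
        score, reasons = score + 3, reasons + ["known exploited"]
    asset = inventory.get(finding["host"], {})
    if asset.get("internet_facing"):
        score, reasons = score + 2, reasons + ["internet-facing"]
    if asset.get("crown_jewel"):
        score, reasons = score + 2, reasons + ["crown-jewel asset"]
    priority = "P1" if score >= 11 else "P2" if score >= 7 else "P3"
    return priority, round(score, 1), reasons


def triage(csv_text=SCAN_EXPORT_CSV, intel_json=INTEL_JSON,
           inventory=INVENTORY, today=REFERENCE_DATE):
    """Enrich every finding with priority, SLA due date and overdue flag,
    sorted so the most urgent work comes first."""
    exploited = load_intel(intel_json)
    results = []
    for f in parse_scan(csv_text):
        priority, score, reasons = prioritize(f, exploited, inventory)
        due = f["first_seen"] + timedelta(days=SLA_DAYS[priority])
        results.append({**f, "priority": priority, "score": score,
                        "reasons": reasons, "due": due, "overdue": today > due})
    results.sort(key=lambda r: (r["priority"], -r["score"], r["first_seen"]))
    return results


def to_tickets(results):
    """Roll findings up into one ticket per CVE: highest priority seen,
    earliest due date, and every affected host. Relies on triage() ordering
    so the first finding for a CVE carries its top priority."""
    tickets = {}
    for r in results:
        t = tickets.setdefault(r["cve"], {"cve": r["cve"], "priority": r["priority"],
                                          "hosts": [], "due": r["due"], "reasons": set()})
        t["hosts"].append(r["host"])
        t["due"] = min(t["due"], r["due"])
        t["reasons"].update(r["reasons"])
    return sorted(tickets.values(), key=lambda t: (t["priority"], t["due"]))


if __name__ == "__main__":
    for t in to_tickets(triage()):
        flag = "OVERDUE" if REFERENCE_DATE > t["due"] else "open"
        print(f'{t["priority"]} {t["cve"]} due {t["due"]} [{flag}] '
              f'hosts={",".join(t["hosts"])} reasons={sorted(t["reasons"])}')
```

The point of the example is the glue, not the scoring: the scanner, the intelligence feed and the inventory each exist on their own, and it is code like this that turns them into a repeatable service with measurable SLAs rather than an analyst reading a scan report by hand. Swapping the constructed inputs for a real scanner export and a real feed means changing only `parse_scan` and `load_intel`.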