What's a Security Operations Centre (SOC) and why should I care?
By John Higginson, 12 July 2017
My previous blog post talked about cyber security risk management. This post explains the relevance and importance of a SOC and how this capability can reduce the risk to your network.
As we have been receiving increasing numbers of requests to assist clients in either setting up or advising on current SOC capabilities and procedures, it would seem prudent to explain the purpose and increasing need for this capability.
So what is a SOC?
The function of a SOC is to maintain situational awareness of events on the computer systems and networks that it monitors. Events occurring on those systems are collected by monitoring software (operating system and application logs, alerts from security tooling) and forwarded to the SOC, where they are stored, correlated and reviewed by an analyst team. Essentially, the SOC team are the ‘virtual security guards’ that protect your network, whereas the IT team build and maintain it. Using this analogy it is easy to see the difference in roles, responsibilities and skills required by the SOC and IT teams – you would not employ a security guard to build your house, nor employ a builder to keep it secure!
Separating the SOC and IT teams into distinct elements helps reduce the conflicting pressures and priorities between the two. That said, both teams should ideally report to a single senior role in the organisation so that a) the operational need for network availability and the need to keep things secure can be kept in balance and b) information can flow more freely between the two functions.
What are the benefits of a SOC?
Whilst many businesses have flourished without a SOC for some time, the increasing prevalence and sophistication of cyber-attacks, and the impact they can have on a business, whether financial losses from network downtime and reduced operational output or reputational damage, mean that the benefits a SOC brings are ever more tangible and the associated costs easier to justify.
A network monitoring capability supports the prevention of, and above all the timely detection of and response to, malicious activity. No SOC will prevent every attack, but it shortens the time an attacker can operate undetected. When a suspicious event is detected, the SOC can investigate and respond, following tried and tested procedures, to reduce both the impact and the severity, either using internal SOC staff or by requesting external support.
How does a SOC work?
By having an in-depth understanding of how hostile actors behave, as described by the Cyber Kill Chain model (pictured below), and of what they need to do in order to gain access to a network, the SOC can be designed to detect and block the attacker at each stage:
The Cyber Kill Chain
In the Kill Chain model, an attacker will attempt to:
- Reconnoitre the target to identify a weakness in its security: e.g. an unmaintained, internet-connected machine.
- Develop/weaponise an attack against it: e.g. malware tailored to that weakness, packaged in a document or installer.
- Deliver this to the system: e.g. via an email attachment, a file upload, or directly to a listening network service.
- Exploit the vulnerability: the harmful code runs, or the attacker connects to the weakly protected service.
- Install: establish a persistent presence on the system, from which to observe and assess the targets.
- Establish command and control: maintain a covert channel back to the attacker’s own systems so that the foothold can be directed.
- Act on objectives: steal or alter information, manipulate systems, or move on to other hosts.
Against each of these steps the SOC, working with the IT and physical security teams, will aim to carry out the five functions below (the same Identify, Protect, Detect, Respond and Recover functions used by the NIST Cybersecurity Framework):
- Identify legitimate assets, systems and normal activity, so that anomalies can be recognised
- Protect assets: proactively increase the difficulty of attacks (patching, hardening, reducing exposure)
- Detect reconnaissance or attacks as they occur
- Respond: block network traffic, shut down harmful processes, isolate affected systems
- Recover: restore data, restart systems, and feed lessons learned back into protection and detection.
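To make the Detect and Respond steps concrete, here is a small added example (not part of the original post) that runs three simple rules over constructed firewall, endpoint and web-proxy log lines, tags each hit with the Kill Chain stage it most likely represents, and attaches the response the SOC would take. The log format, field names, host names (including c2.example.invalid), thresholds and the process lists are all assumptions made for illustration; in a real SOC these rules would run in a SIEM over live feeds and would need allow-lists for legitimate periodic traffic such as update checks.

```python
# Added example (not from the original post): toy detections for three Kill
# Chain stages over constructed log lines. Formats and thresholds are assumed.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample logs, one key=value event per line (not real data).
FIREWALL_LOG = """\
ts=2017-07-12T09:00:01 action=deny src=203.0.113.7 dst=198.51.100.10 dport=21
ts=2017-07-12T09:00:01 action=deny src=203.0.113.7 dst=198.51.100.10 dport=22
ts=2017-07-12T09:00:02 action=deny src=203.0.113.7 dst=198.51.100.10 dport=23
ts=2017-07-12T09:00:02 action=deny src=203.0.113.7 dst=198.51.100.10 dport=80
ts=2017-07-12T09:00:03 action=deny src=203.0.113.7 dst=198.51.100.10 dport=135
ts=2017-07-12T09:00:03 action=deny src=203.0.113.7 dst=198.51.100.10 dport=139
ts=2017-07-12T09:00:04 action=deny src=203.0.113.7 dst=198.51.100.10 dport=443
ts=2017-07-12T09:00:04 action=deny src=203.0.113.7 dst=198.51.100.10 dport=445
ts=2017-07-12T09:05:00 action=allow src=192.0.2.5 dst=198.51.100.10 dport=443
"""
ENDPOINT_LOG = """\
ts=2017-07-12T10:12:05 host=WS-0042 parent=explorer.exe process=winword.exe
ts=2017-07-12T10:12:09 host=WS-0042 parent=winword.exe process=powershell.exe
ts=2017-07-12T10:13:00 host=WS-0017 parent=explorer.exe process=chrome.exe
"""
PROXY_LOG = """\
ts=2017-07-12T10:15:00 host=WS-0042 dst=c2.example.invalid bytes=512
ts=2017-07-12T10:20:00 host=WS-0042 dst=c2.example.invalid bytes=514
ts=2017-07-12T10:25:00 host=WS-0042 dst=c2.example.invalid bytes=511
ts=2017-07-12T10:30:00 host=WS-0042 dst=c2.example.invalid bytes=513
ts=2017-07-12T10:31:17 host=WS-0042 dst=www.example.com bytes=40213
"""

def parse_kv(text):
    """Turn key=value lines into dicts; the 'ts' field becomes a datetime."""
    events = []
    for line in text.splitlines():
        ev = dict(field.split("=", 1) for field in line.split())
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%S")
        events.append(ev)
    return events

def detect_reconnaissance(events, min_ports=8, window=timedelta(seconds=60)):
    """Recon: one source denied on many distinct ports inside a short window."""
    denied = defaultdict(list)
    for ev in events:
        if ev["action"] == "deny":
            denied[ev["src"]].append(ev)
    findings = []
    for src, evs in denied.items():
        evs.sort(key=lambda e: e["ts"])
        for i, first in enumerate(evs):  # slide the window over each start event
            ports = {e["dport"] for e in evs[i:] if e["ts"] - first["ts"] <= window}
            if len(ports) >= min_ports:
                findings.append({
                    "stage": "reconnaissance",
                    "indicator": f"{src} probed {len(ports)} ports on {first['dst']}",
                    "response": f"block {src} at the perimeter; review {first['dst']} exposure"})
                break  # one finding per source is enough for the analyst
    return findings

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}      # assumed list
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "mshta.exe"}

def detect_exploitation(events):
    """Exploitation: an Office document spawning a shell or script host."""
    findings = []
    for ev in events:
        if ev["parent"].lower() in OFFICE_APPS and ev["process"].lower() in SCRIPT_HOSTS:
            findings.append({
                "stage": "exploitation",
                "indicator": f"{ev['parent']} spawned {ev['process']} on {ev['host']}",
                "response": f"kill {ev['process']} on {ev['host']}; isolate the host; retrieve the document"})
    return findings

def detect_command_and_control(events, min_hits=4, jitter=timedelta(seconds=5)):
    """C2: a host contacting one destination at a near-constant interval.
    Legitimate software beacons too (update checks), so a real rule needs an allow-list."""
    by_pair = defaultdict(list)
    for ev in events:
        by_pair[(ev["host"], ev["dst"])].append(ev["ts"])
    findings = []
    for (host, dst), stamps in by_pair.items():
        stamps.sort()
        if len(stamps) < min_hits:
            continue
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        if max(gaps) - min(gaps) <= jitter:  # regular spacing = likely beacon
            findings.append({
                "stage": "command and control",
                "indicator": f"{host} beacons to {dst} every {gaps[0]} ({len(stamps)} hits)",
                "response": f"block {dst} at the proxy; isolate {host} and image it"})
    return findings

def run_detections():
    """Run every rule over its constructed feed; returns findings in stage order."""
    return (detect_reconnaissance(parse_kv(FIREWALL_LOG))
            + detect_exploitation(parse_kv(ENDPOINT_LOG))
            + detect_command_and_control(parse_kv(PROXY_LOG)))

if __name__ == "__main__":
    for f in run_detections():
        print(f"[{f['stage']}] {f['indicator']} -> {f['response']}")
```

Each rule is deliberately narrow and produces a response the analyst can act on directly, which is the point of the procedures discussed later: the rule, the threshold and the response are written down and repeatable rather than improvised per incident.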
What do I need to deliver a SOC capability?
An effective SOC is a combination of people, procedures and technology:
- People: the SOC management, analysts, response and maintenance staff.
- Procedures: standardised, repeatable processes for defending and responding to incidents on systems
- Technology: the software and hardware deployed on the network and in the Operations Centre to collect, correlate, triage, display and respond to events (log collection, a SIEM for correlation and alerting, analyst dashboards).
A SOC developed in isolation will be a waste of time and effort for all involved. The SOC must be set up in close collaboration with both the IT and physical security teams. These three elements are the mutually supporting components of an effective and coherent security solution. Think of each element as the leg of a stool: if one is weak, the whole solution is unstable and likely to fall over…
A mature and well managed network is a precursor to developing a SOC; if the network is not in a good state to start with, the task of the SOC will be unachievable. Similarly, if physical access to the network is not suitably restricted, the task of the SOC will be made considerably more complex and arguably irrelevant. Finally, if the SOC is not properly resourced and trained, it will not be able to carry out its function and assure the confidentiality, integrity and availability (the information security triad) of the systems it protects, for example the integrity and availability of the CCTV feeds that physical security staff rely on.
Using the previous analogy, security should be considered from the outset of the build; otherwise there may be a hole in a wall or a gap in a fence, which is then more difficult to protect or monitor either physically or virtually. In most cases, network security will not have been properly considered or appropriately updated throughout the evolution of the network, so such gaps or holes will need to be managed in line with the organisational risk appetite and budget.
SOC model options
The key question for most organisations will be whether to develop an in-house SOC, adopt a hybrid solution with Managed Security Service Provider (MSSP) support, or fully outsource the SOC. A number of factors will come into play here, most notably the security and confidentiality requirements, the size of the organisation and its network, and the budget and timeframe.
Each model has its merits, but as each organisation will have differing priorities and budgets, careful consideration of which model best fits will be needed. Requirements and priorities will undoubtedly change over time, so a routine review of the chosen SOC solution should be scheduled.
Whichever model is adopted, a policy of ongoing assessment will need to be applied across all areas (policies, processes, skill levels and technological controls), in order to identify areas of strength and weakness, so that resources can be allocated to bring areas of weakness up to acceptable levels.
In concert with this, procedures and processes need to be thoroughly tested to ensure that they work and are appropriate. Lessons can be learned from conducting these tests and the processes and procedures refined as a result. Testing will also give the SOC staff confidence in their abilities, whilst highlighting areas for individual training and development.
The need for and relevance of a SOC has never been more pressing and pertinent. Cyber-crime and cyber-attacks are daily events that need to be defended against. An effective SOC provides considerable assurance and the ability to respond appropriately and effectively in the event of an attack. However, a SOC in isolation is futile; it needs to be viewed as a coherent package alongside IT and physical security, which are all mutually supporting. If one element is weak, the overall security is fragile.
Having properly trained, motivated and appropriately supervised personnel in each area is an essential element of the holistic security solution. In tandem, appropriate policies and well-practised procedures will mean that timely and suitable responses can be enacted to mitigate the impact of security incidents.