What is a Security Operations Center (SOC)?
To ensure the survival of their business, companies today must define an adequate cybersecurity strategy to protect their IT systems and the data they are responsible for. Carrying out a sound risk assessment and turning that strategy into day-to-day operations requires specific skills, and the Security Operations Center (SOC) is the organizational home of those skills.
What is a Security Operations Center
The Security Operations Center (SOC) is a command center staffed by cybersecurity specialists who monitor and analyze activity in order to protect the company from cyber attacks. The SOC therefore keeps networks, internet traffic, servers, endpoints, applications, databases and any other system that could directly or indirectly be the cause or the target of a security incident under constant observation.
Depending on the corporate organization, its size and the actual cybersecurity risks it faces, the SOC is sized to include all the necessary skills. In carrying out its duties the SOC communicates with the other IT departments, but it performs its task with a high degree of autonomy. This makes it possible to outsource the function to highly specialized suppliers if the company does not have the resources to fulfill its two core functions in-house: log monitoring and the mitigation of IT security threats.
There is no fixed dogma or practice: the shape and activity of a Security Operations Center should always be adapted to the specific case of each company. Over the years, however, several frameworks have been written, and they are valuable guidelines especially when a SOC is being set up for the first time.
A popular framework for defining a SOC was developed by the SANS Institute with the publication of the paper Building a World-Class Security Operations Center: A Roadmap, which is structured around three fundamental pillars: people, processes and technology.
That said, three levels of SOC activity are commonly defined, and they map quite clearly onto the incident response discipline:
- Level 1 SOC: monitoring and analysis of IT systems (alert triage);
- Level 2 SOC: incident response;
- Level 3 SOC: vulnerability assessment and penetration testing (proactive analysis).
For this reason, a SOC that includes level 2 or level 3 functions can take over activities conventionally delegated to other cybersecurity bodies, such as the CSIRT (Computer Security Incident Response Team) or the CERT (Computer Emergency Response Team). This is not an interference but a natural extension of the functions originally envisaged by the theoretical models once they meet the IT resources actually available, concentrating and optimizing the demanding tasks those functions involve as much as possible.
Another recurring term for teams active in cybersecurity is the NOC (Network Operations Center). The difference from the SOC lies above all in its priorities: the NOC places the availability of network resources first, an essential aspect especially for public bodies and for companies whose channels carry very high volumes of traffic, as in the case of major product brands.
At the technological level, the main systems used by SOCs are SIEMs (Security Information and Event Management), which above all automate the monitoring and analysis of IT systems: they collect logs from many sources, normalize them into a common event format and apply correlation rules that raise alerts. Here too, advanced SIEMs are equipped with functions attributable to level 2 and level 3 SOC activity. SIEMs are not created to replace the human analyst but to assist them, especially when dealing with event streams that come from many different sources and are large in volume. The automated monitoring and the logging capabilities typical of SIEMs are fundamental in giving greater visibility into what is happening in the company's processes.
The benefits of having a SOC
The availability of a Security Operations Center allows companies to monitor and protect their data and IT resources in general, both from attackers and from the inexperience of internal staff. In more detail, the main advantages of a SOC are the following:
- Constant monitoring and in-depth analysis of any suspicious activity within the corporate network and security perimeter;
- Centralized management of hardware and software systems, for greater visibility in terms of IT security;
- Better information flow and a higher level of communication between the various IT departments and decision makers, for greater awareness of information security;
- Full transparency and control over IT security activities;
- Execution and optimization of incident response, to mitigate and minimize the impact of attacks;
- Reduction of the costs and disruptions caused by attacks;
- A general increase in the security of data processing and in compliance with current regulations;
- Better definition of internal responsibilities for the security of data and information systems, in order to progressively improve data governance and the organization as a whole.
Types of Security Operations Center
As mentioned in the introduction, depending on the size of the company and how critical cybersecurity is for the fate of the business, it is possible to form an in-house SOC or rely on the various outsourcing models available on the market, where cloud security services are proliferating. The main types of Security Operations Center are:
- Dedicated internal SOC: all team resources are allocated within the company and staffed by company employees;
- Distributed SOC: also known as a co-managed SOC, a hybrid of a full-time or part-time internal team and an external managed services team that offers consultancy packages tailored to actual needs. These suppliers, known as Managed Security Service Providers (MSSPs), ensure high standards in skills and technological equipment thanks to their specialization;
- Managed SOC: this configuration does not require internal resources to be dedicated to the SOC but entrusts the entire burden to an MSSP, which performs the task end-to-end and reports directly to internal managers;
- SOC support: a SOC can make use of specific consultancies to obtain highly specialized advice and services on a particular task, as often happens with threat intelligence, since the speed at which threats evolve would make it too complex and costly to bring this activity in-house;
- Virtual SOC: provides a live Security Operations Center without an on-premises physical office, whether the team is internal, external or hybrid. Virtual SOCs operate on the SOC as a service (SOCaaS) model typical of cloud services. This model is increasingly widespread because of the usual advantages of the cloud offering: companies can control costs in detail, without needing to invest in internal resources and personnel when the service is entirely managed by the MSSP, and can scale resources according to their workloads.
Composition of a Security Operations Center
The Security Operations Center is made up of various professional figures, experts in the different areas of IT security, data management and IT systems found in a corporate context. The number of members depends on several factors, including the complexity of the job and the available budget. In its most complete form, the SOC includes:
- SOC Manager: as the name suggests, the leader of the team and the operational manager of the SOC and of the company's cybersecurity resources. In addition to managing and supervising the work of SOC members, the manager's duties include communication with company management, which is kept up to date through reports and insights prepared so that information security facts can be understood by a non-technical audience;
- Incident responder: specialist in managing and mitigating attacks and active intrusions against corporate systems, through to the eradication and definitive elimination of the threat;
- Forensic investigator: has the fundamental task of identifying the causes and reconstructing the timeline of the incident, in order to establish with certainty the origin and magnitude of the attack, allowing the incident responder to eradicate it successfully and providing useful elements for improving the entire organization's cybersecurity;
- Analyst: a crucial figure in SOC activity, responsible for designing and maintaining the detection and alerting rules built on the logs collected by the monitoring systems (e.g. the SIEM). The analyst also coordinates and analyzes the results of the vulnerability assessment scans that are essential for identifying flaws in the company's IT systems, from servers to the network to the endpoints used inside and outside the security perimeter. The analyst must therefore have skills in programming, system administration and IT security procedures, and is one of the most sought-after figures precisely because of this 360° view, able to range from technical to organizational aspects with an analytical and objectively measurable approach;
- Ethical hacker: specialized in vulnerability assessment and in particular in penetration testing, i.e. simulated attacks useful for determining with certainty how an attacker could exploit a vulnerability to breach the corporate security perimeter. In a SOC, penetration testers work closely with analysts;
- Compliance auditor: mainly responsible for verifying that the procedures performed by the SOC on data and IT systems comply with current regulations and company policies, and for suggesting the necessary measures when they do not.
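The SIEM paragraph above describes the two things a SIEM does for the analyst (collect events from different sources and correlate them), and the analyst's role describes the detection rules built on those logs. The following is an added example written for this page, not code from the original article or from any SIEM product: a minimal correlation engine that normalizes two constructed log sources (an SSH authentication log and a web server access log, both invented for the demo) into one event schema and applies two rules, one for an SSH brute force that ends in a successful login and one that escalates when the same IP then reaches the web admin login. The thresholds, window sizes, rule names and log samples are all assumptions chosen for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample logs for the demonstration (not taken from any real
# system): an SSH authentication log and a web server access log, i.e. two
# sources with different formats that a SIEM would normalize before correlating.
AUTH_LOG = """\
2024-03-01T10:00:01 sshd[1201]: Failed password for root from 203.0.113.7 port 51522 ssh2
2024-03-01T10:00:04 sshd[1203]: Failed password for root from 203.0.113.7 port 51530 ssh2
2024-03-01T10:00:09 sshd[1205]: Failed password for invalid user admin from 203.0.113.7 port 51544 ssh2
2024-03-01T10:00:15 sshd[1207]: Failed password for admin from 203.0.113.7 port 51551 ssh2
2024-03-01T10:00:21 sshd[1209]: Accepted password for admin from 203.0.113.7 port 51560 ssh2
2024-03-01T10:02:00 sshd[1301]: Failed password for alice from 198.51.100.4 port 40000 ssh2
2024-03-01T10:30:00 sshd[1302]: Accepted publickey for alice from 198.51.100.4 port 40002 ssh2
"""

WEB_LOG = """\
203.0.113.7 - - [01/Mar/2024:10:00:30 +0000] "POST /admin/login HTTP/1.1" 200 512
198.51.100.4 - - [01/Mar/2024:10:05:00 +0000] "GET /index.html HTTP/1.1" 200 1024
"""

AUTH_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<outcome>Failed|Accepted) (?:password|publickey) "
    r"for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)
WEB_RE = re.compile(
    r'^(?P<ip>[\d.]+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# Rule parameters (assumed thresholds for the demo; a real SOC tunes them)
FAIL_THRESHOLD = 3                       # failures before a success is suspicious
FAIL_WINDOW = timedelta(seconds=60)      # sliding window for counting failures
FOLLOWUP_WINDOW = timedelta(minutes=10)  # how long a compromised IP stays "hot"


def normalize(auth_log, web_log):
    """Parse both sources into a common event schema, sorted by timestamp."""
    events = []
    for line in auth_log.splitlines():
        m = AUTH_RE.match(line)
        if m:
            events.append({
                "ts": datetime.fromisoformat(m["ts"]), "source": "sshd",
                "ip": m["ip"], "user": m["user"],
                "outcome": "success" if m["outcome"] == "Accepted" else "fail",
            })
    for line in web_log.splitlines():
        m = WEB_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z").replace(tzinfo=None)
            events.append({
                "ts": ts, "source": "web", "ip": m["ip"],
                "method": m["method"], "path": m["path"], "status": int(m["status"]),
            })
    return sorted(events, key=lambda e: e["ts"])


def correlate(events):
    """Apply two rules: SSH brute force ending in success, and a follow-up
    admin login on the web application from the same IP shortly afterwards."""
    alerts = []
    fails = defaultdict(deque)   # ip -> timestamps of recent SSH failures
    compromised = {}             # ip -> time of the brute-force success
    for ev in events:
        ip, ts = ev["ip"], ev["ts"]
        if ev["source"] == "sshd":
            window = fails[ip]
            while window and ts - window[0] > FAIL_WINDOW:  # expire old failures
                window.popleft()
            if ev["outcome"] == "fail":
                window.append(ts)
                continue
            # A success preceded by enough recent failures is the classic signal.
            if len(window) >= FAIL_THRESHOLD:
                alerts.append({"rule": "ssh_bruteforce_success", "severity": "high",
                               "ip": ip, "user": ev["user"], "ts": ts,
                               "failures": len(window)})
                compromised[ip] = ts
            window.clear()
        elif ev["source"] == "web":
            t0 = compromised.get(ip)
            if (t0 is not None and ts - t0 <= FOLLOWUP_WINDOW
                    and ev["method"] == "POST" and ev["path"].startswith("/admin")):
                alerts.append({"rule": "admin_access_after_ssh_bruteforce",
                               "severity": "critical", "ip": ip, "ts": ts,
                               "path": ev["path"]})
    return alerts


def run_demo():
    return correlate(normalize(AUTH_LOG, WEB_LOG))


if __name__ == "__main__":
    for a in run_demo():
        print(a["severity"].upper(), a["rule"], a["ip"], a["ts"].isoformat())
```

On the sample data the engine raises two alerts for 203.0.113.7 (four failures inside the window followed by a success, then the admin POST nine seconds later) and nothing for 198.51.100.4, whose single failure has expired from the window by the time the key-based login succeeds. The second rule is the point of cross-source correlation: neither log on its own shows anything a single-source rule would flag as critical.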
The main priorities and activities carried out
The Security Operations Center performs various IT security functions, depending on the characteristics of each company and the organizational types described above. The main activities carried out by a SOC are prevention, protection and detection of threats to the company's IT security.
Prevention
The prevention activities carried out by the SOC include research, development and updating of the IT systems used by the company, and threat intelligence activities, which can in turn be delegated to highly specialized suppliers. From the prevention point of view, the SOC is also responsible for coordinating and delivering the internal training of employees, in order to build an adequate IT security culture and avoid trivial incidents caused by careless or malicious actions by staff on their endpoints.
Protection
Protection consists largely of active monitoring of systems, in order to identify and resolve possible threats. In its more advanced form (level 2), the SOC must also perform incident response, the discipline of reacting successfully to a security incident by identifying the cause and magnitude of the attack, mitigating it and eradicating the malicious agents from corporate systems. The SOC's responsibilities therefore also include backup and recovery activities, useful for restoring systems to the operating condition that preceded the incident. In general terms, the SOC can therefore perform the functions of an IRT (Incident Response Team), starting from the definition of an IRP (Incident Response Plan) and its correct execution, including the testing and exercise phases. The IRP must be constantly updated on the basis of the indicators received through triage, i.e. the constant analysis of logs, the network and the endpoints.
Detection
Detection here refers above all to the proactive component of security activities, useful both for prevention and for investigation, to identify and resolve with certainty the vulnerabilities present in the network and in IT systems. The proactive approach is embodied in the fundamental activity of vulnerability assessment and penetration testing, typical of a level 3 SOC. A fundamental aspect is the reporting and auditing phase of these activities, which must be organized and carried out so as to be useful not only for resolving a single incident but for the progressive improvement of all the systems that guarantee the company's security.