Understanding SOC Essentials for your Business
Security operations are evolving and staying up to date is crucial to ensure you SOC is operating in the most effective way.
Security operations centres (SOCs) are core functions for many organisations today, allowing them to monitor and respond to cybersecurity threats. In the era of hybrid working, they have evolved to meet a growing range of challenges.
Whatever the size of your business and how your SOC is structure there are some important evolutions to consider in the way the SOC operates today.
What is a SOC?
A SOC is a centralised hub in an organisation focused on monitoring and improving its security posture. It is designed to prevent cybersecurity incidents, while it also plays a role in detecting, analysing and responding to such events. The centre usually comprises a manager, analysts and incident responders, as well as threat hunters and other cybersecurity professionals. They may be in-house or accessed on an ‘as-a-service’ basis.
A SOC’s “bread and butter nowadays is security event monitoring”, said John Fokker, head of threat intelligence at Trellix. The centres ensure an organisation has the right procedures and capacity to continuously monitor the state of the network, through network traffic, systems logs and so on.
More advanced SOCs can also provide a threat hunting capability, Fokker explained. Threat intelligence is a vital focus for the centres, he said, including threat modelling and studying threat actors. “If I look at my organisation, who would be my most likely adversary? How do they operate? How does my control stack up and how can I improve it?”
Why the SOC is Changing
SOCs today face a very different environment to pre-pandemic days, Fokker said. “We're doing zoom meetings, we're collaborating on teams, we have all these additional tools … they are faced with a more hybrid environment with a lot of cloud involvement. We’ve moved from providing security alerts to proactively securing data assets.”
Attack surface monitoring has also expanded to include edge computing, he noted, which is a particular focus for ransomware actors today. “A lot of the SOCs we engage with are very keen in finding vulnerabilities in edge [systems] and making sure that they are patched.”
A major priority when establishing a SOC is to ensure it can ingest rich and valid data, said Ron Culler, VP and cyber learning officer at CompTIA. “Without that you can’t process anything – you can’t detect and you can’t investigate, remediate or report on anything.”
Initially, SOCs focused on areas like intrusion detection systems (IDS). Their detection capacity has evolved over time, Culler said, with the ability to report on incidents, while the eventual goal is for the systems to be highly automated, though this is some way off, he noted.
“With events over the last few years and the amount of organisations that have to deal with remote workforces, that has really stretched a lot of SOCs’ capabilities,” he said. “You’re now having to figure out how to monitor and manage and remediate devices on networks you have no control over.”
Extended detection and response (XDR) capabilities are improving SOCs’ capacity to handle such threats, he said, along with expanding AI and machine learning capabilities, which provide “smarter processing and determination of events.”
Culler believes SOCs will expand their ability to deploy lightweight services to monitor remote workers. “That ship has sailed – most organisations are not going back to a fully contained perimeter.”
Register for Europe’s leading cybersecurity event
Join us at London ExCeL, 4-6 June, for three days of learning, networking, discovering and exploring all things Infosecurity.
Proactive Approaches Infused with AI
The aim is to focus on threat hunting and detection, avoiding the need for incident response and remediation, a time when something has already gone wrong, explained Deryck Mitchelson, EMEA CISO at Check Point Software. He added that there is a growing focus on improving general cyber hygiene so that organisations encounter far fewer issues.
“This means they’re getting much less in the way of false positives,” he noted.
Mitchelson also pointed to the changing nature of work, with many organisations now pursuing a hybrid working model.
“There’s so much data coming through that your standard analyst teams can’t cope with it,” he said. “They’re having to rely a lot more on machine learning and AI. There’s a lot of hype around that but it’s still relevant to making better decisions.”
SOCs will, over time, use this automated capacity not just to detect but to remediate threats, Mitchelson believes.
“We’re starting to see a lot more of that in the cloud with auto-remediation of misconfigurations or issues,” he explained. “The threat surface is so large now that you can just keep adding bodies to the SOC. We’re at the stage where bodies are not the answer, it really is to do with automation, efficiencies and simplification.”
This does not mean that traditional skills are going away, he said. Analysts will still be needed, particularly when it comes to complex queries. However, AI could help them avoid becoming bogged down in phishing or other email-related problems; these often take up 20% of the time of many SOCs Mitchelson works with.
“That creates a huge amount of work for a security operations team,” he said. “You need to try and simplify these things.”
One Goal Against Ransomware
While the size of a SOC team and the way the service is delivered depends on the organisation concerned, “the main driver is to very simply detect malicious behaviours in the organisation’s environment,” commented Chris Meenan, vice president of product management for IBM security. For all organisations, ransomware continues to be a highly prevalent actor vector.
“That’s because [ransomware is] just so effective and so many organisations aren’t fully protected against those types of attacks,” he said. “Their data is overly exposed, they don’t do back-ups regularly, they don’t have their endpoints properly protected.”
He also pointed to the expanding use of Cloud services, which has driven an increased attack surface for threat actors to target. “That expanding attack surface is really starting to change the way SOCs think about their priorities and their tooling and their processes.”
This has led to a growing focus on attack surface management (ASM) he said, which can provide key insights into the attacker’s perspective.
“At the minute, security teams don't often know what the attackers are looking at, or even what cloud services they're using, what cloud infrastructure they're using. Understanding that attack surface, how the attacker is looking at their infrastructure is really important,” Meenan said.
As the user experience increases in its complexity and diversity, so the workflows must become more unified and streamlined to help them cope. “That user experience and analyst workflow is an area that we think is going to evolve quite dramatically over the next few years with a real focus on simplicity, automation, and AI to help analysts see what's most important for them to take action on and help them take action in a very confident way.”
Finally, Meenan said he anticipates a greater reliance on security being delivered from the Cloud, using open standards and APIs to integrate systems. “We will see that evolve much more…it will all be made available from the click of a button in the cloud.”
Enjoyed this article? Make sure to share it!
Latest Articles
Keep up to date with the latest infosecurity news and trends in our latest articles.
Stay in the know
Receive updates about key events, news and recent insights from Infosecurity Europe.
Looking for something else?