A security operations center (SOC), also called an information security operations center (ISOC), is a central location where an information security team monitors, detects, analyzes, and remediates cybersecurity incidents, typically around the clock, 365 days a year.
The security team, made up of security analysts and engineers, monitors all activity on servers, websites, databases, networks, applications, endpoints and other systems for the sole purpose of detecting potential security threats and averting them as quickly as possible. In addition, staff monitor relevant external sources (e.g., threat lists) that could have an impact on the organization’s security posture.
The scope of a SOC is not limited to detecting threats, but also extends to analyzing them, investigating the source, reporting on vulnerabilities discovered, and preventing similar incidents in the future. In other words, the team handles issues in real time while continuously looking for ways to optimize the company’s security posture.
There are also GSOCs (Global Security Operations Centers) that coordinate security offices located all over the world. If your company has offices across the globe, it may make sense to establish a GSOC (rather than SOCs at each location) to avoid repetitive tasks and functions, reduce overhead, and give the security team a comprehensive view of what is happening across the enterprise.
Below, we discuss the basic functions of a SOC or GSOC, as well as important considerations when setting up a SOC.
Cyberattacks are causing more and more damage to businesses. In 2018, billions of people were affected by data breaches and cyberattacks, and consumer confidence in companies’ ability to protect their privacy and personal data declined. Nearly 70 percent of consumers believe companies are vulnerable to hacking and cyberattacks and also say they are less likely to start or continue business relationships with companies that have already experienced data breaches.
Simply put, SOCs provide assurance that threats are detected and averted in real time. Broadly speaking, SOCs can:
These benefits are invaluable because they literally keep your business running. But is a SOC really absolutely necessary? If your company is subject to government or industry regulations, has suffered a security breach, or stores sensitive data such as customer information, the answer is a resounding yes.
The SOC provides leadership in real-time incident response, promotes ongoing security improvements, and protects the organization from cyber threats. Using a complex combination of appropriate tools and personnel to monitor and manage the entire network, a well-functioning SOC can perform the following tasks:
The SOC uses a number of tools that collect data from across the network and from various devices, monitor for anomalies, and alert employees to potential threats. However, the scope of the SOC goes beyond simply responding to acute problems that arise.
What is the function of a SOC when it is not detecting threats? The SOC is tasked with uncovering vulnerabilities inside and outside the organization through ongoing software and hardware vulnerability analysis, as well as actively gathering threat intelligence on known risks. Even when there are no active threats at the moment (which is rare given that a hacking attack occurs about every 39 seconds), SOC staff proactively look for ways to improve the security posture. Vulnerability assessment also includes actively attempting to penetrate one’s own systems (penetration testing). In addition, security analysis is a core task of SOC staff: making the best use of the security tools available in the company and determining what works and what does not.
The SOC is staffed by highly qualified security analysts and engineers, as well as managers who ensure that everything runs smoothly. These are professionals who have been specially trained to monitor and manage security threats. Not only are they trained to use a variety of security tools, but they also know the specific procedures to follow in the event of an infrastructure breach.
Most SOCs prefer a hierarchical structure for handling security issues, ranking analysts and engineers based on their qualifications and experience. For example, a typical team might be structured as follows:
While the SOC focuses on monitoring and analyzing a company’s security status and detecting any threats around the clock, 365 days a year, a NOC, or Network Operations Center, primarily ensures that the network’s performance and speed meet requirements and that downtime is minimized.
SOC engineers and analysts keep an eye out for cyber threats and attack attempts so they can respond before a company’s data or systems are compromised. NOC staff, on the other hand, look for problems that could throttle network speeds or cause downtime. Both aim to use proactive, real-time monitoring to prevent problems before they affect customers or employees. In addition, both are looking for ways to make continuous improvements so that similar problems don’t occur again.
SOCs and NOCs should work hand-in-hand to manage major incidents or crisis situations. In some cases, SOC functions also reside within the NOC. NOCs may well be able to identify and respond to some security threats, especially related to network performance, if staff are properly trained and looking for those threats. Conversely, a typical SOC would not be able to detect and address network performance issues without investing in different tools and skills.
Best practices for running a SOC include: developing a strategy, creating enterprise-wide visibility, investing in the right tools, hiring and training the right people, maximizing efficiency, and designing your SOC to meet your specific needs and risks.
Develop a strategy: a SOC is a significant investment because so much depends on your security planning. When developing a strategy that meets your security needs, ask yourself the following questions:
Create visibility across your entire enterprise: Your SOC must have access to all elements that could impact security, even if they seem small and insignificant at first. In addition to the larger infrastructure, this includes device endpoints, systems controlled by third parties, and encrypted data.
Invest in appropriate tools and services: When building your SOC, focus on the tools first. Without proper automated tools to reduce the “noise” and bring the most important threats to the forefront, you will struggle to manage the flood of security events. Specifically, you should invest in the following tools:
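The two passages above describe what SOC tooling does in practice: collect events from across the network, watch them for anomalies, raise an alert when a threshold is crossed, and then reduce the noise so that the most important alerts surface first. The following is an added illustration written for this article, not code from the article or from any SOC product. It runs a simple brute-force rule over a handful of constructed SSH authentication lines (the IP addresses are documentation ranges and the rule names, thresholds and severities are assumptions chosen for the example), suppresses repeat alerts for the same source, escalates when a successful login follows a burst of failures, and ranks the resulting alerts by severity.

```python
"""Minimal SOC-style detection and triage over constructed log lines (example only)."""
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample input, not real logs. Three sources: a fast burst that ends in a
# successful login, a single typo by a normal user, and slow, spread-out failures that
# stay below the burst threshold.
SAMPLE_LOG = """\
2024-03-01T10:00:01 sshd[101]: Failed password for invalid user admin from 198.51.100.7 port 51000 ssh2
2024-03-01T10:00:03 sshd[102]: Failed password for root from 198.51.100.7 port 51001 ssh2
2024-03-01T10:00:05 sshd[103]: Failed password for root from 198.51.100.7 port 51002 ssh2
2024-03-01T10:00:07 sshd[104]: Failed password for root from 198.51.100.7 port 51003 ssh2
2024-03-01T10:00:09 sshd[105]: Failed password for root from 198.51.100.7 port 51004 ssh2
2024-03-01T10:00:12 sshd[106]: Accepted password for root from 198.51.100.7 port 51005 ssh2
2024-03-01T10:05:00 sshd[107]: Failed password for alice from 192.0.2.10 port 40000 ssh2
2024-03-01T10:05:30 sshd[108]: Accepted password for alice from 192.0.2.10 port 40001 ssh2
2024-03-01T11:00:00 sshd[109]: Failed password for bob from 203.0.113.5 port 42000 ssh2
2024-03-01T11:30:00 sshd[110]: Failed password for bob from 203.0.113.5 port 42001 ssh2
2024-03-01T11:59:00 sshd[111]: Failed password for bob from 203.0.113.5 port 42002 ssh2
2024-03-01T12:20:00 sshd[112]: Failed password for bob from 203.0.113.5 port 42003 ssh2
2024-03-01T12:40:00 sshd[113]: Failed password for bob from 203.0.113.5 port 42004 ssh2
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<outcome>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

SEVERITY_RANK = {"critical": 3, "high": 2, "medium": 1, "low": 0}


@dataclass
class Event:
    ts: datetime
    outcome: str
    user: str
    ip: str


@dataclass
class Alert:
    rule: str
    severity: str
    ip: str
    detail: str


def parse_events(text):
    """Turn raw log lines into structured events; lines the rule cannot read are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            events.append(Event(datetime.fromisoformat(m["ts"]), m["outcome"], m["user"], m["ip"]))
    return events


def detect(events, threshold=5, window=timedelta(seconds=60), follow=timedelta(minutes=5)):
    """Sliding-window brute-force rule (hypothetical thresholds).

    - 'ssh_bruteforce' (high): at least `threshold` failures from one source inside `window`.
      Only one alert is raised per source for a burst, which keeps repeat failures from
      flooding the queue.
    - 'bruteforce_then_success' (critical): a successful login from that source within
      `follow` of the burst, which is the case an analyst must see first.
    """
    failures = defaultdict(deque)   # ip -> timestamps of recent failures
    burst_seen = {}                 # ip -> time the burst was first detected
    alerts = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.outcome == "Failed":
            q = failures[ev.ip]
            q.append(ev.ts)
            while q and ev.ts - q[0] > window:   # drop failures outside the window
                q.popleft()
            if len(q) >= threshold and ev.ip not in burst_seen:
                burst_seen[ev.ip] = ev.ts
                alerts.append(Alert("ssh_bruteforce", "high", ev.ip,
                                    f"{len(q)} failed logins within {int(window.total_seconds())}s"))
        else:
            burst_at = burst_seen.get(ev.ip)
            if burst_at is not None and ev.ts - burst_at <= follow:
                gap = int((ev.ts - burst_at).total_seconds())
                alerts.append(Alert("bruteforce_then_success", "critical", ev.ip,
                                    f"login as {ev.user} succeeded {gap}s after brute-force burst"))
    return alerts


def triage(alerts):
    """Order alerts so the most severe reach the analyst first."""
    return sorted(alerts, key=lambda a: SEVERITY_RANK[a.severity], reverse=True)


def run(text):
    return triage(detect(parse_events(text)))


if __name__ == "__main__":
    for a in run(SAMPLE_LOG):
        print(f"[{a.severity.upper():8}] {a.rule:24} {a.ip:15} {a.detail}")
```

With the sample input only the 198.51.100.7 burst produces alerts, ranked critical first; alice's single typo and bob's five failures spread over 100 minutes stay below the threshold. That last case shows the trade-off the article points at: a window tight enough to keep the queue quiet will miss slow, patient attempts, which is why such rules are tuned and paired with longer-horizon correlation rather than used alone.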
Hire and train qualified professionals: Hiring qualified employees and providing them with ongoing training is a key component of success. The market for security professionals is highly competitive. Once you have succeeded in hiring qualified employees, you should continuously invest in their further training. In doing so, you will ensure greater security, higher motivation, and stronger employee loyalty. Your team needs to be knowledgeable in the following areas: application and network security, firewalls, information assurance, Linux, UNIX, SIEM, and security engineering and architecture. For the highest-level security analysts, the following qualifications are desirable:
Review all of your options: The following are the most common types of SOCs.