
What is a Security Operations Centre?

CREST

Introduction

A Security Operations Centre (SOC) is a team created to protect organisations from cybersecurity breaches by identifying, analysing and responding to threats. SOC teams comprise management, security analysts, and security engineers. A SOC liaises closely with an organisation’s business and IT operations teams. Of course, it’s vital to communicate to all staff within any organisation that security is everyone’s responsibility; a SOC is simply the central point for management of security issues.

According to an IBM-commissioned report, Cost of a Data Breach 2021, the average cost of a data breach among those surveyed is US$4.24m, reflecting a 10% increase in reported average cost, year-on-year. The report also revealed the average time for respondents to identify and contain a breach is 287 days.

Clearly, there is work to be done in better securing organisational data — and that’s where the emerging and evolving concept of a Security Operations Centre (SOC) comes in.

To keep ahead of threats and monitor and respond to them, there’s a growing need for a joined-up response, comprising security professionals, good technology and appropriate processes and procedures.

But before we get into the critical functions of a Security Operations Centre (SOC), it’s crucial to outline the broad functions of a SOC.

There is a myriad of descriptions of what comprises a SOC. This paper is an attempt to define what the critical functions of a SOC are, to help better understand what a Security Operations Centre does, and how it fits into the wider organisation and society.


Building blocks

A Security Operations Centre is a centralised business unit that deals with security issues at both the organisational and technical level. It comprises three building blocks: people, processes, and technology, for managing and enhancing an organisation’s security posture.

Governance and compliance provide a framework, tying together these building blocks.

SOC staff monitor an organisation’s information systems using telemetry from various sensors throughout the infrastructure.

A SOC is responsible for an organisation’s overarching cybersecurity, which can include prevention and incident response (IR). By its very nature, a SOC forms a crucial part of an organisation’s compliance and risk management strategy.

Security Operations Centres tend to have a much broader scope of responsibility than the more specialised CIRTs (Cyber Incident Response Teams). Many companies only have a SOC team, but no CIRT. It is also common for IR specialists to fall under the SOC umbrella rather than as part of a dedicated CIRT.

SOCs can be internal, external (managed), virtual or hybrid, involving a combination of in-house engineers and an external Managed Security Service Provider (MSSP), more of which later.

A SOC’s primary functions include:

• To understand the physical and digital assets, systems, risks and vulnerabilities of the organisation’s environment
• Monitoring the security of business assets, including the network, users, and systems
• Data collection and correlation
• Threat detection, including identifying anomalies, threat hunting capabilities, and the use of behavioural analysis tools and techniques
• Alert triage to analyse and prioritise alerts
• Incident analysis, assessing the severity of the threat, and the impact it may have on the organisation to formulate an appropriate response
• Incident review to gather information about attack patterns and techniques, to assess the need for more monitoring rules

Vulnerability management and firewall management may not be considered primary functions of a SOC, but they are often incorporated.

People, Technology, Process

If we agree that a SOC comprises people, technology and process, it’s worth taking a moment to better understand what’s meant by this.

In terms of People — this means the human resources that are required within a SOC to understand the output and context of information received via use of technology. Your people — talent — need to hold a deep understanding of the risk posed to the business.

The people involved in a SOC must be predominantly experienced security professionals with the ability to understand, triage (prioritise) and investigate security incidents from a selection of appropriate tools, including Security Information and Event Management (SIEM), Endpoint Detection and Response (EDR), and Security Orchestration, Automation and Response (SOAR), for example.

A contemporary SOC team must be capable of progressively and continuously adding detection capabilities within the tools used and mapping them against known frameworks, such as MITRE ATT&CK.

From a Technology perspective, we mean the tools that receive and allow analysis of logs or data from source systems to ascertain if a potential security incident is occurring. Typically, this is known as a Security Incident and Event Management (SIEM) platform.

It also includes the technology required to glean (threat) intelligence, either through tools or collected and enriched separately. In more mature environments, there may also be technology in place, in terms of tools, or the ability to action a response to respond to alerts and provide some form of containment (as a minimum).

Finally, Process revolves around creating a set of plans or processes that tie together the technology and capabilities of a SOC. These plans should incorporate the business objectives and strategy.

By consolidating security experts and relevant data into a central location — the SOC — threats are quickly identified and dealt with more efficiently and effectively. A SOC leverages people, processes, and technology to reduce cyber security risks, via improving organisational security, information and communication.


The purpose of a SOC and why you need one

“A security operations centre (SOC) can be defined both as a team, often operating in shifts around the clock, and a facility dedicated and organised to prevent, detect, assess and respond to cybersecurity threats and incidents, and to fulfil and assess regulatory compliance.”
Gartner

Having briefly outlined what a SOC is, we should now consider its purpose.

For small organisations, it may not make (financial) sense to create a dedicated internal SOC team. But as organisations grow, so do the risks and cost of cyberthreats. Failing to prepare, organise and arm a team of qualified security operations professionals can become an expensive mistake.

This is especially true among organisations that deal with sensitive information, such as financial information, health records or trade secrets.

Today, a majority of organisations need a formal organisational structure — a SOC — that holds responsibility for threat detection and response or Active Defence. A SOC forms the operational side of cybersecurity threat management.

There needs to be an efficient process for detection, mitigation and prevention of threats in place.

SOC teams hold dual core responsibilities:

1. Maintaining security monitoring tools

A SOC should maintain and update tools regularly and be aware that monitoring rules continually evolve with the threat landscape. It’s crucial that tools and technology are managed, as without them, a SOC cannot hope to adequately secure organisational systems and infrastructure.

2. Investigation of suspicious activities

The purpose of your 24/7/365 SOC team is to investigate suspicious and / or malicious activity within the organisation’s networks and systems. SIEM software or analytics software will issue alerts which the SOC team must then analyse, triage and ascertain the extent of the threat.

A SOC helps safeguard a business from cyberattacks, preventing disruption that may relate to, or be caused by, cyberattacks and works towards continuous improvement of cyber security resilience.

Active, continuous monitoring for security threats and appropriate responses to those threats is a key function of any SOC.

Security events must be collated, and appropriate notification efficiently disseminated to relevant stakeholders. A SOC needs the relevant resources to interpret, validate and respond to threats, to neutralise them.

Intelligence must be gleaned from multiple sources, then enriched or validated (via automated and / or human means) to gain better contextual awareness or reduce the threat level to the organisation.

Creating a SOC means a higher level of incident response, thanks to around the clock operations, coupled with developing greater threat intelligence and rapid analysis.


When to create a SOC

You may have some form of operational security now, but there are many reasons to re-evaluate the effectiveness and capabilities of what it provides the organisation, including:

• The organisation is handling more sensitive data
• The threat landscape has changed, or become more concerning, and requires improved security
• The organisation (or attack surface) has grown larger — and bear in mind the security issues surrounding remote working
• Your current managed security service provider (MSSP) doesn’t deliver the capabilities needed by the business

Reducing complexity

Although developing and creating a SOC can represent a major cost, in the long run, such a facility prevents the cost of reactive, ad hoc security measures, and, of course, protects from the financial damage caused by breaches.

Having a SOC embedded in your organisation will also naturally reduce the complexity of investigations, as SOC teams can streamline their investigative efforts, by coordinating data and information from a variety of sources. With full visibility into the network environment, for example, SOC teams can simplify drilling down into logs and forensic information.

Up to September 2021, there were 1,291 data breaches — compared to 1,108 breaches in 2020. (Security Magazine)

A 2019 Ponemon / IBM report suggested it takes the average US company an enormous 206 days to detect a breach — plus another 73 days on average to remedy the breach. We already know this figure, according to another IBM report in 2021, has risen to a higher total of 287 days.

And the costs run into millions of dollars. A breach lifecycle of more than 200 days is 37% more expensive than a breach lifecycle of less than 200 days (US$4.56 million vs $3.34 million).

Further, the 2019 report reveals:

• Security automation technologies could potentially halve the financial impact of a breach
• Extensive use of encryption can reduce total cost of a breach by US$360,000
• Data breaches cost companies around US$150 per lost or stolen record
• Breaches originating from third-parties cost organisations US$370,000 more than average
• Companies with fewer than 500 employees suffered average losses of more than US$2.5 million

Around two thirds (67%) of the financial impact of breaches is felt within the first 12 months, 22% in the next year and 11% in the third year after the incident. Long-tail costs are more acute in highly regulated industries such as financial services, healthcare and energy.

At present, not every organisation has a SOC, or understands the requirement for one. A CREST internal survey revealed increasing boardroom buy-in to the concept, but there is a gap in understanding and funding for a fully functioning SOC.

While there are myriad reasons why a SOC might be required, some examples include:

• Maintaining the confidentiality and integrity of sensitive data — accessible by staff on the premises, by remote staff, or by customers and partners
• When running an online service for the public
• In organisations with dispersed offices, where a unified security function delivers cost savings
• In situations where large amounts of (sensitive) data need to be shared with other organisations (such as finance, health and government)
• Where a single point of visibility over all threats is required

Core processes a SOC should deliver include:

Alert triage — Collecting and correlating log data, the SOC provides tools that allow analysts to review that log data and detect security issues.

Alert prioritisation — SOC analysts use their knowledge of the organisation, the wider business environment and the threat landscape to prioritise alerts and rapidly ascertain which events represent real security incidents.

Containment — On discovering an incident, SOC staff are responsible for threat mitigation and escalating it for remediation and recovery.

Reporting — Documenting the organisation’s response to an incident.


In developing a SOC, there needs to be preliminary work around understanding organisational needs, the landscape in which it operates and any weak points from a cyber security perspective.

A SOC cannot function in isolation, although it functions as the operational part of organisational security; typically separate from policy defining and audit / compliance and governance elements.

There are several issues which need to be defined, including:

• A strategy and objectives
• Inventory, budget and resources allocation
• Capabilities
• Timeframe, and
• Technology required.

Only then may a SOC be formed that is closely aligned to the business, rather than following generic guidelines or mirroring other existing SOCs.


What a SOC does

A SOC’s primary function is security monitoring. This task involves centralised collection and correlation of log data from all elements of the infrastructure, applications and endpoints, which is then used to identify any deviations from the ‘norm’. This log data can be collected from cloud infrastructure, intrusion detection systems, firewalls, web applications, active directory servers, anti-virus software and industrial control systems, for example.

The SOC needs to monitor any system which can provide insight into the security or status of the organisation’s network and systems connected to it.

There are no clear benchmarks or frameworks to base the organisation or function of a SOC on.

However, in 2019, Gartner launched its Continuous Adaptive Risk and Trust Assessment (CARTA) framework, developed from the realisation that a black and white way to monitor threats was simply not enough.

Gartner sees CARTA as a strategic approach for organisations to manage evolving digital world risks by deploying security that moves at the speed of digital business. It suggests the SOC must move away from an ‘allow / deny’ gating model towards a far more dynamic, context-aware and adaptive structure.

While CARTA can be a useful starting point in any approach to organisational information security, when ascertaining which type of information to collect, which systems to collect information from and which correlation method to use, the most important aspect is to focus on information relevant to your organisation — rather than on what is considered customary to collect.

Critical functions of a SOC can ultimately be boiled down to a brief list:

Awareness of all IT assets — hardware, software and information or data. Your SOC should have a full, detailed picture of every element running on your infrastructure, including its owner and criticality, to assist in understanding developing threats to them. Assets must include everything, from cloud services to physical infrastructure.

Log management. Traffic, incidents and anything of interest must be continuously monitored and logged, so the organisation and any authorities can complete forensics if an incident or breach occurs.

Proactive detection of malicious network and system activity. Probably the most critical function of a SOC. Organisations need to know as quickly as possible if there is a breach — or chance of a breach — and what urgent action to take. You don’t want to wait the average 206 days it takes US companies to detect a breach.

Vulnerability management. Again, constant work to assess any potential gaps in your network allows for holistic oversight in terms of organisational vulnerabilities, and which areas might be most vulnerable to existing and emerging threats before you get hit with them.

Threat awareness. Simply put, maintaining keen, constant awareness of the ever-evolving threat landscape allows your SOC to tweak defences — both physical and virtual — before any threat hits the organisation.

SOCs can be involved in most of the incident management process. This might include:

• Integration, management and review of traffic feeds
• Protective monitoring
• Initial triage and analysis
• Alerting and response
• Incident management
• Root cause analysis
• Correlation management.

But before creating a SOC, there must be agreement across the organisation on what constitutes an EVENT and what constitutes an INCIDENT. This is obviously of crucial importance for the security analysts.

Events

An event can be described as any activity that is deemed important to monitor. Individual events may not be considered unusual and may just be day-to-day activity needed to identify anomalies, whilst others may be indicators of an issue, for example virus detection. Events might include:

• Server logs, including log-on activity
• Firewall traffic logs
• Proxy logs
• Anti-virus or EDR logs


Incidents

Meanwhile, an incident is seen as something that is potentially or actually a threat or a violation of information security policies or standards. NIST describes incidents as: “An occurrence that actually or potentially jeopardizes the confidentiality, integrity, or availability of an information system or the information the system processes, stores, or transmits or that constitutes a violation or imminent threat of violation of security policies, security procedures, or acceptable use policies.”

Incidents might include:

• Unauthorised use of system privileges
• Denial of Service attacks on a web server
• Sending malicious files to a targeted user
• Stealing sensitive information and blackmailing the owners

As soon as a security incident is confirmed, a SOC acts as ‘first responder’. SOC analyst staff will perform tasks such as shutting down or isolating endpoints, terminating any harmful processes (or preventing them from executing) and deleting files, for example.

The overarching aim should always be to respond to the correct, required extent deemed necessary, while ensuring minimal impact on business continuity.

Incident management process flow

Log the incident

First steps must always be to inform relevant parties of the identified incident, via appropriate pre-agreed channels. A SOC team member from the incident handling team should be charged with responsibility for capturing all necessary details and data related to the incident and reporting it.

Classification

Classifying incidents under pre-agreed and understood categories will speed up the incident handling process and save time for deeper investigation.

Prioritise incident

Assigning proper priority to an incident ticket ensures the incident is addressed in a timely fashion.

Investigate and diagnose

When an incident occurs, the incident response team should perform a deep analysis of the incident and create a report.

Incident closure

The primary goal of incident management is to resolve it swiftly and efficiently. Closing the ticket after effective communication to concerned parties is a crucial step in the incident handling process.

Remit of the SOC

While each SOC management team should decide on the exact functions required, the decision as to the remit of any SOC includes, but is not limited to:

• Budget
• Whether a third-party supplier is used
• Willingness to share information feeds with a commercial supplier
• Internal willingness and / or capability to perform forensic investigations
• How business continuity is managed
• Whether the SOC is internal or external (or hybrid)
• Existing understanding of the range of threats
• How bespoke the SOC functions need to be — a generic set up will be less costly

While detecting and responding to (cyber) threats and keeping data held on corporate systems and networks secure are primary functions of any SOC, there are broader functions, too. These include increasing (network and organisational) resilience by perennial study of the changing threat landscape (both malicious and non-malicious, internal and external).

There is also a need for a level of expertise within the SOC team that is sophisticated enough to identify and address negligent or criminal behaviours.

Finally, creating a bank of business intelligence regarding user behaviours to help shape and prioritise technology development is a crucial element of a contemporary SOC.

SOCs are often built with several functions — commonly thought of as a hub-and-spoke architecture. Around the central SOC hub, the ‘spokes’ could include vulnerability assessment solutions, governance, intrusion prevention systems (IPS), user and entity behaviour analytics (UEBA), endpoint detection and remediation (EDR), risk and compliance (GRC) systems, application and database scanners, and threat intelligence platforms (TIP).

Size of a SOC

The exact size of your SOC depends on the nature and size of your business. Organisations with more critical sensitive data, such as those in healthcare or financial services, should consider larger teams, and more hardware and software investment.

In a paper, the Dutch National Cyber Security Centre advises starting small. A small SOC can then grow and evolve with the organisation; while ensuring “the planning, roadmap and implementation of a future SOC are realistic.”
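The event-versus-incident distinction, alert prioritisation against asset criticality, and the log / classify / prioritise / close ticket flow described above, worked through as an added example that is not part of the CREST paper. The host names, asset inventory, log lines and the failed-logon threshold are constructed for illustration.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed asset inventory (hypothetical hosts): owner and criticality 1..5,
# the "full, detailed picture" of assets the paper asks a SOC to hold.
ASSETS = {
    "web01": {"owner": "e-commerce", "criticality": 3},
    "fin-db01": {"owner": "finance", "criticality": 5},
    "ws-042": {"owner": "marketing", "criticality": 1},
}

# Constructed sample telemetry from the source types the paper lists:
# server log-on activity, firewall traffic, proxy and anti-virus logs.
SAMPLE_LOG = """\
server web01 logon user=svc_web result=success
server fin-db01 logon user=admin result=failure
server fin-db01 logon user=admin result=failure
server fin-db01 logon user=admin result=failure
server fin-db01 logon user=admin result=success
firewall web01 deny src=198.51.100.7 dport=3389
firewall web01 deny src=198.51.100.7 dport=3389
proxy ws-042 allow url=http://intranet.example/timesheets
antivirus ws-042 detection name=Trojan.Generic action=quarantined
"""

LINE_RE = re.compile(r"^(?P<source>\S+) (?P<host>\S+) (?P<action>\S+)(?P<rest>.*)$")
FAILURE_THRESHOLD = 3          # constructed tuning value, not from the paper
SEVERITY = {"unauthorised-access": 4, "malware": 3}  # base severity per category


@dataclass
class Event:
    source: str
    host: str
    action: str
    fields: dict


@dataclass
class Incident:
    category: str
    host: str
    evidence: list               # the events that support the incident
    status: str = "logged"       # logged -> classified -> prioritised -> closed
    priority: str = ""
    notified: list = field(default_factory=list)


def parse_events(text):
    """Every well-formed line is an event: recorded for the baseline, not yet an incident."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed telemetry is left out rather than mis-parsed
        fields = dict(kv.split("=", 1) for kv in m.group("rest").split())
        events.append(Event(m.group("source"), m.group("host"), m.group("action"), fields))
    return events


def correlate(events):
    """Promote correlated events to incidents; firewall denies and proxy allows stay events."""
    incidents = []
    failures = defaultdict(list)
    for ev in events:
        if ev.source == "server" and ev.action == "logon":
            key = (ev.host, ev.fields.get("user"))
            if ev.fields.get("result") == "failure":
                failures[key].append(ev)
            elif len(failures[key]) >= FAILURE_THRESHOLD:
                # repeated failures then success on one account: possible unauthorised use
                incidents.append(Incident("unauthorised-access", ev.host, failures.pop(key) + [ev]))
        elif ev.source == "antivirus" and ev.action == "detection":
            # the paper treats virus detection as an indicator of an issue, not routine noise
            incidents.append(Incident("malware", ev.host, [ev]))
    return incidents


def prioritise(inc):
    """Priority = category severity scaled by the affected asset's criticality."""
    score = SEVERITY[inc.category] * ASSETS.get(inc.host, {"criticality": 1})["criticality"]
    inc.priority = "P1" if score >= 15 else "P2" if score >= 8 else "P3" if score >= 4 else "P4"
    inc.status = "prioritised"
    return inc.priority


def close(inc, stakeholders):
    """Closure is only allowed after the concerned parties have been informed."""
    if not stakeholders:
        raise ValueError("cannot close an incident without notifying concerned parties")
    inc.notified = list(stakeholders)
    inc.status = "closed"
    return inc.status


def run_pipeline(text=SAMPLE_LOG):
    """Log -> classify -> prioritise; closure is a separate, deliberate step."""
    incidents = correlate(parse_events(text))
    for inc in incidents:
        inc.status = "classified"
        prioritise(inc)
    return incidents
```

On the constructed input the two denied firewall connections remain events in the baseline, while the failed-then-successful admin log-ons on the finance database become a P1 incident and the quarantined detection on a low-criticality workstation a P4.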


It goes on to suggest that: “One of the risks of allowing a SOC to grow too quickly is that the amount of information collected exceeds the processing capability of the SOC.”

Scope

While a Security Information and Event Management (SIEM) system — software designed to interpret log data from several sources and correlate it with cyberattacks and other security incidents on the organisation’s network — is widely considered a core tool in the SOC’s arsenal, essential for data analytics and correlation, in many cases, a Security Orchestration, Automation and Response (SOAR) platform — to integrate alert sources with Threat Intelligence — is considered sufficient, or perhaps even just a Managed Detection and Response (MDR) approach.

Threat intelligence (TI) is also key. Threat intelligence is usually defined as information from external sources regarding vulnerabilities and cyber threats. The information is used to assess events relating to systems and within the network.


Key SOC functions

Understanding available resources

A SOC holds responsibility for two asset types — the devices, processes and applications it is charged with safeguarding; and defensive tools at its disposal to ensure proper protection.

The SOC can’t safeguard devices and data it cannot ‘see.’ Visibility and control must be enabled, from devices to the cloud, otherwise there may well be ‘blind spots’ in organisational network security.

A SOC must have a holistic view of the organisational threat landscape, and not only of the endpoints, servers and software used, but also any third-party services and traffic flowing between assets.

A SOC must keep detailed records and maintain full understanding of the cybersecurity currently enabled, along with all the workflows used in the SOC, to increase agility and ensure peak efficiency.

1. Preparation and preventative maintenance

Even well-planned, equipped and agile response processes are no match in preventing problems from occurring. To help keep attackers at bay, the SOC must implement preventative measures, which can be divided into two main categories, as follows:

Preparation

Analysts and staff must keep well informed on the newest security innovations, cybercrime issues and trends, and any new threats on the horizon. This vigilance can help inform the creation of a security roadmap — to deliver direction in ongoing cybersecurity efforts. It can also help formulate a disaster recovery plan — written guidance for worst-case scenarios.

Preventative maintenance

This could include action taken to make successful attacks harder to achieve, which may involve regularly maintaining and updating existing systems; updating firewall policies; patching vulnerabilities and whitelisting, blacklisting and securing applications. However, many of these actions are down to normal infrastructure team activity, and the SOC role merely provides guidance on preventative maintenance and remediation management for vulnerabilities.

2. Continuous proactive monitoring

The SOC’s toolkit should be capable of scanning the infrastructure — such as the network, cloud and endpoints — 24/7/365, and able to flag any inconsistencies or suspicious activity.

Around-the-clock monitoring allows the SOC team to receive immediate notification of emerging threats, which in turn provides the best possible chance of preventing, or at least mitigating, harm.

SOC tools may include:

Security Information and Event Management (SIEM) software. A SIEM solution gathers and analyses activity from different resources across the organisation’s IT infrastructure.

Endpoint Detection and Response (EDR) is another software solution which can detect threats and respond to them. It can analyse the threat and provide analysts with salient information, such as where it emanated from, how it started, which parts of the network it has affected and how to stop it.

Security Orchestration, Automation and Response (SOAR) software helps the SOC team — especially smaller teams — improve efficiency by better managing threats and vulnerabilities, automating repetitive tasks and responding to security incidents. An example of this might be automatically deleting phishing emails from employees’ inboxes.

eXtended Detection and Response (XDR) software collects and automatically correlates data across multiple security layers, such as email, endpoint, server, cloud workload, and network. The most advanced XDR solutions employ behavioural analysis to teach systems the difference between regular day-to-day operations and actual threat behaviour, minimising the amount of triage and human analysis required.

3. Log management

A SOC holds responsibility for collecting, maintaining, and reviewing the log of all network activity and communications for the entire organisation. This data helps define a baseline for “normal” network activity. It can expose the existence of threats and be used for post-incident remediation and forensics.


4. Alert ranking and management

SOC staff must be ready to examine alerts, discard false positives and determine the size and scope of any actual threats and what they’re targeting. This allows for appropriate triage, and the ability to handle the most urgent issues as a priority.

5. Threat response

Upon confirmation of an incident, the SOC must function as first responder, shutting down or isolating endpoints, terminating harmful processes (or preventing them from executing) and deleting files, for example. The goal is to respond to the extent necessary while having as small an impact on business continuity as possible.

6. Root cause investigation

A SOC holds responsibility for ascertaining exactly what happened when, how and why in the event of a cyber security incident. Post-attack / incident investigations should involve using log data and other information to help trace the problem to its source, to help prevent similar issues from occurring in future.

7. Security refinement and improvement

Cybercriminals constantly refine tools and tactics. To keep ahead of them, your SOC team needs to continuously implement improvements. Improvements can include ‘live’ practices such as red-teaming (subjecting the organisation’s plans, programmes, ideas and assumptions to adversarial analysis and challenge), blue teaming (keeping the organisation safe from attackers by understanding their tactics, techniques and procedures (TTPs) and evolving the company’s defences) and purple-teaming, which ensures proper information sharing between Red and Blue teams, maximising their respective and combined effectiveness.

8. Compliance management

Several SOC processes are guided by established best practices. Others are governed by compliance requirements. Regular audits of a SOC’s systems are necessary to ensure compliance with regulations, which may emanate from the organisation, the industry, or governing bodies. Examples include GDPR (General Data Protection Regulation), HIPAA (the Health Insurance Portability and Accountability Act) and the PCI DSS (Payment Card Industry Data Security Standard).

Working within the remit of such regulations helps safeguard the organisation’s sensitive data. Regulatory compliance can also shield the organisation from reputational damage and any legal challenges resulting from an attack.

In short, a SOC monitors, assesses and appropriately reacts to any threats made towards the organisation. Its most critical function is to protect an organisation from threat.


Virtual, managed and hybrid SOCs

It wasn’t very long ago that a SOC was considered something only the largest enterprises should enable. But nowadays, smaller organisations are developing ‘lightweight’ SOCs, especially as the threat landscape evolves and attacks become ever more prevalent.

There are myriad ways to choose how to set up and run an effective Security Operations Centre.

These include the hybrid SOC, a team which brings part-time, in-house staff together with outsourced experts. Another growing option is a virtual SOC, with no physical facilities, which can comprise a team of in-house staff who also work in other roles, or a remote team.

A managed SOC brings all the benefits of a professional cyber security team to your organisation, without the associated full-time costs, and provides a higher level of experience and expertise than might be immediately available to an internal SOC.

Most SOCs operate on a ‘tiered’ basis:

Tier 1 involves monitoring, opening alerts and closing false positives. Staff working at Tier 1 are alert analysts.

Tier 2 involves deeper investigations, mitigation and recommendations. At this level, staff are incident responders.

Tier 3 involves advanced investigations, prevention, threat hunting, forensics and counterintelligence. While Tier 1 and Tier 2 can be handled by regular security analysts, Tier 3 requires expert analysts.

The SOC manager sits above all three tiers.

Below Tier 1 operations, automated investigation and remediation, as a response to well-known attacks, can take place. Tier 1 responses will deliver high speed remediation. Tier 2 responses bring deeper analysis and remediation, while at Tier 3, we see proactive hunting and advanced forensics.

This tiering is helpful in considering whether to create a hybrid SOC model in your organisation.

For example, some companies choose to outsource Tier 1 and 2, 24/7/365, while maintaining Tier 3 level specialists inhouse.

Virtual SOCs (VSOCS)


A virtual SOC (VSOC) has no physical presence, no dedicated facility, nor dedicated infrastructure. A VSOC is a web-based portal built on decentralised security technologies, which allows remote teams to monitor events and respond to threats.

An increasingly popular concept, the VSOC is considered to be a cost-saving SOC, in that the sometimes-significant costs of onsite hardware and other important infrastructure are avoided.

Researching, choosing and purchasing in-house infrastructure for a SOC can be not only daunting, but expensive. Moving to a VSOC environment removes organisational concerns over the time, effort and cost of setting up in-house.

A VSOC team is expected to respond swiftly and reliably in the event of an incident. The expertise already offered via a VSOC’s staff is another issue solved. Creating a SOC in-house comes with staffing and talent cost headaches.

However, VSOCs can seem to deliver a reactive approach. With decentralised technologies and processes, there may well be security gaps — making threat detection and response less efficient.

Consider the challenges of data sovereignty and security when thinking about VSOCs. You must ascertain whether your data includes anything that has residence requirements. Where, then, will it be stored within a VSOC arrangement?

Check whether your proposed VSOC operation is 24/7/365. And remember that using part-time, remote staff can leave gaps in your SOC provision.

Of course, a VSOC can be bolstered using automation, SIEM technology and good analytics.

Outsourcing a VSOC might increase the SOC’s security capabilities and bring greater access to expert resources, but it will reduce internal visibility across the environment. Be mindful that an outsourced SOC may lead to slower response times if an event escalates.

And be mindful that VSOC services can act as an adjunct to your own in-house SOC provision. You might wish to combine both and, as the need for SOC services grows, expand your in-house team.

Managed SOCs

A Managed SOC is one which is outsourced to and managed by a trusted external provider. This means lower costs, access to experienced professionals, and fast response times. Outsourcing your security operations can also mean access to superior technology. Your overstretched IT department will be grateful that your Managed SOC has all the latest hardware and software — the lifeblood of their business, after all. Being wholly responsible for managing threats for a number of organisations means the Managed SOC provider can ill afford to fall behind in terms of equipment, knowledge and expertise.

A Managed SOC will also ensure proper data storage and protection, if required. But, as with the VSOC, the issues surrounding data sovereignty and security must be taken into consideration. Does your data include anything that has residence requirements? Where, then, will it be stored within a Managed SOC?

And who owns the technology used within the Managed SOC at the end of the contract / relationship?

Choosing the right level and style of Managed SOC is crucial, and it’s worth taking the time to do your due diligence. Look for recognised, reputable industry players, which offer high levels of customer service, certified technicians, and around-the-clock support.

Hybrid SOCs
As you’ve probably already ascertained, there are several ways of setting up a SOC, to best suit your needs, budget and level of expected threats. A hybrid SOC is a way of combining different types of SOC provision, as mentioned above.

Outsourcing IT services is hardly a new concept, but it’s worth remembering why we do it: mainly for flexibility, rapid scalability and cost effectiveness.

For example, you might have a small SOC team in-house, working 9-5, but employ a VSOC or Managed SOC provider outside of normal office hours.

You might decide the best model for your organisation is to completely outsource SOC provision, mindful of the tools, expertise and experience you can access from day one.

A hybrid model avoids some of the pitfalls of keeping provision in-house, and of outsourcing SOC services completely. Be mindful that in-house staff can become resentful of external service providers, feeling that their jobs may be under threat. Senior IT staff or your in-house CISO or SOC Manager must ensure good relations between internal and external staff.

It’s also vital to ensure the external service provider (often known as a Managed Security Services Provider, MSSP) is familiar with your organisational culture, operations and functions. There must be a clear contract drawn up to define roles and responsibilities, and to help avoid gaps in security service provision.

Whichever model you choose, communication is perhaps as vital as technology and staff.

SOCs vs CIRT (cyber incident response team)


Years ago, it fell on the IT department to handle security issues. As the threat of cyber attack grew, so did the concept of a SOC, set up to handle organisational cyber security. And with the growth in SOC provision, there arose the concept of the CIRT.

A SOC is the broad, first line of defence, but if and when any threat is identified, this can be escalated to a Cyber Incident Response Team, or CIRT. These teams are sometimes also referred to as a CSIRT, or Computer Security Incident Response Team. It could also be called a CERT (Computer Emergency Response Team).

A CIRT can often comprise senior members of the SOC and is described as a centralised function for information security incident management and response. A CIRT will include security experts holding responsibility for incident management, especially receiving, analysing and responding to security incidents. They can operate independently or come under the guidance of senior SOC staff.

Typically, a CIRT will include security incident response experts, security architects, analysts and engineers, security managers, department heads and C-level operators, including the CISO.

A CIRT’s remit might include:

• Forensic investigation of attack causes, encompassing discovering the attack timeline and lessons learned
• Development of security strategies to assist the organisation’s threat prevention
• Incident management — including creating an incident response plan, to ensure rapid, effective response
• Threat hunting, leveraging threat intelligence from the SOC to detect threats
• Root Cause Analysis (RCA) and remediation

Like a SOC, it might not be appropriate for an organisation to have an in-house CIRT team, but it’s generally considered good practice to keep IR specialists on a retainer, so they can be called upon swiftly in worst-case attack scenarios.

While a SOC can hold responsibility for incident response, it’s better to have a separate CIRT team or function on hand, keeping the SOC team free to continue monitoring and protecting while the current attack is dealt with by the CIRT team. Where there is an internal or external CIRT, the SOC team can — and should — assist the CIRT in gathering all the information needed to deliver an effective response to threats.

Roles within the CIRT should not only include IR expertise, but also legal, marketing and public relations experts — to manage and mitigate the ‘fall out’ from the attack.

The CIRT team, just like the SOC team, can evolve over time. It may initially meet on an informal, ad-hoc basis, but as the organisation, threat landscape and organisational infrastructure grow, it may develop into a full-time function, as needs dictate.

Who should you employ in the SOC?


Staffing

A SOC’s functions are usually overseen by a SOC manager. Such a person should be capable of directing all SOC operations. They hold responsibility for ensuring a clear information flow between analysts and engineers. The SOC Manager is the one who hires; organises and / or delivers training; and creates and executes the agreed cybersecurity strategy. Of course, a SOC manager will also direct and orchestrate organisational response to security threats.

Security analysts are the first line of defence in the SOC, acting as cybersecurity first responders. They can be subdivided into tiers, as described in the table below.

SOC analysts are organised in four tiers. Firstly, Security Information and Event Management (SIEM) alerts go to Tier 1 analysts, who are empowered to monitor, prioritise and investigate such alerts.

Real threats identified by T1 analysts are then passed to a Tier 2 analyst, who should generally hold greater security experience. The T2 analyst will conduct deeper analysis, followed by a containment strategy.

Critical breaches are escalated to the Tier 3 (senior) analyst level, who will then manage the incident. SOC Managers are considered to be Tier 4 analysts, responsible for recruitment, strategy and direct management of SOC staff when major security incidents occur.

The analysts’ role, broadly speaking, is to report any cyberthreats, and implement changes required to continue protecting the organisation. They’re considered the last line of defence against cybersecurity threats, work alongside security managers and cybersecurity engineers, and usually report to the CISO.

Security engineers — software or hardware specialists — are charged with maintaining and updating the SOC’s tools and systems. They should be capable of providing documentation other team members require, such as digital security protocols.

Above these roles there will often sit a CISO — Chief Information Security Officer. This C-suite leadership position holds responsibility for establishing security-related strategies, policies and day-to-day operations. The CISO reports directly to the CIO or CEO, informing and reporting to the board in regard to security issues.

In larger organisations (like multinationals), there may also be a Director of Incident Response (IR), with overall responsibility for managing incidents, and for explaining security requirements to the organisation whenever there is a significant breach.

Role title: Tier 1 Analyst (Alert Investigator)
Required skills and qualifications (for example): Web programming (Python, Ruby, PHP); scripting languages; basic security certifications (CompTIA Security+); sys admin skills.
Day-to-day activities: Configures and manages security monitoring tools. Prioritises and triages alerts and / or issues to determine whether real security incidents are occurring.

Role title: Tier 2 Analyst (Incident Responder)
Required skills and qualifications (for example): Similar to Tier 1, but with greater experience, including IR. Should be capable of advanced forensics, malware assessment and threat intelligence. Ethical hacker certification or training is advantageous.
Day-to-day activities: Receives incidents. Conducts deep analysis. Correlates with threat intelligence to identify the threat actor, nature of the attack, and systems or data affected. Defines and executes strategy for containment, remediation and recovery.

Role title: Tier 3 Analyst (Subject Matter Expert / Threat Hunter)
Required skills and qualifications (for example): More experienced than a Tier 2 analyst, including high-level incidents. Should be acquainted with pen testing tools and cross-organisation data visualisation. Malware reverse engineering, and capable of identifying and developing responses to new threats and attack patterns.
Day-to-day activities: Conducts regular vulnerability assessments and pen tests. Reviews alerts, industry news, threat intelligence and security data. Hunts threats and seeks unknown vulnerabilities and security gaps. When a major incident occurs, teams with Tier 2 Analysts in response and containment.

Role title: Tier 4 (SOC Manager / Team Leader)
Required skills and qualifications (for example): Keen project management skills, incident response management training and strong communication skills.
Day-to-day activities: Hiring and training. Oversees defensive and offensive strategies. Manages resources, priorities and projects. Direct team management when responding to business-critical security incidents. Organisation contact for security incidents, compliance, and all security-related issues.

Role title: Security Engineer (Support and Infrastructure)
Required skills and qualifications (for example): Computer science, computer engineering or information assurance degree. Certifications such as CISSP.
Day-to-day activities: Software and / or hardware specialist, ideally experienced in security aspects of information systems. Creates solutions and tools to help organisations deal with operational disruption. Note: sometimes security engineers are employed within the SOC; other times they simply support the SOC as part of development or operations teams.

Table — Roles within the SOC, edited from https://www.exabeam.com/security-operations-center/security-operations-center-roles-and-responsibilities

Reporting and analysis


Measuring the effectiveness of the SOC
Organisations must measure SOC team performance to continuously improve their processes. Here are a few important metrics that serve to demonstrate the scale of activity in the SOC,
and how effectively analysts are handling the workload.

Metric: Mean Time to Detection (MTTD)
Definition: Average time from the start of malicious activity to the SOC detecting the incident
What it measures: How effective the SOC is in processing important alerts and identifying real incidents

Metric: Mean Time to Respond (MTTR), or Closure / Escalation Time
Definition: Average time from detection until the SOC acts on the incident (contains it, closes it or escalates it)
What it measures: How effective the SOC is at gathering relevant data, coordinating a response, and taking action

Metric: Total cases per month
Definition: Number of security incidents detected and processed
What it measures: How busy the security environment is, and the scale of action managed by the SOC

Metric: Types of cases
Definition: Number of incidents by type: web attack, attrition (brute force and destruction), email, loss or theft of equipment, etc.
What it measures: The main types of activity managed by the SOC, and where preventative security measures should be focused

Metric: Analyst productivity
Definition: Number of units processed per analyst — alerts for Tier 1, incidents for Tier 2, threats discovered for Tier 3
What it measures: How effective analysts are at covering the maximum possible alerts and threats

Metric: Case escalation breakdown
Definition: Number of events that enter the SIEM, alerts reported, suspected incidents, confirmed incidents, escalated incidents
What it measures: The effective capacity of the SOC at each level, and the workload expected for different analyst groups
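The metrics in the table above are easy to name and easy to get wrong in practice: MTTD needs a start time for the attack (which only forensics can supply), MTTR needs a clear definition of what counts as ‘action’, and the escalation funnel needs consistent case statuses. The Python script below is an added example, not part of the CREST guide, that computes each metric in the table from a constructed set of case records. The record layout, analyst names, timestamps and the SIEM event count are all assumptions made for illustration. It reports the median beside each mean, because one long-dwell finding (C-005, discovered by threat hunting) pushes the mean time to detect past 100 hours while the typical case is detected within a few hours, which is exactly the ‘out of context’ problem the guide raises later in this section.

```python
"""SOC metric computation over constructed case records.

Added example; not part of the CREST guide. The record layout, analyst
names, timestamps and SIEM event count are assumptions for illustration.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime
from statistics import mean, median
from typing import Optional


@dataclass
class Case:
    case_id: str
    category: str                   # type of case, e.g. "web attack", "email"
    source: str                     # "siem" (alert-driven) or "hunt" (Tier 3 finding)
    status: str                     # "false_positive", "suspected" or "confirmed"
    escalated: bool                 # handed to Tier 3 / CIRT
    occurred: Optional[datetime]    # start of malicious activity (from forensics)
    detected: datetime              # when the SOC raised it as a suspected incident
    actioned: Optional[datetime]    # contained, closed or escalated; None if still open
    triaged_by: Optional[str]       # Tier 1 analyst
    investigated_by: Optional[str]  # Tier 2 analyst
    hunted_by: Optional[str]        # Tier 3 analyst, for hunt-discovered cases


def _t(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%d %H:%M")


# Constructed sample data: two months of a small SOC's caseload (assumed values).
CASES = [
    Case("C-001", "web attack", "siem", "confirmed", False,
         _t("2022-03-01 08:00"), _t("2022-03-01 10:00"), _t("2022-03-01 11:30"),
         "t1-ana", "t2-ben", None),
    Case("C-002", "email", "siem", "confirmed", True,
         _t("2022-03-03 09:00"), _t("2022-03-03 09:30"), _t("2022-03-03 12:30"),
         "t1-ana", "t2-ben", None),
    Case("C-003", "attrition", "siem", "false_positive", False,
         None, _t("2022-03-06 02:00"), _t("2022-03-06 03:00"),
         "t1-cal", None, None),
    Case("C-004", "loss or theft of equipment", "siem", "confirmed", False,
         _t("2022-03-28 07:00"), _t("2022-03-28 15:00"), _t("2022-03-28 16:00"),
         "t1-cal", "t2-eve", None),
    Case("C-005", "web attack", "hunt", "confirmed", True,          # long dwell time
         _t("2022-03-20 00:00"), _t("2022-04-05 10:00"), _t("2022-04-05 18:00"),
         None, "t2-ben", "t3-dee"),
    Case("C-006", "email", "siem", "suspected", False,              # still open
         _t("2022-04-10 10:00"), _t("2022-04-10 11:00"), None,
         "t1-cal", "t2-eve", None),
]


def _hours(start: datetime, end: datetime) -> float:
    return (end - start).total_seconds() / 3600


def time_to_detect(cases) -> dict:
    """MTTD in hours over confirmed incidents with a known start time.
    The median sits beside the mean because one long-dwell case skews the mean."""
    d = [_hours(c.occurred, c.detected) for c in cases
         if c.status == "confirmed" and c.occurred is not None]
    return {"mean_h": mean(d), "median_h": median(d), "n": len(d)}


def time_to_respond(cases) -> dict:
    """MTTR in hours: detection until containment, closure or escalation,
    over confirmed incidents that have actually been actioned."""
    r = [_hours(c.detected, c.actioned) for c in cases
         if c.status == "confirmed" and c.actioned is not None]
    return {"mean_h": mean(r), "median_h": median(r), "n": len(r)}


def cases_per_month(cases) -> dict:
    """Confirmed incidents by month of detection."""
    return dict(Counter(c.detected.strftime("%Y-%m")
                        for c in cases if c.status == "confirmed"))


def cases_by_type(cases) -> dict:
    """Confirmed incidents by category."""
    return dict(Counter(c.category for c in cases if c.status == "confirmed"))


def analyst_productivity(cases) -> dict:
    """Units per analyst; the unit depends on the tier, as the table says:
    alerts triaged (Tier 1), incidents worked (Tier 2), threats found (Tier 3)."""
    return {
        "tier1_alerts": dict(Counter(c.triaged_by for c in cases if c.triaged_by)),
        "tier2_incidents": dict(Counter(
            c.investigated_by for c in cases
            if c.investigated_by and c.status != "false_positive")),
        "tier3_threats": dict(Counter(c.hunted_by for c in cases if c.hunted_by)),
    }


def escalation_breakdown(cases, siem_events: int) -> dict:
    """The funnel from raw SIEM events down to escalated incidents."""
    return {
        "siem_events": siem_events,
        "alerts": sum(c.source == "siem" for c in cases),
        "suspected": sum(c.status != "false_positive" for c in cases),
        "confirmed": sum(c.status == "confirmed" for c in cases),
        "escalated": sum(c.escalated for c in cases),
    }


if __name__ == "__main__":
    print("MTTD", time_to_detect(CASES))
    print("MTTR", time_to_respond(CASES))
    print("per month", cases_per_month(CASES))
    print("by type", cases_by_type(CASES))
    print("productivity", analyst_productivity(CASES))
    print("funnel", escalation_breakdown(CASES, siem_events=1_250_000))
```

Running the script prints all six metrics for the sample caseload. Two design points carry over to a real SOC: false positives are excluded from MTTD and MTTR but kept in the funnel and in Tier 1 productivity (closing them is real work), and open cases are excluded from MTTR rather than measured against ‘now’, which would otherwise make the number improve simply by never closing anything.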

A SOC’s effectiveness can perhaps best be measured by using the services of Red and / or Purple Teams. Other resources required to measure the effectiveness of the SOC include:

People

The SOC board needs to include staff with deep technical and business knowledge. They needn’t be permanent members of the SOC and can undoubtedly operate as a virtual team. Keeping experts on hand that can serve as an extension to the SOC team during attacks will increase success.

While certifications might not be a valuable metric, you can still track how staff improve over time. Nurturing staff proficiency in a specific domain is a measurement you could use to demonstrate your SOC team’s quality, maturity, and knowledge.

And, of course, internal or external training will bolster existing skill sets.

Technology

We’ve already stressed how vital up-to-date technology is to the success of a SOC. If appropriate hardware and software lie beyond the budget, consider an outsourced SOC function. Remember, the success of your technology will be measured by how it adds value to the organisation.

Policies

Success can be measured against policies created to describe the roles, responsibilities and IR processes involved in the SOC. Such policies set expectations for all stakeholders, as well as the authority to act when attacks occur, and the consequences of not adhering to the policies.

Benchmarks can be set under each aspect of such policies.

Planning

The SOC needs a vision which aligns with organisational objectives, priorities and risk posture. Maintaining alignment with the organisation and keeping the SOC team and technology running requires careful budgeting and resources.

And be sure to calibrate expectations. If it happens that someone outside the SOC team finds a threat or intrusion, what should they do? Who should they report it to? Plan the steps required to engage with such a situation, and what questions to ask before escalating it.

Consider which metrics highlight the success of the SOC. For example, time to respond / resolve might not look good on paper, out of context.

Decide which metrics you’ll deliver and in what format. A good start is to highlight the number of incidents and escalations that have occurred over the agreed reporting period, with a status field and incident category.

Include the incident remediation techniques used and be sure to provide enough context for a less technical reader to understand. This context will help build bridges between the SOC and the rest of the organisation, helping improve the overall organisation’s security culture.

Be sure to strike a balance between reporting and feedback on the SOC’s success and not over-delivering information to interested parties within the organisation. By delivering every detail of every metric, you’ll make it hard for others to ascertain what’s most important.

Warning

This Guide has been produced with care and to the best of our ability.
However, CREST accepts no responsibility for any problems or incidents arising from its use.

For further information contact CREST at:

www.crest-approved.org © Copyright 2022. All rights reserved. CREST (International).
