CREST What is a Security Operations Centre?
Introduction
A Security Operations Centre (SOC) is a team created to protect organisations from cybersecurity breaches by identifying, analysing and responding to threats.
SOC teams comprise management, security analysts, and security engineers. A SOC liaises closely with an organisation’s business and IT operations teams.
Of course, it’s vital to communicate to all staff within any organisation that security is everyone’s responsibility; a SOC is simply the central point for management of security issues.
Building blocks

A Security Operations Centre is a centralised business unit that deals with security issues at both the organisational and technical level. It comprises three building blocks: people, processes, and technology, for managing and enhancing an organisation’s security posture.

Governance and compliance provide a framework, tying together these building blocks.

SOC staff monitor an organisation’s information systems using telemetry from various sensors throughout the infrastructure.

A SOC is responsible for an organisation’s overarching cybersecurity, which can include prevention and incident response (IR). By its very nature, a SOC forms a crucial part of an organisation’s compliance and risk management strategy.

Security Operations Centres tend to have a much broader scope of responsibility than the more specialised CIRTs (Cyber Incident Response Teams). Many companies only have a SOC team, but no CIRT. It is also common for IR specialists to fall under the SOC umbrella rather than as part of a dedicated CIRT.

SOCs can be internal, external (managed), virtual or hybrid, involving a combination of in-house engineers and an external Managed Security Service Provider (MSSP), more of which later.

A SOC’s primary functions include:
• To understand the physical and digital assets, systems, risks and vulnerabilities of the organisation’s environment
• Monitoring the security of business assets, including the network, users, and systems
• Data collection and correlation
• Threat detection, including identifying anomalies, threat hunting capabilities, and the use of behavioural analysis tools and techniques
• Alert triage to analyse and prioritise alerts
• Incident analysis, assessing the severity of the threat, and the impact it may have on the organisation to formulate an appropriate response
• Incident review to gather information about attack patterns and techniques, to assess the need for more monitoring rules

Vulnerability management and firewall management may not be considered primary functions of a SOC, but they are often incorporated.

People, Technology, Process

If we agree that a SOC comprises people, technology and process, it’s worth taking a moment to better understand what’s meant by this.

In terms of People — this means the human resources that are required within a SOC to understand the output and context of information received via use of technology. Your people — talent — need to hold a deep understanding of the risk posed to the business.

The people involved in a SOC must be predominantly experienced security professionals with the ability to understand, triage (prioritise) and investigate security incidents from a selection of appropriate tools, including Security Information and Event Management (SIEM), Endpoint Detection and Response (EDR), and Security Orchestration, Automation and Response (SOAR), for example.

A contemporary SOC team must be capable of progressively and continuously adding detection capabilities within the tools used and mapping them against known frameworks, such as MITRE ATT&CK.

From a Technology perspective, we mean the tools that receive and allow analysis of logs or data from source systems to ascertain if a potential security incident is occurring. Typically, this is known as a Security Information and Event Management (SIEM) platform.

It also includes the technology required to glean (threat) intelligence, either through tools or collected and enriched separately. In more mature environments, there may also be technology in place, in terms of tools, or the ability to action a response to alerts and provide some form of containment (as a minimum).

Finally, Process revolves around creating a set of plans or processes that tie together the technology and capabilities of a SOC. These plans should incorporate the business objectives and strategy.

By consolidating security experts and relevant data into a central location — the SOC — threats are quickly identified and dealt with more efficiently and effectively. A SOC leverages people, processes, and technology to reduce cyber security risks, via improving organisational security, information and communication.
“…prevent, detect, assess and respond to cybersecurity threats and incidents, and to fulfil and assess regulatory compliance.”
Gartner

Having briefly outlined what a SOC is, we should now consider its purpose.

For small organisations, it may not make (financial) sense to create a dedicated internal SOC team. But as organisations grow, so do the risks and cost of cyberthreats. Failing to prepare, organise and arm a team of qualified security operations professionals can become an expensive mistake.

SOC teams hold dual core responsibilities:

1. Maintaining security monitoring tools
A SOC should maintain and update tools regularly and be aware that monitoring rules continually evolve with the threat landscape. It’s crucial that tools and technology are managed, as without them, a SOC cannot hope to adequately secure organisational systems and infrastructure.

2. Investigation of suspicious activities
The purpose of your 24/7/365 SOC team is to investigate suspicious and / or malicious activity within the organisation’s networks and systems. SIEM software or analytics software will issue alerts which the SOC team must then analyse and triage to ascertain the extent of the threat.

Security events must be collated, and appropriate notification efficiently disseminated to relevant stakeholders. A SOC needs the relevant resources to interpret, validate and respond to threats, to neutralise them.

Intelligence must be gleaned from multiple sources, then enriched or validated (via automated and / or human means) to gain better contextual awareness or reduce the threat level to the organisation.

Creating a SOC means a higher level of incident response, thanks to around the clock operations, coupled with developing greater threat intelligence and rapid analysis.
When to create a SOC

You may have some form of operational security now, but there are many reasons to re-evaluate the effectiveness and capabilities of what it provides the organisation, including:
• The organisation is handling more sensitive data
• The threat landscape has changed, or become more concerning, and requires improved security
• The organisation (or attack surface) has grown larger — and bear in mind the security issues surrounding remote working
• Your current managed security service provider (MSSP) doesn’t deliver the capabilities needed by the business

Reducing complexity

Although developing and creating a SOC can represent a major cost, in the long run, such a facility prevents the cost of reactive, ad hoc security measures, and, of course, protects from the financial damage caused by breaches.

Having a SOC embedded in your organisation will also naturally reduce the complexity of investigations, as SOC teams can streamline their investigative efforts, by coordinating data and information from a variety of sources. With full visibility into the network environment, for example, SOC teams can simplify drilling down into logs and forensic information.

…the requirement for one. A CREST internal survey revealed increasing boardroom buy-in to the concept, but there is a gap in understanding and funding for a fully functioning SOC.

While there are myriad reasons why a SOC might be required, some examples include:
• Maintaining the confidentiality and integrity of sensitive data — accessible by staff on the premises, by remote staff, or by customers and partners
• When running an online service for the public
• In organisations with dispersed offices, where a unified security function delivers cost savings
• In situations where large amounts of (sensitive) data need to be shared with other organisations (such as finance, health and government)
• Where a single point of visibility over all threats is required

Core processes a SOC should deliver include:

Alert triage — Collecting and correlating log data, the SOC provides tools that allow analysts to review that log data and detect security issues.

Alert prioritisation — SOC analysts use their knowledge of the organisation, the wider business environment and the threat landscape to prioritise alerts and rapidly ascertain which events represent real security incidents.

Containment — On discovering an incident, SOC staff are responsible for threat mitigation and escalating it for remediation and recovery.

Reporting — Documenting the organisation’s response to an incident.

Up to September 2021, there were 1,291 data breaches — compared to 1,108 breaches in 2020. (Security Magazine)

A 2019 Ponemon / IBM report suggested it takes the average US company an enormous 206 days to detect a breach — plus another 73 days on average to remedy the breach. We already know this figure, according to another IBM report in 2021, has risen to a higher total of 287 days.

And the costs run into millions of dollars. A breach lifecycle of more than 200 days is 37% more expensive than a breach lifecycle of less than 200 days (US$4.56 million vs $3.34 million).

Further, the 2019 report reveals:
• Security automation technologies could potentially halve the financial impact of a breach
• Extensive use of encryption can reduce the total cost of a breach by US$360,000
• Data breaches cost companies around US$150 per lost or stolen record
• Breaches originating from third parties cost organisations US$370,000 more than average
• Companies with fewer than 500 employees suffered average losses of more than US$2.5 million

Around two thirds (67%) of the financial impact of breaches is felt within the first 12 months, 22% in the next year and 11% in the third year after the incident. Long-tail costs are more acute in highly regulated industries such as financial services, healthcare and energy.
Incidents

Meanwhile, an incident is seen as something that is potentially or actually a threat or a violation of information security policies or standards. NIST describes incidents as: “An occurrence that actually or potentially jeopardizes the confidentiality, integrity, or availability of an information system or the information the system processes, stores, or transmits or that constitutes a violation or imminent threat of violation of security policies, security procedures, or acceptable use policies.”

Incidents might include:
• Unauthorised use of system privileges
• Denial of Service attacks on a web server
• Sending malicious files to a targeted user
• Stealing sensitive information and blackmailing the owners

As soon as a security incident is confirmed, a SOC acts as ‘first responder’. SOC analyst staff will perform tasks such as shutting down or isolating endpoints, terminating any harmful processes (or preventing them from executing) and deleting files, for example.

The overarching aim should always be to respond to the correct, required extent deemed necessary, while ensuring minimal impact on business continuity.

Incident management process flow

Log the incident
First steps must always be to inform relevant parties of the identified incident, via appropriate pre-agreed channels. A SOC team member from the incident handling team should be charged with responsibility for capturing all necessary details and data related to the incident and reporting it.

Classification
Classifying incidents under pre-agreed and understood categories will speed up the incident handling process and save time for deeper investigation.

Prioritise incident
Assigning proper priority to an incident ticket ensures the incident is addressed in a timely fashion.

Investigate and diagnose
When an incident occurs, the incident response team should perform a deep analysis of the incident and create a report.

Incident closure
The primary goal of incident management is to resolve it swiftly and efficiently. Closing the ticket after effective communication to concerned parties is a crucial step in the incident handling process.

Remit of the SOC

While each SOC management team should decide on the exact functions required, the decision as to the remit of any SOC includes, but is not limited to:
• Budget
• Whether a third-party supplier is used
• Willingness to share information feeds with a commercial supplier
• Internal willingness and / or capability to perform forensic investigations
• How business continuity is managed
• Whether the SOC is internal or external (or hybrid)
• Existing understanding of the range of threats
• How bespoke the SOC functions need to be — a generic set up will be less costly

While detecting and responding to (cyber) threats and keeping data held on corporate systems and networks secure are primary functions of any SOC, there are broader functions, too. These include increasing (network and organisational) resilience by perennial study of the changing threat landscape (both malicious and non-malicious, internal and external).

There is also a need for a level of expertise within the SOC team that is sophisticated enough to identify and address negligent or criminal behaviours.

Finally, creating a bank of business intelligence regarding user behaviours to help shape and prioritise technology development is a crucial element of a contemporary SOC.

SOCs are often built with several functions — commonly thought of as a hub-and-spoke architecture. Around the central SOC hub, the ‘spokes’ could include vulnerability assessment solutions, governance, intrusion prevention systems (IPS), user and entity behaviour analytics (UEBA), endpoint detection and remediation (EDR), risk and compliance (GRC) systems, application and database scanners, and threat intelligence platforms (TIP).

Size of a SOC

The exact size of your SOC depends on the nature and size of your business. Organisations with more critical sensitive data, such as those in healthcare or financial services, should consider larger teams, and more hardware and software investment.

In a paper, the Dutch National Cyber Security Centre advises starting small. A small SOC can then grow and evolve with the organisation, while ensuring “the planning, roadmap and implementation of a future SOC are realistic.”
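The incident management process flow described above (log the incident, classify it, prioritise it, investigate and diagnose, close) modelled as a small ticket workflow. This is an added example, not code from the CREST guide: the category keywords, the impact/urgency priority matrix, the status names and the sample incident are all constructed assumptions. The closure rule enforces the guide's point that a ticket is only closed after the concerned parties have been informed and a report exists.

```python
"""Incident ticket workflow: log, classify, prioritise, investigate, close.

Added example, not code from the CREST guide. Category keywords, the
priority matrix and the sample incident are constructed for illustration.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from enum import Enum
from typing import List, Optional


class Category(Enum):
    """Pre-agreed incident categories (the guide's example incident types)."""
    PRIVILEGE_MISUSE = "unauthorised use of system privileges"
    DENIAL_OF_SERVICE = "denial of service attack"
    MALICIOUS_FILE = "malicious file sent to a targeted user"
    DATA_THEFT = "theft of sensitive information"
    UNCATEGORISED = "uncategorised"


# Constructed keyword map from alert wording to category. A real SOC agrees
# these categories and matching rules with its stakeholders in advance.
CATEGORY_KEYWORDS = {
    Category.PRIVILEGE_MISUSE: ("sudo", "privilege", "admin rights"),
    Category.DENIAL_OF_SERVICE: ("denial of service", "flood", "syn flood"),
    Category.MALICIOUS_FILE: ("attachment", "macro", "malware"),
    Category.DATA_THEFT: ("exfiltrat", "ransom", "blackmail"),
}


def classify(summary: str) -> Category:
    """Map an alert summary onto a pre-agreed category."""
    text = summary.lower()
    for category, keywords in CATEGORY_KEYWORDS.items():
        if any(word in text for word in keywords):
            return category
    return Category.UNCATEGORISED


def prioritise(impact: int, urgency: int) -> str:
    """Constructed impact/urgency matrix: 1 = high, 3 = low on both axes."""
    if not (1 <= impact <= 3 and 1 <= urgency <= 3):
        raise ValueError("impact and urgency must be 1..3")
    score = impact + urgency            # 2 (most severe) .. 6 (least severe)
    return {2: "P1", 3: "P2", 4: "P3"}.get(score, "P4")


class Status(Enum):
    LOGGED = 1
    CLASSIFIED = 2
    INVESTIGATING = 3
    CLOSED = 4


@dataclass
class Ticket:
    summary: str
    impact: int
    urgency: int
    logged_at: datetime = field(default_factory=lambda: datetime.now(timezone.utc))
    status: Status = Status.LOGGED
    category: Category = Category.UNCATEGORISED
    priority: str = ""
    notified: List[str] = field(default_factory=list)   # parties informed so far
    report: Optional[str] = None
    closed_at: Optional[datetime] = None

    def notify(self, *parties: str) -> None:
        """Record that the incident was reported to relevant parties."""
        self.notified.extend(parties)

    def classify_and_prioritise(self) -> None:
        self.category = classify(self.summary)
        self.priority = prioritise(self.impact, self.urgency)
        self.status = Status.CLASSIFIED

    def investigate(self, report: str) -> None:
        if self.status is not Status.CLASSIFIED:
            raise RuntimeError("classify and prioritise before investigating")
        self.report = report
        self.status = Status.INVESTIGATING

    def close(self) -> None:
        """Closure needs a completed investigation and prior communication."""
        if self.status is not Status.INVESTIGATING or not self.report:
            raise RuntimeError("cannot close a ticket that has not been investigated")
        if not self.notified:
            raise RuntimeError("inform concerned parties before closing")
        self.closed_at = datetime.now(timezone.utc)
        self.status = Status.CLOSED


def run_sample() -> Ticket:
    """Walk one constructed incident through the whole flow."""
    ticket = Ticket(summary="Suspicious sudo usage by service account on DB host",
                    impact=1, urgency=2)
    ticket.notify("IT operations", "data owner")
    ticket.classify_and_prioritise()
    ticket.investigate("Credential reused from a decommissioned jump host; "
                       "account disabled, host isolated.")
    ticket.close()
    return ticket


if __name__ == "__main__":
    t = run_sample()
    print(t.category.value, t.priority, t.status.name)
```

The state checks in `investigate` and `close` are the point: they make the agreed order of steps something the tooling enforces rather than something each analyst has to remember under pressure.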
Scope
A SOC holds responsibility for two asset types — the devices, processes and applications it is charged with safeguarding; and the defensive tools at its disposal to ensure proper protection.

The SOC can’t safeguard devices and data it cannot ‘see.’ Visibility and control must be enabled, from devices to the cloud, otherwise there may well be ‘blind spots’ in organisational network security.

A SOC must have a holistic view of the organisational threat landscape, and not only of the endpoints, servers and software used, but also any third-party services and traffic flowing between assets.

A SOC must keep detailed records and maintain full understanding of the cybersecurity currently enabled, along with all the workflows used in the SOC, to increase agility and ensure peak efficiency.

1. Preparation and preventative maintenance

Even well-planned, equipped and agile response processes are no substitute for preventing problems from occurring in the first place. To help keep attackers at bay, the SOC must implement preventative measures, which can be divided into two main categories, as follows:

Analysts and staff must keep well informed on the newest security innovations, cybercrime issues and trends, and any new threats on the horizon. This vigilance can help inform the creation of a security roadmap — to deliver direction in ongoing cybersecurity efforts. It can also help formulate a disaster recovery plan — written guidance for worst-case scenarios.

Preventative maintenance
This could include action taken to make successful attacks harder to achieve, which may involve regularly maintaining and updating existing systems; updating firewall policies; patching vulnerabilities; and whitelisting, blacklisting and securing applications. However, many of these actions are down to normal infrastructure team activity, and the SOC role merely provides guidance on preventative maintenance and remediation management for vulnerabilities.

2. Continuous proactive monitoring

The SOC’s toolkit should be capable of scanning the infrastructure — such as the network, cloud and endpoints — 24/7/365, and able to flag any inconsistencies or suspicious activity.

Around-the-clock monitoring allows the SOC team to receive immediate notification of emerging threats, which in turn provides the best possible chance of preventing, or at least mitigating, harm.

Security Information and Event Management (SIEM) software. A SIEM solution gathers and analyses activity from different resources across the organisation’s IT infrastructure.

Endpoint Detection and Response (EDR) is another software solution which can detect threats and respond to them. It can analyse the threat and provide analysts with salient information, such as where it emanated from, how it started, which parts of the network it has affected and how to stop it.

Security Orchestration Automation and Response (SOAR) software helps the SOC team — especially smaller teams — improve efficiency by better managing threats and vulnerabilities, automating repetitive tasks and responding to security incidents. An example of this might be automatically deleting phishing emails from employees’ inboxes.

eXtended Detection and Response (XDR) software collects and automatically correlates data across multiple security layers, such as email, endpoint, server, cloud workload, and network. The most advanced XDR solutions employ behavioural analysis to teach systems the difference between regular day-to-day operations and actual threat behaviour, minimising the amount of triage and human analysis required.

3. Log management

A SOC holds responsibility for collecting, maintaining, and reviewing the log of all network activity and communications for the entire organisation. This data helps define a baseline for “normal” network activity. It can expose the existence of threats and be used for post-incident remediation and forensics.
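How collected logs turn into a baseline for “normal” activity, and how continuous monitoring then flags hours that deviate from it for analyst triage, as an added example that is not code from the CREST guide. The log line format (ISO timestamp, `host=`, `event=`), the sample lines, the per-hour bucketing and the 3-sigma threshold are all constructed assumptions; a real SOC would derive these from its own SIEM data and tune the threshold against its false-positive tolerance.

```python
"""Log management: build a per-host, per-event-type baseline from collected
logs, then flag hours that deviate from it.

Added example, not code from the CREST guide. Log format, sample lines and
the 3-sigma threshold are constructed assumptions.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev
from typing import Dict, List, Tuple

LINE_RE = re.compile(r"^(\S+) host=(\S+) event=(\S+)$")
Key = Tuple[str, str]   # (host, event type)


def parse(line: str) -> Tuple[datetime, str, str]:
    """Parse one constructed log line; reject malformed input rather than guess."""
    match = LINE_RE.match(line.strip())
    if not match:
        raise ValueError(f"unparseable log line: {line!r}")
    return datetime.fromisoformat(match.group(1)), match.group(2), match.group(3)


def hourly_counts(lines: List[str]) -> Dict[Key, Counter]:
    """Bucket events per (host, event) per clock hour."""
    counts: Dict[Key, Counter] = defaultdict(Counter)
    for line in lines:
        ts, host, event = parse(line)
        counts[(host, event)][ts.replace(minute=0, second=0, microsecond=0)] += 1
    return counts


def baseline_stats(lines: List[str]) -> Dict[Key, Tuple[float, float]]:
    """Per (host, event): mean and standard deviation of the hourly count over
    the baseline window, counting hours with no events as zero."""
    counts = hourly_counts(lines)
    hours = sorted({hour for per_hour in counts.values() for hour in per_hour})
    stats: Dict[Key, Tuple[float, float]] = {}
    for key, per_hour in counts.items():
        series = [per_hour.get(hour, 0) for hour in hours]
        # Floor the deviation at one event so a perfectly steady baseline does
        # not turn every single extra event into an alert.
        stats[key] = (mean(series), max(pstdev(series), 1.0))
    return stats


def find_anomalies(observed: List[str], stats: Dict[Key, Tuple[float, float]],
                   threshold: float = 3.0) -> List[Tuple[str, str, datetime, int, str]]:
    """Flag hour buckets well above baseline, and any host/event pair the
    baseline has never seen at all."""
    findings = []
    for (host, event), per_hour in hourly_counts(observed).items():
        for hour, count in sorted(per_hour.items()):
            if (host, event) not in stats:
                findings.append((host, event, hour, count, "no baseline for this host/event"))
                continue
            mu, sigma = stats[(host, event)]
            z = (count - mu) / sigma
            if z > threshold:
                findings.append((host, event, hour, count,
                                 f"{z:.1f} sigma above baseline mean {mu:.1f}"))
    return findings


def make_sample_logs() -> Tuple[List[str], List[str]]:
    """Constructed logs: 48 baseline hours, then one observed hour containing a
    burst of authentication failures on web01 and a first-ever event on web03."""
    start = datetime(2024, 3, 1, 0, 0)
    baseline: List[str] = []
    for h in range(48):
        hour = start + timedelta(hours=h)
        for i in range(1 + h % 3):                       # 1..3 failures per hour
            ts = hour + timedelta(minutes=10 * i)
            baseline.append(f"{ts.isoformat()} host=web01 event=auth_failure")
        baseline.append(f"{hour.isoformat()} host=web02 event=auth_failure")
    obs_hour = start + timedelta(hours=48)
    observed = [f"{(obs_hour + timedelta(minutes=i)).isoformat()} host=web01 event=auth_failure"
                for i in range(40)]
    observed += [f"{obs_hour.isoformat()} host=web02 event=auth_failure"] * 2
    observed.append(f"{obs_hour.isoformat()} host=web03 event=new_admin_user")
    return baseline, observed


if __name__ == "__main__":
    base, obs = make_sample_logs()
    for finding in find_anomalies(obs, baseline_stats(base)):
        print(finding)
```

Two design points matter for the false-positive rate: quiet hours are zero-filled so the baseline is not biased upward by only counting busy hours, and the deviation is floored at one event so a host that is always silent does not page an analyst for a single log line. The “no baseline” branch is deliberate: an event type the SOC has never logged before is exactly the kind of gap in visibility the guide warns about.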
Hybrid SOCs

As you’ve probably already ascertained, there are several ways of setting up a SOC, to best suit your needs, budget and level of expected threats. A hybrid SOC is a way of combining different types of SOC provision, as mentioned above.
SOC roles: role title, required skills and qualifications (for example), and day-to-day activities

Tier 1 Analyst / Alert Investigator
Required skills and qualifications: Web programming (Python, Ruby, PHP); scripting languages; basic security certifications (CompTIA Security+); sys admin skills.
Day-to-day activities: Configures and manages security monitoring tools. Prioritises and triages alerts and / or issues to determine whether real security incidents are occurring.

Tier 2 Analyst / Incident Responder
Required skills and qualifications: Similar to Tier 1, but with greater experience, including IR. Should be capable of advanced forensics, malware assessment and threat intelligence. Ethical hacker certification or training is advantageous.
Day-to-day activities: Receives incidents. Conducts deep analysis. Correlates with threat intelligence to identify the threat actor, nature of the attack, and systems or data affected. Defines and executes strategy for containment, remediation and recovery.

Tier 3 Analyst / Subject Matter Expert / Threat Hunter
Required skills and qualifications: More experienced than a Tier 2 analyst, including high-level incidents. Should be acquainted with pen testing tools and cross-organisation data visualization. Malware reverse engineering, and capable of identifying and developing responses to new threats and attack patterns.
Day-to-day activities: Conducts regular vulnerability assessments and pen tests. Reviews alerts, industry news, threat intelligence and security data. Hunts threats and seeks unknown vulnerabilities and security gaps. When a major incident occurs, teams with Tier 2 Analysts in response and containment.

Tier 4 / SOC Manager / Team Leader
Required skills and qualifications: Keen project management skills, incident response management training and strong communication skills.
Day-to-day activities: Hiring and training. Oversees defensive and offensive strategies. Manages resources, priorities and projects. Direct team management when responding to business-critical security incidents. Organisation contact for security incidents, compliance, and all security-related issues.

Security Engineer / Support and Infrastructure
Required skills and qualifications: Computer science, computer engineering or information assurance degree. Certifications such as CISSP.
Day-to-day activities: Software and / or hardware specialist, ideally experienced in security aspects of information systems. Creates solutions and tools to help organisations deal with operational disruption of. Note: Sometimes security engineers are employed within the SOC, other times they simply support the SOC as part of development or operations teams.
Mean Time to Detection (MTTD)
Measures: Average time taken to detect an incident.
Indicates: How effective the SOC is in processing important alerts and identifying real incidents.

Mean Time to Respond (MTTR) or Closure / Escalation Time
Measures: Average time before the SOC takes action to detect and escalate the threat.
Indicates: How effective the SOC is at gathering relevant data, coordinating a response, and taking action.

Total cases per month
Measures: Number of security incidents detected and processed.
Indicates: How busy the security environment is and the scale of action managed by the SOC.

Types of cases
Measures: Number of incidents by type: web attack, attrition (brute force and destruction), email, loss or theft of equipment, etc.
Indicates: The main types of activity managed by the SOC, and where preventative security measures should be focused.

Analyst productivity
Measures: Number of units processed per analyst — alerts for Tier 1, incidents for Tier 2, threats discovered for Tier 3 and threats.
Indicates: How effective analysts are at covering the maximum possible alerts.

Case escalation breakdown
Measures: Number of events that enter the SIEM, alerts reported, suspected incidents, confirmed incidents, escalated incidents.
Indicates: The effective capacity of the SOC at each level and the workload expected for different analyst groups.
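The metrics in the table above computed over a set of case records for one reporting period, as an added example that is not code from the CREST guide. The guide does not define a record format, so the `Case` fields, the four-stage escalation funnel, the SIEM event count and the five sample cases are constructed assumptions; MTTD and MTTR are calculated over confirmed and escalated incidents only, since cases closed at triage have no real incident to measure against.

```python
"""SOC reporting metrics (MTTD, MTTR, cases per month, types of cases,
analyst productivity, case escalation breakdown) over case records.

Added example, not code from the CREST guide. The record format, stage
names, sample cases and SIEM event count are constructed for illustration.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime
from enum import IntEnum
from typing import Dict, List, Optional


class Stage(IntEnum):
    """Furthest point a case reached in the escalation funnel."""
    ALERT = 1        # raised by the SIEM, closed at triage
    SUSPECTED = 2    # triaged as a possible incident
    CONFIRMED = 3    # confirmed as a real incident
    ESCALATED = 4    # escalated beyond the SOC for remediation / recovery


@dataclass
class Case:
    case_id: str
    case_type: str            # e.g. web attack, attrition, email, equipment loss
    analyst: str
    stage: Stage
    detected_at: datetime     # when the SOC first saw the alert
    responded_at: datetime    # when the SOC first took action on it
    occurred_at: Optional[datetime] = None   # first malicious activity, if known


def _minutes(later: datetime, earlier: datetime) -> float:
    return (later - earlier).total_seconds() / 60.0


def soc_metrics(cases: List[Case], siem_events: int) -> Dict[str, object]:
    """Return the guide's metrics for one reporting period."""
    incidents = [c for c in cases if c.stage >= Stage.CONFIRMED]
    with_onset = [c for c in incidents if c.occurred_at is not None]
    mttd = (sum(_minutes(c.detected_at, c.occurred_at) for c in with_onset)
            / len(with_onset)) if with_onset else None
    mttr = (sum(_minutes(c.responded_at, c.detected_at) for c in incidents)
            / len(incidents)) if incidents else None
    return {
        "mttd_minutes": mttd,
        "mttr_minutes": mttr,
        "cases_per_month": dict(Counter(c.detected_at.strftime("%Y-%m") for c in cases)),
        "types_of_cases": dict(Counter(c.case_type for c in cases)),
        "cases_per_analyst": dict(Counter(c.analyst for c in cases)),
        # Funnel: how many cases reached at least each stage.
        "escalation_breakdown": {
            "siem_events": siem_events,
            "alerts": len(cases),
            "suspected": sum(c.stage >= Stage.SUSPECTED for c in cases),
            "confirmed": len(incidents),
            "escalated": sum(c.stage >= Stage.ESCALATED for c in cases),
        },
    }


def sample_cases() -> List[Case]:
    """Constructed case records for one reporting period."""
    d = datetime
    return [
        Case("C-1", "web attack", "analyst-a", Stage.ESCALATED,
             detected_at=d(2024, 3, 2, 8, 30), responded_at=d(2024, 3, 2, 9, 0),
             occurred_at=d(2024, 3, 2, 8, 0)),
        Case("C-2", "email", "analyst-b", Stage.CONFIRMED,
             detected_at=d(2024, 3, 3, 11, 0), responded_at=d(2024, 3, 3, 11, 20),
             occurred_at=d(2024, 3, 3, 10, 0)),
        Case("C-3", "attrition", "analyst-a", Stage.CONFIRMED,
             detected_at=d(2024, 3, 10, 2, 0), responded_at=d(2024, 3, 10, 4, 0),
             occurred_at=d(2024, 3, 10, 0, 0)),
        Case("C-4", "email", "analyst-c", Stage.SUSPECTED,
             detected_at=d(2024, 4, 1, 9, 10), responded_at=d(2024, 4, 1, 9, 15)),
        Case("C-5", "email", "analyst-b", Stage.ALERT,
             detected_at=d(2024, 3, 5, 14, 0), responded_at=d(2024, 3, 5, 14, 5)),
    ]


if __name__ == "__main__":
    for name, value in soc_metrics(sample_cases(), siem_events=120_000).items():
        print(f"{name}: {value}")
```

The escalation breakdown is the most useful number to report alongside MTTD and MTTR: the ratio of alerts to confirmed incidents shows how much triage effort the detection rules are costing, and the ratio of confirmed to escalated shows how much the SOC resolves without involving the wider organisation, which is the context the guide asks for when a raw time-to-respond figure looks poor on paper.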
A SOC’s effectiveness can perhaps best be measured by using the services of Red and / or Purple Teams.

Other resources required to measure the effectiveness of the SOC include:

People

The SOC board needs to include staff with deep technical and business knowledge. They needn’t be permanent members of the SOC and can undoubtedly operate as a virtual team. Keeping experts on hand that can serve as an extension to the SOC team during attacks will increase success.

While certifications might not be a valuable metric, you can still track how staff improve over time. Nurturing staff proficiency in a specific domain is a measurement you could use to demonstrate your SOC team’s quality, maturity, and knowledge.

And, of course, internal or external training will bolster existing skill sets.

Technology

We’ve already stressed how vital up-to-date technology is to the success of a SOC. If appropriate hardware and software lie beyond the budget, consider an outsourced SOC function. Remember, the success of your technology will be measured by how it adds value to the organisation.

Policies

Success can be measured against policies created to describe the roles, responsibilities and IR processes involved in the SOC. Such policies set expectations for all stakeholders, as well as the authority to act when attacks occur, and the consequences of not adhering to the policies.

Benchmarks can be set under each aspect of such policies.

Planning

The SOC needs a vision which aligns with organisational objectives, priorities and risk posture. Maintaining alignment with the organisation and keeping the SOC team and technology running requires careful budgeting and resources.

Consider which metrics highlight the success of the SOC. For example, time to respond / resolve might not look good on paper, out of context.

Decide which metrics you’ll deliver and in what format. A good start is to highlight the number of incidents and escalations that have occurred over the agreed reporting period, with a status field and incident category. Include the incident remediation techniques used and be sure to provide enough context for a less technical reader to understand. This context will help build bridges between the SOC and the rest of the organisation, helping improve the overall organisation’s security culture.

And be sure to calibrate expectations. If it happens that someone outside the SOC team finds a threat or intrusion, what should they do? Who should they report it to? Plan the steps required to engage with such a situation, and what questions to ask before escalating it.
Warning
This Guide has been produced with care and to the best of our ability.
However, CREST accepts no responsibility for any problems or incidents arising from its use.