What is a Security Operations Center
With the advent of the Fourth Industrial Revolution and the pervasive digitization of virtually all industries, information systems have become indispensable. Savvy organizations leverage them to improve efficiency in production and delivery of products/services to clients. With their widespread adoption and integration into nearly all areas of business activities, information systems now rule today’s business landscape.
Although this has opened up a world of massive improvements and innovative possibilities to businesses, these benefits come at a price. Businesses operating in cyberspace carry an increased level of risk and are more vulnerable to insidious threats. Cybercriminals and hackers target such businesses to gain access to the information they possess or to carry out other malicious activities. The consequences of these attacks include loss of consumer trust, disruption of business activities, litigation, fines, reputational damage and loss of clients.
The Current Cybersecurity Landscape
Over the past couple of years, cybersecurity has become a major source of concern especially for organizations and companies in regulated industries such as banks, credit unions, defense contractors, Fintech companies and other financial services institutions.
In 2017, 54 percent of businesses said they were the targets of one or more attacks while only 38 percent of global organizations claim to be able to handle sophisticated cyber attacks. Studies also show that 51 percent of companies experienced DDoS attacks, 59 percent were the targets of botnets and malicious code, 62 percent experienced social engineering and phishing attacks while 64 percent were the victims of web-based attacks.
Also, IBM’s Cyber Security Intelligence index showed that the financial services industry was the target of over 60 percent of all cyber attacks in 2016.
The Need for a Strong Cybersecurity Strategy
Network and data center breaches shake customer confidence, and it’s essential that organizations protect intellectual property, customer records, and other critical digital assets. With new and sophisticated threats already pervading the cyberspace, it’s essential that businesses develop and implement a strong strategy for cybersecurity risk management.
Security Operations Center Defined
One of the most effective ways to do this is by setting up a Security Operations Center (SOC). Also called NSOC (network security operations center), SAC (security analytics center), or SDC (security defense center), SOCs refer to a combination of technologies, processes and people that provide organizations with round the clock cybersecurity awareness and protection by detecting, containing, and defending against IT threats.
SOCs ensure that IT incidents and cybersecurity threats are properly identified, analyzed, investigated, and reported. They constantly monitor enterprise information systems and IT infrastructure (such as networks, servers, data centers, databases, applications, websites, computers, and other endpoints) to identify possible intrusion activities and cyber attacks, analyze threats and take appropriate measures to defuse the situation.
SOCs help enforce strong cybersecurity risk management strategies by creating and implementing a set of controls, processes, and policies designed to safeguard information systems and infrastructure from malicious attacks that could compromise critical operations and the organization’s reputation/integrity.
In essence, SOCs ensure the detection, prevention, and mitigation of cybersecurity threats on your network.
Components of an SOC
Let’s take a look at the various components of an SOC.
This is the most critical component of an SOC. The most effective SOCs are staffed by talent with security skills (GCFE, GCFA, GCIH, GCIA, CISSP, etc.), sysadmin skills, programming skills (Perl, Java, C, C#, PHP, Ruby, Python), and extensive experience in security analysis and threat hunting.
They may also be former white hat hackers with a dogged ability to find the root cause of a possible security breach by following minute details. They leverage emerging threat intelligence to identify the scope of a successful attack and the systems and network affected. Furthermore, they quickly review asset discovery and vulnerability assessment data to determine the type of remediation and recovery effort needed.
SOCs are usually based on SIEM (security information and event management) systems. These systems enable security analysts to view and assess security threats to an enterprise’s IT infrastructure by aggregating and correlating data from some or all of the following tools and systems.
- Enterprise AV
- UTM (unified threat management)
- Wireless intrusion prevention system
- IPS (intrusion prevention system)
- IDS (intrusion detection systems)
- Penetration testing tools
- Application and database scanners
- Web site assessment and monitoring systems
- GRC (governance, risk, and compliance) systems
- Network discovery and vulnerability assessment systems
SOC operators set up these various security tools and systems to collate and send security-relevant data (such as firewall allows/denies, persistent outbound data transfers, login/logoff events, etc.) to the SIEM system. They also ensure that the SIEM tool receives logs from critical on-premises and cloud infrastructure (such as active directory, domain controller, web, active directory, DNS, file server, database server).
SOC teams usually achieve their objectives by executing four major processes. The first is “event classification and triage.” At this point, SOC personnel review suspicious system events, user activity, firewall accept/denies, etc. and classify them based on severity or criticality.
The next stage involves “prioritization and analysis.” SOC analysts review events (or combination of events) that indicate malicious behavior ranging from the installation of malware to the exploitation of existing vulnerabilities.
The third stage deals with remediation and recovery. SOC personnel review the scope, source and nature of the breach/cyber attack and determine the appropriate remediation steps to take.
Lastly, SOC analysts undertake assessment and audit activities. They run network vulnerability scans, generate compliance reports, and review their internal processes to ensure topnotch performance and efficiency.
To protect themselves from sophisticated malware, zero-day threats and the increasingly insidious nature of the current cybersecurity landscape, enterprises must develop and implement a strong cybersecurity strategy. The best way to do this is by leveraging SOCs to ensure the security of digital assets.
However, building one in-house can be a time-consuming affair with serious staffing and cost implications. Before embarking on such a project, CISOs and technology leaders should explore the benefits of using an MSSP with extensive cybersecurity expertise and experience.
Victor is a 25-year veteran of the IT industry. Previously President of Global Villager, Victor joined Link High Technologies as President in 1992 and used his skills as a visionary business leader to quickly transform the company from a computer repair shop to an IT consulting firm. Victor has a passion for learning, holding a BA from the University of California at Berkeley, a Juris Doctor from Rutgers Law School in Newark, and certifications in Citrix, Microsoft, and Novell Technologies. He is also a certified HIPAA Security Professional. Victor also supports a number of local charities and nonprofit organizations including the Spina Bifida Resource Network.