Back to Insights

Security Operations Centre (SOC) Buyers Guide

Managed services 10/10/2020 - 12:33 by Swami Nathan

The current utilities that you can now outsource instead of building in-house are SOC (Security Operations Centre). But should you entrust a third party with them? Yeah, but make sure that you know how to select the finest.

What is SOC?

SOC stands for Security Operations Centre, and within a company or another entity, it is a centralised unit that oversees employees, technology and procedures to ensure that all safety measures are in place. In the first place, it is designed to avoid cyber-attacks, identify and evaluate them if they occur, and prepare an incident response.

To properly track the movements and be able to identify any anomalies, the SOC must know every event logged within an organisation. It seems as if SOC services will make or break the future of your business in today’s digitised world, full of diverse cyber threats.

Why is SOC important?

A new, diverse organisation needs to be vigilant about its cybersecurity. With recent figures said to be (on average) about £3.18 million, a data breach can be expensive, and reputational harm can be much harder (or impossible) to recover from. Hackers can strike from anywhere in the world at any moment, which suggests that corporations have to be on security 24/7.

Before threats harm the company they are tracking, the SOC and the professional security analysts behind them are essential to maintaining good security and preventing threats.

A Security Operations Centre or SOC is a central unit which, by the use of people, processes and technology, oversees the security of a business. The concept is to identify and defend against cyber threats by gathering data in one central location, analysing it with the latest technologies, and conducting research on any warnings and anomalies posed by trained security analysts.

Organizations of any size are vulnerable to cyber-attacks, and security has become an increasingly difficult task with the use of more and more advanced hacking tools by cyber criminals.

As a result, organisations are pursuing new programmes and services to protect themselves against cyber threats, and it is becoming increasingly common to integrate with a security operations centre.

How does a SOC work?

Usually, SOC employees and technology are housed in a central location where employees with various levels of experience, such as analysts, responders and hunters, staff 24/7 during the year. SOCs appear to be very process-driven: they have standard operating procedures, usage cases and playbooks to describe how SOC workers respond to and interact with different events and incidents in cybersecurity.

SOCs can also include the following, in addition to the real-time review of user reports and data feeds:

  1. Analysis of data feeds and event data in the long term;
  2. Security log normalization and storage;
  3. Dissemination of intelligence on threats;
  4. Orchestration and Automation;
  5. Detection or management of vulnerabilities (e.g., vulnerability scanning and remediation).
  6. Assessment of threats; and

For one or more of the following reasons, organisations may consider outsourcing all or some of their SOC services to a SOC service provider:

  1. An inability to recruit appropriate SOC employees with the skills required;
  2. The desire to achieve greater value by making qualified experts handle them from established cybersecurity products;
  3. A requirement to broaden SOC services rapidly due to changes in the threat environment or business model of an enterprise (e.g. incorporating e-commerce);
  4. A preference or obligation to use budget dollars for operational expenses for cybersecurity ('lease' of SOC services) rather than capital expenses (purchase of SOC equipment and hiring of staff);
  5. The ability to apply the threat intelligence of a third party acquired from monitoring many clients; and
  6. A strategic decision is taken by a third party to provide easier, recurring activities, such as initial log reviews, so that SOC staff can concentrate on high-level tasks, such as incident response or vulnerability management.

The presumption is that, for all of the above reasons, the SOC service provider will be able to deliver basic SOC services more efficiently or less costly than the organisation itself.

Features to Consider for SOC –

The following can be given by SOC vendors:

  1. Monitored or managed firewalls or technology for unified threat management;
  2. Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS) tracking or management;
  3. Web and email safety gateways managed or monitored;
  4. Monitoring or management of emerging technologies for threat defence;
  5. Triage and short-term review of real-time data feeds for possible cybersecurity events (e.g. device logs and notifications from applications and information systems);
  6. Long-term review and correlation of tracked or managed device-related data and incident response;
  7. Regulated vulnerability scanning of software and information systems;
  8. Monitoring or management of SIEM technologies deployed by the customer; and
  9. Present and relevant intelligence on threats.

SOC service providers, as the above list, makes clear, provide several capabilities that could be useful for the SOC of your company. But it can be daunting with the range of services. One way to start assessing SOC providers is to determine the most important services for your business using two simple measures.

Before signing up for specialised services such as threat intelligence, make sure you are adequately handling and tracking the current cybersecurity programmes. For example, if the company does not already have a clear understanding of what is going on with its cybersecurity programmes, it would be difficult to reap the advantages of threat intelligence.

A crucial decision that you should be prepared to make is whether to only track a SOC service provider (for example, collect logs from any or all of the cybersecurity systems of your organisation) or control some cybersecurity systems (such as firewalls or SIEMs) as well. The security strategy of your company and risk tolerance will decide this.

The burden on the SOC of your organisation can be lightened by using a SOC service provider, but the company will still need to identify and allocate programme management resources to keep the SOC vendor on track and assess its ongoing effectiveness.

Look for the following functional features irrespective of what services you select from a SOC service provider:

  1. A customer web portal that has multifactor authentication and role-based access control should be provided by the SOC vendor. The platform should have analytics and graphics, real-time alerts, ticket status of the SOC service provider and reports that can be tailored for various categories of users — managers, SOC employees, and so on.
  2. The supplier should be able to deliver requested services 24/7 during the year, provide different contact methods, such as telephone and email, and have demonstrated knowledge in rapidly escalating critical events and accidents to suitable customer employees.
  3. The SOC services should be incorporated into the security incident response of your organisation.
  4. To ensure redundancy and the ability to recover from a disaster, the SOC should provide the requested services from at least two geographically dispersed locations.
  5. The SOC service provider should have workers trained in your company for the essential cybersecurity technology they are tracking or handling.
  6. Verify that a SOC service provider can guarantee that requested services are only delivered from particular (e.g., US-based) locations, if necessary, for compliance.

It is a significant business decision to choose to use a SOC service provider; you want to have a good, reliable partner, so look for key business characteristics, such as proof that the provider is financially stable and has a high customer retention rate. In the case of poor results, the SOC provider should provide guaranteed performance-based service-level agreements which include the right to terminate service. Naturally, in your particular field, the provider should have established experience and knowledge. You should also be able to configure the SOC services supplied reasonably; the company should not have to force itself into a one-size-fits-all operation.

Using a SOC service provider would possibly mean exchanging confidential data or providing access to some of the information systems of your company to the provider. To avoid cybersecurity incidents and gaps in enforcement, at least the following security features are required:

  1. The SOC service provider should enable your company to carry out due diligence on their cybersecurity procedures. For instance, in your contract with the service provider, you should be able to add a right to inspect cybersecurity practises provision and ask them to complete an inspection questionnaire on cybersecurity practises.
  2. The SOC service provider should have at least annually conducted a third-party cybersecurity audit plus internal and external penetration tests.
  3. At least one accepted cybersecurity norm should be accredited by the SOC service provider — e.g. PCI DSS, the Federal Risk and Authorization Management Program and ISO 27001--and have a routine review of SSAE16 (Statement on Requirements for Attestation Engagements 16) carried out.
  4. Through encrypted methods, such as TLS 1.1 +, the SOC service provider should be able to receive and submit data to and from your organisation.

The SOC's Future

An exciting transition is underway at the Security Operations Centre. It interacts with departments of operations and development and is driven by powerful emerging technology to recognise and respond to critical security incidents while maintaining its conventional command structure and functions.

We demonstrated how SIEM is a fundamental SOC technology, and how SIEMs of the next decade, like emerging capabilities such as behavioural analytics, machine learning and SOC automation, are opening up new possibilities for security analysts.

The effect on the SOC of a next-gen SIEM may be significant:

  1. Using User Entity Behavioural Analytics (UEBA) to minimise warning fatigue, which goes beyond correlation laws, helps reduce false positives and uncover hidden threats.
  2. Boost MTTD by allowing researchers to more easily discover events and obtain all relevant information.
  3. Enhance MTTR by incorporating and optimising Protection Orchestration, Automation and Response (SOAR) technologies with security systems.
  4. Enable threat hunting by providing quick and easy access to analysts and powerful exploration of unlimited security data volumes.

Teceze is an example of a next-generation SIEM incorporating data lake technology, cloud service visibility, behavioural analytics, an automated incident responder and a powerful data query and visualisation threat hunting module.

SOC stands for a Security Operations Centre, and within a company or another entity, it is a centralised unit that oversees employees, technology and procedures to ensure that all safety measures are in place. In the first place, it is designed to avoid cyber-attacks, identify and evaluate them if they occur, and prepare an incident response.