Every organization, regardless of size, budget or area of focus, should have some form of security operations center (SOC). When I use the term “Security Operations Center”, many people imagine a dedicated team with expensive tools and a room full of monitors. That image can be a SOC, but it is not always the case. A SOC can be one person or multiple groups of people spread across the globe. It can be outsourced to a service provider, staffed with internal resources, or something in between. In short, a SOC is a dedicated person or team focused on delivering cyber security services to an organization, which means a SOC is obtainable by any organization.
Now that you know your organization should have a SOC, what should be expected of it? A SOC is responsible for providing services, and those services need to be aligned with the goals of the organization it protects. The clearest statement of what is expected of a SOC is its mission statement and scope of work. I have seen people with security responsibilities become recognized as a formal SOC by obtaining executive support for a SOC mission statement and scope of work. These fundamental components separate a SOC from a loose collection of security-related services.
Eight Foundational SOC Services
Regarding SOC services, I believe every SOC should provide some form of the following, which I call the foundational SOC services.
- Risk management: Identifying organizational risk and deciding how to treat it. This covers any type of risk, from physically securing assets to patching vulnerabilities in software.
- Vulnerability management: Identifying and managing risk from technical vulnerabilities, most commonly vulnerabilities in software running on servers, laptops and IoT devices. Most SOCs use vulnerability scanners and outside threat intelligence to identify them.
- Incident management: Responding to security-related events. This covers the actions the SOC takes when certain events occur, such as isolating systems, alerting team members and carrying out remediation steps to resolve the issue.
- Analysis: Analyzing artifacts of various types. This includes identifying their characteristics, reverse engineering, vulnerability and exploitation analysis, root-cause analysis, and remediation and mitigation analysis.
- Compliance: Assessing and maintaining organizational compliance requirements.
- Digital forensics: Gathering and preserving evidence after an incident to determine its cause and to prepare for possible legal action.
- Situational and security awareness: Providing the organization with awareness of its operational environment and potential threats.
- Research and development: Researching the ever-evolving threat landscape, developing new tools and techniques, and modifying existing tools to improve effectiveness.
Security Operations Centers: Build, Buy or Partner?
Some of these services can be outsourced, while others can be obtained on demand. For example, a small business will likely not have a digital forensics expert on staff; however, it should know whom to call if legal action needs to be taken after a cyber-related incident.
It is important to point out that buying a tool does not mean a SOC has a service, and having a service does not mean it is an effective one. The security industry uses maturity models to rate the quality of a service. Using vulnerability management as an example, buying a vulnerability scanner would move your organization from a maturity level of zero to one, meaning you can provide ad-hoc vulnerability scanning. Higher maturity requires repeatable processes, which are captured in policies and procedures enforced by SOC management.
DevOps and SOCs: Improving maturity leads to a question I often receive: “What do I need to do to function as a modern security operations center?” My answer is one word: “DevOps.” In this context, DevOps means using code to connect tools and make them work together. It is a critical element for orchestration and automation, that is, being able to automate parts of a SOC service. As technology becomes more advanced, data grows and attacks become more sophisticated, a SOC can’t simply “pedal faster” and hope to keep up. Every SOC service has a breaking point that separates a modern, mature SOC from one that is purely reactive and unable to keep up with the pace of work. I’m often asked during classes I teach, “What skill set should I focus on to get hired in the cyber security field?”, and my answer always includes some form of DevOps.
Security Orchestration, Automation and Response (SOAR)
Bringing technology into the conversation, Security Orchestration, Automation and Response (SOAR) tooling is common in modern SOCs and key to providing mature SOC services. This is especially true for services such as incident response, which are very time dependent. Automation doesn’t have to be complex: simply automating how data is shared between tools, so that an analyst doesn’t have to log in to each one separately, can give valuable time back to the team. I find four areas are popular for automation:
- Enrichment – Adding context to alert data, eliminating manual pivots between tools and automating the workflow that leads to a verdict
- Response – Automating outcomes such as blocking access to a system or removing a file
- Threat Hunting – Combining different data points to identify threats
- Cyber Hygiene – Automating vulnerability management, posture checks and configuration management
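The enrichment and response areas above are the ones most SOCs automate first, and the shape of that automation is simpler than the SOAR label suggests. The following is an added example (not Cisco's, SecureX's or the author's code) of a small playbook that takes alerts as a SIEM or EDR might emit them, joins each one with a threat-intel feed and an asset inventory, renders a verdict, and emits response actions. All alert, intel and asset data is constructed for illustration, and the action strings (`isolate_host`, `block_ip`, `quarantine_hash`, `open_ticket`) are assumed names standing in for whatever a real SOC's tools expose. One design choice worth noting: containment on a high-criticality asset is gated behind an approval step rather than executed automatically.

```python
"""Minimal SOAR-style enrichment-to-response playbook (added example).

All alerts, threat intel and asset data below are constructed for illustration.
Enrichment sources and action names are assumptions; a real playbook would call
the SOC's own SIEM, intel and EDR APIs in their place.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed alerts in the shape a SIEM or EDR might hand to a playbook.
SAMPLE_ALERTS: List[dict] = [
    {"id": "A-1", "host": "ws-0142", "src_ip": "203.0.113.45",
     "sha256": "aa11" * 16, "rule": "suspicious_powershell"},
    {"id": "A-2", "host": "srv-db01", "src_ip": "10.20.30.40",
     "sha256": "bb22" * 16, "rule": "new_service_installed"},
    {"id": "A-3", "host": "srv-db01", "src_ip": "10.20.30.41",
     "sha256": "cc33" * 16, "rule": "outbound_beacon"},
]

# Constructed enrichment sources: an intel feed keyed by indicator and an asset
# inventory keyed by hostname. These replace the manual pivots an analyst makes.
THREAT_INTEL_IPS: Dict[str, str] = {"203.0.113.45": "known C2 node"}
THREAT_INTEL_HASHES: Dict[str, str] = {"cc33" * 16: "trojan.dropper"}
ASSET_INVENTORY: Dict[str, Dict[str, str]] = {
    "ws-0142": {"owner": "finance", "criticality": "medium"},
    "srv-db01": {"owner": "dba", "criticality": "high"},
}

# RFC 1918 ranges checked explicitly: ipaddress.is_private also returns True
# for documentation ranges such as 203.0.113.0/24, which we want treated as external.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip: str) -> bool:
    """True if the address falls inside an RFC 1918 range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


@dataclass
class Enriched:
    alert_id: str
    host: str
    src_ip: str
    sha256: str
    criticality: str
    internal_source: bool
    ip_hit: Optional[str]
    hash_hit: Optional[str]
    verdict: str = "needs_review"
    actions: List[str] = field(default_factory=list)


def enrich(alert: dict) -> Enriched:
    """Join one alert with threat intel and asset context."""
    asset = ASSET_INVENTORY.get(alert["host"],
                                {"owner": "unknown", "criticality": "unknown"})
    return Enriched(
        alert_id=alert["id"],
        host=alert["host"],
        src_ip=alert["src_ip"],
        sha256=alert["sha256"].lower(),
        criticality=asset["criticality"],
        internal_source=is_internal(alert["src_ip"]),
        ip_hit=THREAT_INTEL_IPS.get(alert["src_ip"]),
        hash_hit=THREAT_INTEL_HASHES.get(alert["sha256"].lower()),
    )


def decide(e: Enriched) -> Enriched:
    """Turn enrichment into a verdict and an ordered list of response actions.

    Isolation of a high-criticality asset is routed to a human for approval;
    blocking a known-bad external IP and quarantining a known-bad hash are
    low-regret actions and are issued directly.
    """
    if e.ip_hit or e.hash_hit:
        e.verdict = "malicious"
        if e.criticality == "high":
            e.actions.append(f"request_approval:isolate_host:{e.host}")
        else:
            e.actions.append(f"isolate_host:{e.host}")
        if e.ip_hit and not e.internal_source:
            e.actions.append(f"block_ip:{e.src_ip}")
        if e.hash_hit:
            e.actions.append(f"quarantine_hash:{e.sha256}")
    else:
        e.verdict = "needs_review"
        priority = "high" if e.criticality == "high" else "normal"
        e.actions.append(f"open_ticket:{e.alert_id}:priority={priority}")
    return e


def run_playbook(alerts: List[dict]) -> List[Enriched]:
    """Enrich and decide every alert; returns results for downstream tooling."""
    return [decide(enrich(a)) for a in alerts]


if __name__ == "__main__":
    for r in run_playbook(SAMPLE_ALERTS):
        print(r.alert_id, r.verdict, r.actions)
```

Running it on the constructed alerts shows the three outcomes a playbook has to distinguish: an external known-C2 source on a medium-criticality workstation is isolated and blocked outright, an internal alert with no intel hits becomes a prioritized ticket instead of a response action, and a known-bad hash on the high-criticality database server is quarantined while the isolation waits for approval. Swapping the dictionaries for API calls and the action strings for the EDR's and firewall's real endpoints is the integration work the text is describing.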
To summarize, any organization should have a SOC, and that SOC should provide security services. Those services are graded by maturity, and orchestration and automation are needed to reach a high maturity ranking, which is what makes a modern SOC. Cisco can help your organization’s SOC reach a high maturity ranking through our DevOps certification programs and the SecureX tool, which provides Security Orchestration, Automation and Response at no additional cost when investing in Cisco security. Check out https://developer.cisco.com/ to gain access to free DevOps training and Cisco SecureX, and to learn more about how to apply DevOps within your organization in a simplified manner.
Author Joseph Muniz is a technical solutions architect at Cisco Systems.