Managed Security Operations Center (SOC) in CybersecurityPublish Date: August 2, 2018
New-age cyber-attacks are more advanced, robust, and impudent and varied in nature and mode of the outbreak. Organizations are always susceptible to the intellectual property theft as existing legacy security solutions are proving to be inadequate and obsolete in the light of a new wave of cyber-attacks. The continuously increasing demand for expertise in cybersecurity put forth newer and difficult challenges in bringing up integrated solutions to the problems. The need is growing for a flexible, fast solution, based on the proven Security Operations Center (SOC) model, providing end-to-end managed services to meet rapidly evolving security challenges.
What is the role of Security Operations Centers (SOC) in Cybersecurity?
A security operations center (SOC) can be a team working round the clock or a dedicated functional facility organized to detect, assess, prevent, and respond to any cybersecurity threat or incident. A SOC is required to fulfill and assess regulatory compliance. Though not unheard of, internal security operational capabilities are mostly limited and to build an internal SOC is costly and need time-consuming efforts. Also, internal SOC requires ongoing attention to be effective. Therefore, many large and even medium-sized organizations opt for options of having a third-party managed security service.
- Improved communications and shared knowledge to enhance situational awareness and response capabilities
- Reduced incident response times by enabling the Information Security function and IT to work together toward common goals, with each contributing specialized skills and experiences
- Improved countermeasure planning though joint accountability for identification and resolution of causes
- Streamlined incident management reporting with valuable technical context
Types of SOC models
- No dedicated facility
- Part-time team members mostly selected from existing teams of other functions
- More reactive than proactive
- Reactive, activated when a critical alert or incident occurs
- Only activated during a critical alert
- Dedicated facility available for complete work hours and beyond
- Dedicated team
- Expertise specifically targeted for cyber incidents
- Fully in-house
Co-managed/ Distributed SOC
- Dedicated and semi-dedicated team members
- Mostly operative during working hours (Typically 5×8 operations)
- When used with an MSSP, it is co-managed
- Can be used with external third-party management
- Coordinates other SOCs
- Provides threat intelligence, situational awareness, and additional expertise
- Very rarely directly involved in day-to-day operations
Multifunction SOC / network operations center (NOC)
- A dedicated facility having a dedicated team performing not just security, but other critical 24/7 IT operations from the same facility to reduce costs
- Traditional SOC functions and new ones, such as threat intelligence, computer incident response team (CIRT) and operational technology (OT) functions, are integrated into one SOC facility
In addition to the six models above, where the customer’s internal security teams are involved in varying degrees, there is another “fully outsourced” model. In fully outsourced models, a service provider builds and operates the SOC with minimal (or at best, supervisory) involvement from the customer organization.
Any combination of these different types can be used in any organization based on the requirement of prevention and mitigation for cyber-attacks. Also, the function can be outsourced completely. Where a service provider shapes and operates the SOC with minimal involvement from the client organization.
Reasons to opt for SOC
The strategic business impact of a SOC makes it a critical initiative for organizations.
Organizations are building internal security operations capabilities because they want more control over their security monitoring and response process and also to have more informed conversations with regulators.
Let’s understand the actual requirements for SOC from the organizational point of view. Every organization needs complete control over the organization’s security monitoring and response process. Frequent and informed communications with the regulatory bodies build confidence and response to the uncertainties becomes less surprising. A roadmap for response planning can be ready in advance to avoid last minute chaos leading to business issues. SOC becomes a must and critical for organizations due to its direct business impact.
Recommendations to build a SOC capability:
In case the organization decides to build the in-house SOC capability due to any reason or a vendor is involved at any stage, following recommendations are useful during the complete process of analyzing the requirement, building competencies, making an assessment, planning response, and finally taking preventive or curative actions.
- Perform a pre-process cost-benefit analysis of different security operations models before deciding and finalizing on an internal SOC
- Emphasize on aligning SOC deliverables with business objectives
- Develop goals and metrics for the SOC
- Identify which business functions have critical business value to focus the vision
- Consider the pros and cons of having a managed service and compare the cost of operations (concurrent and fixed)
- Develop competencies and plan for retaining the competent staff available with the function
- Enable buyers to plan budgets for SOC projects by aligning pricing and service catalogs to buyer maturity with the ultimate objective of growing SOC maturity for the buyer in a structured manner.
- Gain a competitive edge by focusing on industry-specific use cases for SOCs and helping customers evolve SOC metrics that are unique to their organization.
- Focus on aligning SOC deliverables with business objectives by developing tightly defined goals and metrics that the SOC needs to deliver against.
- Consider use of MSSP services to offset the cost of 24/7 SOC operations and to fill coverage gaps.
- Develop a SOC staff retention strategy from the outset.
Advantages of Managed SOC
- The third party to deal with providing the technology, manpower, and expertise
- Your organization’s digital assets are protected 24/7
- Internal staff can focus on functional work activities without being bothered for the cyber issues
- Real-time protection to the organization,
- Reduced risks exposure in the ever-changing security threat environment.
- Information related to events, vulnerabilities, threats is available in real time to propose and perform actions.
- Cyber-intelligence is available for real-time situational awareness.
- The required part of organizational functions can be focused
- Sources may include network devices, security appliances in organizational, operational environment
- Robust knowledge about threat Intelligence using different global watchlists and databases
Key Components of Managed SOC
A Managed SOC needs few requirements to fulfill to be more robust and create an attack-immune protected environment in which organization can function without being burdened with the challenge of monitoring and controlling cyber threats. These efforts need to be focused on using the following guidelines.
- Competency and expert knowledge: An internally managed SOC needs to build a team of vigilant security experts whereas a managed SOC mostly has a certified expert team which can be directly deployed by a client organization
- Training: Experts teams need to continuously upgrade for their knowledge and skills to remain robust in the fast-changing cyber environment. The training needs to be focused on the latest network security equipment, security updates, the latest attacks, hacks, and so on. While the vendor organization can manage the training of their staff, internally-managed SOC needs to be trained within the organization or the training cab outsourced.
- Reporting: Real-time, integrated, action-oriented intelligence is useful for decision makers to control the situations with preventive and corrective actions. The decision makers may involve security analysts, systems engineers, or cyber-experts to analyze the state and suggest improvements in the organizational security.
- Managed Services: When the cyber-security solution is outsourced, it is expected that a team of certified security specialists provide services to the client organizations; the following are the suggested few:
- 24/7 Security monitoring and real-time information availability
- Firewalls Appliances
- Event Handling and incident response
- Continuous diagnostics and mitigation (isolated or informed consent)
- Unified Threat Management solutions
- Virtual Private Network solutions
- Patch Deployment Solutions
- Anti-malware solutions
- Cloud Security
- Vulnerability management
External managed SOCs focus on the business value delivered to organizations by providing monitoring and control support in real-time to save client’s critical business data. These vendors may also enable buyers to plan the budgets for SOC projects to increase the SOC maturity in a structured manner. These managed SOC providers get the competitive edge due to the industry-specific use cases for SOCs. They can, therefore, help customers advance SOC metrics customized and probably unique to their organization.
Typical SOC Framework – Illustrative Purpose
Get more than what you think from your security solutions with YASH.
Manga Sridhar Akella-Program Manager Information Security @YASH Technologies
Program Manager Information Security @YASH Technologies