The Complete Guide to Security Operations Centers

Security operation centers (SOC) are oriented in the protection of confidentiality, integrity and availability of the information assets in the network and services of the company. 

What does a Security Operations Center do and why is it important?

The SOC allows the companies to centralize, visualize and manage information assets. Also help to detect, prevent and remedy cybersecurity events

Main tasks of a security operations center are:

• Monitor and analyze events from the different sources to detect possible malicious behavior.
• Identify security risks, global trends, sector trends and company trends that could affect the company.
• Prevent the materialization of a security risk using a proactive security analysis of information assets of the company. As a result you will have a risk mitigation plan.
• Manage security incidents in order to reduce the Impact of the materialized risk in the company
• Support company areas that need it in security crisis.

Technology, Process and People

Technology: Technologies that support a SOC can be dividend in 4 categories:

1. SIEM technologies: They are responsible for centralizing, processing, analyzing and presenting all the data collected from different sources in a single application that allows technical and executive people to know what is happening in their network and take decisions based on that.
Some options that you can find in the market are:

• SIEMonster
• ELK + some plugins
• OSSIM
• LogRhythm
• Qradar
• Splunk
• ArcSight

2. Monitoring and Control technologies: These are the data sources that SIEM will receive. Correct configuration and knowledge of this controls is the base of a good analysis. Some examples of technologies of this category are:

• Perimeter security solutions: Firewall, VPN, Proxy
• Network security solutions: NAC, IDS/IPS, vulnerability scanner
• Endpoint security solutions : Antivirus, DLP, EDR
• Infrastructure monitoring tools
• Applications and OS logs

3. Incident response technologies: In case of an incident, it is necessary to have tools to allow the identification of the involved devices, recover affected files, analyze event logs. For example:

• Vulnerability scanner
• Application log analyzer
• Forensic tools

4. Management technologies: The main aim of a security operations center is to impact the business strategy. Implementing tools that allow traceability, documentation and reporting will be fundamental.
Some of the technologies of this category are:

• Ticketing
• Reporting
• Inventory

Process: Defined processes should allow the answer of some of these questions on each topic.

1. Crown jewel: Which are the critical information assets? Where are them? How are them protected? How you plan to protect them?
   
2. Risk management: How to identify, classify and manage risks in the company? Who is the responsible of an information asset and who is responsible of its protection?
   
3. Incident response: Which are the parameters for classify an incident as low, medium, high or critical priority? Who must be informed? Who is responsible of the mitigation?
   
4. Security awareness: Is the CEO aware of the importance of security information in the company? Are the employees aware of their responsibility in the company security? Does the budget of the company includes investment on cybersecurity?
   
5. Continuous evolution: Does the SOC direct communication with cybersecurity community? Does the SOC direct communication with another SOCs in order to share IoCs, troubleshooting, etc? Are there documentation processes to ensure that the well-known problems database keep updated?
   
6. Information segmentation: Who has view access to a specific information asset? Who has edition access to a specific information asset?

People: People involved in a security operations center must have at least following skills

1. Hard skills:

• Defensive and offensive security
• Networking
• System administration
• Forensics

2. Soft skills:

• Communication
• Client management
• Project management
• Problem solving
• Teamwork

It is common for a security operations center to be hired as a service in companies where security is not their core business because it reduces costs and effort but ensures a security control. In these cases, communication between the SOC provider and the business analyst is critical to getting the most benefit from the service for the business.

SOC is a wide and dynamic topic. I hope that with this article you have a general idea about it.