
Inside the SOC: the nerve centre of security operations

Security operations centres are the bedrock of any cyber defence strategy, but operating one is increasingly challenging, with mounting workloads and a shortage of skilled personnel


A security operations centre (SOC), as its name suggests, is responsible for operationalising security. This means the SOC team’s primary goal is not to devise cyber security strategy, but to make sure the security of the organisation’s assets and data is taken care of on a day-to-day basis.

To do so, SOC security analysts use a combination of technology solutions and processes to monitor, detect and respond to security incidents. An SOC monitors and analyses alerts and activities on endpoints such as laptops and smartphones, as well as networks, servers, databases, applications and other enterprise systems. Analysts look for what are known as indicators of compromise: small clues that show an attack may be under way or imminent.

“Their job is paramount in unearthing events that may seem harmless on their own, but, when viewed together, could indicate a massive attack,” says Nilesh Jain, vice-president for Southeast Asia and India at Trend Micro. “The SOC team’s job is to find these events, piece together the information and stop the attack before it happens or to understand why it has happened.”

In terms of technology, the SOC is often equipped with firewalls, intrusion detection and prevention systems, breach detection capabilities – and, most importantly, a security information and event management (SIEM) system.

The SIEM system can be likened to an aggregator that takes log data from dozens to hundreds of suppliers’ products and tries to make sense of them, in order to produce meaningful alerts.

“While it’s pretty awesome as it is now, a SIEM system is wide but shallow,” says Jain. “It collects from a lot of things, but the information it collects is limited. Another limitation is that a SIEM system doesn’t have an inherent response component, functioning more as a detection tool or a fire alarm that’s not connected to the sprinklers.”

So why have a SOC? Isn’t having a security team enough?

First, a SOC is very beneficial for a large organisation with hundreds or thousands of assets and people. The scale is simply too large for a security team.

Second, a SOC team monitors threats around the clock. This enables timely detection of threats, regardless of the time of day.

Third, it takes a high level of technical expertise to analyse security threats collected from various touchpoints, a task that requires the collective experience of an SOC team, which works closely with the incident response team to address security issues quickly.

Typical SOC activities

Different SOCs may have different processes when it comes to security operations. Here are the typical activities that go on in an SOC:

24/7 monitoring: Monitoring logs for critical alerts and investigating them, via automated or manual means, to deliver details on new threats. CenturyLink, a managed security service provider (MSSP) that operates an SOC in Singapore, uses on-premise log collectors – typically virtual machines – to facilitate log collection.

While CenturyLink’s log collector aggregates and receives logs from log sources, it also monitors the availability, health and performance of those sources. This telemetry information, together with the logs it receives, is encrypted, compressed and ingested into its SIEM platform, says Cheah Wai Kit, director for security product management at CenturyLink Asia-Pacific.

The SIEM platform then logically segregates the log data according to the organisation or tenant it belongs to, before parsing the data to locate meaningful information.

“By doing so, we can effectively make sense out of the information, and perform analytics and correlation on them,” says Cheah. “With millions of events occurring every hour, we ingest and parse a huge volume of logs at any point.”
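The collector-to-SIEM flow described above (per-source availability tracking, segregation by tenant, parsing, then per-tenant correlation) as an added illustration; this is example code written for this article, not CenturyLink's platform. The key=value log format, the tenant and source names and the sample records are all constructed.

```python
import re
from collections import defaultdict

# Constructed sample batch as a collector might forward it: each record carries
# the tenant it belongs to, the emitting source and the raw line (hypothetical format).
SAMPLE_BATCH = [
    {"tenant": "acme", "source": "fw-01", "ts": 1000,
     "line": "action=deny src=10.0.0.5 dst=203.0.113.9 dport=445"},
    {"tenant": "acme", "source": "fw-01", "ts": 1010,
     "line": "action=deny src=10.0.0.5 dst=203.0.113.9 dport=445"},
    {"tenant": "globex", "source": "fw-07", "ts": 1005,
     "line": "action=allow src=10.9.0.2 dst=198.51.100.4 dport=443"},
    {"tenant": "acme", "source": "fw-01", "ts": 1020,
     "line": "action=deny src=10.0.0.5 dst=203.0.113.9 dport=445"},
]

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Parse a key=value log line into a dict (hypothetical vendor format)."""
    return dict(KV_RE.findall(line))


def ingest(batch):
    """Segregate records by tenant and track the last-seen time of every source."""
    by_tenant = defaultdict(list)
    last_seen = {}
    for rec in batch:
        parsed = parse_line(rec["line"])
        parsed["_source"] = rec["source"]
        parsed["_ts"] = rec["ts"]
        by_tenant[rec["tenant"]].append(parsed)
        key = (rec["tenant"], rec["source"])
        last_seen[key] = max(last_seen.get(key, 0), rec["ts"])
    return by_tenant, last_seen


def silent_sources(last_seen, now, max_silence):
    """Availability check: sources silent for more than max_silence seconds."""
    return sorted(k for k, ts in last_seen.items() if now - ts > max_silence)


def correlate_denies(events, threshold):
    """Per-tenant correlation: same src->dst:dport denied at least threshold times."""
    counts = defaultdict(int)
    for e in events:
        if e.get("action") == "deny":
            counts[(e["src"], e["dst"], e["dport"])] += 1
    return {k: n for k, n in counts.items() if n >= threshold}
```

Because correlation runs over one tenant's events at a time, a rule firing for acme never sees globex's data, which is the point of segregating before parsing.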

Proactive threat hunting: Trend Micro’s Jain says SOCs may also use intelligence-driven (based on threat intelligence reports, intelligence feeds, malware analysis) or situational awareness-driven (suspicious events or indicators affecting critical assets within the network) methods to look for threats.

Root cause analysis: Endpoint data serves as the basis for root cause analysis, which shows where the threat originally entered the endpoint (email, web, USB drives, application, and so on), how it spread, and what devices were affected. This is important so that the organisation can understand the infection vector and trajectory. Root cause analysis also helps to identify endpoint security gaps and to paint a clearer picture of the attack.

Impact analysis: A new alert discovered in a customer environment is checked against metadata stores to see whether that file is on other protected systems, as well as what other systems the compromised hosts may have tried to access, infect or spread to.

Incident prioritisation: With threat data and customer-shared environment data, the SOC team can help identify which threat an organisation needs to prioritise.

Threat response: The SOC should provide detailed remediation options where applicable, and custom clean-up tools may be used to help the organisation recover from the threat. Many SOC teams also perform remediation.
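The impact analysis and incident prioritisation activities above, as an added worked example (not code from the article or from any SOC mentioned in it): a new file alert on one host is checked against a metadata store to find other protected systems holding the same file, the connection log shows what those hosts reached, and the result is prioritised by whether critical assets are involved. The host names, hashes, connections and asset list are constructed placeholders.

```python
from collections import defaultdict

# Constructed metadata store: which file hashes have been seen on which protected hosts.
FILE_INVENTORY = {
    "ws-101": {"sha256:aaaa", "sha256:bbbb"},
    "ws-102": {"sha256:bbbb"},
    "srv-db-1": {"sha256:cccc"},
    "ws-103": {"sha256:aaaa", "sha256:cccc"},
}
# Constructed connection log: (src_host, dst_host, dst_port).
CONNECTIONS = [
    ("ws-101", "srv-db-1", 1433),
    ("ws-101", "ws-102", 445),
    ("ws-103", "srv-file-1", 445),
    ("ws-102", "srv-mail-1", 25),
]
# Constructed list of assets the organisation has marked as critical.
CRITICAL_ASSETS = {"srv-db-1", "srv-file-1"}


def hosts_with_hash(inventory, file_hash):
    """Other protected systems on which the flagged file has already been seen."""
    return sorted(h for h, hashes in inventory.items() if file_hash in hashes)


def reached_from(connections, compromised):
    """Systems the compromised hosts tried to reach, with the ports used."""
    targets = defaultdict(set)
    for src, dst, port in connections:
        if src in compromised and dst not in compromised:
            targets[dst].add(port)
    return {dst: sorted(ports) for dst, ports in sorted(targets.items())}


def impact_analysis(inventory, connections, alerted_host, file_hash):
    """Scope a new alert: where else the file is and what the affected hosts touched."""
    compromised = set(hosts_with_hash(inventory, file_hash)) | {alerted_host}
    return {"compromised": sorted(compromised),
            "reached": reached_from(connections, compromised)}


def priority(result, critical):
    """High if a critical asset is compromised or was reached, else medium."""
    touched = set(result["compromised"]) | set(result["reached"])
    return "high" if touched & critical else "medium"
```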

While cyber security analysts play an integral role in running an SOC, there must be a set of processes focusing on outcomes to support it, says Roland Lau, vice-president for managed security services at Ensign InfoSecurity, a Singapore-based MSSP.

“A playbook, with clear outcome-based objectives, can be developed and deployed to reduce response time and workload for analysts as now they have a full picture on what they are required to work on,” Lau says.

“An organisation needs to have a clearly defined playbook of how to respond to different types of threats and how to do vulnerability management and utilise cyber threat intelligence. The playbook can be automated, manual or both to give analysts the degree of standardisation and scale it needs to manage security incidents properly,” he adds.

SOC challenges

Citing a recent report by the Ponemon Institute, which surveyed 554 IT and cyber security practitioners working in organisations that have an SOC, Jain notes that 58% of respondents rated their SOC’s effectiveness low. Reasons cited include the lack of visibility into network traffic, lack of timely remediation, complexity and lack of skilled personnel.

The research also revealed that workplace stress is another major problem, making it hard for organisations to hire and retain experienced cyber security professionals.

According to the report, increasing workload leading to burnout (73%), lack of visibility (72%), being on call 24/7 (71%), and alert overload (69%) are the top reasons why working in an SOC is taking a toll on security analysts.

On top of that, the difficulty in threat hunting is also contributing to workplace stress. “There are simply too many indicators of compromise to track, too much internal traffic to compare against the indicators, and too many false positives,” says Jain.


CenturyLink’s Cheah adds that false positives can consume a large part of security analysts’ time and make it more difficult to notice when a real or true incident occurs.

“The SOC analysts’ job is to find the needle in the haystack,” he says. “We need to have a continuous calibration of rules or use cases to achieve the right noise-to-signal ratio.”

All these challenges are exacerbated by a shortage of skilled SOC personnel in the market. “There are just not enough security professionals with the right skills and experience,” says Cheah. “Talent retention is an uphill task that many organisations struggle with. It’s not easy to convince talented and technically skilled security professionals to work on shift rosters.”

Automation and the use of machine learning are cited as ways to overcome the challenges of running an SOC. This includes optimising SOC performance with the security orchestration, automation and response (Soar) technology stack to automate playbooks and monotonous elements of the daily workflow.

Cheah says this will relieve SOC analysts of routine tasks, freeing them up to focus on real incident response and cyber defence strategies. “With automation, we can achieve better response time and quicker triage of cases,” he says. “It will also translate to lower dwell time of an attack and reduce the risk of a data breach.”

Some MSSPs, such as Ensign InfoSecurity, also use a threat detection and analytics engine at their SOCs to perform real-time behavioural profiling, enabling them to stay ahead of fast-evolving tactics, techniques and procedures (TTPs) by examining anomalies in a network, such as malicious behaviour or patterns associated with different types of cyber threats.

To outsource or not?

Smaller and mid-sized organisations often do not have the resources or ability to manage or operate an SOC on their own. In fact, most mid-sized companies have very lean IT teams and usually cannot afford to hire adequate cyber security personnel, let alone build an SOC. 

Large multinational companies or conglomerates might have the financial means to build and operate their own SOC, but Cheah says many of them run autonomous businesses fragmented by geographies and lines of business. It also does not make sense for a multinational to decentralise cyber security and have each country team set up its own SOC, for various reasons, he adds.

“In order to establish a central SOC, companies would require strong governance and risk management, on top of the challenges in managing, recruiting, staffing and operating the SOC,” says Cheah. “It makes more sense for organisations with diverse business environments and a less mature cyber security posture to outsource their SOC needs to an MSSP that can augment their security capabilities.

“A reliable, round-the-clock, process-driven SOC provides a more robust cyber risk management control to organisations. This way, these organisations can focus on governance and compliance, align their policies to their core businesses, and deliver a positive customer experience.”
