People starting out as engineers need to pay attention to the security field. It is a broad field, and it will only become more prominent. Personally, I think that security will be present on the market forever, and it will keep growing — if not exponentially, then at least linearly.
Within the IT security field, various departments and systems ensure proper protection. One of them is the Security Operations Center (SOC).
The term SOC is often regarded as “well-known” in the industry. I put the quotes here because I think that many companies and people who don’t possess enough IT knowledge don’t understand this matter. Don’t get me wrong, I’m not so pretentious as to think that I know everything, but I have my own approach to this topic and enough relevant experience.
As my expertise could help a wider audience understand SOC’s importance, I’ll discuss this topic in detail in this blog post.
What Is SOC?
A Security Operations Center (SOC) is a command center for cybersecurity professionals responsible for monitoring, analyzing, and protecting an organization from cyber-attacks. In a SOC, Internet traffic, internal network infrastructure, desktops, servers, endpoint devices, databases, applications, IoT devices, and other systems are continuously monitored for security incidents. A SOC can be built internally or outsourced — entirely or partially — to external providers.
The SOC staff may work with other teams or departments but are typically self-contained, with employees who have distinguished cybersecurity skills. Most SOCs operate 24–7, with employees working in shifts to monitor network, system, application, and other asset activity continually and mitigate threats.
SOC and Human Factors
So, now I’ll break down SOC to basics, starting with people. In my opinion, people are the leading cause and solution for most problems in IT security.
What do I mean by this?
People build entire SOCs and their related procedures, automate SOC tasks, write the rules for SOC tools (used for detecting malicious behavior), and cover many other things. Each of these elements affects SOC performance.
This means we need educated, well-behaved, meticulous, thorough, and persistent human beings to build a secure and well-maintained SOC.
However, people often don’t want to talk about the security issues they’ve noticed or caused for different reasons. For instance, they think they made an error and fear punishment (losing a percentage of their wage, job, or reputation). We don’t want to shape such a scary environment. Prisons function that way, and we surely don’t want to look or sound like a prison.
A Humane Approach to SOC Mistakes
Everybody can make a mistake, but those mistakes must not pass under the radar and cause damage. Only one thing is wrong in the case of missteps: not learning anything from them. Ideally, I would like every member of my team to feel free to say that they made a mistake. Then the team will focus on solving that matter (or a part of the team, depending on how severe the problem is).
After we solve that, we should sit down to draw the necessary conclusions. If necessary, we’ll apply some procedural changes to increase our security and business efficiency in the future. At this point, we should be able to see the flaws in our current procedures and correct them. From this, you see that every SOC is a living environment under constant change depending on events we see in the systems we monitor.
Primary Tools for an Effective SOC
As cybersecurity incidents and the volume of data they generate grow exponentially, it’s increasingly difficult for organizations to detect cyber threats and handle them properly. We need adequate tools to support these changes: robust, flexible, and reliable solutions, like SIEM and SOAR.
SIEM and SOAR
SIEM stands for Security Information and Event Management, and SOAR is Security Orchestration, Automation, and Response. Let’s briefly explain both.
SIEM tools provide the SOC’s foundation, given their ability to run correlation rules against massive amounts of disparate data to find threats. Integrating threat intelligence adds value to the SIEM by providing context for the alerts and helping prioritize them.
SOAR is an innovative security solution that brings cybersecurity efficiency and effectiveness to businesses of all sizes. SOAR can be part of a SIEM, or it can be a separate tool. What we choose mainly depends on how good the SOAR tool is, whether as a SIEM component or as a totally separate product. SOAR is the most critical tool for raising productivity in a SOC since we can automate many repetitive tasks with it.
Additional SOC Solutions
Besides these core SOC elements, we have additional tools which make our SOC even more efficient. We categorize these tools into the following groups: User and Entity Behavioral Analytics (UEBA), Asset Discovery, Vulnerability Assessment, and Intrusion Detection Systems. User and Entity Behavioral Analytics (UEBA), typically added to the SIEM platform, helps security teams create baselines by applying behavior modeling and machine learning to surface security risks. Based on this, we can easily see anomalies in our network, system, cloud, virtual environment, etc.
Asset discovery or an asset directory helps you understand what systems and tools are running in your environment. It enables you to determine what the organization’s critical systems are and how to prioritize security controls.
Detecting the gaps an attacker can use to infiltrate your systems is critical to protecting your environment. Security teams must search the systems for vulnerabilities to spot these cracks and act accordingly. Some certifications and regulations also require periodic vulnerability assessments to prove compliance.
Intrusion detection systems (IDS) are fundamental tools for SOCs to detect attacks at the initial stages. They typically work by identifying familiar attack patterns using intrusion signatures. But, before we have a signature for any attack, we need to know the pattern of that attack; and we’re back to humans again. Someone needs to recognize the attack, study it, and ensure that others also recognize it.
Mind that there is no IDS/IPS signature for new attacks, no pattern of attack, no instant remediation, etc. In modern systems, what we can typically do is notice anomalous behavior and start our investigation from there. When this happens, the only things that matter are our expertise, experience, and unity in our SOC team.
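To make the contrast between IDS signatures and a UEBA-style baseline concrete, here is an added example in Python (not code from the original post): a small signature check of the kind an IDS performs, run beside a per-user baseline of normal hours and transfer volume of the kind a UEBA builds, over constructed log events. The signature pattern, user names and the z-score threshold are assumptions for the demo.

```python
import re
import statistics
from collections import defaultdict

# Constructed sample events for the demo, not real telemetry:
# (user, hour_of_day, bytes_out, user_agent)
EVENTS = [
    ("alice", 9, 1_200, "Mozilla/5.0"),
    ("alice", 10, 1_500, "Mozilla/5.0"),
    ("alice", 11, 1_100, "Mozilla/5.0"),
    ("alice", 14, 1_300, "Mozilla/5.0"),
    ("bob", 9, 800, "Mozilla/5.0"),
    ("bob", 10, 900, "Mozilla/5.0"),
    ("bob", 11, 750, "Mozilla/5.0"),
    ("bob", 12, 850, "Mozilla/5.0"),
]

# Hypothetical signature list: a pattern an analyst has already studied and written up.
SIGNATURES = {"scanner-ua": re.compile(r"sqlmap|nikto", re.IGNORECASE)}

def signature_hits(event):
    """Signature stage: matches only attacks whose pattern is already known."""
    _, _, _, ua = event
    return [name for name, rx in SIGNATURES.items() if rx.search(ua)]

def build_baseline(events):
    """Per-user baseline: set of normal hours plus mean/stdev of bytes_out."""
    hours, sizes = defaultdict(set), defaultdict(list)
    for user, hour, size, _ in events:
        hours[user].add(hour)
        sizes[user].append(size)
    return {u: (hours[u], statistics.mean(sizes[u]), statistics.pstdev(sizes[u])) for u in hours}

def anomalies(event, baseline, z=3.0):
    """Baseline stage: flags deviation from the user's own history, no signature needed."""
    user, hour, size, _ = event
    if user not in baseline:
        return ["unknown-user"]
    normal_hours, mean, sd = baseline[user]
    reasons = []
    if hour not in normal_hours:
        reasons.append("unusual-hour")
    if sd and abs(size - mean) / sd > z:  # sd == 0 means no volume baseline yet
        reasons.append("unusual-volume")
    return reasons

def classify(event, baseline):
    sigs = signature_hits(event)
    if sigs:
        return ("signature", sigs)
    anom = anomalies(event, baseline)
    return ("anomaly", anom) if anom else ("normal", [])

BASELINE = build_baseline(EVENTS)
```

An event that matches no signature at all, such as a known user logging in at 3 a.m. and moving far more data than usual, still surfaces through the baseline stage, which is the starting point for the human investigation the text describes.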
The Key SOC Positions
These are the major roles in every Security Operations Center.
Security Analyst
Security Analysts see everything and react to any strange situation, and they should generally have a background or interest in security. I said ‘background or interest’ because the Security Analyst position is an entry position for SOC.
Bear in mind there are several levels of Security Analysts: Beginner, Intermediate, and Expert. Depending on the current company organization, they later usually become Security Engineers or Team Leads.
Security Engineer
Next in line is the Security Engineer. This person should have education and knowledge in the security field. Since security is a relatively new area, there aren’t many college or faculty graduates with relevant knowledge of this topic. So, that leaves us with a relatively small number of people who finished one of the related technical departments (software engineering, telecommunications, and similar) and decided to focus on security.
Also, people in security need to be entirely security-oriented and deeply immersed in this field, since this niche is constantly changing. Among the Security Engineers, one should have managerial and architectural skills to lead the team of security engineers and organize the SOC systems, adapting them to the needs of the customers using the SOC.
Threat Researcher — Internal or Outsourced
Threat research is another exciting security field. It is also a way to develop skills as a security engineer. Usually, whoever goes this way stays there forever. If hiring a Threat Researcher is not an option, the threat feed for our SOC can be outsourced. In this feed, we get all data about known and possible threats. Still, in this case, our SOC efficiency depends on a third party and their efficiency. So, for this to work, we need a trustworthy partner who will respect our SOC needs as they fluctuate.
Head of SOC Services
The Head of SOC or SOC Services — my role at UN1QUELY — is another vital position in the SOC. This position includes the following obligations:
- Creating a development strategy for the SOC and the SOC Service, including third-party tools. This strategy specifies how many tools we’ll use for our SOC and which tools are most suitable for it.
- Making a financial strategy in cooperation with the financial department.
- Defining the general SOC architecture and what positions are needed for SOC to function efficiently.
- Writing security playbooks and procedures together with security engineers. So, the head of SOC needs to know a lot about security (in multiple areas, if possible).
Note: Security engineers constantly examine security procedures and playbooks. These documents should be changed if we (security engineers and the head of SOC) notice that something could be done more efficiently.
The Final Word
At the end of this blog (one of many, I believe), I hope you now see how dynamic and diverse the SOC environment is. Every aspiring engineer wants to be surrounded by so many different technologies and knowledgeable people. At least I would like to be in that environment, and I know I would be eager to learn from others and share my point of view with people who ‘speak the same language.’
Finally, a perfect Security Operations Center is possible, but only if you adequately manage its human and technical assets and make everything work like a Swiss watch. It sounds a bit cliché, but that’s the whole point, and it should stay like that as long as SOC lives.