Security operations center: 5 key functions your SOC should perform
In today’s increasingly digital and interconnected world, organizations need to be there for their customers and employees constantly, regardless of where and when they need access to their services.
While modern technology has made this connectivity easy to implement and maintain, these very tools and business requirements have also made it easier for cybercriminals to probe for vulnerabilities and attempt to gain unauthorized access to enterprise systems around the clock and from around the world.
These dueling pressures gave rise to the need for organizations to constantly monitor their networks and devices for risks to their data and assets. Because of the scale and sensitivity of operations, organizations also had to develop a consistent methodology to monitor for and prioritize how they respond to various alerts and events that could point to malicious or accidental anomalies.
Formalizing these functions led to the creation of a security operations center (SOC) and the security professionals who operate and manage them, known as SOC analysts.
So what are the key functions that a SOC performs, and how can your organization lay the foundation for an effective center for your enterprise?
What is a security operations center?
A security operations center is a team of security professionals responsible for:
- Monitoring a network of sensors and security tools to proactively identify potential cybersecurity threats 24/7/365.
- Analyzing identified anomalies for their severity and potential impact and prioritizing them for remediation.
- Isolating incidents and implementing controls to prevent future events.
While not all SOCs are the same, they are usually staffed by SOC analysts, network engineers, malware analysts and other cybersecurity professionals who use enterprise and network-based monitoring tools. Larger organizations may organize their SOC analysts into tiers, allowing them to elevate more complex technical challenges to be handled by specialists with more experience.
What are the key functions of a security operations center?
SOCs consolidate all of the functions and systems for the enterprise's security, including endpoint devices. These typically include:
- Network monitoring and incident detection
- Incident management
- Problem management
- Endpoint administration
- Security system administration
1. Network monitoring and incident detection
Network monitoring runs 24x7, hunting for suspicious activity in the output of security tools that watch network traffic and device activity. These tools can include:
- Intrusion prevention systems (IPS)
- Data loss prevention systems (DLP)
- Security information and event management (SIEM)
- Antivirus
If a threshold for anomalous activity is exceeded or an unusual event log is identified, the SOC team is immediately notified to respond and triage the incident. Triage then determines whether the activity is part of normal operations or threat-like behavior.
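The threshold-and-triage flow described above, as an added example that is not part of the original article. It runs a simple detection rule (a sliding-window count of failed logins per source; the threshold of 5 failures in 60 seconds and the allowlist of known benign sources are assumed values, not from the article) over constructed sample log lines, then performs the first triage step: deciding whether the source is expected normal operations or threat-like and should be escalated.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (not from any real system).
# Format: "<ISO time> <host> <event> src=<ip> user=<name>"
SAMPLE_LOGS = """\
2024-05-01T08:00:01 vpn01 AUTH_FAIL src=203.0.113.7 user=alice
2024-05-01T08:00:04 vpn01 AUTH_FAIL src=203.0.113.7 user=bob
2024-05-01T08:00:09 vpn01 AUTH_FAIL src=203.0.113.7 user=carol
2024-05-01T08:00:12 vpn01 AUTH_FAIL src=203.0.113.7 user=dave
2024-05-01T08:00:15 vpn01 AUTH_FAIL src=203.0.113.7 user=erin
2024-05-01T08:01:00 vpn01 AUTH_OK   src=198.51.100.20 user=frank
2024-05-01T08:02:00 vpn01 AUTH_FAIL src=10.0.0.5 user=svc_scan
2024-05-01T08:02:01 vpn01 AUTH_FAIL src=10.0.0.5 user=svc_scan
2024-05-01T08:02:02 vpn01 AUTH_FAIL src=10.0.0.5 user=svc_scan
2024-05-01T08:02:03 vpn01 AUTH_FAIL src=10.0.0.5 user=svc_scan
2024-05-01T08:02:04 vpn01 AUTH_FAIL src=10.0.0.5 user=svc_scan
2024-05-01T09:30:00 vpn01 AUTH_FAIL src=203.0.113.9 user=alice
"""

# Detection rule (assumed values): 5 or more failures from one source within 60 seconds.
THRESHOLD = 5
WINDOW = timedelta(seconds=60)

# Assumed allowlist: sources whose failures are expected, e.g. an internal authorised scanner.
KNOWN_BENIGN_SOURCES = {"10.0.0.5"}


def parse_line(line):
    """Split one log line into a dict of timestamp, host, event and key=value fields."""
    ts, host, event, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return {"ts": datetime.fromisoformat(ts), "host": host, "event": event, **kv}


def detect_bruteforce(lines, threshold=THRESHOLD, window=WINDOW):
    """Sliding-window count of AUTH_FAIL per source; one alert per source when the threshold is first crossed."""
    recent = defaultdict(deque)   # source ip -> timestamps of recent failures
    alerted = set()
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        ev = parse_line(line)
        if ev["event"] != "AUTH_FAIL":
            continue
        q = recent[ev["src"]]
        q.append(ev["ts"])
        # Drop failures that fell out of the window
        while q and ev["ts"] - q[0] > window:
            q.popleft()
        if len(q) >= threshold and ev["src"] not in alerted:
            alerted.add(ev["src"])
            alerts.append({"src": ev["src"], "host": ev["host"], "count": len(q),
                           "first": q[0], "last": ev["ts"]})
    return alerts


def triage(alert, benign=KNOWN_BENIGN_SOURCES):
    """First triage step: known benign source -> normal operations; otherwise threat-like, escalate."""
    if alert["src"] in benign:
        return {**alert, "disposition": "normal-operations", "escalate": False}
    return {**alert, "disposition": "threat-like", "escalate": True}


def run(log_text=SAMPLE_LOGS):
    """Detect over the sample logs and return the triaged alerts in order of detection."""
    return [triage(a) for a in detect_bruteforce(log_text.splitlines())]


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

On the sample data the rule fires twice: once for 203.0.113.7 (escalated as threat-like) and once for the internal scanner 10.0.0.5 (recorded but treated as normal operations). The single failure from 203.0.113.9 never reaches the threshold, which is the point of windowed counting rather than alerting on every failed login.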
2. Incident management
With an incident identified, the SOC should follow a prescribed incident management process. This process will include elements such as:
- Documentation: Gathering the information that contributes to the understanding of the scope and type of incident.
- Corrective action: Isolating or eliminating the risk to limit the negative impact of the incident and working to prevent it from recurring.
- Investigation: Determining the root cause of an incident to learn its source and to introduce the necessary controls to limit any security gaps.
- Closure: Verifying that the incident was properly documented and remediated and that any relevant processes or controls are updated to prevent a recurrence.
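The four elements above expressed as an incident record that enforces them, as an added example that is not part of the original article. Closure is refused until documentation, a corrective action, a root cause and updated controls are all recorded, which is the check the closure step describes. The severity-based acknowledgement targets (ACK_SLA) are assumed values standing in for the SLAs a SOC would define; the article gives no figures. The phishing scenario in worked_example() is constructed.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional

# Assumed acknowledgement targets per severity (illustrative, not from the article).
ACK_SLA = {
    "critical": timedelta(minutes=15),
    "high": timedelta(hours=1),
    "medium": timedelta(hours=4),
    "low": timedelta(days=1),
}


class IncidentStateError(Exception):
    """Raised when a step is attempted out of order or closure prerequisites are missing."""


@dataclass
class Incident:
    ident: str
    severity: str
    opened_at: datetime
    state: str = "new"
    acknowledged_at: Optional[datetime] = None
    # Documentation: what was affected and what kind of incident it is
    scope: List[str] = field(default_factory=list)
    incident_type: Optional[str] = None
    # Corrective action, investigation result and the controls introduced afterwards
    corrective_actions: List[str] = field(default_factory=list)
    root_cause: Optional[str] = None
    controls_updated: List[str] = field(default_factory=list)
    timeline: List[tuple] = field(default_factory=list)

    def _record(self, step: str, when: datetime) -> None:
        self.timeline.append((when, step))

    def acknowledge(self, when: datetime) -> None:
        self.acknowledged_at = when
        self._record("acknowledged", when)

    def ack_within_sla(self) -> bool:
        """True when the analyst acknowledged the incident inside the target for its severity."""
        if self.acknowledged_at is None:
            return False
        return self.acknowledged_at - self.opened_at <= ACK_SLA[self.severity]

    def document(self, scope, incident_type: str, when: datetime) -> None:
        self.scope = list(scope)
        self.incident_type = incident_type
        self.state = "documented"
        self._record("documented", when)

    def contain(self, action: str, when: datetime) -> None:
        if self.state not in ("documented", "contained"):
            raise IncidentStateError("document scope and type before taking corrective action")
        self.corrective_actions.append(action)
        self.state = "contained"
        self._record("corrective action: " + action, when)

    def investigate(self, root_cause: str, controls, when: datetime) -> None:
        if self.state != "contained":
            raise IncidentStateError("contain the incident before recording the investigation result")
        self.root_cause = root_cause
        self.controls_updated = list(controls)
        self.state = "investigated"
        self._record("root cause: " + root_cause, when)

    def close(self, when: datetime) -> None:
        """Closure check: every element must be present or the record stays open."""
        missing = []
        if not (self.scope and self.incident_type):
            missing.append("documentation")
        if not self.corrective_actions:
            missing.append("corrective action")
        if not self.root_cause:
            missing.append("root cause")
        if not self.controls_updated:
            missing.append("updated controls")
        if missing:
            raise IncidentStateError("cannot close, missing: " + ", ".join(missing))
        self.state = "closed"
        self._record("closed", when)


def worked_example() -> Incident:
    """Walk a constructed phishing incident through all four elements."""
    t0 = datetime(2024, 5, 1, 9, 0)
    inc = Incident("INC-0001", "high", opened_at=t0)
    inc.acknowledge(t0 + timedelta(minutes=20))
    inc.document(["mail-gw01", "workstation of user alice"], "phishing with credential capture",
                 t0 + timedelta(minutes=40))
    inc.contain("reset alice's credentials and revoke active sessions", t0 + timedelta(hours=1))
    inc.investigate("mail gateway rule allowed a lookalike sender domain",
                    ["lookalike-domain block rule added on mail-gw01"], t0 + timedelta(hours=3))
    inc.close(t0 + timedelta(hours=4))
    return inc


def premature_close_is_rejected() -> bool:
    """Closure must fail while corrective action and investigation are incomplete."""
    inc = Incident("INC-0002", "medium", opened_at=datetime(2024, 5, 1, 10, 0))
    inc.document(["web01"], "web server defacement", datetime(2024, 5, 1, 10, 30))
    try:
        inc.close(datetime(2024, 5, 1, 11, 0))
    except IncidentStateError:
        return True
    return False
```

The timeline list doubles as the audit trail a reviewer checks at closure; in a real ticketing system the same gate is usually a required-fields rule on the "close" transition.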
3. Problem management
Problem management is a process for better understanding and managing the underlying root causes of incidents to prevent future issues. It uses a structured approach toward eliminating service-affecting issues and helps the SOC prevent issues before they can occur. These efforts help the organization to continuously improve and remain proactive in its security posture.
4. Endpoint administration
This function provides a centralized and real-time view of enterprise devices and their security posture. A SOC can work with endpoint and infrastructure device security tools to:
- Detect and prevent issues.
- Perform remote device administration.
- Deploy patches and updates.
- Adjust configurations and rules.
These operations help keep enterprise devices up to date on security standards and ahead of evolving threats.
5. Security system administration
This function requires working with internal stakeholders, process owners and third-party providers to implement and maintain security tools and meet compliance standards. Some key actions include:
- Updating and testing virus definitions or configurations.
- Testing and deploying new security controls or tools.
- Taking corrective actions based on firewall or IPS alerts.
Standing up your security operations center
As with any other IT initiative, an organization needs to determine the best approach to implementing its SOC and ensure that it fits its operational goals, capabilities and available resources. Some organizations choose to buy SOC services from a managed security services provider; that approach has its own advantages and limitations compared to standing up an internal SOC.
While every approach toward implementing a SOC will vary, the following components need to be in place:
Establish the SOC mission and scope
First, document the roles, objectives, purpose, and scope of the SOC. These elements give the SOC its charter and organizational mandate to employ the necessary tools, controls, and actions to keep the enterprise secure. This phase also identifies the service functions that the SOC should handle, such as those listed above.
Establish SOC processes
Next, create repeatable and consistent policies and procedures that integrate best practices and organizational needs and requirements. These can include processes for:
- Monitoring
- Escalation
- Incident response
- Reporting
- Staffing
This phase should also establish the templates and standards for each process to help ensure consistency and completeness and the service level agreements (SLAs) to meet customer service expectations.
Understand the enterprise environment
Identify the enterprise systems, assets, datasets, and people that will be monitored and the activities defined as “normal” to create thresholds for anomalies or threats.
This phase should also focus on the tools and knowledge the SOC needs to perform its functions and the configurations and standards that must be met.
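Turning "normal" activity into thresholds, as an added example that is not part of the original article. It takes a constructed 14-day history of daily outbound-connection counts per server, derives a per-asset upper threshold from the mean and standard deviation of that normal period (the multiplier k=3 is an assumed choice), and then evaluates a day of new observations. An asset that was never inventoried and baselined is reported as such rather than silently passing, which is the inventory point the phase above makes.

```python
import statistics

# Constructed 14-day history of daily outbound-connection counts per server (not real data).
HISTORY = {
    "db01":   [120, 118, 125, 130, 121, 119, 123, 128, 122, 117, 124, 126, 120, 121],
    "web01":  [900, 950, 870, 910, 980, 940, 905, 890, 960, 930, 915, 945, 925, 935],
    "jump01": [5, 4, 6, 5, 7, 4, 5, 6, 5, 4, 6, 5, 5, 6],
}

# Today's observed counts (constructed): db01 and web01 within their usual range,
# jump01 far above its usual pattern, lab07 never inventoried or baselined.
TODAY = {"db01": 127, "web01": 990, "jump01": 48, "lab07": 30}


def build_baseline(history, k=3.0):
    """Per-asset upper threshold = mean + k * sample standard deviation of the normal period."""
    baseline = {}
    for asset, counts in history.items():
        mean = statistics.mean(counts)
        sd = statistics.stdev(counts)
        baseline[asset] = {"mean": mean, "stdev": sd, "threshold": mean + k * sd}
    return baseline


def evaluate(today, baseline):
    """Compare each observed count with its asset's threshold; flag unbaselined assets separately."""
    findings = []
    for asset, observed in today.items():
        b = baseline.get(asset)
        if b is None:
            findings.append({"asset": asset, "observed": observed, "status": "unbaselined"})
            continue
        status = "anomalous" if observed > b["threshold"] else "normal"
        findings.append({"asset": asset, "observed": observed,
                         "threshold": round(b["threshold"], 1), "status": status})
    return findings


def status_by_asset(today=TODAY, history=HISTORY, k=3.0):
    """Convenience wrapper returning {asset: status} for the sample data."""
    return {f["asset"]: f["status"] for f in evaluate(today, build_baseline(history, k))}


if __name__ == "__main__":
    for finding in evaluate(TODAY, build_baseline(HISTORY)):
        print(finding)
```

The baseline is only as good as the period chosen as "normal": if that window already contained a compromise, the threshold will be set to tolerate it, so the history used for baselining should itself be reviewed before it is trusted.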
Identify stakeholders
Because each organization has its own unique operational footprint and set of internal and external customers, the SOC needs to understand which services need to be provided to each stakeholder type.
In some organizations, the SOC will monitor the entire enterprise; in others, it may just monitor specific locations or services, based on their sensitivity.
Staff and manage the SOC
For this phase, identify the coverage schedule, tiers and management structure for the SOC. This can be especially important for 24x7x365 SOCs, but it’s also important for SOCs that will use off-hours monitoring functions with “on-call” staff.
Incident and event management
This involves putting the identified SOC functions into action and identifying how the SOC will function to handle incidents and events daily. Utilizing the processes identified, tools implemented, and established staffing structure, the SOC will monitor for and handle incidents based on their severity, scope and impact.
Leverage continuous improvement
Because cyber threats, business operations, and security best practices are constantly evolving, each SOC requires continuous improvement to help its operations and processes mature over time.
Learn more about SOC best practices
This article only begins to scratch the surface of what a SOC does for an organization’s cybersecurity and how to approach implementing one.
Fortunately, organizations can use plenty of established resources, accelerators and tools to deepen their understanding of SOC services and guide how to create and manage one. One of the most comprehensive is the very detailed Security Operations Centre Framework Project by The Open Web Application Security Project (OWASP).
No matter what methodology your organization uses to perform SOC functions, taking a proactive and holistic approach toward securing your enterprise assets, data, and customers will only become more vital as businesses continue to rely more on technology and interconnectivity.