Three elements that every advanced security operations center needs

Security operations centers (SOCs) have been around for a while, stretching back to the old room full of live camera feeds. The intent of a SOC is simple: provide the business with the ability to see what is going on in order to take action if necessary. The level of SOC sophistication has varied depending on the risks and the complexity of the infrastructure. Consider the humble stretch of road as an analogy for businesses in the very early days of the internet: in low-risk, low-traffic areas, it was often not necessary to have constant additional surveillance of the road. Road rules -- basic perimeter-based network security measures like firewalls -- still applied, but it was considered sufficient for any out-of-the-ordinary incidents to be handled reactively.

Then, when a stretch of road became busy, speed limits might have been reassessed. A stop sign might have been introduced. Then a traffic light. Then live monitoring of an intersection.

The days of back-country roads, where traffic was scarce and those traveling on them could be trusted to a degree not to break the rules, are gone. Today's businesses of any reasonable size are setting up next to a well-established highway of attackers who are actively seeking to break in, and who in some cases are no longer lone actors but well-funded criminal groups. Even businesses that may have considered themselves to be of low interest, with low amounts of traffic, are now targets. This is due to the rise of opportunistic attacks and a new wave of sophistication among online criminals.

However, the term Advanced Security Operations Center keeps popping up. It represents another shift in security as attacks take advantage of new technologies and attack vectors. What new challenges do SOCs need to be able to deal with to warrant them being called advanced? And how do you tell if yours is advanced or still in the stone age? Here are three things that are needed for a SOC to earn its "advanced" title.

Increased visibility and modularity

As highways and tunnels increased in scale and complexity, so too did the number of traffic cameras and feeds in the traditional SOC. However, businesses expand at a much faster rate. With attackers automating their attacks and scanning infrastructure without any human intervention required, it has become unacceptable to have any blind spots in newly added or not-yet-configured infrastructure. Yet today's SOC analysts commonly complain that even though they know attacks are occurring, criminals are using techniques, including abusing businesses' own infrastructure, that allow them to remain hidden.

For a SOC to be advanced, it should provide analysts with a full view of data from multiple sources within the business. A basic SOC may already have a Security Information and Event Management (SIEM) system in place to sift through logs. However, as noted in a recent Ernst and Young report on SOCs, a SIEM system alone does not equate to mature security monitoring, and the benefits of a SIEM cannot be fully realised without a well-designed SOC.

In addition to the full view of data, an advanced SOC should have the capability to expand with the business at a moment's notice. A modular approach to an advanced SOC should be mandatory, allowing the business to roll out new infrastructure and immediately take advantage of out-of-the-box rules and configurations. This approach should expose the organisation to a minimal amount of risk as its infrastructure grows, and enable rather than prohibit its business goals.

Increased correlation and analysis

Older SOCs were great for digging through logs. However, this is the age of Big Data, of security analytics, and soon to be of the Internet of Things. While logs will always be an important tool in the SOC analyst's toolkit, they are not enough. To fully realise the benefits of a modular approach to an advanced SOC, these additional data feeds must be able to be analysed: not just logs, and not just structured data.

The advanced SOC pulls in information from multiple sources, whether that be endpoints, gateways, or any networked devices, and determines what is the most important information. Traditionally, if an analyst wanted to investigate an issue, they may get a hint of the incident through a SIEM system, then move from device to device trying to determine from logs alone what had happened. Any wider signs of compromise over multiple devices may be missed, or, mistakenly thought of as "normal" behaviour if the severity of the attack is underestimated.

The advanced SOC, however, should be able to use multiple data sources to identify anomalous behaviour and, by using big data analytics to build a footprint of known normal behaviour, build an investigative case of an attack. When investigating such an attack, analytics can assist by determining whether, for example, connections to a remote site are performed with a regularity that indicates a human user, an innocuous automated process, or malware. This ability moves the advanced SOC away from log-driven security and towards intelligence-driven security.
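The regularity check described above can be made concrete. The following is an added example, not code from the article or any product it mentions: it parses constructed outbound-connection records, measures how regular the gaps between connections to each destination are (the coefficient of variation of the inter-arrival times), and combines that with a constructed "known normal" footprint of destinations seen in a baseline period. Machine-regular traffic to a baseline destination is treated as an innocuous automated process, machine-regular traffic to a destination outside the footprint becomes an investigative lead, and irregular, human-paced traffic is left alone. The log format, the destination footprint and the thresholds (`MIN_CONNECTIONS`, `REGULAR_CV`) are all assumptions for the example.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample records ("timestamp source-host destination"); not real traffic.
SAMPLE_LOG = """\
2024-03-01T09:00:00 ws-17 inventory.internal:443
2024-03-01T09:00:07 ws-17 inventory.internal:443
2024-03-01T09:03:41 ws-17 inventory.internal:443
2024-03-01T09:12:02 ws-17 inventory.internal:443
2024-03-01T09:31:19 ws-17 inventory.internal:443
2024-03-01T09:00:00 ws-17 updates.vendor-example.test:443
2024-03-01T09:05:00 ws-17 updates.vendor-example.test:443
2024-03-01T09:10:00 ws-17 updates.vendor-example.test:443
2024-03-01T09:15:00 ws-17 updates.vendor-example.test:443
2024-03-01T09:20:00 ws-17 updates.vendor-example.test:443
2024-03-01T09:00:13 ws-17 203.0.113.9:8443
2024-03-01T09:01:14 ws-17 203.0.113.9:8443
2024-03-01T09:02:13 ws-17 203.0.113.9:8443
2024-03-01T09:03:14 ws-17 203.0.113.9:8443
2024-03-01T09:04:13 ws-17 203.0.113.9:8443
2024-03-01T09:05:14 ws-17 203.0.113.9:8443
2024-03-01T09:02:30 ws-17 docs.internal:443
"""

# Footprint of known-normal destinations, as built from a baseline period (constructed).
BASELINE_DESTINATIONS = {
    "inventory.internal:443",
    "docs.internal:443",
    "updates.vendor-example.test:443",
}

MIN_CONNECTIONS = 4   # assumed: fewer samples than this cannot support a verdict
REGULAR_CV = 0.15     # assumed: coefficient of variation below this is "machine-regular"


def parse_log(text):
    """Group records by (host, destination) and return sorted timestamps per group."""
    series = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, dest = line.split()
        series[(host, dest)].append(datetime.fromisoformat(ts))
    for key in series:
        series[key].sort()
    return series


def interval_stats(timestamps):
    """Return (mean gap in seconds, coefficient of variation) or None if undefined."""
    gaps = [(b - a).total_seconds() for a, b in zip(timestamps, timestamps[1:])]
    if len(gaps) < 2:
        return None
    mu = mean(gaps)
    if mu == 0:
        return None
    return mu, pstdev(gaps) / mu


def classify(timestamps, dest, baseline=BASELINE_DESTINATIONS):
    """Label one connection series by its regularity and the destination's footprint."""
    if len(timestamps) < MIN_CONNECTIONS:
        return "insufficient_data"
    stats = interval_stats(timestamps)
    if stats is None:
        return "insufficient_data"
    _, cv = stats
    if cv > REGULAR_CV:
        return "human_paced"            # irregular gaps: consistent with a person at a keyboard
    if dest in baseline:
        return "automated_known"        # regular gaps to a destination seen in normal behaviour
    return "beacon_candidate"           # regular gaps to an unknown destination: investigate


def triage(text, baseline=BASELINE_DESTINATIONS):
    """Classify every (host, destination) series in the log."""
    return {key: classify(ts, key[1], baseline) for key, ts in parse_log(text).items()}


if __name__ == "__main__":
    for (host, dest), verdict in sorted(triage(SAMPLE_LOG).items()):
        print(f"{host} -> {dest}: {verdict}")
```

The verdict is an investigative lead for the analyst's case, not proof of compromise: a legitimate scheduler that is missing from the baseline footprint will also be flagged, and the thresholds need tuning against the organisation's own known-normal footprint before they are useful.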

Incident workflow and prioritisation

Even when a SOC analyst has the tools to identify and analyse an attack, if they are unable to prioritise an incident, they may be sacrificing the forest for a tree. A common complaint from SOC managers is that they want their already great teams to focus on the top issues in order to provide the business with more value.

SOCs that can wear the advanced title do this and more. The combination of increased visibility and analysis already provides the SOC analyst with the tools to be more effective, but an advanced SOC goes further, offering a workflow that prioritises the most important incidents, provides an audit trail, and gives the analyst the ability to go into as much or as little investigative depth as necessary.

A simple workflow provides analysts of all levels with clear business rules on which incidents they are required to investigate, how to escalate them, and, importantly, the order in which to do so to minimise the risk to the business. From within their workflow, analysts should be able to begin their investigation without having to go to a third-party tool or device, with clear instructions or recommendations on what kind of activity is suspected.

To assist the analyst, information at the time of the attack needs to be available. While the traditional SOC might provide basic logging to reveal basic metadata, an advanced SOC must be able to present the analyst with full packet inspection, instantly provide them with the scope of the attack without the need to manually interrogate each device, and show what information may have been affected.


This combination of visibility, analysis and action is what makes a SOC advanced. Most importantly, however, it is what allows an analyst to answer the CEO's most pressing incident response questions in the minimal amount of time: "How did they get in, what did they do, and are we safe?"

Stories by Michael Lee