What Does a Security Operations Center Do?

Your organization’s SOC is the central command post that takes in hundreds of thousands of pieces of information, processes and analyzes them, and responds to potential threats, all while working diligently to prevent both internal and external incidents. They monitor your intranet, customer-facing web apps, all devices (whether printers and desktops, to work-at-home laptops), data servers, and employee activity – in other words, your entire IT infrastructure.

Your SOC’s responsibilities may include any or all of the following:

Taking stock of available resources

The SOC safeguards the entire threat landscape, including different endpoints and software on-premises and servers. If it is connected to the internet or intranet (an intranet is an internal network, cut off from the web at large), they monitor it.

Preparations and preventive maintenance

One of the most important jobs of a SOC team is to work hard to prevent attacks from happening. This is a difficult and far from foolproof task. We lock our doors to keep people from simply walking in, but this won’t prevent someone from breaking our windows with a rock. With that said, your SOC team is going to work hard, doing everything they can to make sure your network is safe, keeping an eye on trends and new attacks, and performing regular hardening and maintenance to your organization’s network.

Alert ranking and management

Your SOC will use automated software to monitor and alert for any potential threats. These tools – known as SIEMs – are growing more sophisticated, but it is still the SOC team’s responsibility to look closely at each alert, dismissing false positives and investigating legitimate (or legitimate-looking) alerts. Your SOC team will then rank legitimate alerts, so that the Tier 2 Analysts (see Roles Within a Security Operations Center below) can know which threats and attacks to deal with first.

Threat response

The moment an incident is confirmed, the SOC will act as first responders. They will shut down or isolate infected endpoints, they will terminate harmful processes, and, if malicious file transfers have occurred, remove those harmful files. Bear in mind, too, that they will do all of this while maintaining business continuity as much as possible.

What Are the Components of a Security Operations Center?

All Security Operation Centers have three components: personnel, tools, and policies.

Personnel

Within this industry, there are many, many automated tools. However, in our experience, no amount of automation can completely replace a person’s instincts and thought-process. The personnel on your team are the ones who will do the hard work of keeping your business, employees, and customers safe. While the size of your team will vary based on needs and budget, all SOC teams, regardless of size, have the following roles:

• Manager: As in any industry, the manager leads and manages the group. He or she directs the focus of the day, assigns tasks, and – if needed – fills in for other roles and duties. He can also step into any role if need be.
  
  
• Analyst: Analysts do exactly as it sounds – they analyze data, mostly in the form of alerts, and triage the severity of the alert. They may also examine other data points, compiling long-term reports of threats, breaches, and successful prevention.
  
  
• Investigator: Just like an investigator in law enforcement, a SOC investigator looks deeply into breaches, determining how and why they happened, so as to enable the team to harden that area of the network.
  
  
• Responder: Responding to a security breach is a complex job, and the responder will work closely with the investigator to find the vulnerabilities and fix them. In many cases, the Responder and Investigator are one and the same person.
  
  
• Auditor: The cybersecurity industry is heavily regulated, and it is the auditor’s job to make certain that your company’s network is in compliance with local and applicable international laws. If you want your official audits to go smoothly, you will want a top-notch auditor on your organization’s SOC team.

Again, how many people you have will depend on your budget. In many cases, smaller businesses will combine several of these roles into one person. In other cases, larger corporations may have multiple analysts, investigators, and responders.

Before we move on to tools, let’s examine the analysts for just a moment. SOC Analysis comes in three tiers. While an analyst in your organization may fulfill the role of one, two, or even all three of these tiers, the tiers are very important.

Tier 1 Analysts

Tier 1 Analysts are the triage nurses of your SOC team. They monitor alerts and network systems, field incoming calls, and collect and compile any data that needs to be escalated.

Tier 2 Analysts

Tier 2 Analysts evaluate internal and external attacks to determine the scope of the incident [whether it was an attempt, an advanced persistent threat (APT), or a breach of data], review event logs, and provide remediation suggestions.

Tier 3 Analysts

These are the threat hunters. They work with an in-depth knowledge of computer forensics, malware reverse engineering and network security. Threat hunters may also be involved in studying zero-day malware (in efforts to discover them on your network) and security logs, looking for the more intricate and minute incidents that the lower-tier analysts may have missed.

SOC tools

Your SOC team is going to rely heavily on a number of tools, including firewalls, Active Directory (if your organization is using Windows), Endpoint Detection and response software (EDR), and many others. One of the most important tools at your SOC’s disposal is a security incident and event management (SIEM) tool, which assesses and monitors data from across the network. It compiles and analyzes the data in real-time, and offers your SOC team the ability to set threshold alerts for any potential threats (for example, if your typical web app traffic has 400 hits per hour, and you suddenly spike to 20,000, this could indicate a number of problems).

Other tools your SOC team may use include:

• A sandbox for malware quarantine and analysis
• User- and entity-behaviour analytics (UEBA)
• Security orchestration, automation and response (SOAR), and
• Ticketing software

Procedures and policies

Security operations center personnel rely on policies and procedures to keep your network safe. These can include detailed responsibilities for each member of the team, security policies such as password requirements and least-privilege practices, and procedures for alert analysis, threat detection, and compliance monitoring. Now, your SOC should also be making efforts to adapt and update policies and procedures often, making sure that they are working efficiently and to the best of their abilities. One valuable tool that your SOC can use to help revamp policies is the use of Key Performance Indicators (KPIs). There are several parameters that these KPIs can measure, but some of them include:

• The time between incidents and threats (How vulnerable is the network? Where can it be strengthened?)
• Average incident detection time (Meant Time to Detection, or MTTD)
• Average time from discovery to remediation (Mean Time to Recovery, or MTTR)
• Incidents by device (which may indicate an insider threat)
• Number of incidents per analyst (is your team understaffed? Can they take on more responsibilities?)

What’s the Difference Between a SOC and a NOC?

It is very easy to confuse your Network Operations Center (NOC) with your Security Operations Center (SOC). Though they will often work together, they are not the same thing. Here are some of their differences:

• Your NOC is tasked with keeping your network up and running, while your SOC is tasked with keeping the network secure.

Your NOC is important and vital to your organization, but the SOC is far more specialized in what they do. It is the difference between a family doctor and a neurologist.