What Makes a Modern SOC
A SOC is responsible for providing services, and those services need to be aligned with the goals of the organization the SOC protects.
August 23, 2021
Sponsored by Cisco
Every organization–regardless of size, budget or area of focus–should have some form of a security operations center (SOC). When I use the term “security operations center,” many people imagine a dedicated team with expensive tools and a room full of monitors. SOCs do sometimes look like that, but not always. A SOC can be one person or multiple groups of people spread across the globe. A SOC can be outsourced to a service provider, composed of internal resources or something in between. In short, a SOC is a dedicated person or team focused on delivering cybersecurity services for an organization, which means some form of SOC is within reach of every organization.
Now that you know your organization should have a SOC, what should be expected of that SOC? A SOC is responsible for providing services, and those services need to be aligned with the goals of the organization the SOC protects. The clearest statement of what is expected of a SOC is the SOC’s mission statement and scope of work. I have seen people with security responsibilities become recognized as a formal SOC by obtaining executive support for a SOC mission statement and scope of work. These fundamental components separate a SOC from a loose collection of security-related services.
Regarding SOC services, I believe every SOC should have some form of the following services, which I call the foundational SOC services.
Risk management: Identifying and making decisions to deal with organizational risk. This pertains to managing any type of risk, from physically securing assets to patching digital vulnerabilities that exist within software.
Vulnerability management: Identifying and managing risk from technical vulnerabilities. This commonly involves targeting vulnerabilities within software found on servers, laptops and IoT devices. Most SOCs use vulnerability scanners and outside threat intelligence to identify vulnerabilities.
Incident management: Responding to security-related events. This covers what actions the SOC takes when certain events occur, such as isolating systems, alerting team members and implementing remediation steps to resolve the issue.
Analysis: Analyzing various types of artifacts. This includes identifying characteristics, reverse engineering, vulnerability/exploitation analysis, root-cause analysis, remediation and mitigation analysis.
Compliance: Assessing and maintaining organizational compliance requirements.
Digital forensics: Gathering evidence post-incident to determine the cause of the incident and prepare for legal action.
Situational and security awareness: Providing the organization with awareness of its operational environment and potential threats.
Research and development: Researching the ever-evolving threat landscape, developing new tools and techniques, and modifying existing tools to improve effectiveness.
Some of these services can be outsourced, while others can be delivered on demand. For example, a small business will likely not have a digital forensics expert on staff; however, it should know who to call in if legal action needs to be taken due to a cyber-related incident.
It is important to point out that a SOC cannot buy a tool and assume it has a service, and having a service doesn’t mean you have an effective service. The security industry uses maturity models as a way to validate the quality of a service. Using vulnerability management as an example, buying a vulnerability scanner would move your organization from maturity level 0 to level 1 by demonstrating that you can provide ad-hoc vulnerability scanning. Higher maturity requires developing repeatable processes that are converted into policies and procedures enforced by SOC management, and measuring the outcomes (for example, time from vulnerability disclosure to remediation) rather than just the activity.
Improving maturity leads to answering a question I often receive: “What do I need to do to function as a modern security operations center?” My answer is one word: DevOps. In the DevOps model, code is used to make tools work with other tools: integrating, gluing and automating. This is a critical element for deploying orchestration and automation—that is, the ability to automate parts of a SOC service. As technology becomes more advanced, data grows and attacks become more sophisticated, a SOC can’t simply “pedal faster” and hope to keep up. There is a breaking point for every SOC service that separates a modern and mature SOC from one that is very reactive and unable to keep up with the pace of work. I’m often asked during classes I teach, “What skillset should I focus on to get hired in the cybersecurity field?” My answer always includes some form of DevOps.
Bringing technology into the conversation, security orchestration, automation and response (SOAR) platforms are a common tool used by modern SOCs, and they are key to providing mature SOC services. This is especially true for services such as incident response, which are very time dependent. Automation doesn’t have to be complex. For example, simply automating how data is shared between tools, so a SOC analyst doesn’t have to log in to multiple consoles to pivot on an indicator, can give valuable time back to the team.
Four areas are popular for automation:
Enrichment: Improving data, eliminating manual pivots and automating workflows leading to verdicts.
Response: Automating outcomes such as preventing access to a system or removing a file.
Threat hunting: Taking different datapoints and using them to identify threats.
Cyber hygiene: Automating vulnerability management, security posture checks and configuration management.
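As an added example (not code from the original page, and not Cisco SecureX or any vendor’s playbook format), the following Python sketch shows the first two automation areas end to end: an alert is enriched from the data sources an analyst would otherwise pivot into by hand, a verdict is derived from the enrichment, and a response is chosen that contains automatically only when confidence is high and hands the rest to a human. The IP reputation feed, hash feed, asset inventory, alerts and scoring thresholds are all constructed for illustration.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List

# Constructed stand-ins for the tools an analyst would otherwise log in to one by one:
# an IP reputation feed, a file-hash feed and an asset inventory. All values are invented.
IP_REPUTATION = {
    "203.0.113.10": {"score": 90, "tags": ["c2"]},
    "198.51.100.7": {"score": 55, "tags": ["scanner"]},
}
KNOWN_BAD_HASHES = {
    "0123456789abcdef0123456789abcdef": "constructed-dropper",
}
ASSETS = {
    "10.0.5.23": {"hostname": "fin-ws-12", "owner": "finance", "crown_jewel": True},
    "10.0.9.40": {"hostname": "lab-vm-03", "owner": "r-and-d", "crown_jewel": False},
}
INTERNAL = ip_network("10.0.0.0/8")  # assumed internal address space


@dataclass
class Alert:
    src_ip: str
    dst_ip: str
    file_hash: str = ""
    enrichment: Dict[str, object] = field(default_factory=dict)
    verdict: str = "unknown"
    actions: List[str] = field(default_factory=list)


def enrich(alert: Alert) -> Alert:
    """Enrichment: attach asset context, IP reputation and hash intel to the alert."""
    for ip in (alert.src_ip, alert.dst_ip):
        if ip_address(ip) in INTERNAL:
            alert.enrichment["asset_ip"] = ip
            alert.enrichment["asset"] = ASSETS.get(
                ip, {"hostname": "unknown", "owner": "unknown", "crown_jewel": False})
        else:
            alert.enrichment["external_ip"] = ip
            alert.enrichment["reputation"] = IP_REPUTATION.get(ip, {"score": 0, "tags": []})
    if alert.file_hash:
        alert.enrichment["hash_match"] = KNOWN_BAD_HASHES.get(alert.file_hash)
    return alert


def decide(alert: Alert) -> str:
    """Verdict: a simple scoring rule; thresholds are assumptions a real SOC would tune."""
    score = alert.enrichment.get("reputation", {}).get("score", 0)
    if alert.enrichment.get("hash_match"):
        score = 100  # a known-bad file outweighs any IP reputation score
    if score >= 80:
        alert.verdict = "malicious"
    elif score >= 40:
        alert.verdict = "suspicious"
    else:
        alert.verdict = "benign"
    return alert.verdict


def respond(alert: Alert) -> List[str]:
    """Response: queue containment actions; the strings stand in for tool API calls."""
    asset = alert.enrichment.get("asset", {})
    host = asset.get("hostname", "unknown")
    if alert.verdict == "malicious":
        alert.actions.append(f"isolate_host:{host}")
        ext = alert.enrichment.get("external_ip")
        if ext:
            alert.actions.append(f"block_ip:{ext}")
        if alert.enrichment.get("hash_match"):
            alert.actions.append(f"quarantine_hash:{alert.file_hash}")
    elif alert.verdict == "suspicious":
        # Not enough confidence to contain automatically: hand the enriched alert to an
        # analyst, escalating the priority when the asset is one the organization values most.
        priority = "P1" if asset.get("crown_jewel") else "P3"
        alert.actions.append(f"open_ticket:{priority}:{host}:{asset.get('owner', 'unknown')}")
    else:
        alert.actions.append("auto_close")
    return alert.actions


def run_playbook(alerts: List[Alert]) -> List[Alert]:
    """Run enrichment, verdict and response over a batch of alerts."""
    for alert in alerts:
        enrich(alert)
        decide(alert)
        respond(alert)
    return alerts


# Constructed alerts: a finance workstation talking to a known C2 address with a known-bad
# file, a lab VM probed by a known scanner, and a lab VM talking to an unknown address.
SAMPLE_ALERTS = [
    Alert("10.0.5.23", "203.0.113.10", "0123456789abcdef0123456789abcdef"),
    Alert("10.0.9.40", "198.51.100.7"),
    Alert("10.0.9.40", "192.0.2.55"),
]

if __name__ == "__main__":
    for a in run_playbook(SAMPLE_ALERTS):
        print(f"{a.src_ip} -> {a.dst_ip}: {a.verdict} {a.actions}")
```

The value here is in the `enrich` step: every lookup it performs is one the analyst would otherwise do by switching consoles, and once those lookups are attached to the alert the verdict and response become a policy decision the SOC can review, version and tune rather than a judgement made differently by each analyst.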
Conclusion
Every organization should have a SOC, and that SOC should provide security services. Those services are graded by maturity, and orchestration and automation are needed to reach a high maturity ranking, which is what defines a modern SOC. Cisco can help your organization’s SOC reach a high maturity ranking through our DevOps certification programs and the SecureX tool, which provides security orchestration, automation and response at no additional cost when investing in Cisco Security.
Learn how to apply DevOps within your organization in a simplified manner. Access Cisco Secure and free DevOps training at https://developer.cisco.com.
Joseph Muniz is a Technical Solutions Architect in the Americas Security Sales Organization at Cisco Systems. Joseph started his career in software development and later managed networks as a contracted technical resource before moving into consulting, where he discovered a passion for security while meeting with a variety of customers.
Joseph has been involved with the design and implementation of multiple security projects, ranging from Fortune 500 corporations to large federal networks.
The author and contributor of several books, Joseph has also spoken at popular security conferences such as RSA, Cisco Live, ISC2 and DEF CON.
Joseph’s current role gives him visibility into the latest trends in cybersecurity from both leading vendors and customers.
This guest blog is part of a Channel Futures sponsorship.