Historically, the security operations centre (SOC) was needed only by the largest corporations and was a particularly heavyweight function. These days, however, more and more organisations see the need for a SOC so that they can detect and respond to threats in real time – and they look substantially different today than in the past.
That’s because, in today’s world, everybody’s a target. Malicious actors and rogue nation-states can launch large numbers of attacks in no time at all, putting small organisations just as much at risk as large ones. Even organisations that aren’t targeted directly can suffer as collateral damage in a larger attack or as a route into a third party. For small organisations, the cost of a breach could be in the millions, so protection is vital.
The SOC doesn’t have to be a huge undertaking. These days, a modern SOC can be delivered by a Managed Security Services Provider (MSSP) using tools such as next-gen SIEM (Security Information and Event Management) and EDR (endpoint detection and response). Increasingly, the most forward-looking organisations are integrating their SOC with their network operations centre (NOC). The resulting SecOps function will be at the cutting edge over the next few years. This article explains the journey necessary to get there.
What is a SOC and why do you need one?
Asked to imagine a typical SOC, most people will picture a physical facility with people at banks of computers, facing a wall of screens filled with network and system data: the sort of complex, expensive facility reserved for a tier-one bank, a government organisation or NASA.
A SOC is a facility where security staff defend against breaches and identify and mitigate security risks. The analysts and security specialists staffing the SOC monitor everything from governance, risk and compliance (GRC) systems to intrusion prevention and detection systems to next-generation firewalls.
Although SOCs were once large and expensive, the proliferation of the cloud and of services supplied by third parties has made the technology more affordable. Just as security has become a more widespread concern, the SOC has become more accessible. Organisations of all sizes are at risk today and therefore need to implement better security measures.
The SOC is no longer necessary only for regulated sectors or those handling sensitive data. Helping to increase accessibility is the fact that a SOC no longer needs to be a physical facility. These days, the SOC can be virtual and its staff remote. Some organisations set up a managed or hybrid SOC, combining in-house people and tools with expertise from a managed service provider.
SIEM: The tech that pulls your SOCs up
Every SOC faces challenges, and two notable ones are visibility and noise. First, a centralised SOC might not have visibility across the whole organisation: some endpoints might not be connected to the SOC, encrypted data might be inaccessible, and so might data held by third parties. On the other hand, the data that does come in can be overwhelming. Security analysts can spend large amounts of time dealing with false positives, and the sheer volume of data makes it easy to miss genuine alerts.
SIEM tooling can deal with both problems by filtering data to produce actionable insights across security tools, endpoints, cloud services and even SaaS applications.
Next-generation SIEM uses machine learning and advanced analytics to sift through huge amounts of data, reducing false positives and lowering alert fatigue. That frees analysts to spend more time on more pressing or complex threats. The number of sources from which next-gen SIEMs gather data, and the intelligent processing they apply, means that they detect incidents that less advanced systems miss, such as insider threats and data exfiltration. They can also automate tasks, such as finding unused credentials belonging to employees who have left the organisation or quarantining malware in a sandbox. The SIEM develops a smart baseline for what normal network activity looks like, which means it identifies anomalies more quickly.
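A minimal version of the baselining idea described above, added here as an illustration and not code from the original article or from Ward Solutions: it learns each user's normal daily login volume and source addresses from a window of constructed sample events, then flags deviations on a later day. The log format, field names, threshold multiplier and the "first-seen account" rule are all assumptions.

```python
import re
from collections import defaultdict
from statistics import mean, pstdev
# Constructed sample authentication events (not real data); 2024-03-03 holds the anomalies.
SAMPLE_LOG = """\
2024-03-01T09:02:11 user=alice src=10.0.0.5 result=success
2024-03-01T09:40:03 user=bob src=10.0.0.9 result=success
2024-03-02T08:55:40 user=alice src=10.0.0.5 result=success
2024-03-02T09:10:22 user=bob src=10.0.0.9 result=success
2024-03-03T02:13:45 user=alice src=203.0.113.7 result=success
2024-03-03T02:14:01 user=alice src=203.0.113.7 result=success
2024-03-03T02:14:30 user=alice src=203.0.113.7 result=success
2024-03-03T02:15:02 user=alice src=203.0.113.7 result=success
2024-03-03T09:12:10 user=bob src=10.0.0.9 result=success
2024-03-03T09:30:00 user=carol src=10.0.0.12 result=success
"""
LINE_RE = re.compile(r"^(\S+) user=(\S+) src=(\S+) result=(\S+)$")

def parse(log):
    # One (day, user, src, result) tuple per well-formed line; malformed lines are skipped, not guessed at.
    matches = (LINE_RE.match(line.strip()) for line in log.splitlines())
    return [(m[1][:10], m[2], m[3], m[4]) for m in matches if m]

def build_baseline(events, baseline_days):
    # Per-user "normal": successful logins per baseline day (zero-filled) and the source IPs seen.
    daily, sources = defaultdict(lambda: defaultdict(int)), defaultdict(set)
    for day, user, src, result in events:
        if day in baseline_days and result == "success":
            daily[user][day] += 1
            sources[user].add(src)
    return {u: ([daily[u].get(d, 0) for d in baseline_days], sources[u]) for u in daily}

def detect_anomalies(events, baseline, day, k=2.0):
    # Flag users on `day` whose volume exceeds mean + k*stdev (stdev floored at 1 so a flat
    # baseline still needs a real jump) or who log in from a source never seen in the baseline.
    per_user, srcs = defaultdict(int), defaultdict(set)
    for d, user, src, result in events:
        if d == day and result == "success":
            per_user[user] += 1
            srcs[user].add(src)
    alerts = []
    for user, n in sorted(per_user.items()):
        if user not in baseline:
            alerts.append((user, "first-seen account, no baseline"))
            continue
        counts, known = baseline[user]
        if n > mean(counts) + k * max(pstdev(counts), 1.0):
            alerts.append((user, f"login volume {n} vs baseline {mean(counts):.1f}"))
        if srcs[user] - known:
            alerts.append((user, f"unseen source {sorted(srcs[user] - known)}"))
    return alerts
```

Running `detect_anomalies(events, build_baseline(events, ["2024-03-01", "2024-03-02"]), "2024-03-03")` on the sample flags alice for both volume and source and carol as an account with no baseline, while bob stays quiet.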
The road to SecOps
Of course, having advanced tools like this in place is no use if organisational structure stops them from being effective. The security team was once viewed as an obstacle by operations – and in some organisations, it might still be. While operations are focused on up-time and performance, security is often seen as slowing things down. This is the wrong approach, and attitudes are changing.
Increasingly, we are seeing that, at an organisational level, security is seen as an integral requirement like up-time or performance. It’s no longer an afterthought and security considerations are becoming more baked in rather than added on at the end of a project. Analysts communicate with Ops about threats and incidents, while Ops can use the SOC for advice and guidance. For DevOps organisations, security can be involved even earlier.
The resulting SecOps (or DevSecOps) environment is more proactive and, with both teams working together, they can diagnose and address problems much more quickly.
Security has gone beyond simply installing the right tools and has become part of the modern trend towards entirely new approaches that require new skills. For many organisations, especially smaller ones, the rate of change is too fast for them to train or hire people with the necessary skills. They might not even be able to justify a security hire, despite the essential need to keep the organisation safe.
What does a next generation SOC look like?
Not all SOCs are equal. When looking for a SOC provider, you need to select one that is built on the right people, has mature processes, is aligned with next-generation technologies and can deliver capabilities such as rapid detection and response, user risk detection and complex advanced threat detection.
The answer is to find a third party that can handle this for you. Managed services providers can deliver the entire SOC for you or fill specific gaps in your coverage. This means that someone is always focused on securing the cloud, leaving you to focus on what you do best.
Ward Solutions delivers a next generation SOC capability that addresses the needs of all clients, from small and medium sized enterprises to large multinationals and government agencies. Using advanced SIEM and EDR tools, our 24×7 SOC delivers rapid detection and speedy response, detecting and reacting to the internal and external threats that are so prevalent today.