How to Build the Best Possible Security Operations Center

essidsolutions

Highly effective security practices are rooted in an organization’s security operations center (SOC), the command center that monitors all network activity, analyzes all alerts, researches every threat, and orchestrates incident response. But what makes an effective SOC?

The SOC is essential for effective cybersecurity

On December 23, 2019, just two days before Christmas, a telemarketing firm in Sherwood, Arkansas, announced to its 300 stunned employees that it was closing its doors effective immediately. The company could not recover from a ransomware attack that had taken place two months earlier.

The situation was unfortunate but not uncommon. We typically hear about large-scale ransomware attacks that temporarily paralyze municipal governments, school systems, and enterprises. When these attacks are aimed at small companies such as physicians’ offices or IT managed service providers (MSPs), however, they can force them out of business.

Ransomware is just one of many highly targeted, sophisticated cyber threats that every business faces every day, and the intensity of such attacks is on the rise. One reason for the increase is simply that attackers have more opportunities, which follows directly from the growth in attack surface. As cloud resources become normal parts of IT infrastructure and as more connected “things”—smartphones, copy machines, appliances—become part of the environment, attackers have more avenues in. Another reason is that attack tooling is readily available to anyone with moderate technical skills. In short, it’s easier to be a cyberthief.

To further complicate the cyberdefense challenge, attacks are becoming more sophisticated. Attackers increasingly use automated attack strategies that probe targets through multiple attack vectors until they find a way inside.

Perhaps the biggest reason for the rapid rise in cyberattacks, though, is that cybercrime pays. The market for stolen data—personal data, intellectual property, or state secrets—is huge. With attack strategies like ransomware, thieves can make a lot of money without stealing anything at all: they simply make you pay a ransom to unlock your own data.

But, just as attack technologies and strategies have grown more sophisticated, so have cyberdefenses. The days of setting up a firewall, installing antivirus and antimalware software, keeping up with software updates, and calling that good enough are long gone. The days of making cybersecurity just one more task for the IT team should be gone, too. Effective cyberdefenses require a proactive approach that identifies and neutralizes threats at their earliest stages—before an attack occurs. This approach requires more technology, more expertise, and continuous vigilance.

At the heart of any modern security practice is the security operations center (SOC), the command center that monitors all network activity, analyzes all alerts, researches every threat, and orchestrates incident response. Whether you build your own internal security practice or contract with a managed security services provider (MSSP), your organization’s security practice depends on your SOC. If you intend to have rigorous, effective cybersecurity, you or your MSSP will need a SOC capable of meeting your risk-mitigation requirements.

What’s inside a top-performing SOC?

An effective SOC consists of a team of security professionals who use a variety of security technologies to perform key functions, such as proactively monitoring the company network for threats, classifying any threats found, developing threat responses based on the information compiled, and using threat intelligence to actively hunt for new threats before they strike. To perform these functions well, the SOC needs more than the right people and technologies. It also requires well-documented processes and procedures that cover every aspect of the security practice. With these elements in place, the SOC’s security professionals can use their skills and the technologies available to them to the organization’s best advantage.

Find the right people

Regardless of the technologies you deploy in your SOC and how you organize the security workflow, the single most important part of an effective security operation is the people who run it. People are important for one reason: technology can only do so much. The best security technologies are excellent at detecting unusual network activity and alerting analysts to potential threats, and these are critical capabilities. But an alert is not a resolution. By the time the technology has detected a threat, the attacker has typically already gained a foothold, and someone has to work out what that foothold means.

To effectively mitigate a detected threat, the security team must answer three questions:

  • How far has the attack progressed?
  • What parts of the network and IT environment have been affected?
  • Is the attack still underway?

The answers come from security analysts capable of correlating event activity from across the network, verifying the nature of an alert, and making decisions about how to block the threat. That’s the work of security professionals.

So, how do you hire the right people for your SOC? This task is always a challenge because good security people are in high demand. You may find people with the right knowledge, training, and experience, but that doesn’t necessarily make them the ideal candidate. In practice, the best candidates don’t always have the ideal security resume. One of the most important qualities shared by good security people is strength in critical reasoning. That is absolutely essential for diagnosing the nature and extent of detected threats. Many candidates with the best critical thinking skills are not those with a good security resume. Instead, they may come from degree programs that require this kind of thinking, such as the physical sciences or mathematics.

Ideal candidates must also have intangible skills. For example, they should be self-motivated. Top-notch security professionals are always studying the security landscape—a landscape that changes incredibly quickly—and they’re active in the cybersecurity community. They are absolutely driven to catch cybercriminals before they can wreak havoc.

Build the best technology stack

A security team with the right skills and knowledge is critical. To perform well, however, those people need the best tools for the job.

Security technology has evolved as cyberdefense has moved away from primarily preventive strategies that rely heavily on firewalls and signature-based endpoint protection toward strategies that rely on detection and response. Firewalls and endpoint protection are still important, but a great deal more is needed to protect against today’s threats.

Defending against new tactics such as malware that abuses legitimate, commonly installed software to carry out attacks (so-called living-off-the-land techniques) and social engineering exploits specifically designed to evade traditional defense technologies requires new tools for monitoring, detection, and security automation as well as more extensive threat intelligence. In addition, the huge amounts of data these tools generate must be integrated into a single dashboard or platform so that the security team can monitor and interpret them.

A top-performing SOC must have the following capabilities:

  • Network and device data. The SOC must be able to monitor trends and patterns in network telemetry. To successfully hunt threats, security analysts require visibility into the contextual data that endpoint protection technologies and firewalls generate. Analysts rely on being able to correlate information from packet inspection and network traffic with logs and data from VPN concentrators and from managed service providers (MSPs) that operate parts of the environment.
  • Threat intelligence. By providing additional context for detected behaviors, threat intelligence provides a critical piece of the security puzzle. With advance notice of threats, the SOC can more quickly correlate unusual behaviors to a larger security context. With actionable threat intelligence, security analysts can also look for other, related suspicious activity within the organization.
  • Security information and event management (SIEM). SIEM enhances situational awareness by correlating events across data sources. It uses statistical aggregations (counts, rates, and deviations from a baseline) to identify suspicious activity. A good SIEM system provides your SOC with a one-stop shop for viewing and analyzing security endpoint and device data. This consolidated security workflow not only makes security monitoring in the SOC easier but provides a useful visual indicator of the organization’s security posture for senior decision makers.
  • Security orchestration, automation, and response (SOAR). With a SOAR platform, your SOC can automate manual tasks that security analysts perform frequently, freeing them to focus on tasks that require deeper analytical skills. Using a SOAR system, a security team can triage larger numbers of alerts without having to add staff—an important capability given the rising volume of attacks. In addition, automating certain aspects of event analysis and remediation speeds event response. Some of today’s attacks move so quickly that perpetrators can reach their goals in the gap between detection and a manual response: a SOAR platform narrows that gap and helps the SOC create and advance policies to prevent similar attacks in the future.
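
The correlation and scoping work described above, in a small worked example: the SIEM-style correlation rule and statistical aggregation from the list, followed by the three scoping questions from the previous section (how far the attack progressed, which hosts were affected, whether it is still underway). This is added code, not from the article or from any SIEM product. The three log feeds, the hosts, the user names and the baseline failure counts are constructed for illustration, and the thresholds (five failures in five minutes, three standard deviations above baseline, a 30-minute activity window) are assumptions a real SOC would tune to its own environment.

```python
"""Cross-source correlation in a SOC: one detection rule, one statistical
baseline check, then scoping of the resulting incident.

Added example, not code from the article or from any SIEM product.  Every log
line, host, user and baseline number below is constructed for illustration."""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Constructed events from three hypothetical feeds (vpn, auth, edr), already
# normalized to "<timestamp> <source> key=value ...".
RAW_EVENTS = """
2024-03-01T08:55:00 vpn src=203.0.113.7 user=jdoe result=success
2024-03-01T09:00:01 auth host=WS-14 user=jdoe result=failure
2024-03-01T09:00:03 auth host=WS-14 user=jdoe result=failure
2024-03-01T09:00:05 auth host=WS-14 user=jdoe result=failure
2024-03-01T09:00:07 auth host=WS-14 user=jdoe result=failure
2024-03-01T09:00:09 auth host=WS-14 user=jdoe result=failure
2024-03-01T09:00:11 auth host=WS-14 user=jdoe result=failure
2024-03-01T09:00:20 auth host=WS-14 user=jdoe result=success
2024-03-01T09:02:00 edr host=WS-14 user=jdoe alert=credential_dump proc=lsass.exe
2024-03-01T09:10:00 auth host=FS-01 user=jdoe result=success
2024-03-01T09:12:00 auth host=DC-01 user=jdoe result=success
2024-03-01T09:12:30 edr host=DC-01 user=jdoe alert=ntds_access proc=ntdsutil.exe
2024-03-01T09:15:00 auth host=WS-22 user=asmith result=success
"""

# Constructed daily logon-failure counts for jdoe over the previous two weeks.
BASELINE_FAILURES = [0, 1, 0, 2, 1, 0, 0, 1, 0, 0, 1, 2, 0, 1]


def parse_event(line):
    """'<ts> <source> k=v k=v ...' -> dict; the timestamp becomes a datetime."""
    ts, source, *pairs = line.split()
    event = {"ts": datetime.fromisoformat(ts), "source": source}
    event.update(p.split("=", 1) for p in pairs)
    return event


def load_events(text):
    return [parse_event(line) for line in text.strip().splitlines()]


def burst_then_success(events, user, window=timedelta(minutes=5), min_failures=5):
    """Correlation rule: >= min_failures auth failures for `user` inside
    `window`, followed by a success.  Returns the success time, or None."""
    failures = []
    for e in events:
        if e["source"] != "auth" or e.get("user") != user:
            continue
        failures = [t for t in failures if e["ts"] - t <= window]
        if e["result"] == "failure":
            failures.append(e["ts"])
        elif len(failures) >= min_failures:
            return e["ts"]
    return None


def anomalous_failure_count(events, user, baseline, sigmas=3.0):
    """Statistical aggregation: today's failure count for `user` against a
    per-user baseline (mean + sigmas * population stdev)."""
    today = sum(1 for e in events if e["source"] == "auth"
                and e.get("user") == user and e["result"] == "failure")
    return today, today > mean(baseline) + sigmas * pstdev(baseline)


def scope_incident(events, user, start, now, active_window=timedelta(minutes=30)):
    """The three scoping questions for a compromised account: which hosts it
    touched from `start` on, what the EDR saw there, and whether activity
    is still underway relative to `now`."""
    hosts = defaultdict(lambda: {"first_seen": None, "last_seen": None, "alerts": []})
    for e in events:
        if e.get("user") != user or e["ts"] < start or "host" not in e:
            continue
        h = hosts[e["host"]]
        h["first_seen"] = h["first_seen"] or e["ts"]
        h["last_seen"] = e["ts"]
        if e["source"] == "edr":
            h["alerts"].append(e["alert"])
    last = max((h["last_seen"] for h in hosts.values()), default=start)
    return {"affected_hosts": sorted(hosts), "per_host": dict(hosts),
            "last_activity": last.isoformat(),
            "still_active": now - last <= active_window}


def investigate(text=RAW_EVENTS, user="jdoe", now="2024-03-01T09:20:00"):
    """Run both detections; if the correlation rule fires, scope the incident."""
    events = load_events(text)
    failures, anomalous = anomalous_failure_count(events, user, BASELINE_FAILURES)
    success_at = burst_then_success(events, user)
    report = {"failures_today": failures, "anomalous": anomalous}
    if success_at is None:
        report["verdict"] = "no credential attack detected"
        return report
    report["verdict"] = "credential attack with successful logon"
    report.update(scope_incident(events, user, success_at, datetime.fromisoformat(now)))
    return report


if __name__ == "__main__":
    for key, value in investigate().items():
        print(f"{key}: {value}")
```

Run as-is, the rule fires on the six failures followed by a success on WS-14, the baseline check flags the day as anomalous, and the scoping pass shows the same account reaching FS-01 and DC-01 within minutes, with an EDR alert on the domain controller and activity recent enough to count as still underway. Moving `now` an hour later flips `still_active` to false, which is the difference between paging the on-call responder and opening a ticket for the morning shift.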

In a SOC, people and technology depend on each other. Good people get the most out of the security technology, and the technology empowers the people to exercise their skills. Both, however, depend on well-documented processes for operational direction.

Create processes that get the most out of people and technology

The SOC requires efficient interactions among people, technology, and the client organizations the SOC is charged with protecting. Without well-documented processes that span their detection and response functions, security staff won’t be able to perform their mission or make best use of the technology available to them.

Effective SOCs rely on highly detailed, specific processes and procedures codified in security playbooks. A playbook should exist for each scenario the SOC has encountered or expects to see based on activity in the security community or on what other businesses in the same vertical have experienced. Some playbooks, or portions of playbooks, can also be encoded in the SOAR as automated functions.

One way to generate security playbooks is to use a template, such as the Integrated Adaptive Cyber Defense playbook sponsored by the US Department of Homeland Security. From there, the SOC can customize the playbook to meet the needs of the business and the way the SOC works.

In their customization efforts, many SOCs use a combination of proactive and reactive playbook development. Proactive development is based on the threat intelligence security analysts have gathered about the threat landscape the business faces. As these analysts encounter or hear about specific exploits, they can create playbooks for them, and then develop ways to monitor for and proactively respond to them.

Reactive playbook development is based on continuous review of exploits and attacks the organization has already discovered or encountered. These reviews enable the SOC to determine whether its responses are still appropriate and effective to protect the organization or need to be modified.

Security automation, which involves deciding what parts of a playbook can be automated through the SOAR and what parts belong in documents used by security analysts, is one of the most important aspects of playbook creation and maintenance. Security practices must continuously adjust this divide between manual and automated processes. Deciding what tasks to automate depends on the technology and staffing in the SOC, the difficulty of the security tasks, and the risk impact of possible events on the business itself: an action that is cheap to reverse on a workstation (blocking a file hash, say) is a different decision from one that takes a domain controller or a production file server offline. The more exposure a security practice has to a wide range of threats, the more adept that practice will become at optimizing its security workflows and keeping its processes current with the latest threats.
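
The manual/automated split described in this section, encoded as a small playbook executor: each step is marked automated or manual, an automated step runs only when its guard holds (threat-intel match, confidence, asset criticality), and anything held back lands in the analyst's queue with the reason. This is an added example and not code from the article, from the IACD playbooks or from any SOAR product. The step names, the threat-intel entry, the critical-host list, the confidence scores and the 0.9 threshold are all constructed, and the actions are simulated stand-ins that only record what they would have done.

```python
"""A SOAR-style playbook in which each step is marked automated or manual, and
an automated step runs only when its guard holds; everything else becomes an
analyst task.  Added example, not from the article or any SOAR product; the
actions below only record what they would have done."""
from dataclasses import dataclass
from typing import Callable

# Constructed threat-intel entry and asset tiers (hypothetical values).
KNOWN_BAD_HASHES = {"deadbeef" * 8: "constructed loader sample"}
CRITICAL_HOSTS = {"DC-01", "FS-01"}      # isolating these needs a human decision


@dataclass
class Step:
    name: str
    automated: bool
    action: Callable[[dict, dict], str]             # (alert, ctx) -> result or instruction
    guard: Callable[[dict, dict], bool] = lambda alert, ctx: True
    fallback: str = "escalate to analyst"            # recorded when the guard fails


def enrich_hash(alert, ctx):
    hit = KNOWN_BAD_HASHES.get(alert["sha256"])
    ctx["ti_match"] = hit
    ctx["confidence"] = 0.95 if hit else 0.4         # assumed scoring, not a real model
    return f"threat intel: {hit or 'no match'}"


def block_hash(alert, ctx):
    ctx.setdefault("blocked_hashes", []).append(alert["sha256"])
    return "hash blocked on EDR (simulated)"


def isolate_host(alert, ctx):
    ctx.setdefault("isolated", []).append(alert["host"])
    return f"{alert['host']} isolated (simulated)"


def reset_credentials(alert, ctx):                   # manual step: returns an instruction
    return f"reset password and active sessions for {alert['user']}"


def collect_evidence(alert, ctx):                    # manual step: returns an instruction
    return f"acquire memory and a triage image from {alert['host']}"


PHISHING_MALWARE_PLAYBOOK = [
    Step("enrich file hash", True, enrich_hash),
    Step("block hash on EDR", True, block_hash,
         guard=lambda alert, ctx: ctx.get("ti_match") is not None,
         fallback="no intel match; analyst confirms before blocking"),
    Step("isolate host", True, isolate_host,
         guard=lambda alert, ctx: ctx.get("confidence", 0) >= 0.9
         and alert["host"] not in CRITICAL_HOSTS,
         fallback="analyst decides on isolation (low confidence or critical asset)"),
    Step("reset user credentials", False, reset_credentials),
    Step("collect forensic evidence", False, collect_evidence),
]

# Constructed alerts: a workstation hit, a domain controller hit, an unknown file.
ALERTS = [
    {"id": "A-1", "host": "WS-14", "user": "jdoe", "sha256": "deadbeef" * 8},
    {"id": "A-2", "host": "DC-01", "user": "svc_backup", "sha256": "deadbeef" * 8},
    {"id": "A-3", "host": "WS-22", "user": "asmith", "sha256": "cafef00d" * 8},
]


def run_playbook(playbook, alert):
    """Run automated steps whose guards hold; queue held and manual steps."""
    ctx, log, manual_queue = {}, [], []
    for step in playbook:
        if step.automated and step.guard(alert, ctx):
            log.append((step.name, "auto", step.action(alert, ctx)))
        elif step.automated:
            log.append((step.name, "held", step.fallback))
            manual_queue.append(step.name)
        else:
            log.append((step.name, "manual", step.action(alert, ctx)))
            manual_queue.append(step.name)
    return {"alert": alert["id"], "log": log,
            "manual_queue": manual_queue, "context": ctx}


if __name__ == "__main__":
    for alert in ALERTS:
        result = run_playbook(PHISHING_MALWARE_PLAYBOOK, alert)
        print(alert["id"], "manual queue:", result["manual_queue"])
        for name, mode, detail in result["log"]:
            print(f"  [{mode:6}] {name}: {detail}")
```

The point of the guards is that the same playbook yields three different divides: the workstation hit is contained without a human, the domain controller hit is enriched and the hash blocked but isolation is held for a decision, and the unknown file gets enrichment only, with every containment step left to an analyst. Adjusting the threshold or the critical-host set is how the divide between manual and automated work is moved over time, without rewriting the playbook.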

10 tips for building and sustaining a top-performing SOC

The best defense against today’s cyber threats is a SOC with a well-equipped team of skilled security experts continuously working from processes that are current to the threat landscape they face and the environment they’re protecting. To that end, here are 10 tips for building and sustaining a SOC capable of protecting your business:

  1. Separate security from IT. Many businesses, especially small and midsized companies, ask their IT staff to carry out security functions, such as updating software and responding to phishing attacks. Instead, security should be a discrete organization within the business, with its own budget and mission. In this way, your security organization can better attract and retain the best security people. It will also act as a coherent team that more efficiently and effectively performs key security functions.
  2. Staff your SOC with the right people. Your SOC needs people with solid analytical skills and who are passionate about cybersecurity, think like attackers, and will be energetic self-learners. Cultural fit is important, too, so consider making hiring security people a team activity.
  3. Give your security staff the best tools from proven vendors. When you’re considering tools for your SOC, use technology from vendors with a proven track record in the security sphere. The job of your SOC staff is to detect and respond to threats, not to act as integrators who build and maintain the platform underneath. Tuning detection content and playbooks is legitimate SOC work; engineering the tooling itself should not be.
  4. Give your security analysts all the data they need. To do their work well, your analysts need data—about the company network, from firewalls, and from endpoint security tools. With these data, the SOC can maintain and update security playbooks and so respond to security events more quickly and effectively.
  5. Build and maintain security playbooks. A SOC needs playbooks that detail what security staff should do for every kind of threat they have or are likely to encounter. These playbooks are living documents and should change with the threat landscape and the business’ risk profile.
  6. Maintain a proactive security stance. Successful SOCs don’t sit back and passively monitor for threats. Instead, they are constantly monitoring the network and endpoint devices for potential exploits. They also engage in active threat hunting, which requires access to the latest threat intelligence and continuous research into potential threats.
  7. Improve effectiveness through automation. Automation capabilities in SOAR and SIEM technologies can relieve security analysts from having to perform common, repetitive tasks. Instead, they can review and assess more alerts and so respond more quickly to credible threats.
  8. Keep technology, processes, and playbooks up to date. Security is an ever-evolving practice. It requires that the people and technology stay on the cutting edge to be able to effectively foil their criminal counterparts. That means that the processes and security playbooks that security analysts use constantly change based on the threat landscape and the company’s security posture.
  9. Cultivate teamwork. Every member of the SOC brings a unique perspective, skill set, and experience. Only through teamwork and collaboration can the SOC be truly effective and successful.
  10. If you can’t build a SOC, hire one. Not every business is able to build the SOC it truly needs. In particular, small and midsize companies often lack the resources to create and maintain an internal security team and so may not recognize how vulnerable they are. Many think they’ll get by because they are too small to have anything worth stealing. That’s not so. Sixty percent of companies suffering data breaches are small to mid-sized businesses. These same businesses are ripe targets for ransomware because the disruption it causes is so costly to them. They are often the ones who stand to gain most from a good MSSP relationship. The best MSSPs have the advantage of being totally focused on security. They can hire and retain the best people, build and maintain the best technology, and keep up with the latest threats.

Without a strong, dedicated cybersecurity program, it’s difficult to defend against the growing number, variety, and complexity of cyberattacks. A strong SOC with tightly integrated people, technology, and processes is the key to a secure business.