The Importance of Building a Security Operations Center

Data breaches, malware infections, and cyberattacks are common occurrences for organizations both large and small. Detecting and eradicating these threats before they cause any adverse effects has become a daily priority for IT managers. Many IT departments are dealing with the problem by building a separate security operations center (SOC), either in the organization or through a security services provider.

A security operations center centralizes an organization’s IT security monitoring and incident response activities in a single location and is responsible for remediating both internal breaches and external cyberattacks.

While SOCs are often portrayed as IT "war rooms" with monitors on every wall and dozens of staff, the reality is usually more modest. In smaller organizations that may not need a full-blown security operations center, the "SOC" might be a single IT security analyst with a couple of monitors and low-cost or open source monitoring tools. At the other end of the spectrum, large organizations—especially those that store and transmit sensitive data or that depend on 100% network uptime—may implement fully staffed SOCs with multiple IT security software tools. Most SOCs are between these extremes, with budgets and needs dictating SOC tools and personnel. Not every organization needs, or can afford, a 24-hour SOC or even an on-site SOC.

A common alternative to building an internal security operations center is to outsource this function to a managed security services provider (MSSP). An MSSP provides services such as malware and spam filtering, intrusion detection, firewalls, and virtual private network (VPN) management. Outsourcing to an MSSP reduces the upfront costs of new hardware and software, as well as the cost of employing IT security specialists.

Key components of a security operations center

Regardless of its size, an SOC or SOC service has three essential components. Organizations that are considering an SOC may want to incorporate aspects of these components in stages, according to their security needs and IT budgets.

Security analysts. SOC personnel monitor for threat alerts, identify internal and external security breaches, conduct incident response and analysis, and perform other related functions. The team is typically made up of specialists trained in various areas of cybersecurity, including threat detection and response, forensic analysis, malware reverse engineering, and intrusion detection.

SOC analysts are usually organized into three tiers, each with more advanced levels of expertise. Not all SOCs need to incorporate the most advanced levels.

  • Tier 1 analysts are the front-line staff of the security operations center. They monitor IT systems and field incoming calls, triage threat alerts, and collect data needed to escalate an event to tier 2.
  • Tier 2 analysts are the primary incident responders. They review event logs, evaluate possible cyberattacks or internal breaches, determine the scope of a threat, and suggest remediation tactics. An incident responder can remediate many cyberthreats but may escalate some threats to tier 3.
  • Tier 3 analysts are threat hunters and subject matter experts with in-depth expertise in areas such as network security, computer forensics, and malware reverse-engineering. While they can respond to the most difficult threats, they often work proactively, studying logs and other data to identify potential security breaches. Threat hunters may examine zero-day malware samples from researchers, such as McAfee Labs, and seek evidence of infections in their organization.

SOC analysts typically apply a range of skills, including knowledge of operating systems, network protocols, and system administration as well as knowledge of threat detection and evaluation tools. Professional certifications held by these experts typically include Certified Information Systems Security Professional (CISSP) and GIAC Certified Incident Handler (GCIH); common training courses include SANS SEC501: Advanced Security Essentials – Enterprise Defender and SANS SEC503: Intrusion Detection In-Depth (whose associated certifications are GCED and GCIA, respectively).

Processes and standards. Security operations center analysts rely on processes, policies, and standards to do their job. These standards typically describe the responsibilities of each team member and the hand-off procedures between them, so that no security issue is overlooked. The guidelines also describe the operating procedures for threat monitoring and detection, incident logging, threat escalation, analysis, incident response, compliance monitoring, and reporting. Standards do not need to be extensive. Small organizations may adopt basic security guidelines to address their immediate security needs. ISACA's Control Objectives for Information and Related Technology (COBIT) 5 and supporting COBIT 5 for Information Security offer security-specific guidelines for threat evaluation and response.

NIST SP 800-61 Revision 2, Computer Security Incident Handling Guide, offers incident-response-specific best practices, including the preparation, detection and analysis, containment/eradication/recovery, and post-incident phases that most SOC playbooks are built around.

Key performance indicators (KPIs) can inform the SOC staff of the SOC's effectiveness and improvement over time. SOC metrics include the following:

  • Average time to detect an incident (from the first evidence of attacker activity to the alert)
  • Average time from discovery to remediation (by threat type, analyst, or by time of day)
  • Number of incidents per analyst
  • Incidents by device or application type or by type of threat
  • Time between threats or incidents
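The metrics above are only useful if each one is defined operationally: which timestamps bound the interval, and what the grouping key is. The following is an added example (not from the original page) that computes them from a small set of constructed incident records; the record layout, field names, and the "day/night" shift boundaries are assumptions for illustration.

```python
from collections import Counter, defaultdict
from datetime import datetime
from statistics import mean

# Constructed sample incident records (not real SOC data). Timestamps are UTC, ISO-8601.
#   first_evidence: earliest attacker activity found during analysis
#   detected:       when the SOC raised the alert/ticket
#   remediated:     when the incident was closed as contained and remediated
INCIDENTS = [
    {"id": "INC-1", "type": "phishing", "analyst": "alice",
     "first_evidence": "2023-05-01T08:00:00", "detected": "2023-05-01T09:00:00", "remediated": "2023-05-01T13:00:00"},
    {"id": "INC-2", "type": "malware", "analyst": "bob",
     "first_evidence": "2023-05-01T20:00:00", "detected": "2023-05-02T02:00:00", "remediated": "2023-05-02T08:00:00"},
    {"id": "INC-3", "type": "phishing", "analyst": "alice",
     "first_evidence": "2023-05-03T10:00:00", "detected": "2023-05-03T10:30:00", "remediated": "2023-05-03T12:30:00"},
    {"id": "INC-4", "type": "credential_abuse", "analyst": "carol",
     "first_evidence": "2023-05-04T01:00:00", "detected": "2023-05-04T09:00:00", "remediated": "2023-05-05T09:00:00"},
]


def _hours(start, end):
    """Elapsed hours between two ISO-8601 timestamps."""
    return (datetime.fromisoformat(end) - datetime.fromisoformat(start)).total_seconds() / 3600


def shift_of(incident):
    """Coarse time-of-day bucket for the detection timestamp (assumed: 08:00-19:59 is the day shift)."""
    return "day" if 8 <= datetime.fromisoformat(incident["detected"]).hour < 20 else "night"


def mean_time_to_detect(incidents):
    """Average hours from first evidence of attacker activity to detection (MTTD)."""
    return mean(_hours(i["first_evidence"], i["detected"]) for i in incidents)


def mean_time_to_remediate(incidents, by=None):
    """Average hours from detection to remediation (MTTR).

    `by` is None for one overall figure, a field name ("type", "analyst"), or a
    callable such as shift_of; grouped results come back as a dict keyed by group."""
    if by is None:
        return mean(_hours(i["detected"], i["remediated"]) for i in incidents)
    groups = defaultdict(list)
    for i in incidents:
        key = by(i) if callable(by) else i[by]
        groups[key].append(_hours(i["detected"], i["remediated"]))
    return {k: mean(v) for k, v in groups.items()}


def incident_counts(incidents, field):
    """Number of incidents per value of `field` (e.g. "analyst", "type")."""
    return dict(Counter(i[field] for i in incidents))


def mean_time_between_incidents(incidents):
    """Average hours between consecutive detections, in detection order."""
    times = sorted(i["detected"] for i in incidents)  # ISO-8601 strings sort chronologically
    return mean(_hours(a, b) for a, b in zip(times, times[1:]))


if __name__ == "__main__":
    print("MTTD (h):", mean_time_to_detect(INCIDENTS))
    print("MTTR (h):", mean_time_to_remediate(INCIDENTS))
    print("MTTR by type:", mean_time_to_remediate(INCIDENTS, by="type"))
    print("MTTR by shift:", mean_time_to_remediate(INCIDENTS, by=shift_of))
    print("Incidents per analyst:", incident_counts(INCIDENTS, "analyst"))
    print("Mean time between incidents (h):", mean_time_between_incidents(INCIDENTS))
```

Note that MTTD depends on a "first evidence" timestamp that is only known after analysis, so it is a lagging metric that gets revised as investigations complete; MTTR measured from the ticket timestamp is available immediately. Tracking both by threat type and by shift is what exposes, for example, that night-shift detections are slower to close than day-shift ones.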

SOC tools. Security personnel rely on SOC tools such as security information and event management (SIEM) and analysis software to monitor and assess data from firewalls, network routers, PCs, and other IT assets. The core technology of a security operations center is the SIEM (or similar system), which collects event data from a variety of the organization’s infrastructure and threat detection components, including the firewall, database server, file server, email, web server, Active Directory, endpoint monitoring software, and others. The SIEM normalizes the incoming data, analyzes it in near real time, and applies correlation rules that combine events from several sources into indications of a cyberattack or security breach.

Small security operations centers might have only a SIEM. Larger SOCs may have some or all of the following technologies:

  • Endpoint detection and response (EDR) tools monitor endpoints such as desktop computers, laptops, and printers on the network, searching for suspicious activity. McAfee Active Response, part of McAfee Investigator, is an example of an EDR.
  • Malware quarantine and analysis tools (sandbox). Sandbox technologies provide a secure space to execute and analyze malware without risking damage to production systems. McAfee Advanced Threat Defense is an example of a sophisticated sandbox with in-depth investigation capabilities.
  • User and entity behavior analytics (UEBA) software examines the behavior of users and devices and notes abnormal patterns. Unlike a SIEM, which operates on rules and thresholds to determine suspicious events, a UEBA tool builds a statistical or machine-learning baseline for each user and device and spots deviations from that entity's own normal behavior. Because SIEMs and UEBAs perform similar duties, but in different ways, some organizations may implement one or the other; in practice a UEBA usually consumes the same event feeds as the SIEM and complements it, catching activity that breaks no fixed rule, while the SIEM catches known attack patterns that a behavioral baseline would miss. McAfee Behavioral Analytics is an example of UEBA technology.
  • Security orchestration, automation, and response (SOAR) applications automate security workflow, such as incident response activities. SOAR rules-based applications speed the response to threats, thereby potentially reducing damage. Swimlane, a McAfee partner, provides a SOAR platform.
  • Ticketing software, often used in call centers, helps large SOCs track the status of security issues and resolutions.
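The contrast between a rule-based SIEM correlation and a UEBA baseline is easiest to see on the same kind of data. The following is an added example, not code from the original page or from any vendor product it names, that runs both over constructed authentication events: a SIEM-style rule that fires when a burst of failed logins from one source is followed by a success from that source, and a UEBA-style check that scores each user's login count today against that user's own 14-day history. The log format, field names, RFC 5737 source addresses, and baseline counts are all constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Constructed sample authentication events (not real logs); sources are RFC 5737 documentation addresses.
SAMPLE_LOG = """\
2023-05-01T09:00:01 src=203.0.113.5 user=alice result=FAIL
2023-05-01T09:00:03 src=203.0.113.5 user=alice result=FAIL
2023-05-01T09:00:05 src=203.0.113.5 user=bob result=FAIL
2023-05-01T09:00:08 src=203.0.113.5 user=bob result=FAIL
2023-05-01T09:00:10 src=203.0.113.5 user=carol result=FAIL
2023-05-01T09:00:12 src=203.0.113.5 user=carol result=OK
2023-05-01T09:05:00 src=198.51.100.7 user=dave result=FAIL
2023-05-01T09:20:00 src=198.51.100.7 user=dave result=OK
"""
LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$")


def parse_events(text):
    """Parse log lines into dicts ordered oldest first; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            e = m.groupdict()
            e["ts"] = datetime.fromisoformat(e["ts"])
            events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def brute_force_then_success(events, threshold=5, window=timedelta(minutes=5)):
    """SIEM-style correlation rule: alert when one source produces at least `threshold`
    failed logins inside `window` and then logs in successfully from that same source."""
    recent_failures = defaultdict(deque)  # src -> timestamps of failures still inside the window
    alerts = []
    for e in events:
        q = recent_failures[e["src"]]
        while q and e["ts"] - q[0] > window:  # age out failures that fell outside the window
            q.popleft()
        if e["result"] == "FAIL":
            q.append(e["ts"])
        elif len(q) >= threshold:
            alerts.append({"src": e["src"], "user": e["user"], "failures": len(q), "at": e["ts"].isoformat()})
            q.clear()  # one alert per burst, not one per later success
    return alerts


# Constructed per-user daily login counts over a 14-day baseline, plus today's count.
BASELINE = {
    "alice": [20, 22, 19, 21, 20, 23, 18, 20, 21, 22, 19, 20, 21, 20],
    "carol": [5, 6, 4, 5, 5, 6, 4, 5, 5, 6, 4, 5, 5, 6],
}
TODAY = {"alice": 24, "carol": 40}


def behavioral_outliers(baseline, today, z_threshold=3.0):
    """UEBA-style check: each entity is scored against its own history rather than a global rule.
    Returns {user: z_score} for users whose count today is at least `z_threshold`
    standard deviations above their own baseline mean."""
    flagged = {}
    for user, count in today.items():
        history = baseline.get(user)
        if not history:
            continue  # no baseline yet; a real UEBA keeps learning before it scores
        mu, sigma = mean(history), pstdev(history)
        if sigma == 0:
            z = float("inf") if count > mu else 0.0
        else:
            z = (count - mu) / sigma
        if z >= z_threshold:
            flagged[user] = round(z, 2)
    return flagged


if __name__ == "__main__":
    print("correlation alerts:", brute_force_then_success(parse_events(SAMPLE_LOG)))
    print("behavioral outliers:", behavioral_outliers(BASELINE, TODAY))
```

On the constructed data the correlation rule fires once, for the burst from 203.0.113.5 ending in carol's successful login, and stays silent for dave's single failure. The behavioral check flags carol's 40 logins (roughly 50 standard deviations above her norm) but not alice's 24, which is under three standard deviations above hers. Neither check alone would have produced both findings, which is the practical reason the two tools are usually deployed together rather than as substitutes.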

SOC personnel also require collaboration tools to share information and insights. In some organizations, a simple whiteboard or small conference room is sufficient for daily internal collaboration. Other SOCs may use virtual whiteboards or collaboration software.

To keep informed of the cyberthreat landscape outside of the organization, SOCs often subscribe to threat report services. Information Sharing and Analysis Centers (ISACs) are nonprofit, sector-specific organizations (for example, for financial services, energy, or healthcare) that share actionable threat information with their members; many ISACs provide 24/7 cyberthreat warning capabilities.

Most organizations can benefit from a security operations center, whether it’s a full-scale war room or a single security analyst at a desk. MSSPs can fill some of the gaps for organizations that lack the resources for an internal SOC. However, each organization is ultimately responsible for its own IT systems and data. A carefully designed approach to threat detection and response is critical to safeguarding valuable IT assets and minimizing the chances of a costly data breach.
