Haider Pasha, regional chief security officer, emerging markets, Palo Alto Networks shares his take on what makes an SOC tick.
Today, businesses spend heavily on cybersecurity. But to get value for their money, they need an overarching strategy. The state-of-the-art approach is to build an effective security operations centre (SOC).
A SOC is commonly referred to as the central command centre for cybersecurity operations. A team of security analysts uses advanced detection tools to identify, record and repel cyberattacks. The analysts work with a playbook of processes laying out the steps they need to take to keep their organization secure.
Many large businesses have implemented successful SOCs, especially those dealing with sensitive data such as personally identifiable information (PII). Typically, these include financial and retail companies but also those working with governments and organisations looking to digitize services and use big data.
More mid-sized businesses are following suit, though the majority prefer to outsource their SOC to reduce costs. Companies that offer outsourced cyber protection are known as managed security services providers (MSSP).
Organisations often build a SOC when they have dozens of security tools operating across their network but struggle to make sense of all the data they produce. Large organisations typically have products from between 40 to 60 security vendors, from endpoint protection and intrusion detection systems to firewalls and scanning tools. Each security tool can generate large volumes of data about network activity and any suspicious exploits.
For organisations about to embark on the SOC journey, there are five important questions that boards and chief information security officers should ask before they start building a SOC that is both customized and effective.
Why build it? Be clear about what you plan to achieve with a SOC. The aim is to reduce cybersecurity threats, defend the organisation’s data, and protect its reputation. What will be the key performance indicators (KPIs)? These could include incident response times. There should also be agreements between the CISO and the board that set out the level of services the SOC will offer. These can be listed in service level agreements (SLAs) which specify areas such as the speed of response and processes for reporting critical threats.
When to deliver? With over 30 possible SOC services, a common pressure is to try and launch everything from day one. Instead, the services should be introduced in logical stages. This could follow a capability maturity model, a methodology for laying out the evolution of software processes, typically in five stages. The SOC would complete the first phase, then the CISO and board would check and assess this before moving on to the following stage. This means each stage is fully implemented and functional before going to the next.
How do you deliver? Decide on the processes you need to follow to make the SOC efficient. Playbooks and process diagrams are a key discussion point.
Who is responsible? Outside of the security division in an organisation, who else has a say to make the SOC effective? Departments such as human resources, compliance, and public relations are some common examples.
What is the technology set up? A key decision is which SOC tools should be used. This will depend on the objectives, budgets and preferences of the security analysts and the CISO. Tools usually include a security information and event management system (SIEM). This is a dashboard which analyses all security events – possible threats – which affect an organisation’s computer network. It is important to remember that a SIEM is not a replacement for a SOC, but just one tool in the SOC’s armoury. There must also be a ticketing system, so when a threat is identified, a ticket or record is created. This allows teams to seamlessly hand over their workload to other shifts. There could also be a security orchestration and response tool (SOAR), which automates the collection and analysis of low-level threat intelligence.
What is so powerful about a SOC is that it goes further than simply identifying and dealing with security incidents. Threat hunting is a vital part of the work of security analysts. They will work with cybersecurity vendors to list possible threats. And they may work with computer emergency response teams (CERTS), which are industry-wide groups that analyse security incidents. The goal is to gather data on so-called indicators of compromise – as cyber threats are known – and allow analysts to compare the threats they receive with other companies in their field.
Building an effective SOC requires clear thinking and strong vision. Done well, a SOC is not a cost but an investment in data protection and corporate reputation. As you plan the cybersecurity strategy for your organisation – and consider the essential tools – here are some key takeaways:
– Organisations create a security operations centre when they have dozens of cybersecurity tools operating across their network and need visibility and context to identify threats and reduce risk.
– A SOC not only identifies and responds to security threats, it also hunts and predicts possible sources of attack.
– The what, when, how, and who questions can only be answered when we can clearly articulate why we are building a SOC.
– A SOC helps organisations move from reactive to proactive threat management.