Digital Transformation Blogs - Bigdata, IoT, M2M, Mobility, Cloud

Creating and Maintaining a Security Operations Center (SOC)

In recent times organizations have realized that IT security cannot be treated as a secondary function, and it has started to get the respect it deserves. IT security as a whole, and IT Security Operations Centers in particular, are receiving much more attention and investment than they did historically. An IT Security Operations Center (SOC) is now regarded as the nodal point for rapid coordination and response in the event of security breaches and related incidents.

Like most departments of an organization, the establishment and success of a SOC depends on three key elements – people, processes and technology.

Before putting any of these pillars in place, the capabilities currently available in the organization should be assessed. A thorough audit of the existing resources is paramount, and they must be weighed against established industry best practices. Once the available resources have been compared with those best practices and the gaps identified, a plan can be drawn up to fill the gaps and get the people, processes and technology in place.

Getting the right people for a SOC is the first step. The total headcount has to be decided based on the size of the company and the investment available, and it must take into account that the SOC needs to be operational 24x7x365. Once the numbers are fixed, the next stage is identifying the key skills and capabilities essential for the people staffing the SOC. Leaders or heads for the center, security analysts, security specialists and forensic investigators who understand cyber security well are the right people for this operation, since the center is going to be the tip of the spear in the fight against cyber threats.

Setting up the processes is the second step. The starting point here is the definition of the scope of the SOC: For what areas is the SOC responsible? What is it going to protect? What interfaces is it going to monitor? The scope can always be modified to stay aligned with the mission and objectives of the organization.

The key processes that need to be established are:

  • How to monitor
  • How to log shifts and incidents
  • How to notify
  • How to develop reports and create dashboards
  • How to escalate
  • How to investigate incidents
  • How to hand over daily SOC actions between shifts
  • How to monitor compliance

The successful round-the-clock execution of these procedures depends heavily on the technology put in place for the SOC. This is the third step. The security architecture of the company needs to be defined and the key tools and components put in place. These include, but are not limited to:

  • Status monitoring and incident response aids
    => SIEM (Security Information and Event Management)
    => Anti-virus
    => IPS (Intrusion Prevention Systems)
    => DLP (Data Loss Prevention)
    => IDS (Intrusion Detection Systems)
    => Anti-phishing
    => Anti-malware
    => NBAD (Network Behavior Anomaly Detection)
  • Centralized logging platforms
  • Network admission control
  • Identity and access management
  • Filters and gateways for e-mail and spam
  • Cyber threat intelligence
  • Database activity monitoring
  • Web gateway filters
  • Firewalls
  • Methods to monitor file integrity
  • Methods for assessing vulnerabilities and patching them

Establishing a SOC and bringing it up to its full potential is always a time-consuming and tedious process; it can take years. For a SOC to function effectively, it is essential to have all the analyzed threat data feeds on a single dashboard. It must have a clear chain of command and enough authority to take remedial action in the quickest possible time once an intrusion is detected. Speed of decision is very important here.

SOC use cases should also be defined clearly, meaning that the SOC should have a small, clearly defined set of key parameters that are tracked and monitored continuously. Examples include unsuccessful login attempts, data corruption in systems, DoS baseline anomalies, repeated attacks from a single source and unauthorized access to confidential data, to name a few. This ensures that the SOC is not spread too thin and does not waste time analyzing unnecessary noise. Once the organization is confident that these can be monitored and managed properly, the number of use cases can be increased and prioritized further for investment and capability building. Planning for the long term while executing in the short term goes a long way toward ensuring that the SOC runs properly. A routine SOC audit is a must to understand what is working and what is not.
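As an added illustration (not part of the original post), here is how two of the use cases listed above, unsuccessful login attempts and repeated attacks from a single source, can be expressed as a threshold rule over authentication log lines. The sshd-style line format, the sample lines, the threshold of 5 failures and the one-minute window are all assumptions chosen for this example.

```python
# Added example: failed-login burst detection per source address.
# The log format, thresholds and sample data below are assumptions, not a real SOC feed.
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real data).
SAMPLE_LOG = """\
2024-03-01T10:00:01 host1 sshd: Failed password for alice from 203.0.113.5
2024-03-01T10:00:03 host1 sshd: Failed password for alice from 203.0.113.5
2024-03-01T10:00:04 host1 sshd: Failed password for bob from 203.0.113.5
2024-03-01T10:00:06 host1 sshd: Failed password for root from 203.0.113.5
2024-03-01T10:00:09 host1 sshd: Failed password for alice from 203.0.113.5
2024-03-01T10:00:10 host1 sshd: Accepted password for alice from 203.0.113.5
2024-03-01T10:05:00 host2 sshd: Failed password for carol from 198.51.100.7
2024-03-01T10:20:00 host2 sshd: Failed password for carol from 198.51.100.7
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd: (?P<result>Failed|Accepted) password "
    r"for (?P<user>\S+) from (?P<src>\S+)$"
)

def parse(log_text):
    """Yield one dict per line that matches the assumed format; other lines are noise."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.fromisoformat(ev["ts"])
            yield ev

def failed_login_alerts(log_text, threshold=5, window=timedelta(minutes=1)):
    """Alert when one source produces >= threshold failures inside a sliding window.
    Returns a list of (source, failure_count, sorted distinct usernames)."""
    failures = defaultdict(list)
    for ev in parse(log_text):
        if ev["result"] == "Failed":
            failures[ev["src"]].append(ev)
    alerts = []
    for src, evs in failures.items():
        evs.sort(key=lambda e: e["ts"])
        for i, first in enumerate(evs):
            in_window = [e for e in evs[i:] if e["ts"] - first["ts"] <= window]
            if len(in_window) >= threshold:
                users = sorted({e["user"] for e in in_window})
                alerts.append((src, len(in_window), users))
                break  # one alert per source keeps the analyst queue free of duplicates
    return alerts
```

Run against the sample, the rule fires once for 203.0.113.5 (five failures across three accounts within nine seconds) and stays silent for 198.51.100.7, whose two failures are fifteen minutes apart; raising the threshold or shrinking the window is how the noise budget described above gets tuned.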

Like any other part of an organization, the SOC needs continuous assessment and augmentation in terms of new technologies and skill sets. It is an entity that works 24x7x365, so it needs dedicated focus, continuous evaluation and investment.
