Digital Transformation Blogs - Bigdata, IoT, M2M, Mobility, Cloud

Security Operations Center – The Heart of Effective Detection


Organizations around the world face cyber-attacks at regular frequency. Technology is evolving and so are the safeguards; however, the threat picture is only getting worse. Even the latest security software and solutions have not been able to substantially reduce either the frequency or the damage caused by IT security breaches. Experts have started thinking along lines that differ from conventional IT security wisdom. Conventional IT security focused on prevention, but now the focus has shifted to timely detection. The key parameter being looked at to reduce the damage caused by cyber-attacks is “dwell time”, that is, the time a malicious agent spends inside the network, during which it can cause damage or steal whatever it wants. A reduction in dwell time seriously limits the ability of cyber criminals to cause large-scale damage.

To reduce this dwell time it is imperative to detect a breach as quickly as possible, which in turn requires the highest possible visibility into the network; this is where the Security Operations Center (SOC) comes into play. A SOC in its most basic form is a dedicated nodal point inside an organization’s security set-up with a team fully devoted to analyzing and correlating security information. It has a near-exclusive focus on timely detection of data breaches and on reducing the adversary’s dwell time inside the network. Security operations centers monitor and analyze security round the clock across all the possible enterprise information interfaces, such as web sites, applications, databases, data centers, servers, networks, desktops and similar areas. A SOC is also known by other names, such as Security Defense Center (SDC), Security Analytics Center (SAC), Network Security Operations Center (NSOC), Security Intelligence Center, Cyber Security Center, Threat Defense Center and Security Intelligence and Operations Center (SIOC).

The foundational concept around which a SOC is usually built is security information and event management (SIEM). A SIEM aggregates data from multiple sources in a manner that ensures crucial red flags or suspicious events are never missed. It correlates event information based on common characteristics such as shared applications, interfaces, vectors and vulnerabilities. This analysis and correlation produces alerts that are sent to the relevant stakeholders, either as direct e-mails or through centralized dashboards. Automated gathering of compliance data and the generation of actionable reports about the existing processes for security, governance and audit help assure compliance. All data and reports are retained long term for forensic analysis. The forensic analysis capability usually ensures that event logs can be searched across different platforms and time periods with any predefined criteria, which helps in finding expected patterns, highlighting any suspicious departure from the norm and generating an alert.

The SOC is generally staffed by teams and individuals who are experts in cryptography, networking, computer engineering, security and vulnerability analysis. Some of the most commonly seen qualifications among SOC experts are CISSP, CEH, CSFA, CDRE, Security+, CCNA Security, F5 Certified and GIAC. Some of the most common capabilities desired in a SOC include, but are not limited to, the following:

Incident analysis – Breach analysis, reporting on the comparison of the pre-breach and post-breach environments, and suggesting best practices to avoid recurrence.

Monitoring – Looking for phishing agents and malware.

Cloud-based applications – DDoS defenses and web application firewalls.

Insider threat analysis and mitigation – Combined use of existing policies, endpoint monitoring and regular training to contain insider threats, both intentional and unintended.

Threat intelligence – Extensive, up-to-date information about the latest malware, evolving threats and vulnerabilities, with their origin, signatures and the full extent of the damage they can cause. This also includes information on internal technology risks such as design, configuration and patch application status.

Analysis of suspicious hubs – Certain servers are used by cyber criminals across the world to upload stolen account information and credentials so that they can be retrieved and used when attackers plan their move on a specific network. These are called drop zones.

Risk management – A framework that keeps track of all identified security incidents, vulnerabilities and threats and ensures that each one is closed.
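The following is an added illustration, not code from the original post or from any SIEM product, of the SIEM functions described earlier (aggregating events from several sources into one schema, correlating them on shared attributes, raising alerts, and retaining events for criteria-based forensic search) together with the threat-intelligence and drop-zone items in the capability list above. All log lines, hostnames, IP addresses and the indicator list are constructed for this example; the rule thresholds are assumptions.

```python
"""Toy SIEM pipeline: normalize events from two log sources, correlate them,
raise alerts, and keep the normalized events for forensic search.
Every log line, host, address and indicator below is constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample logs: an SSH auth log and an outbound firewall log.
AUTH_LOG = """\
2024-03-01T08:00:01 web01 sshd: Failed password for admin from 203.0.113.7
2024-03-01T08:00:04 web01 sshd: Failed password for admin from 203.0.113.7
2024-03-01T08:00:09 web01 sshd: Failed password for admin from 203.0.113.7
2024-03-01T08:00:15 web01 sshd: Accepted password for admin from 203.0.113.7
2024-03-01T08:05:00 web01 sshd: Accepted password for alice from 198.51.100.20
"""
FW_LOG = """\
2024-03-01T08:01:30 fw01 ALLOW OUT src=10.0.0.5 dst=192.0.2.44 dport=443
2024-03-01T08:02:00 fw01 ALLOW OUT src=10.0.0.5 dst=198.51.100.9 dport=443
"""
# Constructed threat-intelligence feed: addresses reported as drop zones.
DROP_ZONE_IPS = {"192.0.2.44"}

AUTH_RE = re.compile(r"^(\S+) (\S+) sshd: (Failed|Accepted) password for (\S+) from (\S+)$")
FW_RE = re.compile(r"^(\S+) (\S+) (ALLOW|DENY) OUT src=(\S+) dst=(\S+) dport=(\d+)$")


def normalize(auth_text, fw_text):
    """Aggregate both sources into one event schema so correlation rules can
    use shared fields (time, host, source/destination IP) regardless of origin."""
    events = []
    for line in auth_text.splitlines():
        m = AUTH_RE.match(line)
        if m:
            ts, host, outcome, user, src = m.groups()
            events.append({"time": datetime.fromisoformat(ts), "source": "auth", "host": host,
                           "outcome": outcome.lower(), "user": user, "src_ip": src})
    for line in fw_text.splitlines():
        m = FW_RE.match(line)
        if m:
            ts, host, action, src, dst, dport = m.groups()
            events.append({"time": datetime.fromisoformat(ts), "source": "firewall", "host": host,
                           "action": action, "src_ip": src, "dst_ip": dst, "dport": int(dport)})
    return sorted(events, key=lambda e: e["time"])


def correlate(events, failures=3, window=timedelta(minutes=5)):
    """Two correlation rules over the aggregated events; thresholds are assumed values."""
    alerts = []
    # Rule 1: at least `failures` failed logins followed by a success from the
    # same source IP inside `window` (a brute-force attempt that succeeded).
    fails = defaultdict(list)
    for e in events:
        if e["source"] != "auth":
            continue
        recent = [t for t in fails[e["src_ip"]] if e["time"] - t <= window]
        if e["outcome"] == "failed":
            recent.append(e["time"])
        elif len(recent) >= failures:
            alerts.append({"rule": "brute_force_success", "src_ip": e["src_ip"],
                           "user": e["user"], "time": e["time"]})
            recent = []  # reset so one success does not alert repeatedly
        fails[e["src_ip"]] = recent
    # Rule 2: an allowed outbound connection to an address on the drop-zone list.
    for e in events:
        if e["source"] == "firewall" and e["action"] == "ALLOW" and e["dst_ip"] in DROP_ZONE_IPS:
            alerts.append({"rule": "drop_zone_contact", "src_ip": e["src_ip"],
                           "dst_ip": e["dst_ip"], "time": e["time"]})
    return alerts


def search(events, **criteria):
    """Forensic search over retained events: every given field must match."""
    return [e for e in events if all(e.get(k) == v for k, v in criteria.items())]


if __name__ == "__main__":
    evs = normalize(AUTH_LOG, FW_LOG)
    for alert in correlate(evs):
        print(alert)
    print(len(search(evs, source="auth", src_ip="203.0.113.7")), "auth events from 203.0.113.7")
```

Run as-is it prints the two alerts (the successful brute force against `admin` and the outbound contact with the listed drop-zone address) and the count of retained auth events from the offending address. The point of the example is the schema step: once both sources share field names, the same source IP can be followed from the auth log into the firewall log, which is what lets a SOC shorten dwell time rather than inspect each log in isolation.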

Clear delegation of responsibilities and a focused approach are essential to prevent cyber criminals from getting inside networks and staying there. A SOC makes it very hard for them to stay unnoticed because it gives the enterprise the most effective, and the hardest, elements to bring into a cyber security practice: an integrated approach and a proactive character.
