What is a Security Operations Center (SOC)? Definition, Scope, Roles, and Benefits.
Roles and Tools in a Security Operations Center
In an ever-shifting threatscape, the necessity to identify, assess risk, respond, and hunt down emergent threats becomes even more pressing. The Security Operations Center or S.O.C is the preferred trade-off between defense reinforcement, security ‘frameworking’ & ‘blueprinting’, global policy enforcement, active threat-hunting, and auditing. A SOC team is comprised of software engineers, pen-testers, and security analysts, all banded together for the purpose of securing a company’s assets. This article will focus on the definition of the SOC concept, its scope, and the benefits associated with having a SOC team working for your company. Enjoy!
“A framework for Designing a Security Operations Center (SOC)” defines SOC as:
a team of skilled people operating with defined processes and supported by integrated security intelligence technologies (…)
and focusing on
(…) cyber threat, monitoring, forensic investigation, and incident management and reporting, under the umbrella of an overall security operations environment and clear executive support.
The paper also defines and delineates the four major pillars of SOC: Intelligence, Secure Service Development, Business Damage Control, and Continuous Monitoring.
So, we’ve established the fact that a SOC team’s main objective is to safeguard a company against cyberattacks. Something doesn’t add up – isn’t that the IT admin’s job? Well, yes and no.
The IT administrator does have a couple of security-related attributions (e.g., ensuring that all security-related patches are deployed in a timely manner and work according to specs, implementing changes following a security audit, enforcing password-changing policies, etc.), but they make up only a small fraction of his job description.
As it happens, security is a full-time job, with high upkeep, and quite taxing in terms of resources and personnel. This brings us to one of the questions raised by the topic – should my company have a SOC team? Well, if you’re running a small business with only a handful of devices, my answer would be “no”. Why? Let’s take a closer look at what it means in terms of expenditure to have an in-house SOC team.
According to an article by Kelly Sheridan of DarkReading, the average annual cost of a SOC team is around $1.5 million. And this is just the tip of the proverbial iceberg. The costs can run even higher if you want an on-prem, 24/7, fully staffed team, meaning at least one tier-one security analyst, an investigator, a responder, an auditor, and a manager.
We’ll get to those in a minute. So, if we were to add the various roles, not to mention the software and infrastructure required to get the job done, we would be looking at an annual bill of $3.19 million for an on-prem SOC team. And that’s just to keep the lights on.
Now that we have a clearer picture of what a SOC team is, let’s look at roles, tools, and other goodies.
Roles and Tools in a Security Operations Center
As I’ve mentioned, there are several ‘shoes’ to fill in a Security Operations Center team. Each has its particularity, driving ever further the (collective) effort to identify, monitor, respond, mitigate, and hound down cyber threats. Here’s what a fully staffed SOC team looks like:
- Security analysts.
- Security engineers.
- SOC team lead/manager.
- Chief Information Security Office.
- Incident Responders.
Looks like any other organizational chart, doesn’t it? Well, there’s nothing ordinary about SOC. Remember that having one on board can really burn a hole through your annual budget. Anyway, let’s chat more about each role.
A security analyst is, without downplaying its importance, the backbone of any self-respecting SOC team. The person assuming this role will be the first responder. Basically, the security analyst has the power to do what it takes in order to stop a cyberattack or mitigate its effects.
A security analyst may also take the steps he/she sees fit to protect the company from future or impending attacks. They ‘re also in charge of incident documentation and reporting. A security analyst seldomly works alone. In a fully staffed SOC team, there are at least four alert/security analysts, each possessing a unique set of skills. This multi-tiered system leverages everything from A to Z and then some.
For instance, a so-called Tier 1 Security Analyst can take up the sub-role of Alert Investigator. His duties consist of monitoring the business’ digital ecosystem using specialized tools like SIEM, filter alerts, and, most importantly, figuring out if the alerts themselves are legit or fake. Think of it as an entry-level job. Still, this is no newbie task; an Alert Investigator must possess top-class programming skills, one or more security-related certifications, and, of course, in-depth knowledge about the inner workings of a cyberattack.
Now, an alert investigator is usually backed up by another analyst called an incident responder. What sets them apart though? An incident responder should possess higher malware analysis-oriented skills as well as some skills in the digital forensics area. Most incident responders have a background in ethical hacking and threat intelligence. This brings us to tier number 3 – threat hunting.
Also called a specialist, this person is literally the Swiss army knife of security/malware analysis. His main job is to gather data from across the business environment, apply models and ascertain the company’s cybersecurity posture.
But that’s not the end of the job description; a specialist can also reverse-engineer malicious code for learning or mitigation purposes, analyze malware patterns in order to define new defense strategies, and conduct regular pen-testing. Of course, the team wouldn’t be complete without a lead, a person in charge of supervising all the above-described ops and ensuring that the recommendations go through and get approved by the execs.
Now that we’ve covered security analysis, let’s move on to the second role – security engineer. The job may appear to be lackluster when compared to the duty roster of a security analyst, but it’s in no way insignificant. A security engineer must ensure that all the tools and software and hardware are up to par and that the documentation is end-to-end consistent.
So, we have documentation, maintenance, updating & patching, and, of course, working side-by-side with the security analysts on implementing the system changes or security recommendations. Nor a Rockstar, nor an underdog be.
Next on the list, we have the SOC team lead or the SOC manager. Apart from the obvious HR-related duties (i.e., hiring new people, onboarding, assessing performance), the SOC manager must also ensure that there’s a perfect communication accord between the security analysts and engineers. Without this bond, the team would fall apart in an instant.
Going higher up the business ladder, we have the Chief Information Security Officer or CISO. His duties span the entire security roster, from security operations to cyber-risk assessment, threat intelligence, planning, investigating events, advanced forensics, data loss, governance, and, of course, head-hunting (i.e., looking up potential candidates).
So now you know all there is to know about SOC teams. Up next, we’re going to look at the various tools the team uses in order to carry out job-specific tasks.
We’ll go tier by tier.
For Security Analysts
- Data mining and analysis tools. Since analysts need to pull lots of data in order to make educated guesses about malware, it’s obvious that they’ll need a data mining tool capable of gathering, sorting, filtering, and displaying various types of info. To name just a few, we have apps capable of finding specific text strings with special operators, graph-rendering apps, tools capable of uncovering info buried deep inside documents, databases that contain the names of compromised hosts and/or companies, search engines that allow you to search for devices connected to the Internet, DNS recon tools, website engine ID solutions, QA verifiers for source code and overall security, harvesting tools that allow the user to quickly gather stuff like names, open machine ports, banners, hosts, emails, and even PGP key servers, malware trackers, and SIEMs (Security Information and Event Management solutions).
- Pen-testing tools and vulnerability scanners. Here we have browser-specific pen tools, open-source vulnerability scanners, SQL flaw mapping tools, auditing apps, vulnerability managers, proxy debugging tools, Joolma scanners, Ruby frameworks, and more.
- Advanced logging tools capable of retrieving hidden information. For instance, we have WordPress file analyzers capable of sniffing out missing or modified file, merging tools, and various web-based apps that allows you to compare files.
For Security Engineers
- Encryption apps.
- Packet Sniffers.
- Pen-testing tools.
- Defense tools for wireless networks.
- Vulnerability scanners and vulnerability managers for web applications.
- PKI Tools.
- Antivirus and antimalware software.
- Intrusion Detection Systems (IDS).
- Intrusion Prevention Systems (IPS).
Parting Thoughts. SOC Benefits.
Before I leave with this very fine piece of writing, there’s just one more thing that I’d like to discuss – benefits. So, what are the advantages of having a Security Operations Center? Cost-wise, zilch, especially if you’re running a small business. Well, what about an enterprise? Let’s bring up some numbers. A survey by Statista, running from 2020 to 2021, stated that more than 70% of large-sized companies have experienced at least one data breach.
The survey in question was focused on North American companies. Still not convinced? Here’s another number – 80. A 2021 survey pointed out that 80% of large-sized companies expect a data breach within the next 12 months. Do you know how to avoid being just another number? Yes, you’ve guessed it – hire a SOC team. To wish away that skittishness, I’ve put together a small list of benefits. Enjoy!
- Around-the-clock monitoring. No need to worry about what happens after working hours, because you have a security team at the ready, monitoring every bit of information entering and leaving your company.
- Less pressure on the IT team. Hiring a team of security specialists means taking some heat off your IT admins.
- Minimize the risk associated with malicious activities. Since every corner of your business is carefully watched, the odds of a data breach or ransomware attack are close to zero.
- Increased visibility. It’s easier for a team focused on security (and nothing) else to discover and fix hidden vulnerabilities.
Can’t hire a team right now? No worries. You can also contract 3rd party SOC services. Heimdal™ Security’s eXtended Detection and Response (XRD)\Security Operations Center (SOC) service is the perfect fit for a budding company. We offer a simplified data mining system via our own Intelligence Center, the ability to monitor all types of devices across your environments, and 24/7 availability.