Security Operation Center (SOC) Overview

I have to build many SOC teams in my professional career. In this post, I’d like to declutter some of the myths about SOC. Let’s start with the basics.

One of the most important questions is why your organization needs a SOC?

Enterprise often collects a large amount of data in the form of logs. Simply storing the data is not valuable. The humongous amount of information needs to be searched for malicious activities. If there is malicious activity, you need a human to respond to it intelligently. SOC team members will do the Detection, Investigation, and Response to the incident. Another critical aspect of the SOC team (often overlooked) is the post-incident reviews. 

What are the sub-team/sub-group in a SOC?

Key Roles in a SOC Team?

• SOC Manager
• Cyber Security Analyst
• Incident Responders/Commanders
• Digital Forensics Experts
• Detection Engineers
• Security Architects/Program Manager/DevOps Engineers

​

Types of Security Operation Center (SOC)

Fully Outsourced SOC: Hiring, Building, and retaining SOC Teams are challenging and expensive. There are not a lot of experienced Cyber Security Analyst and Engineers out there in the market. It’s honestly a new career option. To avoid the hassle, the organization often decide to outsource the security operation fully to Managed Security Service Providers (MSSP).

There are a few advantages and disadvantages of having a fully outsourced SOC. The most significant benefit is the speed; you can have someone start looking at your data/alerts as soon as you sign the contract.In there is any anamoly, MSSP will do the hunt, investigation and escalated it to you pretty quickly.

​The biggest downside is the knowledge gap. All the knowledge/intelligence about your network/endpoint stays with the MSSP. As soon as you cancel the contract, it’s gone. Another significant disadvantage is the MSSP is expensive. You have to pay a lot of money out of your budget  for the SOC. In some cases, the quality of the investigation can be poor too.  

Even after outsourcing your SOC, mitigating a malicious and compliance stays with the organization only. Usually, companies in the early stage will go for this model. MSSP will care more about the SLA’s rather that the quality of the investigation. If you are adopting this model, please ensure to discuss all the norms upfront, including the resume/profiles fo the Analysts.

Hybrid SOC: It’s a combination of the MSSP + In-house SOC team. Usually, the Detection, response, and forensics team will be in-house, and the Tier-1 & 2 Analyst will outsource. The majority of the pros and cons of MSSP mentioned above applies here as well. The benefit is you keep your institutional knowledge. If your want to run your SOC 24/7 and your security team is only in one country this model will be helpful in terms of coverage and control.

In-house SOC: Fully In-house SOC Teams are high, usually big size organizations with big budgets will go for this model. I’d say having a functional in-house SOC is a sign of maturity of an overall cybersecurity program. If your company is global, you may want to have your SOC team in mutiple time zones.

Key Responsibilities of SOC

• Implement, Manage, and Propose Security Tools: SIEM, EDR, SOAR are the primary tools SOC uses, but they responsible for proposing new security gaps and devices to the business as well. If an alert/incident has made to the SIEM application, it must have bypassed specific security controls. SOC Analysts should always think about solutions to reduce the number of alerts/cases. A typical example is proposing an email security tool for reducing the number of phishing alerts.
• Investigate, Respond, Contain, and Remediate Suspicious alerts: The core function of the SOC is to investigate the malicious activity. SOC cannot wholly rely on preventive and detective controls. A successful SOC is always on a Hunt.
• Cyber Security Strategy: SOC is responsible for the overall Cyber Security strategy of the company. SOC should develop playbooks, SOP’s, Policies to respond to certain types of alerts. For example, SOC should develop a Cyber Security Incident Response Plan, Escalating the polity of HR/Legal, etc.