search

Which of the following is MOST important when selecting a third-party security operations center

1 years ago
Comments: 0
Views: 46

Cybersecurity threats are becoming more common, more dangerous, and more difficult to detect and mitigate. According to the Ponemon Institute’s 2021 Cost of Data Breaches study, organizations take 287 days on average to detect a breach, and more than a month to contain it. Companies of all sizes need a formal organizational structure that can take responsibility for information security and create an efficient process for detection, mitigation and prevention. This is where a security operations center (SOC) comes in.

Show

In this article, you will learn:

What is a  security operations center?

A SOC is traditionally a physical facility within an organization, which houses an information security team. Thisteam analyzes and monitors the organization’s security systems. The SOC’s mission is to protect the company from security breaches by identifying, analyzing, and reacting to cybersecurity threats. SOC teams are composed of management, security analysts, and sometimes, security engineers. The SOC works with the company’s development and IT operations teams.

SOCs are a proven way to improve threat detection, decrease the likelihood of security breaches, and ensure an appropriate organizational response when incidents do occur. SOC teams isolate unusualactivity on servers, databases, networks, endpoints, applications, etc., identify security threats, investigate them, and react to security incidents as they occur.

Once upon a time, it was believed that a SOC was only suitable for large enterprises. Today, many smaller organizations are setting up lightweight SOCs, such as a hybrid SOC, which combines part-time, in-house staff withoutsourced experts, or a virtual SOC, which has no physical facility at all, and is a team of in-house staff who also serve other functions.

How do security operations centers work?

An organization must first define its security strategy and then provide a suitable infrastructure with which the SOC team willwork. The information system that underlies SOC activity is a security information and event management (SIEM) system, which collects logs and events from hundreds of security tools and organizational systems, and generates actionable security alerts, to which the SOC team can analyze and respond.

A SOC team has two core responsibilities:

  • Maintaining security monitoring tools – The team must maintain and update tools regularly. Without the correct and most up-to-date tools, they can’t properly secure systems and networks. Team members should maintain the tools used in every part of the security process.
  • Investigate suspicious activities – The SOC team should investigate suspicious and malicious activity within the networks and systems. Generally, your SIEM or analytics software will issue alerts which the team then analyzes and examines, triages, and discovers the extent of the threat.

Here are some of the core processes SOC teams carry out:

  • Alert triage – The SOC collects and correlates log data, and provides tools that allow analysts to review it and detect relevant security events.
  • Alert prioritization – SOC analysts leverage their knowledge of the business environment and the threat landscape to prioritize alerts and decide which events represent real security incidents.
  • Remediation and recovery – Once an incident is discovered, SOC personnel are responsible for mitigating the threat, cleaning affected systems, and recovering them to their normal working condition.
  • Postmortem and reporting – An important function of the SOC is to document the organization’s response to an incident, perform additional forensic analysis to ensure that the threat has been fully contained, and learn from the incident to improve the SOC’s processes.

Focus areas of a SOC

A SOC can have several different functions within an organization, which can be combined. Below are SOC focus areas with the level of importance assigned to each in the 2020 Exabeam State of the SOC Report.

SOC Focus AreaLevel of Importance in USA SOCs
Control and Digital Forensics — enforcing compliance, penetration testing, vulnerability testing55%
Monitoring and Risk Management – capturing events from logs and security systems, identifying incidents, responding73%
Network and System Administration – administering security systems and processes such as identity and access management, key management, endpoint management, firewall administration, etc69%

SOC deployment models

Theseare the common models for deploying a SOC within your organization:

Dedicated SOCClassic SOC with dedicated facility, dedicated full-time staff, operated fully in house, 24×7 operations
Distributed SOCSome full-time staff and some part-time, typically operates 8×5 in each region
Multifunctional SOC/NOCA dedicated facility with a dedicated team which performs both the functions of a Network Operations Center (NOC) and a SOC
Fusion SOCA traditional SOC combined with new functions such as threat intelligence and operational technology (OT)
Command SOC/Global SOCCoordinates other SOCs in a global enterprise, provides threat intelligence, situational awareness, and guidance
Virtual SOCNo dedicated facility, part-time team members, usually reactive and activated by a high-profile alert or security incident. The term Virtual SOC is also sometimes used for an MSSP or managed SOC (see below).
Managed SOC/MSSP/MDRMany organizations are turning to Managed Security Service Providers (MSSP) to provide SOC services on an outsourced basis. Modern offerings are called Managed Detection and Response (MDR). Managed SOCs can be outsourced completely or co-managed with in-house security staff.

Security operations center roles and responsibilities

  • Security analyst – The first to respond to incidents. Their response typically occurs in three stages: threat detection, threat investigation, and timely response. Security analysts should also ensure that the correct training is in place and that staff can implement policies and procedures. Security analysts work together with internal IT staff and business administrators to communicate information about security limitations and develop documentation.
  • Security engineer/architect – Maintains and suggests monitoring and analysis tools. They create a security architecture and work with developers to ensure that this architecture is part of the development cycle. A security engineer may be a software or hardware specialist who pays particular attention to security aspects when designing information systems. They develop tools and solutions that allow organizations to prevent and respond effectively to attacks. They document procedures, requirements, and protocols.
  • SOC manager – Manages the security operations team and reports to the CISO. They supervise the security team, provide technical guidance, and manage financial activities. The SOC manager oversees the activity of the SOC team, including hiring, training, and assessing staff. Additional responsibilities include creating processes, assessing incident reports, and developing and implementing crisis communication plans. They write compliance reports, support the audit process, measure SOC performance metrics, and report on security operations to business leaders.
  • CISO – Defines the security operations of the organization. They communicate with management about security issues and oversee compliance tasks. The CISO has the final say on policies, strategies, and procedures relating to the organization’s cybersecurity. They also have a central role in compliance and risk management, and implement policies to meet specific security demands.

Learn more in our detailed SOC team guide.

Benefits of security operations centers

  • Incident response – SOCs operate around the clock to detect and respond to incidents.
     
  • Threat intelligence and rapid analysis – SOCs use threat intelligence feeds and security tools to quickly identify threats and fully understand incidents, in order to enable appropriate response.
     
  • Reduce cybersecurity costs – Although a SOC represents a major expense, in the long run, it prevents the costs of ad hoc security measures and the damage caused by security breaches.
     
  • Reduce the complexity of investigations – SOC teams can streamline their investigative efforts. The SOC can coordinate data and information from sources, such as network activity, security events, endpoint activity, threat intelligence, and authorization. SOC teams have visibility into the network environment, so the SOC can simplify the tasks of drilling into logs and forensic information, for example.

SOC challenges and how technology can help

  • Increased volumes of security alerts – The growing number of security alerts requires a significant amount of an analyst’s time. Analysts may tend to tasks from the mundane to the urgent when determining the accuracy of alerts. They could miss alerts as a result, which highlights the need for alert prioritization. Exabeam Advanced Analytics uses UEBA technology to provide security alert prioritization, which relies on the dynamic analysis of anomalous events. This ensures that analysts can find the alerts requiring the most immediate attention.
     
  • Management of many security tools – As various security suites are being used by SOCs and CSIRTs, it is hard to efficiently monitor all the data generated from multiple data points and sources. A SOC may use 20 or more technologies, which can be hard to keep track of and control individually. This makes it important to have a central source and a single platform. A SIEM serves this function in most SOCs. For an example of a next-generation SIEM solution with advanced analytics and security automation, see the Exabeam Security Management Platform.
     
  • Skills shortage – Short staffing or lack of qualified individuals is an issue. A key strategy for dealing with the cybersecurity skills shortage is automating SOC processes, to save time for analysts. In addition, an organization may decide to outsource.Some organizations are now outsourcing to MSSPs to help them with their SOC services. Managed SOCs can be outsourced entirely or in partnership with on-premises security staff.

Learn about how security technologies are helping solve SOC challenges in our guide: The SOC, SIEM, and Other Essential SOC Tools

Getting started with a SOC

Questions to ask before setting up a SOC

  1. Availability and hours – Will you staff your SOC 8×5 or 24×7?
  2. Format – Will you have a standalone SOC or an integrated SOC and NOC?
  3. Organization – Do you plan to control everything in house, or will you use an MSSP?
  4. Priorities and capabilities – Is security the core concern, or is compliance a key issue? Is monitoring the main priority, or will you need capabilities such as ethical hacking or penetration testing? Will you make extensive use of the cloud?
  5. Environment – Are you using a single on-premises environment or a hybrid environment?

5 steps to setting up your SOC

  1. Ensure everyone understands what the SOC does – A SOC observes and checks endpoints and the organization’s network, and isolates and addresses possible security issues. Create a clear separation between the SOC and the IT help desk. The help desk is for employee IT concerns, whereas the SOC is for security issues related to the entire organization.
  2. Provide infrastructure for your SOC – Without the appropriate tools, a SOC team will not be able to deal with a security threat. Evaluate and invest in tools and technologies that will support the effectiveness of the SOC and are appropriate for the level of expertise of your in-house security team. See the next section for a list of tools commonly used in the modern SOC.
  3. Find the right people – Build a security team using the roles listed above: security analysts, security engineers, and a SOC manager. These specialists should receive ongoing training in areas such as reverse engineering, intrusion detection, and malware anatomy. The SOC manager needs to have strong security expertise, management skills, and battle-tested crisis management experience.
  4. Have an incident response plan ready – An incident response team should create a specific and detailed action plan. The team can also create a repeatable plan that can be used over time and adapt to different threat scenarios. Business, PR, and legal teams may also be involved if needed. The team should adhere to predefined response protocols so they can build on their experience.
  5. Defend – A key responsibility of the SOC is to protect the perimeter with a dedicated team focused on detecting threats. The SOC’s goal is to collect as much data and context as possible, prioritize incidents, and ensure the important ones are dealt with quickly and comprehensively.

The security maturity spectrum — Are you ready for a SOC?

A SOC is an advanced stage in the maturity of an organization’s security. The following are drivers that typically push companies to take this step:

  • Requirements of standards such as the Payment Card Industry Data Security Standard (PCI DSS), government regulations, or client requirements
  • The need for the business to secure very sensitive data
  • Past security breaches and/or public scrutiny
  • Type of organization — For example, a government agency or Fortune 500 company will almost always have the scale and threat profile that justifies a SOC, or even multiple SOCs.

Different organizations find themselves at different stages of developing their security stance. We define five stages of security maturity. In stages 4 and 5, an investment in a security operations center becomes relevant and worthwhile.

Which of the following is MOST important when selecting a third-party security operations center

The future of the SOC

The security operations center is undergoing an exciting transformation. It is integrating with ops and development departments, and is empowered by powerful new technologies, while retaining its traditional command structure and roles to identify and respond to critical security incidents.

We showed how SIEM is a foundational technology of the SOC, and how next-generation SIEMs, which include new capabilities like behavioral analytics, machine learning, and SOC automation, open up new possibilities for security analysts.

The impact of a next-gen SIEM on the SOC can be significant. It can:

  • Reduce alert fatigue via user and entity behavior analytics (UEBA) that goes beyond correlation rules, helps reduce false positives, and discover hidden threats.
  • Improve MTTD by helping analysts discover incidents faster and gather all relevant data.
  • Improve MTTR by integrating with security systems and leveraging Security Orchestration, Automation and Response (SOAR) technology.
  • Enable threat hunting by giving analysts fast and easy access and powerful exploration of unlimited volumes of security data.

Exabeam is an example of a next-generation SIEM which combines data lake technology, visibility into cloud infrastructure, behavioral analytics, an automated incident responder, and a threat hunting module with powerful data querying and visualization.

See our additional guides on key information security topics

We have authored in-depth guides on several other information security topics that can also be useful as you explore the world of security operation centers.

Together with our content partners, we have authored in-depth guides on several other topics that can also be useful as you explore the world of information security.

Security Information and Event Management (SIEM)

See top articles in our SIEM guide:

MITRE ATT&CK

Learn about MITRE ATT&CK, a security research project that is helping the security industry better understand techniques, tactics, and procedures (TTPs) used by threat actors, detecting them, and responding to them more effectively.

Next Gen SIEM

Learn about next generation security information and event management (SIEM) systems that combine traditional SIEM functionality with use and entity behavioral analytics (UEBA), security orchestration and automation (SOAR), and other advanced security capabilities.

Q&A When

Related Posts

What is a good score on zetamac
What is a good score on zetamac

What is the Value of the Square Root of 256?
What is the Value of the Square Root of 256?

What are the symptoms of fibroids after menopause
What are the symptoms of fibroids after menopause

What is legal tint in louisiana
What is legal tint in louisiana

What does round to the nearest 10th mean?
What does round to the nearest 10th mean?

What agency establishes principles and standards for examination of federal financial institutions quizlet?
What agency establishes principles and standards for examination of federal financial institutions quizlet?

What are the 7 steps in incident response?
What are the 7 steps in incident response?

The first step in creating the master budget is the creation of the
The first step in creating the master budget is the creation of the

What year did the first dodge viper come out
What year did the first dodge viper come out

What was right outside the central core of Anyang
What was right outside the central core of Anyang

Local auto body repair shops near me
Local auto body repair shops near me

Bath and body works visor clip instructions
Bath and body works visor clip instructions

How to get messages from iphone to pc
How to get messages from iphone to pc

What time does the next fortnite season come out
What time does the next fortnite season come out

What info do you need to get a passport
What info do you need to get a passport

Best bb cream for acne prone skin 2022
Best bb cream for acne prone skin 2022

All inclusive miami vacation packages with airfare
All inclusive miami vacation packages with airfare

How to get into a locked room door
How to get into a locked room door

How to remove recent inquiries from credit report
How to remove recent inquiries from credit report

How much is 2.5 liters of water in gallons
How much is 2.5 liters of water in gallons

Advertising

LATEST NEWS

Which one of the following would be considered the most appropriate action for a leader during the performing stage of team development?
1 years ago . by PedagogicalAdjustment
Why is it fitting that it is almost the last day of the summer in The Great Gatsby Chapter 7?
1 years ago . by LustyFinale
20 workers can build a wall in 30 days, how many days will 15 workers take to build the same wall
1 years ago . by AllegedCilantro
Is 12 workers can build a wall in 50 hours how many workers will be required to do the same work in 40 hours?
1 years ago . by Hand-heldEnlightenment
The various behavioral forms that nonverbal communication takes are referred to as nonverbal
1 years ago . by ClosedJuncture
Why give alpha blocker before beta blocker in pheochromocytoma
1 years ago . by PrecedingProphecy
The overlap between groups has ______ in americas residential neighborhoods and workplaces.
1 years ago . by UnrelentingClimber
Can you sue your spouse NJ?
1 years ago . by FrugalDepletion
The five flows in marketing channels discussed in the text are
1 years ago . by FadedHacker
Does Australia use accrual accounting?
1 years ago . by UrbanCropping

Advertising

Populer

Advertising

About

Legal

Help

Social

Copyright © 2024 themosti Inc.