The Security Operations Center (SOC) is where the cybersecurity strategy of a business is coordinated and implemented. It is where security issues are dealt with on both an organizational and a technical level. It normally comprises a team of skilled cybersecurity experts who develop and implement the organization's security policies and use the necessary technology to monitor for and respond to identified network threats. The SOC is composed of three building blocks, people, processes and technology, that go hand in hand to manage and enhance the organization's security posture. Finally, governance and compliance provide the framework that ties these building blocks together.
The following are the characteristics of a modern SOC:
1. Threat Intelligence
Among the main challenges to the cybersecurity industry are malicious threat actors who employ increasingly sophisticated tactics, massive loads of data with extraneous information and false alarms across multiple and disparate security systems, and a dearth of skilled professionals.
A common reaction for some organizations is to incorporate threat data feeds into their network, but this only increases the burden on their own analysts: the feeds add more extraneous data, and without tools for security data triage the analysts cannot decide what to prioritize and what to ignore.
This is where a cybersecurity threat intelligence solution comes in, with the capability to address these issues in an actionable manner. Best-of-breed threat intelligence solutions use machine learning to automate data collection and processing, and integrate with existing solutions. It is then possible to make sense of all the data by providing context on Indicators of Compromise (IoCs) and on the tactics, techniques, and procedures (TTPs) of threat actors.
2. Threat Hunting
At its best, threat hunting is a powerful combination of the best of human intuition and machine technology. Its ultimate purpose is to proactively hunt for threats to reduce time-to-detection, dwell time and ultimately, protect the enterprise.
People take the lead in this endeavor because threat hunting is focused on emerging threats rather than known attack methods. This makes it crucial for personnel to have the time and authority to conduct research and pursue hypotheses – something difficult to carry out if they are distracted by security alerts.
It all starts with a hypothesis. Threat hunters may generate a hypothesis based on external information, e.g. threat reports, blogs, and social media. To illustrate, your team may learn about a new phishing tactic in an industry blog and hypothesize that a malicious threat actor has used that socially engineered tactic against your organization. Existing data and intelligence from past incidents also informs hypothesis development.
Upon developing this hypothesis, the team examines the relevant techniques and tactics to uncover any artifacts the attacker left behind, which either confirms or rules out the hypothesis.
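The hypothesis-driven hunt described above, as an added example that is not from the original article. The hypothesis itself is an assumption chosen for illustration: "a phishing campaign is sending mail from look-alike versions of our own domain". The hunt scans constructed mail-gateway events for sender domains within a small edit distance of the organization's domain and returns them ranked, so an analyst can confirm or reject the hypothesis against the artifacts. The organization domain, the events and the threshold are all invented values.

```python
"""Hypothesis-driven hunt (added example, not from the original article).

Hypothesis (assumed for illustration): attackers are sending phishing mail
from look-alike domains that differ from ORG_DOMAIN by one or two characters.
All domains and events below are constructed sample data.
"""

ORG_DOMAIN = "example-corp.test"  # constructed organization domain

# Constructed mail-gateway events; the sender domains are invented.
MAIL_EVENTS = [
    {"id": 1, "from": "hr@example-corp.test", "subject": "Payroll update"},
    {"id": 2, "from": "it-support@examp1e-corp.test", "subject": "Reset your password"},
    {"id": 3, "from": "news@vendor.test", "subject": "Newsletter"},
    {"id": 4, "from": "ceo@example-c0rp.test", "subject": "Urgent wire"},
    {"id": 5, "from": "alerts@exampIe-corp.test", "subject": "Account locked"},  # capital I for l
]


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: minimum single-character edits turning a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            cur.append(min(prev[j] + 1,        # deletion
                           cur[j - 1] + 1,     # insertion
                           prev[j - 1] + cost))  # substitution
        prev = cur
    return prev[-1]


def sender_domain(address: str) -> str:
    """Extract and normalise the domain part of an e-mail address."""
    return address.rsplit("@", 1)[-1].strip().lower().rstrip(".")


def hunt_lookalikes(events, org_domain=ORG_DOMAIN, max_distance=2):
    """Return (distance, event id, sender domain) for senders whose domain is a
    near miss of org_domain. Exact matches are the real domain and are skipped.
    Results are sorted so the closest look-alikes come first."""
    findings = []
    for ev in events:
        domain = sender_domain(ev["from"])
        if domain == org_domain:
            continue
        distance = edit_distance(domain, org_domain)
        if distance <= max_distance:
            findings.append((distance, ev["id"], domain))
    findings.sort()
    return findings


if __name__ == "__main__":
    for distance, event_id, domain in hunt_lookalikes(MAIL_EVENTS):
        print(f"event {event_id}: sender domain {domain!r} is {distance} edit(s) from {ORG_DOMAIN}")
```

The threshold of two edits is deliberately tight; widening it on a large mailbox population produces the flood of extraneous results the article warns about, so the analyst's judgement about the threshold is part of the hunt, not an implementation detail.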
3. Data Analytics
Data collection and analysis are integral to the modern SOC. Threat data comes from a wide range of sources: network event logs, records of previous incident responses, and external sources on the open web, the dark web and technical feeds.
Threat data commonly takes the form of Indicators of Compromise (IoCs) such as malicious IP addresses, domains and file hashes, and may also include sensitive data such as personally identifiable customer information, raw code from paste sites, and text from news sources or social media. Collected data is then sorted and organized with metadata tags, filtered, and stripped of redundant information and of false positives and negatives to prepare it for analysis.
Analysis is the process of making sense of the processed data: searching it for potential security issues and then notifying the relevant personnel in a format the audience will understand. The output can range from simple threat lists to peer-reviewed reports.
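The collection, tagging, filtering and de-duplication steps described under Data Analytics, together with the "context on Indicators of Compromise" point from the Threat Intelligence section, as one added example that is not from the original article. It takes raw entries from two constructed feeds, normalises them (whitespace, case, trailing dots), merges duplicates while keeping every source and tag as context, suppresses allowlisted benign values, drops unparseable noise, and finally matches the cleaned set against constructed log lines. Feed names, indicator values, the allowlist and the log lines are all invented.

```python
"""IoC processing pipeline (added example, not from the original article).

Every feed entry, allowlist value and log line below is constructed sample
data; none of the indicators is real.
"""
import re
from dataclasses import dataclass, field

# Constructed feeds: (source name, raw indicator as delivered, tags).
RAW_FEEDS = [
    ("feed-a", "198.51.100.23", ["c2"]),
    ("feed-b", "198.51.100.23 ", ["scanner"]),                  # duplicate, stray whitespace
    ("feed-a", "Evil-Example.test", ["phishing"]),
    ("feed-b", "evil-example.test.", ["phishing"]),              # duplicate, trailing dot, different case
    ("feed-a", "0123456789ABCDEF0123456789ABCDEF", ["malware"]),  # uppercase hash
    ("feed-b", "8.8.8.8", ["dns"]),                              # benign, suppressed by allowlist
    ("feed-b", "not an indicator", ["junk"]),                    # unparseable noise
]

ALLOWLIST = {"8.8.8.8"}  # constructed: known-benign values that must not raise alerts

# Constructed log lines from a proxy, a resolver and an endpoint agent.
SAMPLE_LOGS = [
    "2024-01-01T10:00:01Z proxy src=10.0.0.5 dst=198.51.100.23 action=allow",
    "2024-01-01T10:00:02Z dns client=10.0.0.5 query=evil-example.test",
    "2024-01-01T10:00:03Z dns client=10.0.0.6 resolver=8.8.8.8 query=intranet.test",
    "2024-01-01T10:00:04Z edr host=ws01 md5=0123456789abcdef0123456789abcdef path=C:\\tmp\\a.exe",
    "2024-01-01T10:00:05Z proxy src=10.0.0.7 dst=203.0.113.9 action=allow",
]

IPV4 = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")
HASH = re.compile(r"^[0-9a-f]{32}$|^[0-9a-f]{40}$|^[0-9a-f]{64}$")  # md5 / sha1 / sha256
DOMAIN = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}$")


@dataclass
class Indicator:
    """One de-duplicated indicator with the context gathered from all feeds."""
    value: str
    kind: str
    sources: set = field(default_factory=set)
    tags: set = field(default_factory=set)


def normalise(raw: str):
    """Return (kind, canonical value), or None when the entry is not a recognisable IoC."""
    value = raw.strip().lower().rstrip(".")
    if IPV4.match(value) and all(0 <= int(octet) <= 255 for octet in value.split(".")):
        return "ipv4", value
    if HASH.match(value):
        return "hash", value
    if DOMAIN.match(value):
        return "domain", value
    return None


def build_indicator_set(feeds, allowlist):
    """Normalise, filter and merge raw feed entries into one indicator per value."""
    indicators = {}
    for source, raw, tags in feeds:
        parsed = normalise(raw)
        if parsed is None:          # strip noise the feed could not be parsed from
            continue
        kind, value = parsed
        if value in allowlist:      # strip known false positives
            continue
        indicator = indicators.setdefault(value, Indicator(value, kind))
        indicator.sources.add(source)   # keep provenance as context
        indicator.tags.update(tags)     # merge tags from every feed that reported it
    return indicators


def match_logs(indicators, log_lines):
    """Return (line number, Indicator) for every exact token match in the logs.
    Matching is on whole tokens, so a subdomain of a listed domain is not a hit."""
    hits = []
    for number, line in enumerate(log_lines, 1):
        tokens = set(re.findall(r"[a-z0-9.\-]+", line.lower()))
        for value, indicator in indicators.items():
            if value in tokens:
                hits.append((number, indicator))
    return hits


if __name__ == "__main__":
    cleaned = build_indicator_set(RAW_FEEDS, ALLOWLIST)
    for number, indicator in match_logs(cleaned, SAMPLE_LOGS):
        print(f"line {number}: {indicator.kind} {indicator.value} "
              f"sources={sorted(indicator.sources)} tags={sorted(indicator.tags)}")
```

The merged `sources` and `tags` on each hit are the "context" the Threat Intelligence section refers to: an analyst seeing that two independent feeds tagged the same address as both `c2` and `scanner` can prioritise it differently from a value reported once by one feed.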
Conclusion
The modern SOC is a solution that offers real-time context on the threat landscape. When the SOC performs threat intelligence, threat hunting and data analysis well, it becomes a highly intelligent system: one that provides transparency into the threat environment of your business's ecosystem, gives timely alerts on threats and on changes to risk, and supplies the context needed to evaluate your overall security posture.