13 Dec Building an Intelligent SOC
Nowadays, with the increasing volume and complexity of cyber-threats, security monitoring and operations have become a necessity, holding a primary role in the Cloud and Information Management efforts of an organization. Organizations invest in the development of Security Operations Centers (SOCs) to provide real-time visibility, increased security, and timely response to targeted threats.
In this post, we look at why many organizations need to implement a SOC, the challenges they face, and how those challenges can be approached carefully and efficiently. We also present our concept of the ‘intelligent SOC’ (iSOC), which is basically a SOC on steroids!
Regulatory requirements, such as the European NIS Directive, the Saudi Arabian ECC directive, and many others, constitute a driving force behind the need for threat monitoring best practices, either via the development of an on-premises Security Operations Center (SOC), or by outsourcing it to a Managed Security Services Provider (MSSP).
A SOC on steroids
Let’s talk about the SOC on steroids, the Intelligent Security Operations Center (iSOC). Its defining characteristic is that its teams go beyond traditional prevention and monitoring methods that rely only on static analysis and signature-based alerts, which modern threats can bypass. An iSOC’s domains of responsibility are to prevent, detect, respond, and predict. Together, these constitute the adaptive security architecture.
Throughout an organization’s journey to build a Security Operations Center (SOC), several challenges must be overcome and several questions answered; these play a vital role in the decision to either build an in-house SOC or outsource it to an MSSP. Firstly, to effectively run a SOC you require “People, Processes and Technology”, so putting in place what is needed to cover those three areas is the core of a SOC. In addition, you must enhance it with “Security Intelligence”, which glues everything together and extends the capabilities of the SOC.
For People, staffing a Security Operations Center (SOC) team is a challenging area regarding the skillset, education and experience required. A 24×7 SOC team consists of Tier 1 and Tier 2 Security Analysts, working in shifts, plus Team Leaders and, of course, a SOC manager. The challenge here is to properly define the SOC operating structure and model to make the right decisions in staffing the SOC team with the adequate resources.
For Processes, to carry out the long list of tasks a SOC team has to perform, it needs predefined processes and procedures, so that threats to your organization are identified and eradicated, minimizing your organizational risk.
For Technology, the toolset used by a SOC team is derived from the required capabilities. A SOC’s key capabilities include real-time event monitoring, threat analysis, incident escalation and response. Additional capabilities include performance and capacity monitoring (for the network), vulnerability management, threat intelligence, threat hunting, SOAR, red teaming, and other even more advanced capabilities. Apart from the soft skills SOC members need to possess, several systems must be implemented alongside your organization’s security infrastructure to help SOC members capitalize on these capabilities. A well-configured SIEM plays a critical part in a SOC, as most of the information required for alert escalation and incident investigation comes from the SIEM.
Additionally, as I mentioned, an intelligent SOC enhances the “Prevent, Detect, Respond and Predict” abilities of a SOC with Security Intelligence derived from internal and external sources; this includes threat and operational intelligence in addition to organizational context. You should think of an intelligent Security Operations Center (iSOC) as a well-oiled machine that provides visibility over the organization’s log and event data, uses multisource threat intelligence strategically and tactically, and uses advanced analytics to operationalize security intelligence. It also automates responses and incident escalations wherever that is feasible, adopts an adaptive security architecture, and proactively threat-hunts and investigates. These capabilities drive the iSOC beyond monitoring the preventive technologies and the perimeter. The intelligence-driven SOC is built on intelligence and uses it at every level of security operations.
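To make the “operationalize security intelligence” idea concrete, here is an added example (not code from the original post or from any product) of how an iSOC triage step could combine a SIEM alert with a threat-intelligence feed and organizational asset context to decide the escalation path, automating containment only where both signals are unambiguous. The feed, asset inventory, alert fields and scoring weights are all constructed assumptions for illustration.

```python
from dataclasses import dataclass

# Constructed threat-intel feed: indicator -> confidence (0-100) and origin.
THREAT_INTEL = {
    "203.0.113.42": {"confidence": 90, "source": "external-feed"},
    "198.51.100.7": {"confidence": 40, "source": "internal-hunt"},
}

# Constructed organizational context: host -> business criticality.
ASSET_CONTEXT = {
    "db-prod-01": "critical",
    "dev-box-12": "low",
}

# Weight given to the asset's criticality when scoring an alert (assumed).
CRITICALITY_WEIGHT = {"critical": 40, "high": 25, "low": 5, "unknown": 15}


@dataclass
class Alert:
    """Minimal shape of a SIEM alert for this example."""
    host: str        # internal asset that raised the alert
    remote_ip: str   # external indicator seen in the event
    rule: str        # name of the SIEM correlation rule that fired


def score_alert(alert: Alert) -> int:
    """Combine a base alert score with intel confidence and asset criticality."""
    score = 10  # every SIEM alert starts with a base score
    intel = THREAT_INTEL.get(alert.remote_ip)
    if intel:
        score += intel["confidence"]
    criticality = ASSET_CONTEXT.get(alert.host, "unknown")
    score += CRITICALITY_WEIGHT[criticality]
    return score


def escalation_tier(alert: Alert) -> str:
    """Map an alert to an escalation path; automate only when it is safe to."""
    intel = THREAT_INTEL.get(alert.remote_ip)
    criticality = ASSET_CONTEXT.get(alert.host, "unknown")
    # Automated containment needs both high-confidence intel and a known critical asset.
    if intel and intel["confidence"] >= 80 and criticality == "critical":
        return "auto-contain+tier2"
    score = score_alert(alert)
    if score >= 60:
        return "tier2"
    if score >= 30:
        return "tier1"
    return "log-only"
```

An unknown asset never triggers automated containment, even on a high-confidence indicator; it is routed to a Tier 2 analyst instead, which is where the organizational-context piece of the iSOC earns its keep.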
Given the above topics and challenges, several questions are raised, both top-down from the organizational hierarchy and bottom-up.
- What capabilities should my SOC own?
- What should be the operating times of my SOC?
- How should I make sourcing decisions for my SOC?
- Can I outsource some of the SOC capabilities?
- What SOC metrics should be reported to management and the board?
These questions, along with many others, can be answered during the design of the SOC and, more specifically, through a structured assessment and planning exercise. One way to approach it is as a 4-stage project:
- Assess your organization’s needs and its current status
- Create a plan with what is required in terms of People, Process and Technology
- Build the service based on the agreed plan
- Set the procedures required to run the iSOC with adaptive security and continuous improvement at its core
Running an efficient SOC helps you meet your compliance and regulatory requirements. It essentially aligns you with your business needs and risk priorities by providing visibility, early alerting, and timely incident response through an intelligent Security Operations Center (iSOC).
Author: Andreas Constantinides, Manager, Professional Services