Building Security Operations Center (SOC)

A Security Operations Center (SOC) is a dedicated facility or team responsible for monitoring, detecting, analyzing, and responding to security incidents in an organization’s IT infrastructure. It acts as the central nervous system of an organization’s cybersecurity defense, working around the clock to protect against cyber threats. This article provides a comprehensive and detailed overview of the basics of SOC, its processes, organization structure, and key components.

People

Most SOC teams are fighting fires with never enough staff, never enough time, and never enough visibility or certainty about what is going on. That is why it is essential to consolidate your toolset and organize your team effectively. The goal is a SOC team with the right skills that uses the least amount of resources while still gaining visibility into active and emerging threats.

Knowing what it takes to build a SOC will help you determine how to staff your team. As a starting point for recruiting and staffing, the SOC skillset matrix below lists the roles and responsibilities for a 4-5 person SOC team that will give your SOC a solid foundation:

Role: Tier 1 Security Analyst
Description: Triage Specialist (separating the wheat from the chaff)
Skills: Sysadmin skills (Linux/Mac/Windows); programming skills (Python, Ruby, PHP, C, C#, Java, Perl, and more); security skills, typically evidenced by certifications such as CISSP, GCIA, GCIH, GCFA or GCFE.
Responsibilities: Reviews the latest alerts to determine relevancy and urgency. Creates new trouble tickets for alerts that signal an incident and require Tier 2 / Incident Response review. Runs vulnerability scans and reviews vulnerability assessment reports. Manages and configures security monitoring tools (IDS, correlation rules, etc.).

Role: Tier 2 Security Analyst
Description: Incident Responder (IT's version of the first responder)
Skills: All of the above, plus natural ability, dogged curiosity to get to the root cause, and the ability to remain calm under pressure. Being a former white-hat hacker is also a big plus.
Responsibilities: Reviews trouble tickets generated by Tier 1 analyst(s). Uses emerging threat intelligence (IOCs, updated rules, etc.) to identify affected systems and the scope of the attack. Reviews and collects asset data (configs, running processes, etc.) on these systems for further investigation. Determines and directs remediation and recovery efforts.

Role: Tier 3 Expert Security Analyst
Description: Threat Hunter (hunts rather than defends)
Skills: All of the above, plus familiarity with data visualization tools and penetration testing tools.
Responsibilities: Reviews asset discovery and vulnerability assessment data. Explores ways to identify stealthy threats that may have found their way inside your network without being detected, using the latest threat intelligence. Conducts penetration tests on production systems to validate resiliency and identify areas of weakness to fix. Recommends how to optimize security monitoring tools based on threat-hunting discoveries.

Role: Tier 4 SOC Manager
Description: Operations and Management (Chief Operating Officer for the SOC)
Skills: All of the above, plus strong leadership and communication skills.
Responsibilities: Supervises the activity of the SOC team. Recruits, hires, trains, and assesses the staff. Manages the escalation process and reviews incident reports. Develops and executes the crisis communication plan to the CISO and other stakeholders. Runs compliance reports and supports the audit process. Measures SOC performance metrics and communicates the value of security operations to business leaders.

SOC Manager

The SOC manager oversees the operations of the SOC, including staffing, budgeting, and strategic planning. They ensure the SOC aligns with the organization’s overall security strategy and coordinates with other teams within the organization. The SOC manager also collaborates with executive stakeholders to communicate the SOC’s effectiveness and drive continuous improvement.

The SOC manager meets regularly with the organization’s CISO and IT directors to discuss emerging threats, resource requirements, and strategic initiatives. They provide reports on SOC activities, metrics, and the effectiveness of security controls. Based on the information gathered, the SOC manager advocates for additional resources, technology investments, or process improvements to enhance the SOC’s capabilities.

SOC Analysts

SOC analysts are the frontline defenders who monitor security events, investigate incidents, and respond to alerts. They possess technical expertise in cybersecurity, incident response, and various security technologies. SOC analysts work in shifts to ensure continuous coverage and collaborate with other teams to share information and coordinate incident response efforts.

SOC analysts use a combination of automated security tools, manual analysis, and threat intelligence to detect and respond to security incidents. They analyze log data, network traffic, and system alerts to identify patterns, indicators of compromise, and potential security breaches. They also work closely with other teams, such as the incident response team and threat intelligence team, to gather additional information and insights for effective incident resolution.

Incident Response Team

The incident response team within the SOC focuses on investigating and responding to security incidents promptly. They collaborate with other teams, such as network administrators and system administrators, to contain and mitigate incidents. This team follows predefined incident response plans to ensure consistent and effective incident handling.

When a security incident occurs, the incident response team in the SOC takes the lead in coordinating the incident response activities. They gather information from SOC analysts, assess the impact of the incident, and engage other teams, such as system administrators and legal counsel, if necessary. They document the incident details, collect evidence, and work towards restoring normal operations while minimizing any potential impact.

Threat Intelligence Team

The threat intelligence team collects, analyzes, and disseminates relevant threat intelligence to the SOC. They continuously monitor external threat feeds, analyze the latest attack trends, and provide actionable intelligence to enhance the organization’s defenses. The threat intelligence team collaborates with SOC analysts to incorporate intelligence into detection systems and incident response procedures.

The threat intelligence team uses various sources, such as commercial threat feeds, open-source intelligence, and information sharing platforms, to gather intelligence about emerging threats, new attack techniques, and known threat actors. They analyze this intelligence, correlate it with internal security events, and produce reports or advisories for the SOC analysts. This information helps SOC analysts to proactively detect and respond to potential threats.

Processes

There is a long list of things that the SOC team needs to do—and do properly—so that your organization’s assets are protected and high-priority threats are detected quickly and with minimal impact. Establishing the key processes you’ll need for building a SOC is the most crucial part of incident management.

These include Event Classification and Triage; Prioritization and Analysis; Remediation and Recovery; and Assessment and Audit.

Event classification and triage

Tier 1 SOC analysts review the latest events that have the highest criticality or severity. Once they have verified that an event requires further investigation, they escalate it to a Tier 2 security analyst (note that in smaller teams the same analyst may carry an issue from first look through to the deeper investigation). The key to success in this stage is to document all activity (e.g. notes, trouble ticket, etc.).

It is essential to document every stage of an investigation: which assets you have examined, which ones have a "special" configuration that explains otherwise suspicious activity, and which events turned out to be false positives. That record is what lets the next analyst close a repeat of the same alert in seconds instead of re-investigating it.

Prioritization and analysis

Prioritization is critical in cybersecurity: the stakes are high, the pace of attacks keeps escalating, and the resources you have to protect assets are limited. Focus on the events that could be most impactful to business operations, which requires knowing in advance which assets are the most critical (an up-to-date asset inventory with a business-criticality rating is the input this step depends on).

Review and respond to any activity that indicates an adversary has infiltrated your environment. This can range from the installation of a rootkit/RAT or backdoor taking advantage of an existing vulnerability to network communications between an internal host and a known bad IP address associated with a cyber adversary’s C2 (command-and-control servers) infrastructure.
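The triage and prioritization steps above, as an added Python example (this is illustrative code, not part of the original post or any product). It scores each alert by combining the detection severity with the business criticality of the affected asset, auto-escalates the categories the text singles out (rootkit/RAT installs, C2 traffic) regardless of score, closes alerts that match a documented false positive, and writes every decision onto a ticket. The asset inventory, severity weights, escalation threshold and sample alerts are all constructed for the demo and should be tuned to your own environment.

```python
"""Alert triage and prioritization (hypothetical example, constructed data)."""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed asset inventory: criticality 1 (lab box) .. 5 (crown jewels).
ASSET_CRITICALITY = {
    "pay-db-01": 5,
    "ad-dc-01": 5,
    "web-01": 3,
    "lab-vm-07": 1,
}

SEVERITY_WEIGHT = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Detections that by themselves mean an adversary is already inside
# (rootkit/RAT install, outbound C2 traffic) escalate regardless of score.
ALWAYS_ESCALATE = {"c2_beacon", "rootkit_install", "rat_install"}

ESCALATION_THRESHOLD = 12  # severity_weight * criticality; tune for your team


@dataclass
class Alert:
    alert_id: str
    asset: str
    severity: str
    category: str
    known_false_positive: bool = False  # e.g. matches a documented "special" config


@dataclass
class Ticket:
    alert_id: str
    asset: str
    priority: int
    assigned_tier: int
    status: str
    notes: list = field(default_factory=list)

    def note(self, text: str) -> None:
        """Append a timestamped entry so every step of the investigation is recorded."""
        stamp = datetime.now(timezone.utc).isoformat(timespec="seconds")
        self.notes.append(f"{stamp} {text}")


def priority_score(alert: Alert) -> int:
    """Severity of the detection multiplied by how much the asset matters."""
    sev = SEVERITY_WEIGHT.get(alert.severity.lower(), 1)
    crit = ASSET_CRITICALITY.get(alert.asset, 2)  # unknown asset: assume mid
    return sev * crit


def triage(alert: Alert) -> Ticket:
    """Tier 1 decision: close as false positive, keep at Tier 1, or escalate to Tier 2."""
    score = priority_score(alert)
    ticket = Ticket(alert.alert_id, alert.asset, score, 1, "open")
    ticket.note(f"triaged: severity={alert.severity} category={alert.category} "
                f"criticality={ASSET_CRITICALITY.get(alert.asset, 'unknown')} score={score}")
    if alert.known_false_positive:
        ticket.status = "closed_false_positive"
        ticket.note("closed: matches documented false positive")
        return ticket
    if alert.category in ALWAYS_ESCALATE or score >= ESCALATION_THRESHOLD:
        ticket.assigned_tier = 2
        ticket.status = "escalated"
        ticket.note("escalated to Tier 2 for incident response")
    else:
        ticket.note("retained at Tier 1 for routine investigation")
    return ticket


def work_queue(alerts):
    """Tickets ordered so the highest-impact items are worked first."""
    return sorted((triage(a) for a in alerts), key=lambda t: t.priority, reverse=True)


# Constructed alerts for the demo run (not from any real system).
SAMPLE_ALERTS = [
    Alert("A-1", "lab-vm-07", "high", "port_scan"),
    Alert("A-2", "pay-db-01", "medium", "failed_logins"),
    Alert("A-3", "web-01", "low", "c2_beacon"),
    Alert("A-4", "ad-dc-01", "critical", "new_admin_account"),
    Alert("A-5", "web-01", "high", "ids_signature", known_false_positive=True),
]

if __name__ == "__main__":
    for t in work_queue(SAMPLE_ALERTS):
        print(t.alert_id, t.asset, t.priority, f"tier={t.assigned_tier}", t.status)
```

Note what the scoring does and does not do: a low-severity C2 beacon on a mid-value web server (A-3) still goes to Tier 2 because the category is on the always-escalate list, while a medium-severity burst of failed logins on the payment database (A-2) stays at Tier 1 because it scores under the threshold. Whether that second outcome is acceptable is a decision for your team, and the threshold and category list are exactly the knobs to adjust.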

Remediation and recovery

The faster you can detect and respond to an incident, the more likely you’ll be able to contain the damage and prevent a similar attack from happening in the future.

There are a number of decisions to make when investigating an incident, particularly whether your organization is more interested in recovering from the damage or in investigating it as a crime. The two pull in opposite directions: re-imaging a host gets the business back fastest but destroys the evidence on it, so if prosecution or a regulatory report is a realistic outcome, capture forensic images and logs before you remediate. Make sure that you work closely with your management team, communicate clearly and often, and have a remediation plan.

Each attack will differ in terms of the appropriate remediation steps to take on the affected systems, but it will often involve one or more of the following:

  • Re-image systems (and restore backups)
  • Patch or update systems (e.g. apps and OS updates)
  • Re-configure system access (e.g. account removals, password resets)
  • Re-configure network access (e.g. ACL and firewall rules, VPN access, etc.)
  • Review monitoring capabilities on servers and other assets (e.g. enabling HIDS)
  • Validate patching procedures and other security controls by running vulnerability scans

By the way, some SOC teams hand off remediation and recovery procedures to other groups within IT. In this case, the SOC analyst would create a ticket and/or change control request and delegate it to those responsible for desktop and system operations.

Assessment and audit

It is always better to find and fix vulnerabilities before an attacker exploits them to gain access to your environment. The best way to do that is to run periodic vulnerability assessments and review the report findings in detail. Keep in mind that these assessments identify technical vulnerabilities rather than procedural ones, so make sure your team is also addressing gaps in your SOC processes that could expose you to risk as well.

Running vulnerability scans and generating compliance reports are some of the most common audit activities for SOC team members. Additionally, SOC team members may review their SOC processes with audit teams (internal and external) to verify policy compliance as well as determine how to improve SOC team performance and efficiency.

Tools

The essential security monitoring tools can be grouped into five major categories: Asset Discovery, Vulnerability Assessment, Intrusion Detection, Behavioral Monitoring, and SIEM / Security Analytics. The sections below cover the tool types a SOC team works with day to day.

Security Information and Event Management (SIEM)

SIEM systems collect, correlate, and analyze security event data from various sources. They provide a centralized view of security events, enabling SOC analysts to detect and respond to security incidents effectively. SIEM systems also support log management, incident investigation, and reporting capabilities.

A SIEM system ingests log data from network devices, servers, and security appliances, allowing SOC analysts to monitor and analyze security events in real-time. It correlates events, applies threat intelligence feeds, and generates alerts based on predefined rules or anomaly detection algorithms. SOC analysts can then investigate the alerts, drill down into specific events, and take appropriate action to address potential security incidents.
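The correlation and threat-intelligence matching described above, as an added Python example (illustrative code, not from the original post or any SIEM product). It normalizes two constructed log formats (authentication events and network flows) into a common shape and then runs two rules a SOC would typically deploy: an IOC match for an internal host talking to an address on a C2 feed, and a windowed correlation rule that fires when at least three failed logins from one source are followed by a success on the same host. The log lines, the feed entry and the rule thresholds are all constructed; the addresses are RFC 5737 documentation ranges.

```python
"""SIEM-style correlation over constructed log lines (hypothetical example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed IOC feed: C2 address -> tag. 203.0.113.0/24 is a documentation range.
C2_FEED = {"203.0.113.45": "hypothetical-rat-c2"}

FAILED_THRESHOLD = 3          # failures before a success becomes suspicious
WINDOW = timedelta(minutes=5)  # failures older than this are forgotten

AUTH_RE = re.compile(
    r"^(?P<ts>\S+) auth host=(?P<host>\S+) user=(?P<user>\S+) "
    r"src=(?P<src>\S+) result=(?P<result>success|failure)$")
FLOW_RE = re.compile(
    r"^(?P<ts>\S+) flow src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$")


def parse(line):
    """Normalise a raw line into a dict, or return None if the format is unknown."""
    for kind, rx in (("auth", AUTH_RE), ("flow", FLOW_RE)):
        m = rx.match(line)
        if m:
            ev = m.groupdict()
            ev["kind"] = kind
            ev["ts"] = datetime.fromisoformat(ev["ts"])
            return ev
    return None


def ioc_matches(events):
    """Rule 1: outbound traffic to an address on the threat-intelligence feed."""
    return [
        {"rule": "c2_ioc_match", "host": e["src"], "ioc": e["dst"],
         "ts": e["ts"], "tag": C2_FEED[e["dst"]]}
        for e in events if e["kind"] == "flow" and e["dst"] in C2_FEED
    ]


def brute_force_success(events):
    """Rule 2: >= FAILED_THRESHOLD failures then a success, same src and host, inside WINDOW."""
    alerts = []
    failures = defaultdict(list)  # (src, host) -> timestamps of recent failures
    auth = sorted((e for e in events if e["kind"] == "auth"), key=lambda e: e["ts"])
    for e in auth:
        key = (e["src"], e["host"])
        # drop failures that have aged out of the window
        failures[key] = [t for t in failures[key] if e["ts"] - t <= WINDOW]
        if e["result"] == "failure":
            failures[key].append(e["ts"])
        elif len(failures[key]) >= FAILED_THRESHOLD:
            alerts.append({"rule": "brute_force_then_success", "host": e["host"],
                           "user": e["user"], "src": e["src"], "ts": e["ts"],
                           "failures": len(failures[key])})
            failures[key].clear()  # one alert per successful campaign
    return alerts


def run_rules(lines):
    """Parse everything parseable, then apply both rules and return the alerts."""
    events = [ev for ev in (parse(line) for line in lines) if ev]
    return ioc_matches(events) + brute_force_success(events)


# Constructed sample logs (not from any real system).
SAMPLE_LOGS = [
    "2024-05-01T09:00:01 auth host=web-01 user=admin src=198.51.100.7 result=failure",
    "2024-05-01T09:00:09 auth host=web-01 user=admin src=198.51.100.7 result=failure",
    "2024-05-01T09:00:15 auth host=web-01 user=admin src=198.51.100.7 result=failure",
    "2024-05-01T09:00:40 auth host=web-01 user=admin src=198.51.100.7 result=success",
    "2024-05-01T09:02:00 auth host=web-01 user=alice src=10.0.0.5 result=failure",
    "2024-05-01T09:02:30 auth host=web-01 user=alice src=10.0.0.5 result=success",
    "2024-05-01T09:05:12 flow src=10.0.0.23 dst=203.0.113.45 dport=443",
    "2024-05-01T09:05:13 flow src=10.0.0.23 dst=192.0.2.10 dport=443",
    "garbage line the parser must skip",
]

if __name__ == "__main__":
    for a in run_rules(SAMPLE_LOGS):
        print(a)
```

Two details matter in practice. The parser returns None for anything it does not recognise rather than raising, because a SIEM that stops on one malformed line loses every event after it. And the brute-force rule keys on (source, host) rather than on user, so the single typo-then-success from alice does not fire while the three failures followed by a success from the external address does.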

Intrusion Detection and Prevention Systems (IDPS)

IDPS tools monitor network traffic, detect potential intrusions or attacks, and generate alerts. They can identify known attack signatures, anomalous network behavior, and patterns associated with malicious activities. IDPS plays a crucial role in early threat detection and prevention.

An IDPS deployed within a SOC continuously analyzes network traffic and compares it against a database of known attack signatures. If the IDPS detects a match, it generates an alert indicating a potential intrusion attempt. For instance, if an IDPS identifies a network packet with a signature associated with a known exploit, it will trigger an alert, enabling SOC analysts to investigate and respond promptly. Two caveats apply: signature matching only catches what has already been described, so pair it with the anomaly-based detection mentioned above, and a signature set that is tuned to alert will generate false positives, so enable the prevention (blocking) mode only for signatures you have validated, since a false positive there blocks legitimate traffic rather than just creating a ticket.

Log Management Systems

Log management systems collect and store logs from various systems, devices, and applications. They allow SOC analysts to analyze logs, identify security events, and perform forensic investigations when necessary. Log management systems provide centralized log storage, search capabilities, and reporting functionalities.

A log management system in a SOC collects logs from network devices, servers, firewalls, and other relevant sources. SOC analysts can search and analyze logs to identify patterns, detect suspicious activities, and correlate events across different systems. For example, by analyzing logs, SOC analysts can track user access patterns, identify unauthorized login attempts, or trace the source of a security incident.

Threat Intelligence Platforms

Threat intelligence platforms provide SOC teams with access to valuable threat intelligence feeds and data. These platforms help SOC analysts stay updated on the latest threats, indicators of compromise, and emerging attack techniques. Threat intelligence platforms aggregate, analyze, and deliver actionable intelligence to enhance the SOC’s detection and response capabilities.

A threat intelligence platform within a SOC receives and processes threat intelligence feeds from various trusted sources. It analyzes this information, identifies relevant threats, and disseminates actionable intelligence to SOC analysts. For example, the platform might provide information about a new malware variant, including its behavior, indicators of compromise, and recommended mitigation techniques.
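The aggregation step a threat intelligence platform performs, as an added Python example (illustrative code, not from the original post or any TIP product). It takes two constructed feeds that arrive in different formats (a CSV export and a JSON list), classifies and normalizes each indicator (IP, SHA-256 hash or domain), merges duplicates across feeds while keeping the highest confidence and every source that reported the indicator, ages out indicators not seen within 30 days, and emits only those above a confidence floor. The feed formats, field names, thresholds, clock and indicators are all constructed for the demo; real feeds (STIX/TAXII, vendor APIs) will need their own readers in place of from_csv and from_json.

```python
"""Threat-intelligence feed aggregation (hypothetical example, constructed feeds)."""
import csv
import io
import ipaddress
import json
from datetime import datetime, timedelta, timezone

NOW = datetime(2024, 5, 1, tzinfo=timezone.utc)  # fixed clock so the run is repeatable
MIN_CONFIDENCE = 50


def classify(value):
    """Infer the indicator type from its shape; returns (type, normalised value)."""
    v = value.strip().lower()
    try:
        return "ip", str(ipaddress.ip_address(v))
    except ValueError:
        pass
    if len(v) == 64 and all(c in "0123456789abcdef" for c in v):
        return "sha256", v
    if "." in v and " " not in v:
        return "domain", v.rstrip(".")  # drop trailing dot from FQDN form
    return "unknown", v


def from_csv(text, source):
    """Feed A (constructed): CSV with columns indicator,confidence,last_seen (YYYY-MM-DD)."""
    for row in csv.DictReader(io.StringIO(text)):
        kind, val = classify(row["indicator"])
        seen = datetime.strptime(row["last_seen"], "%Y-%m-%d").replace(tzinfo=timezone.utc)
        yield {"type": kind, "value": val, "confidence": int(row["confidence"]),
               "last_seen": seen, "source": source}


def from_json(text, source):
    """Feed B (constructed): JSON list of {"ioc": ..., "score": 0-100, "seen": ISO date}."""
    for item in json.loads(text):
        kind, val = classify(item["ioc"])
        seen = datetime.fromisoformat(item["seen"]).replace(tzinfo=timezone.utc)
        yield {"type": kind, "value": val, "confidence": int(item["score"]),
               "last_seen": seen, "source": source}


def aggregate(*feeds, max_age=timedelta(days=30)):
    """Merge, de-duplicate and age out indicators from any number of feeds."""
    merged = {}
    for feed in feeds:
        for ioc in feed:
            if ioc["type"] == "unknown" or NOW - ioc["last_seen"] > max_age:
                continue  # unparseable or stale: never ship it to the SIEM
            key = (ioc["type"], ioc["value"])
            cur = merged.get(key)
            if cur is None:
                merged[key] = {**ioc, "sources": {ioc["source"]}}
                del merged[key]["source"]
            else:
                cur["confidence"] = max(cur["confidence"], ioc["confidence"])
                cur["last_seen"] = max(cur["last_seen"], ioc["last_seen"])
                cur["sources"].add(ioc["source"])
    return [i for i in merged.values() if i["confidence"] >= MIN_CONFIDENCE]


# Constructed feeds: RFC 5737 addresses, a reserved .example domain, a made-up hash.
FEED_A = """indicator,confidence,last_seen
203.0.113.45,80,2024-04-28
evil.example,40,2024-04-20
198.51.100.99,90,2024-01-15
not an indicator,99,2024-04-30
"""
FEED_B = json.dumps([
    {"ioc": "203.0.113.45", "score": 60, "seen": "2024-04-30"},
    {"ioc": "EVIL.example.", "score": 75, "seen": "2024-04-29"},
    {"ioc": "deadbeef" * 8, "score": 55, "seen": "2024-04-25"},
])


def build_blocklist():
    """The indicator set a SIEM or firewall should actually load."""
    return aggregate(from_csv(FEED_A, "feed-a"), from_json(FEED_B, "feed-b"))


if __name__ == "__main__":
    for ioc in build_blocklist():
        print(ioc["type"], ioc["value"], ioc["confidence"], sorted(ioc["sources"]))
```

The run shows why normalization comes before de-duplication: "evil.example" and "EVIL.example." are the same indicator, and only after lower-casing and stripping the trailing dot do the two feeds collapse into one entry whose confidence rises to 75 and whose sources list both feeds. The stale address from January is dropped even though its confidence is the highest in either feed, which is the behaviour you want, because IPs are reassigned and a blocklist that never expires anything ends up blocking legitimate traffic.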

Incident Response Tools

Incident response tools facilitate the coordination and management of security incidents within a SOC. These tools streamline incident handling processes, aid in collaboration between team members, and provide documentation and reporting capabilities. Incident response tools ensure efficient incident resolution and help maintain incident response best practices.

An incident response tool used in a SOC provides a centralized platform for SOC analysts to track and manage security incidents. It enables them to assign and track incident tasks, document investigation findings, communicate within the team, and generate incident reports. The tool helps maintain consistency in incident response processes and ensures proper documentation for post-incident analysis.


A Security Operations Center (SOC) plays a critical role in an organization’s cybersecurity defense. By monitoring, detecting, and responding to security incidents, SOC teams protect against cyber threats and minimize the impact of breaches. With functions ranging from threat monitoring and incident response to vulnerability management and threat intelligence, the SOC serves as the frontline defense against evolving cyber threats.

Understanding the structure, functions, and key components of a SOC is essential for organizations aiming to establish an effective security defense. The examples above show how SOC activities apply in practice to safeguarding an organization's critical assets. By addressing challenges, following best practices, and continuously improving SOC operations, organizations can enhance their cybersecurity posture and better protect their digital assets.

Hope you like the post. For more on incident management, please subscribe to our newsletter and follow us on Twitter and LinkedIn.

Save your privacy, be ethical!
