Have you been tasked with establishing a Security Operations Centre (SOC) in your business? Are you – or other organisational leaders – uncertain where a SOC starts and traditional security operations end? Perhaps you want to know where your existing cybersecurity products and investment sit within a SOC framework and whether they’re still relevant.

In this article, we explain whether a SOC replaces other security solutions and the key differences between a SOC and the two other popular unified security approaches.

• Does a SOC replace other security reporting and solutions?
• How does a security operations centre see cyberthreats?
• What process does a security operations centre follow?

 

Does a SOC replace other security reporting and solutions?

No, a Security Operations Centre is not a replacement for other cybersecurity solutions such as Security Information and Event Logging (SIEM), Advanced Threat Protection (ATP) or Next Generation Firewall (NGFW), to name a few. Think of a SOC as the nerve centre – a hub pulling together all people, processes, technology and data running through an organisation, with the added capability of analysing and responding to risk.

A SOC does not get rid of the security solutions your business has implemented and as it stands, this isn’t expected to change. These solutions – covering everything from threat detection and response to content filtering, anti-ransomware to identity protection – feed the security “events” as they’re known, which a SOC acts on using a triaging system.

A SOC, therefore, streamlines how security solutions are implemented and maximises their effectiveness, by connecting disparate defence mechanisms to form an omniscient, galvanised security solution that very few cyberthreats can break through.

You can read more about how a SOC triages, classifies and responds to threats here.

How does a security operations centre see cyberthreats?

A SOC identifies cyberthreats by integrating and correlating all data being generated by an organisation’s IT infrastructure and correlating it into events. Events are logged and triaged based on the risk level posed to a business, and SOC teams are alerted and respond accordingly.

For more about the roles, responsibilities, and staffing structure of a SOC, click here.

It’s important to note that a SOC can’t safeguard data, devices, and other infrastructure that it can’t see. Therefore, it is extremely important that before establishing an external or outsourced SOC, a robust IT infrastructure audit and scoping consultation is undertaken by a partner with proven experience of delivery.

Amongst other things, a security operations centre looks at:

• Infrastructure, including endpoints and on-premises hardware
• Your complete solutions stack, cybersecurity or otherwise
• Data sources and data flows
• Integrations, interdependencies and interoperability
• Workload environments
• Security processes and personnel (focusing on skillsets)

What process does a security operations centre follow?

A SOC detects, analyses and responds to threat events by following a five-step process. Discovery, initial investigation, triage, advanced investigation, and response.

1. Discovery: Here is where a SOC pulls together data from all workload sources, security solutions, such as those listed here and open source threat intelligence databases. The people and processes running the SOC function will deploy SIEM, behavioural analytics, anomaly analytics and deception technologies as a start.
2. Initial investigation: Here is where mostly automated functions will connect the dots. They’ll score ad merge threats against a risk assessment matrix before triaging.
3. Triage: One of the key differentiators of a SOC, here is where threat events will be categorised by criticality and managers and analysts will be alerted.
4. Advanced investigation: Managers and analysts develop their understanding of the threat, build context, and coordinate resources for response.
5. Response: Depending on the threat profile, SOC incident responders will work to contain and diffuse the threat.

A SOC is only as effective as the planning behind it. With a SOC drawing from so many data sources, organisations need utmost confidence that the threat event data they’re acting on is useful, accurate and timely. After all, what is a SOC worth if it can’t minimise the risk of data breach, systems compromise or financial theft?

Taking ample time to polish and perfect the processes that define your SOC is well worth it. Integrating and correlating data sources is a great start, but without deep understanding and context, this data is little more than an input. Bear this in mind with consulting with your internal teams or outsourced partner.