A Security Operations Centre (SOC) has become one of the vital components of a well-rounded cyber security programme

A Security Operations Centre (SOC) has become one of the vital components of a well-rounded cyber security programme, not only in large-scale organisations, but increasingly in SME organisations that are now beginning to manage their cyber security risks more seriously.

In this article, Steve Usher and Rob Treacey, of Shearwater Group plc, not only provide a brief insight into the organisational need for a SOC, but also help to define what they think a good SOC looks like, as well as the advantages and disadvantages of running a SOC in-house versus outsourcing it through a Managed Security Service Provider (MSSP).

One only has to look at some of the facts and figures from reputable research sources in 2020 alone to understand why there is an ever-increasing need for organisations to consider deploying a SOC.

  • 72% of enterprises lack internal capability for threat management. (Source: Everest Group Market Trends 2020)
  • 37% of enterprises have already outsourced their SOC requirements to third-party MSSPs. (Source: Everest Group Market Trends 2020)
  • The UK National Cyber Security Centre (NCSC) handled 723 incidents between 1 September 2019 and 31 August 2020. In the previous three years, it handled an average of 602 incidents per year. (Source: UK National Cyber Security Centre - 4th Annual Review 2020)

Some senior leaders are still choosing to bury their heads in the sand in the hope that they will not fall victim to a cyber incident. Cyber security threats are not about to disappear anytime soon; they will continue to grow and evolve. Various factors are driving the need for a SOC, notably:


A Changing Threat Landscape: The threat landscape is getting broader, more advanced and malicious with the adoption of cloud, mobile and IoT technologies. With this adoption, there is no longer a clear demarcation between an organisation's internal and external network.

Increased Complexity: The threat environment is becoming more complex and advanced with coordinated and adaptive attacks.

The SOC acts as a nexus as it melds together the systems and personnel responsible for providing, maintaining, investigating, and responding to cyber security events within an organisation.

It works closely with all cyber security staff, especially security engineers, who maintain, troubleshoot and deploy security technologies. It should also work closely, or even overlap, with the Incident Response (IR) team, as most of the time the SOC will be directing the IR team when dealing with incidents. Additionally, the SOC plays an advisory role to technology related teams, such as the vulnerability management and cloud technology teams.

What makes a good SOC is subjective. Core components are universal, such as a well-configured SIEM or log management system, as well as the ability to monitor the various security products deployed throughout the network. Other components depend on the organisation using the SOC. An incident management system, along with a SOAR (Security Orchestration, Automation, and Response) platform and EDR (Endpoint Detection and Response), are highly desirable, whereas a TIP (Threat Intelligence Platform) can be extremely useful to organisations that have a mature SOC. Threat intelligence feeds can also be used to enrich the information in the SIEM and to assist with detections and with the runbook responses in the SOAR. The same indicators can also be fed into firewalls, IPS units, and other technologies that ingest API feeds.
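As an added illustration of the enrichment loop described above (example code, not from the article or its authors): a threat intelligence feed is applied to SIEM events, the match confidence selects a SOAR runbook, and the network indicators that fired are exported as a firewall/IPS blocklist. The feed, events and runbook thresholds are all constructed placeholders.

```python
"""Added example: enriching SIEM events with a threat intelligence feed and
choosing a SOAR runbook from the result. Every indicator, host and event here
is constructed sample data (RFC 5737 documentation ranges, placeholder hash)."""
from ipaddress import ip_address, ip_network

# Constructed TI feed: indicator -> (type, confidence 0-100, threat label)
TI_FEED = {
    "203.0.113.0/24": ("cidr", 90, "placeholder-c2-range"),
    "bad.example": ("domain", 70, "placeholder-phish-domain"),
    "0123456789abcdef0123456789abcdef": ("md5", 95, "placeholder-malware-hash"),
}

# Constructed SIEM events, shaped as a SOAR would receive them via API
SIEM_EVENTS = [
    {"id": 1, "src": "10.0.0.5", "dst": "203.0.113.7", "domain": "", "hash": ""},
    {"id": 2, "src": "10.0.0.8", "dst": "198.51.100.2", "domain": "mail.bad.example", "hash": ""},
    {"id": 3, "src": "10.0.0.9", "dst": "192.0.2.1", "domain": "", "hash": "0123456789ABCDEF0123456789abcdef"},
    {"id": 4, "src": "10.0.0.3", "dst": "192.0.2.9", "domain": "ok.example", "hash": ""},
]

def match_indicators(event):
    """Enrichment step: return the TI entries that apply to one event."""
    hits = []
    for ioc, (kind, conf, name) in TI_FEED.items():
        if kind == "cidr" and ip_address(event["dst"]) in ip_network(ioc):
            hits.append((ioc, conf, name))
        elif kind == "domain" and (event["domain"] == ioc or event["domain"].endswith("." + ioc)):
            hits.append((ioc, conf, name))  # also catches subdomains of a listed domain
        elif kind == "md5" and event["hash"].lower() == ioc:
            hits.append((ioc, conf, name))
    return hits

def enrich(event):
    """Attach TI hits, an overall score and the runbook the SOAR should run."""
    hits = match_indicators(event)
    score = max((conf for _, conf, _ in hits), default=0)
    # Thresholds are an assumption for this example, not an industry standard
    runbook = "isolate-host" if score >= 90 else "analyst-triage" if score >= 50 else "none"
    return {**event, "ti_hits": hits, "score": score, "runbook": runbook}

def blocklist(enriched_events):
    """Network indicators that actually fired, for export to firewall/IPS feeds."""
    return sorted({ioc for e in enriched_events for ioc, _, _ in e["ti_hits"]
                   if TI_FEED[ioc][0] in ("cidr", "domain")})

ENRICHED = [enrich(e) for e in SIEM_EVENTS]
```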


Depending on the stated goals of the SOC, various other services may be considered. BAS (Breach and Attack Simulation) services can be run on a continuous basis to ensure that any issues reported by penetration tests or red team engagements are mitigated, and remain mitigated through subsequent product updates and policy changes.

SOC staff may come from diverse backgrounds, but there are also common personality traits that should be considered and nurtured. Curiosity is one of these traits, along with a drive to constantly learn and expand knowledge.

Staff can specialise in multiple disciplines, including threat hunting, threat modelling, malware analysis and threat intelligence, to name but a few. Having a diverse range of skills and backgrounds can be extremely advantageous to the overall efficacy of the SOC. It is no secret that there is a shortage of experienced security staff and this is no different when looking for experienced SOC staff and managers.

It is important to take the time to find the right personnel and to accept that this will not happen quickly. Truly experienced and knowledgeable staff want to work for an organisation with appropriate cultural values that provides them with a competitive salary and sufficient training.

For organisations looking to establish an in-house SOC, or to outsource to an MSSP that provides a SOCaaS (Security Operations Centre as a Service), here are some pros and cons to consider. The first four points below are advantages of a SOCaaS; the last two are risks to weigh against them.

Cost: A SOCaaS generally has a single monthly fee with no office space, equipment, staff salaries or training costs to consider.

High Quality and Experienced Staff: Experienced SOC staff invariably demand a high salary and are becoming increasingly harder to find. Using a SOCaaS not only negates the headache of finding and retaining high quality staff but also the training they will expect.

New Technologies: Can be adopted faster due to the ability of an MSSP to recruit staff quicker, train them more efficiently, and move staff around while others dedicate time to learning new technologies and products.

24/7 Monitoring: Can be performed using shift work and global locations. For an internal SOC, finding quality staff to work unusual hours, such as overnight, is not only difficult but extremely costly. Provided the organisation utilising the SOCaaS has the ability and desire to respond to threats found outside normal working hours, this aspect of the service is vital.

Access: High-level access will need to be granted to the SOCaaS as a third-party provider, which opens the organisation up to an additional attack vector. This access can include domain admin accounts, local admin accounts and multi-factor authentication tokens, as well as access to sensitive or valuable information on the organisation's network.

Response Times: Response times from a SOCaaS could be slower due to the time it takes for alerts, logs and events to reach the SOCaaS. SOCaaS providers are also generally governed by SLAs, and should the provider have numerous customers and become busy, urgent alerts and incidents will be triaged across its whole customer base, irrespective of which customer they belong to.

So whether your organisation is considering deploying a SOC, or has already deployed one, remember that not all SOCs are created equal. Look for a SOC that takes your organisation on a journey of continuous improvement; has highly skilled resources; is flexible, agile and constantly evolving; leverages best-in-class products; has global capability; and, most importantly, aligns with your organisation's cyber security risk appetite. If you do not have the capability or budget to establish a SOC internally, consider outsourcing it to a trusted MSSP.

About the authors:
Steve Usher is a Senior Security Analyst at Brookcourt Solutions, which is a reseller and integrator of cyber security solutions.

Rob Treacey is Managing Director of Technology Risk Management at Xcina Consulting, which helps organisations strengthen their security posture.

Both Brookcourt Solutions and Xcina Consulting form part of the broader Shearwater Group plc.