Security operations center use cases, strategies vary

More CISOs are turning to security operations centers to centralize infosec processes, but experience shows SOC use cases will depend on the organization's infosec objectives.

Tim Sattler, CISO at German multinational Jungheinrich AG, spent the first four years of his position watching the threat landscape evolve. During that time, he saw the number of security incidents accelerate, hackers turn more sophisticated and ransomware attacks become more dangerous.

In 2016, Sattler decided Jungheinrich needed a security operations center, or SOC, to centralize and coordinate the key elements of his security team's work. The primary goal: improve the firm's overall security posture.

"This is an absolutely essential thing to have," said Sattler, who is also chair of the German chapter of ISACA, an international professional association focused on IT governance. "With the threat landscape changing, ransomware and data breaches, you need to have the people in place who can detect these things and respond in a timely manner."

Building the center was the right move. In the years since the SOC became operational, Sattler said Jungheinrich has developed more advanced security capabilities in-house, counteracted emerging threats and created a more secure environment.

SOCs gain traction as threats escalate

The number of organizations with functioning SOCs is growing, reflecting an industry shift from prevention-only security strategies to those relying on prevention and detection. Gartner, in its study of SOCs, predicted 25% of all organizations will have a SOC function by 2024, up from only 10% at the beginning of 2020.

Security operations center use cases vary by organization, as do their implementation and management. Some SOCs are designed as part-time and virtual; others are fully staffed round the clock. Some companies outsource their SOCs, while others rely on a hybrid model, using both internal and external resources.

Despite the different security operations center use cases companies adopt, SOCs are generally responsible for a core set of security tasks: monitoring and detection, incident response, threat intelligence and threat hunting.

The increasing use of SOCs within the enterprise has fueled a growing list of best practices. To get a better sense of how organizations should structure their SOCs, TechTarget interviewed Sattler, Gartner analyst Mitchell Schneider and Vladlena Benson, professor of cybersecurity management with the Aston Business School at England's Aston University. Benson is a member of the ISACA Emerging Technology Advisory Group. The following are among their recommendations.

Customize your SOC. CISOs must determine their SOCs' responsibilities and capabilities, based on use cases, security requirements and security gaps.

For starters, CISOs must decide whether their SOCs will handle only security monitoring and incident response or whether they want to include other functions, such as threat hunting or forensics. Some use cases may be excluded outright, or at least deferred until later in the SOC's development.

"Every SOC is unique," Schneider said. "They may look the same from far away, but when you look closely, they vary by missions, objectives and goals."

Organizations, he said, should also consider their risk tolerance, industry and security maturity level, as well as the skills, expertise and resources they have when devising the objectives for their SOC.

Sattler, for example, said his company didn't have continuous security monitoring in place before launching its SOC. It did have incident response, but Sattler said he wanted a structure that brought continuous improvement to the security function. So, he designed a SOC that addressed those needs.

However, he opted against adding forensics capabilities because "we decided early that forensics is out of scope. It's a very difficult task and requires a lot of training."

Establish contracts for all needed services. Although Jungheinrich doesn't have an ongoing need for a forensics team, Sattler said his company may need those services at some point. To that end, he has contracted with an outside firm to ensure he can access those capabilities when they're needed.

"You should have those contracts in place in advance; you can't start looking for external help when something's going on," Sattler said. "You have to take into consideration that you might not be the only one in need at the time, and if you have no contract in place, you probably won't find any external experts who can help you."

Focus on improvement, advancing maturity. The most effective SOCs are those focused on continual improvement. Close attention must be paid to the tools, processes and staffing within the SOC to ensure optimal performance on a long-term basis.

Security analytics is a good example, Schneider said. "The types of security analytics solutions that are deployed in the security operations center require continuous configuration and tuning," he said. SOC leaders should also establish regular communications with the rest of the security department, as well as with other business units, to ensure policies and objectives are aligned, he said. It's also important, he added, for security execs to have an internal roadmap that anticipates future use cases and the resources needed to support them.

Finally, companies need to measure the success and maturity of their SOCs. Sattler uses SOC-CMM, the SOC Capability and Maturity Model, a measurement methodology designed expressly for SOCs.

Have a talent strategy. A SOC requires the right mixture of talent based on what the organization wants to achieve.

"You have to have the right mixture of people -- people who are experienced, security team members who know about threats and malware but also people who understand your organization," Sattler said.

Sattler opted against outsourcing Jungheinrich's SOC because he wanted a team that knew the company's products, processes and culture. "This becomes critical when you're analyzing an incident. You need to know the business."

A good retention plan is critical. "It's very difficult to find people to do this job, so you should do everything you can to retain them so they don't walk away after a few years," Sattler said.

Organizations that don't have the resources to staff their own SOCs have the option to use a service provider for some or all of the capabilities, Schneider said.

"There are not a lot of organizations that do a full DIY SOC," he said. Still, sourcing should be a strategic decision, not just a default. "Whichever option you take, whether internal or external or hybrid, it has to align to business risks."

Invest in the right tools. SIEM software, threat intelligence tools, and endpoint detection and response products are among the most commonly used technologies in SOCs. But these tools need to be aligned with the objectives set by the SOC team. This also means knowing which functions will be handled internally or outsourced to an external provider.

At Jungheinrich, Sattler said the SOC is equipped with technologies that fall under the security orchestration, automation and response stack -- threat and vulnerability management, security incident response and security operations automation -- all of which line up with the SOC's assigned responsibilities.

Build data capabilities. SOCs ingest, process and analyze data from multiple sources, both internal and external. As such, they must be equipped with adequate resources -- tools, expertise and experience -- to perform these tasks, Benson said. This is critical: for security teams to be effective, they must use data analysis and threat intelligence to cut through the routine activity and residual noise of an enterprise network and identify where actual threats may be occurring.
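As an added illustration of the data-handling loop Benson describes (this is not code from the article or from any organization named in it), the Python below normalizes log lines from two sources, drops known-benign noise, and matches what remains against a threat-intelligence indicator list before raising an alert. The log formats, indicator values, internal network ranges, scanner address and confidence threshold are all assumptions chosen for the example, and the sample log lines are constructed.

```python
"""Minimal SOC-style log triage: normalize events from two sources, suppress
known-benign noise, and enrich against a threat-intelligence indicator list.

Added illustration; every indicator, host and log line below is constructed.
"""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed threat-intel feed: indicator -> (threat label, confidence 0-100).
# A real SOC would pull this from a threat intelligence platform or vendor feed.
THREAT_INTEL = {
    "203.0.113.45": ("C2 node (constructed)", 90),
    "198.51.100.7": ("Mass scanner (constructed)", 40),
    "bad-updates.example": ("Malware distribution domain (constructed)", 85),
}

# Noise suppression (assumptions): an internal vulnerability scanner and the
# private ranges whose east-west traffic should not be matched against TI.
KNOWN_BENIGN_SOURCES = {"10.0.0.5"}
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]
MIN_CONFIDENCE = 50  # hits below this are ignored rather than alerted


@dataclass
class Event:
    source: str      # "firewall" or "proxy"
    src_ip: str
    indicator: str   # destination IP or hostname, the field matched against TI
    action: str


# Hypothetical line formats, loosely modelled on iptables and Squid access logs.
FW_RE = re.compile(r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*ACTION=(?P<action>\S+)")
PROXY_RE = re.compile(
    r"(?P<src>\S+) (?P<action>TCP_\w+)/\d+ \S+ GET https?://(?P<host>[^/ ]+)"
)


def parse_line(line: str) -> Optional[Event]:
    """Normalize one raw log line into an Event, or None if unrecognised."""
    if line.startswith("fw:"):
        m = FW_RE.search(line)
        return Event("firewall", m["src"], m["dst"], m["action"]) if m else None
    if line.startswith("proxy:"):
        m = PROXY_RE.search(line)
        return Event("proxy", m["src"], m["host"].split(":")[0], m["action"]) if m else None
    return None


def is_internal(ip: str) -> bool:
    """True for addresses in the assumed internal ranges; hostnames return False."""
    try:
        return any(ip_address(ip) in net for net in INTERNAL_NETS)
    except ValueError:
        return False


def triage(lines: list[str]) -> list[dict]:
    """Return one alert per (src_ip, indicator) pair that hits high-confidence intel.

    Unparseable lines, the known scanner, internal-to-internal traffic and
    low-confidence indicators are all discarded as noise before matching.
    """
    hits: Counter = Counter()
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev.src_ip in KNOWN_BENIGN_SOURCES:
            continue
        if is_internal(ev.indicator):
            continue
        intel = THREAT_INTEL.get(ev.indicator)
        if intel is None or intel[1] < MIN_CONFIDENCE:
            continue
        hits[(ev.src_ip, ev.indicator, intel[0])] += 1
    return [
        {"src_ip": s, "indicator": i, "threat": t, "count": n}
        for (s, i, t), n in sorted(hits.items(), key=lambda kv: -kv[1])
    ]


# Constructed sample input: real hits mixed with the kinds of noise a SOC sees.
SAMPLE_LOGS = [
    "fw: SRC=10.1.2.3 DST=203.0.113.45 DPT=443 ACTION=ACCEPT",
    "fw: SRC=10.1.2.3 DST=203.0.113.45 DPT=443 ACTION=ACCEPT",
    "fw: SRC=10.0.0.5 DST=203.0.113.45 DPT=443 ACTION=ACCEPT",  # internal scanner
    "fw: SRC=10.1.2.3 DST=10.1.9.9 DPT=445 ACTION=ACCEPT",      # east-west traffic
    "fw: SRC=10.4.4.4 DST=198.51.100.7 DPT=22 ACTION=DROP",     # low-confidence TI
    "proxy: 192.168.7.21 TCP_MISS/200 1432 GET http://bad-updates.example/agent.exe",
    "proxy: 192.168.7.21 TCP_MISS/200 1432 GET http://www.example.com/index.html",
    "garbage line that no parser understands",
]

if __name__ == "__main__":
    for alert in triage(SAMPLE_LOGS):
        print(alert)
```

Of the eight constructed lines, only two alerts survive: the repeated connections from 10.1.2.3 to the high-confidence C2 indicator, and the proxy fetch from the malware domain. The scanner, the internal file-share traffic, the low-confidence indicator and the unparseable line are all filtered before they reach an analyst, which is the point of pairing data analysis with threat intelligence rather than alerting on raw volume.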
