Should you have a security operations center? Almost certainly, yes.
In a recent Nemertes' research study, we documented that successful cybersecurity operations are 52% more likely to have SOCs than their less successful counterparts. Nemertes measured success based on an organization's mean total time to contain security breaches; to be considered successful, organizations had to have an MTTC of less than 20 minutes, placing them in the 80th percentile of all companies.
For smaller companies, outsourcing the SOC to a provider was the way to go, while larger companies benefited more from having their own, internally staffed SOCs.
Key SOC technical capabilities
Whether a SOC is internally staffed or provided externally, building a security operations center means including some key technical capabilities engineered to cover the full lifecycle of a cybersecurity incident -- from detection and response to prediction of future incidents. These capabilities include the following.
Notification and alerting. The SOC's most fundamental role is to notify the security team when a security event occurs. A range of tools deliver notifications and alerts from SIEM software and intrusion detection/intrusion protection products to behavioral threat analytics. While the exact tool choice can vary based on the cybersecurity organization's requirements, it's essential when building a security operations center that it include a tool that focuses on notification and alerts.
Security orchestration, automation and response (SOAR). Coined by Gartner, SOAR covers a range of tools, products and services that emphasize what happens after an incursion has been detected. SOAR products are, in essence, shrink-wrapped robotic process automation (RPA) software designed for cybersecurity incident response. SOAR typically provides some or all of the following capabilities:
- Automated incident response. Most cybersecurity organizations have developed an incident response Ideally, SOAR automates the implementation of some or all of that policy, including alerting appropriate staffers, taking affected systems offline and providing other proactive security measures.
- Case management. Many SOAR tools provide a framework for managing the full lifecycle of a security incident. Among other features, these case management tools give analysts the ability to document an incident, capture and timestamp all analyst activity, include appropriate security controls -- a low-level analyst shouldn't automatically receive access to sensitive data that may have been exposed during a breach -- and collect all additional information pertinent to an ongoing cybersecurity incident response.
- Logging and auditing for compliance. It should be obvious from the description of case management capabilities that a SOAR product should be able to provide ample logging and auditing information that can assist in future compliance initiatives.
- Analytics and AI. In addition to the RPA capabilities described above, many SOAR products include analytics and AI to provide troubleshooting and root cause analysis of cybersecurity incidents, as well as predictive analytics used to highlight potential vulnerabilities.
Intelligent threat hunting. Ideally, building a security operations center should include tools that offer more than just incident detection and response -- though both of those are critical. It should offer some insight into an organization's vulnerability to threats, including analyzing data to uncover vulnerabilities and applying insight from threat intelligence services to detect possible attacks.
Whether you engage an external SOC provider or have your own staff, these capabilities -- notification/alerting, SOAR and intelligent threat hunting -- should be part of your strategic response portfolio. They represent the full lifecycle of threat protection and are essential services the SOC should provide.