Most security professionals are already familiar with the concept of a security operations center. But many CISOs and other security professionals question the need for a SOC for their own organizations. Maybe they think they're too small or aren't likely targets for attacks. Maybe they don't think they have the resources to build and staff a SOC effectively.
While many organizations struggle with the challenges of implementing and managing their own SOCs, the bottom line is that pretty much every organization needs one. Why? To put it simply, a SOC dramatically improves an organization's ability to respond to targeted attacks.
According to the 2020 Nemertes Cybersecurity Research Study, which surveyed 335 companies across 24 industries in 11 countries, having a SOC correlates with a 43% lower mean total time to contain (MTTC) threats. MTTC measures the elapsed time from the first detection of a threat to its containment, so a lower MTTC means a company detects, understands and contains threats faster. In other words, companies with a SOC contained threats 43% faster than companies without one. The study reports a correlation, not a controlled experiment, but the size of the gap is hard to dismiss.
Traditional SOCs vs. next-generation SOCs
SOCs have advanced a great deal since their inception, so the obvious next question is what makes a security operations center next-generation. Broadly speaking, a next-generation SOC has the following five main characteristics:
- Automated. Attacks are increasingly automated, and responses need to be as well. Long gone are the days when SOC analysts would pore manually through log files to understand what happened and determine which actions to take next. Humans don't scale, and more importantly, they take too long. Successful companies are able to detect, understand and contain a threat in 20 minutes or less. Most humans can't act that quickly. Technologies deployed in SOCs -- which include next-generation firewalls (NGFWs), cybersecurity analytics, machine learning, and security orchestration, automation and response (SOAR) tools -- need to be able to automate routine functions intelligently and effectively.
- Customized. Although the principles of cybersecurity apply across companies and vertical industries, each company typically has customized requirements for policies and responses. Targeted attacks increasingly go after specific systems, individuals or vulnerabilities within a specific company. Therefore, a critical characteristic of a next-generation SOC is that it's easily customizable to protect the company.
- Intelligent. The original premise behind a SOC was to serve as an operations center or war room, where information was shared between multiple parties to enable faster decision-making. A next-generation SOC doesn't just facilitate information sharing; it participates in the decision-making. Tools that enable AI, machine learning, behavioral threat analysis and the like help analysts quickly identify threats and attacks and prepare and execute responses to them. Threat intelligence is an important part of making a SOC intelligent. The more threat intelligence feeds a SOC draws on, from the widest possible range of sources, the more effective it is, provided overlapping feeds are deduplicated and weighted so that a single low-quality source cannot drive an automated response on its own.
- Dynamic. A SOC's capabilities shouldn't be fixed in time. Attacks evolve and so should defenses. A next-generation security operations center incorporates emerging knowledge about attacks -- through threat intelligence, analytics and other sources -- and develops proactive responses to them.
- Proactive. A next-generation SOC needs to be proactive so analysts spend less time evaluating and dealing with current threats and more time predicting attacks and building proactive defenses against them. Assessing prospective targeted attacks, keeping abreast of nation-state attacks and conducting threat hunting are all ways SOC analysts can stay proactive.
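The "automated" and "intelligent" characteristics above come together in the triage playbooks a SOAR tool runs (tips 2 and 9 below cover the same ground from the buyer's side). The following is an added example, not code from the original article or from any SOAR vendor: it merges indicators from three constructed threat-intelligence feeds, keeps track of how many independent sources corroborate each indicator, and only blocks automatically when an alert's destination is both high-confidence and seen on more than one feed. Everything else goes to an analyst, and every decision lands in an append-only audit trail. The feed names, alert fields, confidence values and thresholds are all assumptions chosen for illustration.

```python
"""Minimal automated triage playbook of the kind a SOAR tool runs.

Added example, not from the original article or any vendor product.
Feeds, alerts and thresholds below are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timezone

# Constructed threat-intel feeds: indicator -> (confidence 0..1, tag).
# 203.0.113.7 appears on two feeds; 192.0.2.55 on one feed with high confidence.
FEEDS = {
    "feed-a": {"203.0.113.7": (0.9, "c2"), "198.51.100.23": (0.4, "scanner")},
    "feed-b": {"203.0.113.7": (0.8, "c2"), "192.0.2.55": (0.95, "malware-dl")},
    "feed-c": {"198.51.100.23": (0.3, "scanner")},
}


def merge_feeds(feeds):
    """Collapse overlapping feeds into one lookup table.

    The per-indicator list of sources is kept on purpose: an indicator that
    several independent feeds agree on is stronger evidence than the same
    confidence score from a single source.
    """
    merged = defaultdict(lambda: {"sources": [], "max_conf": 0.0, "tags": set()})
    for name, entries in feeds.items():
        for ioc, (conf, tag) in entries.items():
            entry = merged[ioc]
            entry["sources"].append(name)
            entry["max_conf"] = max(entry["max_conf"], conf)
            entry["tags"].add(tag)
    return dict(merged)


# Constructed alerts in the shape an NGFW or EDR might emit them (assumed fields).
ALERTS = [
    {"id": "A-1", "src": "10.0.0.12", "dst": "203.0.113.7", "kind": "outbound"},
    {"id": "A-2", "src": "10.0.0.40", "dst": "198.51.100.23", "kind": "outbound"},
    {"id": "A-3", "src": "10.0.0.9", "dst": "192.0.2.55", "kind": "outbound"},
    {"id": "A-4", "src": "10.0.0.9", "dst": "192.0.2.200", "kind": "outbound"},
]


class Playbook:
    def __init__(self, intel, auto_block_conf=0.85, min_sources_for_auto=2):
        self.intel = intel
        self.auto_block_conf = auto_block_conf
        self.min_sources = min_sources_for_auto
        self.audit = []        # append-only trail for compliance and post-mortems
        self.blocked = set()   # what an NGFW/EDR integration would be told to block

    def _log(self, alert_id, decision, reason):
        self.audit.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "alert": alert_id, "decision": decision, "reason": reason,
        })

    def triage(self, alert):
        """Return 'block', 'escalate' or 'close' for one alert and record why."""
        hit = self.intel.get(alert["dst"])
        if hit is None:
            self._log(alert["id"], "close", "no threat-intel match")
            return "close"
        # Automated containment only when confidence is high AND corroborated.
        if hit["max_conf"] >= self.auto_block_conf and len(hit["sources"]) >= self.min_sources:
            self.blocked.add(alert["dst"])
            self._log(alert["id"], "block",
                      f"{alert['dst']} on {hit['sources']} conf={hit['max_conf']}")
            return "block"
        # Single-source or low-confidence hits go to a human analyst.
        self._log(alert["id"], "escalate",
                  f"{alert['dst']} on {hit['sources']} conf={hit['max_conf']} "
                  "does not meet auto-block policy")
        return "escalate"


def run(alerts=ALERTS, feeds=FEEDS):
    """Triage every alert against the merged feeds; return decisions and the playbook."""
    playbook = Playbook(merge_feeds(feeds))
    decisions = {a["id"]: playbook.triage(a) for a in alerts}
    return decisions, playbook


if __name__ == "__main__":
    decisions, playbook = run()
    for entry in playbook.audit:
        print(entry)
```

Note what happens to A-3: the destination is on a feed with 0.95 confidence, yet it is escalated rather than blocked, because only one source vouches for it. That is the policy knob a next-generation SOC tunes per company (the "customized" characteristic): how much corroboration an automated action needs before a human is taken out of the loop.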
How to build a next-generation SOC
If those are the characteristics of a next-generation SOC, how do you go about building one? Here are 10 tips to keep in mind as you make the transition.
1. Build or buy a next-generation SOC. The most fundamental decision to make in building a next-generation SOC is whether to build one at all. Large enterprises have the staff to operate and manage a SOC, but smaller companies may struggle. Consider: To have 24/7 support, a company needs a minimum of eight to 10 staffers -- three eight-hour shifts per day, plus weekends and vacations. The arithmetic is unforgiving: one seat staffed around the clock is 168 hours a week, which is a little over four full-time analysts before vacations, sick leave and training are covered, and a second seat so that nobody works a shift alone is how the count reaches eight to 10. Most cybersecurity operations teams, particularly at smaller companies, aren't large enough to accommodate that level of support. In Nemertes' 2020 Cybersecurity Research Study, we found that companies with fewer than 2,500 employees overall did better -- based on MTTC -- by outsourcing their SOC, while companies with more than 2,500 employees were better off building their own.
Whether you outsource your SOC or build your own, take the nine remaining factors into consideration, either as selection criteria for a SOC service or as your own strategy.
2. Consider deploying SOAR. SOAR tools are a key way to make sure a SOC is intelligent and automated. These tools provide cybersecurity teams with a centralized console to manage and coordinate security, which reduces the time required to assess a situation and decide on an action. They enable incident response automation, shaving valuable time off MTTC and ensuring that analysts can focus on proactive problem-solving. They also provide an audit trail for compliance and post-mortem purposes.
3. Optimize tool count. The adage to follow when stocking a SOC is to "deploy as few tools as possible but no fewer." It's easy to get carried away with the thousands of available cybersecurity products, but each tool carries its own technical debt and imposes its own support burden. A few well-chosen tools are better than a hodgepodge. With the right combination of tools, security teams may find they can eliminate entire categories. A SOAR tool plus an NGFW may eliminate the need for a SIEM approach, for example, provided the log retention and correlation the SIEM was doing are still covered somewhere. Likewise, an extended detection and response (XDR) product, which correlates endpoint telemetry with signals from the rest of the enterprise to detect breaches and is similar to behavioral threat analytics, could obviate the need for a separate endpoint detection and response (EDR) or traditional antimalware product.
4. Emphasize integration. Whatever tools constitute the SOC should have native integration with one another. Integrating tools into the SOC ecosystem should be a heavily weighted selection criterion when it comes to choosing cybersecurity products. If a tool doesn't integrate into the SOC ecosystem, it's likely a poor choice.
5. Define protected resources expansively. A traditional SOC monitors resources that include users, desktop and laptop devices, and servers. A next-generation SOC should track these and also provide protection for the IoT attack surface and for cloud-based and virtual resources.
6. Put success metrics in place. Cybersecurity teams should track the right success metrics. The most important is MTTC, broken out by incident severity and tracked over time rather than as a single snapshot; other relevant metrics include events per analyst hour, events blocked, the number of serious incidents per unit time and the like.
7. Don't forget the infrastructure. A next-generation SOC requires next-generation infrastructure. The SOC needs high-speed, high-quality connections to monitored resources, whether those are containers and VMs executing within clouds or remote user devices.
8. Ensure analysts focus on proactive efforts. Cybersecurity professionals should ensure that SOC analysts have enough time to conduct effective threat hunting, develop proactive strategies, and assess the likelihood of nation-state attacks and targeted attacks. Cybersecurity professionals who outsource their SOC services should ask detailed questions about how analysts spend their time and how they are compensated for threat hunting.
9. Include as many threat intelligence sources as possible. Capturing and analyzing information is a key job of the SOC. To enable it to function effectively, security professionals should provide analysts with as many sources of information as possible. Cybersecurity pros who outsource their SOC services should ask about the number and type of threat intelligence feeds.
10. Deploy and take advantage of AI, machine learning and cybersecurity analytics. To ensure a next-generation SOC is proactive and intelligent, deploy AI, machine learning and cybersecurity analytics, or ask the SOC provider about current and planned deployments.
If you do all of that, your next-generation SOC will be smarter, more dynamic, more automated, more proactive and more customized than previous incarnations.
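Tip 6 and the MTTC figure quoted at the start of the article are only useful if the metric is computed consistently. The following is an added example, not code from the original article or from the Nemertes study: it computes MTTC and the other metrics tip 6 lists from a handful of constructed incident records. The record fields (detected_at, contained_at, events_triaged, analyst_hours) are assumptions. Two details matter in practice and are handled here: an incident that is still open has no containment time and must not be silently dropped, because doing so makes MTTC look better the longer an incident drags on; and the median is reported next to the mean, because one long-running incident dominates a mean computed over a small sample.

```python
"""MTTC and related SOC metrics computed from incident records.

Added example, not from the original article or the study it cites.
Field names and the incident data below are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean, median
from typing import Dict, List, Optional


@dataclass
class Incident:
    id: str
    severity: str                      # "low" | "medium" | "high"
    detected_at: datetime              # first detection by the SOC
    contained_at: Optional[datetime]   # None while the incident is still open
    events_triaged: int                # alerts an analyst had to look at
    analyst_hours: float               # analyst time spent on the incident


def time_to_contain(inc: Incident) -> Optional[timedelta]:
    """Detection-to-containment interval, or None for an open incident."""
    if inc.contained_at is None:
        return None
    if inc.contained_at < inc.detected_at:
        raise ValueError(f"{inc.id}: contained before it was detected")
    return inc.contained_at - inc.detected_at


def mttc_minutes(incidents: List[Incident], as_of: datetime) -> Dict:
    """Mean and median time to contain (minutes) over closed incidents.

    Open incidents are excluded from the averages but reported with their
    running age, so they cannot quietly flatter the number.
    """
    closed = [time_to_contain(i) for i in incidents if i.contained_at is not None]
    open_ages = {i.id: (as_of - i.detected_at).total_seconds() / 60
                 for i in incidents if i.contained_at is None}
    if not closed:
        return {"mean": None, "median": None, "closed": 0, "open": open_ages}
    mins = [td.total_seconds() / 60 for td in closed]
    return {"mean": mean(mins), "median": median(mins),
            "closed": len(mins), "open": open_ages}


def events_per_analyst_hour(incidents: List[Incident]) -> float:
    hours = sum(i.analyst_hours for i in incidents)
    return sum(i.events_triaged for i in incidents) / hours if hours else 0.0


def serious_incidents_per_week(incidents: List[Incident],
                               start: datetime, end: datetime) -> float:
    weeks = (end - start).total_seconds() / (7 * 24 * 3600)
    serious = sum(1 for i in incidents
                  if i.severity == "high" and start <= i.detected_at < end)
    return serious / weeks


def pct_improvement(before: float, after: float) -> float:
    """Percentage reduction, the sense in which a '43% lower MTTC' is quoted."""
    return (before - after) / before * 100


# Constructed sample: three closed incidents (one of them a long outlier)
# and one that is still open at AS_OF.
T0 = datetime(2020, 3, 2, 9, 0)
INCIDENTS = [
    Incident("INC-1", "high", T0, T0 + timedelta(minutes=18), 40, 1.5),
    Incident("INC-2", "medium", T0 + timedelta(hours=5),
             T0 + timedelta(hours=5, minutes=42), 12, 0.7),
    Incident("INC-3", "high", T0 + timedelta(days=1),
             T0 + timedelta(days=1, hours=6), 90, 5.0),
    Incident("INC-4", "low", T0 + timedelta(days=2), None, 3, 0.25),
]
AS_OF = T0 + timedelta(days=3)
WEEK_END = T0 + timedelta(days=7)


if __name__ == "__main__":
    print(mttc_minutes(INCIDENTS, AS_OF))
    print(events_per_analyst_hour(INCIDENTS))
    print(serious_incidents_per_week(INCIDENTS, T0, WEEK_END))
```

On this sample the mean time to contain is 140 minutes while the median is 42: INC-3 alone pulls the mean up by almost an hour and a half. When a SOC provider quotes an MTTC, ask which of these two it is, how open incidents are treated, and whether the number is split by severity.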