Historically Security Operations Centers (SOC) have been a combination of people, processes, and technology designed to protect information systems, detect and respond to incidents to minimize damage. Many times SOC were built to meet fundamental needs for log collection and analysis, achieve compliance, and provide incident response. However, traditional SOC has morphed into a modern SOC concept where there is a lot more focus on building capabilities for early threat detection (both known and unknown), minimizing dwell time, and using automation to improve efficiency. The nature of SOC has also morphed from a reactive organization to proactive hunting to identify threats before they strike.
If you think about the traditional SOC, the focus areas were as follows:
- Log collection from systems and applications/
- Use Security Incident and Event Management (SIEM) solutions for correlations.
- Developing use cases to identify threats.
- Integrate vulnerability scanning data for risk scoring.
- Provide incident response through SOC as well as extended IT teams (first responders).
- Putting significant focus on achieving compliance while managing risk.
Capabilities of NextGen SOC
A modern NextGen SOC takes into account all of the capabilities of a traditional SOC. However, the focus has shifted from managing tools to building capabilities and from reactive approach to a proactive approach. Modern SOC design also uses new sources of telemetry beyond traditional Syslog data collection and discovering unknown threats. When you think about a modern SOC, following are some of the salient features and capabilities of a NextGen SOC.
- Less focused on tools and more on capabilities as more and more SOC tools are now available in the Cloud and as-a-Service.
- Threat intelligence integration is now an essential component of SOC.
- Using automation to shorten analysis and response time through Security Orchestration, Automation and Response (SOAR) tools.
- Proactive threat hunting, not only from internal telemetry data but also going outside of corporation boundaries and discovering threats through dark web research.
- Finding unknown threats with help from machine learning techniques like anomaly detection and unsupervised learning.
- Cloud telemetry integration and use of APIs.
- Cater for convergence of IT/OT (Operational Technologies), including IoT.
- User and Entity Behavior Analytics (UEBA) going beyond just log data and known threat detection.
Businesses who have adopted nexgen SOC concepts see improvement in threat detection, quick incident response and better satisfaction of their staff as well as their internal or external customers.
Does a NextGen SOC Costs More?
Not necessarily. Many times it is just a cost shift. Efficiency is achieved through reducing mean time to resolve (MTTR) incidents through automation and proactive capabilities. Cloud based tools (e.g. Cloud based SIEM technologies) help in better cost management as well as capacity planning. What the security leaders need to do is to build cost models and business cases keeping in view the total cost of ownership.
SOC is a continuous and unending journey and a perpetual Cybersecurity Arm Wrestling with threat actors. Infosec leaders must continuously evaluate where they stand right now and where they should be going to achieve goals and provide value to businesses they support.