A Security Operation Center (SOC) is a centralized function within an organization employing people, processes and technology to continuously monitor and improve an organization’s security posture while preventing, detecting, analyzing and responding to cyber security incidents.
The function of a security operations team and, frequently, of a security operations center (SOC) is to monitor, detect, investigate and respond to cyber threats around the clock. Security operations teams are charged with monitoring and protecting many assets, such as intellectual property, personal data, business systems and brand integrity. As the implementation component of an organization’s overall cyber security framework, security operations teams act as the central point of collaboration in coordinated efforts to monitor, assess and defend against cyber attacks.
A SOC acts like the hub or central command post, taking in telemetry from across an organization’s IT infrastructure, including its networks, devices, appliances and information stores, wherever those assets reside. The proliferation of advanced threats places a premium on collecting context from diverse sources. For each of these events, the SOC must decide how it will be managed and acted upon.
The purpose of a Security Operations Center is to prevent and analyze attacks and to ensure cyber security in both public and private companies. Nowadays the world has changed with the computerization of all companies, services and public administrations.
We live in a digital environment in which we rely on online sales and data capture systems. Who has never shopped online? Who has never viewed their registered details in a public online service? It is crucial for companies to rely on a computer security and protection service, such as SOC services, since a cyber attack could cause a catastrophic, massive data theft.
The foundational technology of a SOC is a Security Information and Event Management (SIEM) system, which aggregates system logs and events from security tools from across the entire organization. The SIEM uses correlation and statistical models to identify events that might constitute a security incident, alert SOC staff about them, and provide contextual information to assist investigation. A SIEM functions as a “single pane of glass” which enables the SOC to monitor enterprise systems.
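The correlation step described above, reduced to a single runnable rule, as an added example that is not part of the original article or of any particular SIEM product: it parses constructed SSH authentication lines, counts failed logins per source inside a sliding window, raises one alert per offending source and attaches the context that triage needs (accounts tried, time span, and whether a later login succeeded). The log layout, the `parse_line` and `correlate` names, and the threshold and window values are assumptions for illustration.

```python
"""Added example: a minimal SIEM-style correlation rule over constructed SSH auth log lines."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample input in a syslog-like layout (not real logs; 203.0.113.0/24 and
# 198.51.100.0/24 are documentation address ranges, not real hosts).
SAMPLE_LOG = """\
2024-03-01T09:00:01 bastion sshd: Failed password for admin from 203.0.113.7
2024-03-01T09:00:03 bastion sshd: Failed password for admin from 203.0.113.7
2024-03-01T09:00:04 bastion sshd: Failed password for root from 203.0.113.7
2024-03-01T09:00:06 bastion sshd: Failed password for admin from 203.0.113.7
2024-03-01T09:00:08 bastion sshd: Failed password for admin from 203.0.113.7
2024-03-01T09:00:09 bastion sshd: Accepted password for admin from 203.0.113.7
2024-03-01T09:05:00 bastion sshd: Failed password for bob from 198.51.100.4
2024-03-01T09:30:00 bastion sshd: Failed password for bob from 198.51.100.4
2024-03-01T09:31:00 bastion sshd: Accepted password for bob from 198.51.100.4
"""

# One regex for the two outcomes the rule cares about; any other line is ignored.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ sshd: (?P<outcome>Failed|Accepted) password "
    r"for (?P<user>\S+) from (?P<src>\S+)$"
)


def parse_line(line):
    """Turn one raw log line into a structured event, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "outcome": m["outcome"],
        "user": m["user"],
        "src": m["src"],
    }


def correlate(lines, threshold=5, window_seconds=60):
    """Brute-force rule: >= threshold failed logins from one source inside a sliding window.

    Returns one alert per offending source, enriched with the context an analyst wants:
    the accounts tried, the time span, and whether a successful login followed the burst.
    """
    recent = defaultdict(deque)  # src -> (timestamp, user) of failures still inside the window
    alerts = {}                  # src -> alert dict (created once, then updated)
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        src = ev["src"]
        if ev["outcome"] == "Failed":
            window = recent[src]
            window.append((ev["ts"], ev["user"]))
            # Drop failures that have fallen out of the sliding window.
            while window and (ev["ts"] - window[0][0]).total_seconds() > window_seconds:
                window.popleft()
            if len(window) < threshold:
                continue
            alert = alerts.setdefault(src, {
                "rule": "ssh_brute_force",
                "src": src,
                "first_seen": window[0][0].isoformat(),
                "followed_by_success": False,
            })
            alert["failure_count"] = len(window)
            alert["last_seen"] = ev["ts"].isoformat()
            alert["users"] = sorted({user for _, user in window})
        elif src in alerts:
            # A success after an alerting burst is the context that raises the priority.
            alerts[src]["followed_by_success"] = True
            alerts[src]["success_user"] = ev["user"]
    return list(alerts.values())


if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOG.splitlines()):
        print(alert)
```

Production rules differ mainly in scale and in the normalization layer that sits in front of the regex; the shape (group by entity, count within a window, enrich before alerting) is the same, and the success-after-burst flag is exactly the kind of context that separates a noisy scanner from a probable account compromise.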
Traditional Tools Used in the SOC
⦁ Security Information and Event Management (SIEM)
⦁ Governance, risk and compliance (GRC) systems
⦁ Vulnerability scanners and penetration testing tools
⦁ Intrusion Detection Systems (IDS), Intrusion Prevention Systems (IPS), and wireless intrusion prevention
⦁ Firewalls and Next-Generation Firewalls (NGFW), which can function as an IPS
⦁ Log management systems (commonly part of the SIEM)
⦁ Cyber threat intelligence feeds and databases
Next-Gen Tools Leveraged by Advanced SOCs
⦁ Next-generation SIEMs, which include machine learning and advanced behavioral analytics, threat hunting, built-in incident response and SOC automation
⦁ Network Traffic Analysis (NTA) and Application Performance Monitoring (APM) tools
⦁ Endpoint Detection and Response (EDR), which helps detect and mitigate suspicious activities on hosts and user devices
⦁ User and Entity Behavioral Analytics (UEBA), which uses machine learning to identify suspicious behavioral patterns
The roles and job titles in the security sector often involve somewhat overlapping responsibilities, and can be broad or specialized depending on the size and special needs of the organization. Typical job titles are security analyst, security engineer, security administrator, security architect, security specialist, and security consultant.
Role, Qualifications and Duties
Tier 1 Analyst
Qualifications: System administration skills, web programming languages such as Python, Ruby etc.
Duties: Monitors SIEM alerts, manages and configures security monitoring tools. Prioritizes alerts or issues and performs triage to confirm that a real security incident is taking place.
Tier 2 Analyst
Qualifications: Similar to Tier 1 analyst but with more experience, including incident response. Advanced forensics, malware assessment, threat intelligence. White-hat hacker certification or training is a major advantage.
Tier 3 Analyst
Qualifications: Similar to Tier 2 analyst but with even more experience, including high-level incidents. Experience with penetration testing tools and cross-organization data visualization. Malware reverse engineering, experience identifying and developing responses to new threats and attack patterns.
Tier 4 SOC Manager
Qualifications: Similar to Tier 3 analyst, plus project management skills, incident response management training and strong communication skills.
A security manager within a SOC team is responsible for overseeing operations on the whole. They are in charge of managing team members and coordinating with security engineers. Security managers are responsible for creating policies and protocols for hiring and building new processes. They also help development teams set the scope of new security development projects. They serve as the direct boss to all members of the SOC team.
Security engineers are responsible for maintaining tools, recommending new tools and updating systems. Many security engineers specialize in SIEM platforms. Security engineers are responsible for building the security architecture and systems. They typically work with development operations teams to ensure that systems are up to date. Additionally, security engineers document requirements, procedures and protocols to ensure that other users have the right resources.
Evolution of the SOC
As technologies have evolved, so have cyber security threats and attack vectors. Malicious users started using sophisticated tools and technologies for targeted attacks that execute faster, capture vast amounts of data and cause more damage. To defend against these attacks, security tools and technologies are evolving as well.
By utilizing these evolving technologies, the Security Operations Center (SOC) has evolved over a period of time. Hewlett Packard has published a most informative paper on the evolution of the SOC.
The first-generation SOCs, around 1975, were mainly built for defense organizations and government agencies. The objective of these SOCs was to defend against low-impact malicious code. As the internet and technology evolved, so did virus outbreaks and the need for intrusion detection.
The second generation accommodated this need around 1996. Hackers kept improving their attack methodologies and started using armies of bots to launch Denial of Service attacks; that is when the SOC evolved to gain intrusion prevention capability.
Attackers then changed their strategies and started slow-moving attacks that would not be detected by an organization's security infrastructure. To detect these persistent attacks, the SOC was updated with APT (advanced persistent threat) detection technologies around 2007. At the same time, regulators started imposing cyber security requirements, and SOCs were braced to take care of these regulatory requirements.
In this third-generation SOC, Security Information and Event Management (SIEM) was the core technology: it collected the log feeds from the log sources integrated with it and generated alerts according to defined rules.
Around 2013, security professionals realized that adding external threat intelligence feeds and applying heuristic analysis in the SIEM solution would give an early warning of compromise.
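To make the threat-intelligence and heuristic step concrete, the following added example (not from the article or from the Hewlett Packard paper it cites) enriches constructed outbound connection records against a constructed indicator list and applies one simple heuristic, regularity of connection intervals. The heuristic alone yields only a medium-confidence early warning, because legitimate software updaters also poll on a fixed schedule; an indicator match on top of it is what turns the warning into a high-priority alert. All hosts, addresses and domains are constructed, and `enrich`, `is_beaconing` and `early_warning` are assumed names.

```python
"""Added example: threat-intelligence enrichment plus a beaconing heuristic over constructed events."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed indicator feed. Addresses come from documentation ranges and the domain is a
# reserved example name; none of these are real indicators of compromise.
INDICATORS = {
    "ip": {"203.0.113.45"},
    "domain": {"bad.example"},
}

# Constructed outbound connection events: (seconds since start, source host, dst IP, dst domain).
EVENTS = [
    (0, "ws-17", "203.0.113.45", "bad.example"),            # regular 60 s beacon to a listed host
    (60, "ws-17", "203.0.113.45", "bad.example"),
    (120, "ws-17", "203.0.113.45", "bad.example"),
    (180, "ws-17", "203.0.113.45", "bad.example"),
    (240, "ws-17", "203.0.113.45", "bad.example"),
    (5, "ws-03", "198.51.100.9", "updates.example.net"),    # regular 300 s poll, no indicator hit
    (305, "ws-03", "198.51.100.9", "updates.example.net"),
    (605, "ws-03", "198.51.100.9", "updates.example.net"),
    (905, "ws-03", "198.51.100.9", "updates.example.net"),
    (12, "ws-08", "192.0.2.77", "www.example.com"),         # irregular browsing, no indicator hit
    (40, "ws-08", "192.0.2.77", "www.example.com"),
    (900, "ws-08", "192.0.2.77", "www.example.com"),
    (950, "ws-08", "192.0.2.77", "www.example.com"),
]

SEVERITY_RANK = {"medium": 1, "high": 2, "critical": 3}


def enrich(event, indicators):
    """Return the indicator types (ip, domain) that one event matches in the feed."""
    _, _, dst_ip, domain = event
    hits = []
    if dst_ip in indicators["ip"]:
        hits.append("ip")
    if domain in indicators["domain"]:
        hits.append("domain")
    return hits


def is_beaconing(timestamps, min_count=4, max_cv=0.1):
    """Heuristic: enough connections whose gaps are nearly constant (low coefficient of variation)."""
    ts = sorted(timestamps)
    if len(ts) < min_count:
        return False
    gaps = [later - earlier for earlier, later in zip(ts, ts[1:])]
    avg = mean(gaps)
    if avg == 0:
        return False  # all events at the same instant: a burst, not a beacon
    return pstdev(gaps) / avg <= max_cv


def early_warning(events, indicators):
    """Group events per (host, destination), enrich, apply the heuristic and grade severity."""
    by_pair = defaultdict(list)
    for ev in events:
        by_pair[(ev[1], ev[2])].append(ev)
    findings = []
    for (host, dst), evs in by_pair.items():
        ti_hits = enrich(evs[0], indicators)  # every event in the group shares its destination
        beacon = is_beaconing([ev[0] for ev in evs])
        if not ti_hits and not beacon:
            continue
        if ti_hits and beacon:
            severity = "critical"
        elif ti_hits:
            severity = "high"
        else:
            severity = "medium"  # heuristic only: worth a look, but updaters look the same
        findings.append({
            "host": host,
            "dst": dst,
            "domain": evs[0][3],
            "ti_matches": ti_hits,
            "beaconing": beacon,
            "connections": len(evs),
            "severity": severity,
        })
    return sorted(findings, key=lambda f: SEVERITY_RANK[f["severity"]], reverse=True)


if __name__ == "__main__":
    for finding in early_warning(EVENTS, INDICATORS):
        print(finding)
```

The ordering of the output is the triage queue: the critical finding (listed destination plus clockwork timing) goes first, the medium one is a candidate for an allow-list entry once an analyst confirms it is an updater, and the irregular browsing never surfaces at all.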
There are a number of core skills needed by anyone entering the cyber security employment market, whether starting his or her first professional job or transitioning from another computer-related field. Here are a few of the key required skills.
⦁ Communication Skills
⦁ Cyber security professionals must have strong written and verbal communication skills. Jobs in the field require the ability to communicate clearly and concisely with clients and executives, network administrators, legal professionals and law enforcement, media and public relations staff, fellow team members, and others.
⦁ Ability to Work in a Team Environment
⦁ A required skill for practically anyone, the ability to work with others as an effective team member is particularly important for cyber security professionals. Team members must have a clear understanding of their delegated responsibilities and need to complete their work on time, while additionally being able to contribute positively to accomplishing larger team goals.
⦁ Integrity and Discretion
⦁ By its very nature, working in the cyber security field requires sensitivity to an organization’s security vulnerability issues and the ability to tackle those issues in a way that engenders trust.
⦁ Organizational and Problem Solving Skills
⦁ One important characteristic of the cyber security business is the sheer mass and complexity of data involved. Cyber security professionals must develop solid organizational and problem solving skills or risk being overwhelmed.
⦁ Programming Skills
⦁ A variety of scripts and programming tools are required to design effective security programs and analyze cyber attacks and breaches. Experience in system and network programming is a must.
⦁ Understanding of Security Principles
⦁ An understanding of basic security principles, such as privacy, confidentiality, authentication, access control, and others, results in a greater chance that systems will be less vulnerable to failures and attacks.
⦁ Risk Analysis
⦁ Cyber security personnel must be able to assess a client’s particular security needs in light of its organizational goals, which requires knowledge of risk analysis principles.
⦁ Network Protocols
⦁ A working knowledge of common network protocols is required: their similarities and differences, how they work and what they are used for.
⦁ Malicious Code
⦁ Additionally, cyber security professionals need a working knowledge of malicious code, how it propagates and the risks associated with each type.
⦁ Intruder Techniques
⦁ In analyzing attacks, personnel should be able to recognize known intruder techniques, their characteristics and effects, and identify new intruder techniques by means of elimination of known ones.