Internet of Things (IoT), artificial intelligence, big data, blockchain, migration to the cloud… Integrating these technologies provides value to a company and its customers. However, digital transformation also increases the need to protect the IT infrastructure, so companies should consider whether to create or contract a security operations centre (SOC), or to modernise the one they already have. Attacks by cybercriminals are growing in number and sophistication every year, not only in the business world but also in public administrations. But what exactly is a SOC in cybersecurity?
Cybersecurity SOCs are technology platforms with teams of highly skilled security professionals whose job is to continuously monitor, detect, analyse, defend and investigate the company’s IT systems to prevent, respond to and simulate cyberattacks. Protection is addressed in a comprehensive and coordinated manner with response plans, remediation actions and other measures to safeguard all information generated on the company’s networks, databases, servers, applications and connected devices.
To perform this vigilant and defensive role, SOCs use various cybersecurity tools, such as firewalls, vulnerability assessment and management, SIEM and SOAR solutions, block lists or real-time network scanning to monitor and analyse the network with 24-hour coverage every day of the week.
When the SOC detects an alert, it is classified according to its severity so that it can be prioritised and managed, with the aim of responding immediately to the threat and preventing cyberattackers from causing damage or gaining access to the environment. After an incident, the relevant team restores systems and recovers compromised or deleted data. It also looks for the cause and origin of the threat in order to make the appropriate modifications to the tools so that the incident does not happen again.
A SOC must keep abreast of the latest attack trends among cybercriminals. This is vital in order to continuously implement improvements and be prepared for new threats. It must also follow security standards and regulatory requirements, and therefore audits systems regularly to ensure compliance.
SOCs can be in-house (physically located on the company's own premises), outsourced (all or part of the service is provided by an external supplier), hybrid (combining in-house security teams with external support teams) or virtual (hosted in the cloud and managed by in-house employees or by an outsourced SOC).
SOC teams: tiered to ensure protection
Cybersecurity SOC teams are composed of cybersecurity experts with different profiles, some defensive and some offensive. These include SOC analysts who are organised at three levels:
- Level 1 SOC analysts: monitor the network for incidents. They are the first to respond to an attack, determining its level of severity. They gather information and, when further investigation is needed, pass the incident on to Level 2.
- Level 2 SOC analysts: examine, investigate and respond to security incidents that Level 1 is unable to resolve. They determine the incident's cause and how far it has penetrated the infrastructure, and they create and implement a containment and recovery strategy.
- Level 3 SOC analysts: even more experienced than the above, they respond to critical incidents. They are known as threat hunters because they continuously and proactively look for new security holes and vulnerabilities within systems, using penetration testing tools for this purpose.
The SOC Manager is responsible for the team and directs security operations, while SOC engineers and architects analyse security requirements and develop and implement security tools to control and defend the company’s assets.
Benefits of SOC in cybersecurity
Large companies usually have their own internal cybersecurity SOCs, but SMEs that do not have the resources will turn to an external one to provide a customised security service, with the advantages that this entails:
- Faster (and more expert) response to incidents: continuous monitoring of the network for security incidents makes it easier to detect and address the incident quickly and proactively. The different security teams respond and act according to protocols, addressing the incident in a comprehensive manner.
- Diminishes the impact of attacks: anticipation makes it possible to contain attacks and even prevent them from affecting systems. Proactive support reduces risks.
- Minimises business downtime: this rapid response, together with a team of experts covering all aspects of security, allows systems to be restored and the situation normalised as soon as possible, so that the website or service is down for as short a time as possible.
- Better decision-making: with the data collected in the SOC, reports are produced on a daily basis, and this information allows more precise strategies to be developed.
- Reduces costs: if a company outsources to a SOC, it saves on employee salaries, among other costs (direct or indirect) related to cybersecurity incident management.
Some challenges for SOCs in cybersecurity
Security operations centres are an effective and solid way to protect organisations, but they face a problem that is widespread around the world: the shortage of talent in qualified profiles, as is the case with other technology positions. The latest (ISC)² Cybersecurity Workforce Study puts the global shortage of skilled cybersecurity professionals at 3.4 million (and the gap has increased by 26% in one year).
The sophistication and complexity of the techniques employed by cybercriminals is another major challenge for SOCs, which must continuously integrate tools that uncover new threats. In addition, with the huge amount of data generated, the volume of traffic multiplies; this makes it difficult for SOCs to analyse the network in real time and also triggers false alarms. This means that they must implement automation tools and other solutions that filter out what is relevant so that they do not become saturated. It is not a matter of introducing many tools, but rather a few that are really effective.
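To make the alert-handling workflow described above concrete (classification by severity and prioritisation, the three analyst levels, and the automated filtering that stops the team being saturated), here is an added example that is not part of the original article: a small triage routine that folds repeated alerts from the same tool, rule and asset into one, orders the queue by severity, and assigns each item to a tier. The alert format, the severity ranking, the rule sending "high" alerts straight to Level 2 and the sample alerts are all constructed for this illustration.

```python
from dataclasses import dataclass

SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}  # constructed order

@dataclass
class Alert:
    source: str    # tool that raised it, e.g. "siem", "edr", "ids"
    rule: str      # detection rule that fired
    asset: str     # affected host
    severity: str  # critical / high / medium / low
    count: int = 1 # raw events folded into this alert

def deduplicate(alerts):
    """Fold alerts with the same (tool, rule, asset) into one, keeping the worst severity."""
    merged = {}
    for a in alerts:
        key = (a.source, a.rule, a.asset)
        m = merged.setdefault(key, Alert(a.source, a.rule, a.asset, a.severity, 0))
        m.count += a.count
        if SEVERITY_RANK[a.severity] < SEVERITY_RANK[m.severity]:
            m.severity = a.severity
    return list(merged.values())

def prioritise(alerts):
    # Most severe first; among equals, the alert with more folded events first.
    return sorted(alerts, key=lambda a: (SEVERITY_RANK[a.severity], -a.count))

def route(a):
    # Critical incidents go to Level 3 as the article describes; sending "high" straight
    # to Level 2 is an assumed rule, and Level 1 takes the rest for first response.
    if a.severity == "critical":
        return "L3"
    return "L2" if a.severity == "high" else "L1"

RAW_ALERTS = [  # constructed sample alerts, not real telemetry
    Alert("siem", "brute_force_ssh", "web-01", "medium"),
    Alert("siem", "brute_force_ssh", "web-01", "medium"),
    Alert("siem", "brute_force_ssh", "web-01", "high"),
    Alert("edr", "ransomware_behaviour", "fs-02", "critical"),
    Alert("ids", "port_scan", "db-01", "low"),
    Alert("ids", "port_scan", "db-01", "low"),
]

def triage(raw):
    """Deduplicate, prioritise and assign each alert to a tier."""
    return [(a.rule, a.asset, a.severity, a.count, route(a))
            for a in prioritise(deduplicate(raw))]
```

Running `triage(RAW_ALERTS)` collapses the six raw alerts into three queue entries, with the ransomware detection at the top and the repeated port scan at the bottom.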