Every organization, regardless of size, budget or area of focus, should have some form of a security operations center (SOC). When I use the term “Security Operations Center”, many people imagine a dedicated team with expensive tools and a room full of monitors. That image can be a SOC, but it is not always the case. A SOC can be one person or multiple groups of people spread across the globe. A SOC can be outsourced to a service provider, be made up of internal resources, or be something in between. In short, a SOC is a dedicated person or team focused on cyber security services for an organization, which means a SOC is attainable by every organization.
Now that you know your organization should have a SOC, what should be expected of that SOC? A SOC is responsible for providing services, and those services need to be aligned with the goals of the organization it protects. The best way to see what is expected of a SOC is through the SOC’s mission statement and scope of work. I have seen people with security responsibilities become recognized as a formal SOC by obtaining executive support for a SOC mission statement and scope of work. These fundamental components separate a SOC from a random collection of security-related services.
Regarding SOC services, I believe every SOC should have some form of the following services, which I call the foundational SOC services.
Some of these services can be outsourced, while others could be provided on demand. For example, a small business will likely not have a digital forensics expert on staff; however, it should know whom to call in if legal action needs to be taken because of a cyber-related incident.
It is important to point out that buying a tool does not mean a SOC has a service, and having a service does not mean having an effective service. The security industry uses maturity models as a way to validate the quality of a service. Using vulnerability management as an example, buying a vulnerability scanner would move your organization from a maturity level of zero to one, meaning you can provide ad-hoc vulnerability scanning. Higher maturity requires developing repeatable processes, which are converted into policies and procedures enforced by SOC management.
Improving maturity leads to a question I often receive: “What do I need to do to function as a modern security operations center?” My answer is one word: “DevOps”. DevOps, in this context, means using programming to make systems work with other systems. This is a critical element for deploying Orchestration and Automation, that is, being able to automate parts of a SOC service. As technology becomes more advanced, data grows and attacks become more sophisticated, a SOC can’t simply “pedal faster” and hope to keep up. There is a breaking point for every SOC service that separates a modern, mature SOC from one that is purely reactive and unable to keep up with the pace of work. I’m often asked during the classes I teach, “What skillset should I focus on to get hired in the cyber security field?”, and my answer always includes some form of DevOps.
Bringing technology into the conversation, a Security Orchestration, Automation and Response (SOAR) platform is a common tool used by modern SOCs and is key to providing mature SOC services. This is especially true for services such as incident response, which are very time dependent. Automation doesn’t have to be complex: simply automating how data is shared between tools, so that a SOC analyst doesn’t have to log in to multiple tools, can give valuable time back to the team. I find four areas are popular for automation, which are the following:
To summarize, every organization should have a SOC, and that SOC should provide security services. Those services are graded based on maturity, and Orchestration / Automation is needed to reach a high maturity ranking, which is what makes a modern SOC. Cisco can help your organization’s SOC reach a high maturity ranking through our DevOps certification programs and the SecureX tool, which provides Security Orchestration, Automation and Response at no additional cost when investing in Cisco security. Check out https://developer.cisco.com/ to gain access to free DevOps training and Cisco SecureX, and to learn more about how to apply DevOps within your organization in a simplified manner.