incident response

Key Considerations for a Security Operations Center

Organizations are quickly recognizing the need to detect and respond to a variety of threats; simply blocking threats isn’t enough. The Security Operations Center (SOC) is the organization’s first line of defense against all forms of threats and will handle any suspected malicious activity. A well-designed and maintained SOC will focus on gaining efficiencies through continuous analyst training and mentoring, incident response, and constant evaluation of the organization’s security technologies.

Here are some important considerations:

A tiered SOC structure
The SOC can be designed around a simple detect, identify, and mitigate model. Analysts at various tiers investigate malicious activity (aka alerts or events) with these three stages in mind: Tier 1 analysts are charged with classifying the severity of the event and correlating the event with any historical activity. If necessary, Tier 1 analysts will escalate incidents to Tier 2 and 3 analysts, who will conduct in-depth investigations and perform root-cause analysis to determine what happened.

Threat Defense Operations (TDO)
Additionally, specialized analysts within the SOC-Threat Defense Operations (TDO) analysts-are responsible for creating detection logic in the form of signatures, rules, and custom queries based on CTI-provided threat intelligence. TDO engineers deploy the detection logic to a range of devices, appliances, tools, and sensors that make up an organization’s security stack. The rules, signatures, and queries create a threat-based preventative sensor network that generates network and host-based alerts that Tier 1-3 analysts in the SOC respond to.

TDO analysts will then fine-tune their detection logic based on SOC feedback, creating an efficient CFC that won’t waste time investigating false alarms. The TDO team is also responsible for providing in-depth malware analysis that yields valuable technical intelligence (TECHINT) that can be used in detection logic and further enriched by CTI.

Managing all the security alerts (aka “alert fatigue”)
This process-building detection solutions and then identifying and mitigating threats-is where many organizations struggle. Oftentimes, implementation of efficient and effective SOC processes are stifled by an overwhelming number of consoles, alerts, threat feeds, and tools that prohibit seamless workflows for analysts. While security managers should continually identify potential feeds and technologies to invest in, their impact on the SOC analyst should always be a primary consideration:

  • How many new alerts will this technology or new data feed produce?
  • Who will tune the technology to limit the number of false positives it produces?
  • Is the technology filling a gap in detection capabilities or adding on to existing capabilities?
  • How does the introduction of this new technology affect the SOC workflow?

The main point to remember is that more technology, tools, and threat feeds do not necessarily enable your SOC to operate more efficiently. Designs that emphasize smooth workflows and “painless” methods of data collection (e.g., analysts do not need to contact other teams to access certain data) are more likely to succeed than those that prioritize technology.

Organizations should focus on technology that enables SOC investigators to spend less time collecting data and more time investigating the root cause of the activity they’ve been alerted to.

Implementing 24/7 operations and managing investigations
Design and implementation should focus on standardizing daily operations, case management, and methods of “measuring success.” Modern-day threats necessitate that SOCs operate 24/7, 365 days a year, requiring well-thought-out shift schedules and defined roles. Leaders with managerial and technical experience can aid in workflow management and provide analyst training.

Having a well-integrated, easy-to-use case-management system that doesn’t get in the way of investigations and seamlessly interacts with other SOC tools is key. This tool ideally provides metrics on how effectively your SOC monitors, detects, and contains cases and will allow an organization to identify gaps in people, processes, and technologies.

Standardizing your standard operating procedures
Successful implementation also demands accurate and up-to-date documentation. This includes documentation on network architecture, standardized operating procedures (SOPs), and point-of-contact lists. If the SOC is considered the “heart” of the CFC, then SOPs act as its beat, guiding analysts in situations ranging from collecting forensic evidence to stopping data exfiltration.

These procedures change as new technology and organizational structures are implemented. Many organizations fail to update, train, and test their staff and leaders on SOPs, hurting their response times and containment metrics.

The bottom line
The SOC provides core security functions within the CFC and can achieve efficiencies through close integration with other teams such as CTI and TDO. Instead of looking to new technology first, successful organizations will constantly evaluate their security posture and frequently train their analysts on how to react to new threats. Organizations must carefully consider how new technology and tools will impact the analysts’ workflow and their ability to detect and respond to threats while focusing on processes and procedures.