In our increasingly digital world, cybersecurity is critical to ensure the security, availability, and confidentiality of customer data. Recent events around the world, such as the ransomware attack that forced the shutdown of the nation’s biggest fuel pipeline in May 2021, should be sufficient cause for all businesses to place cybersecurity as their top priority. The event illustrates that the conversation about data loss and leakage is not a matter of “if” but rather “when.” A Security Operations Center (SOC) is one investment that can help businesses to combat the threats against cyberattacks.
What is a SOC? What Does a Security Operations Center Do?
A SOC is a centralized function in an organization that employs a combination of people, processes, and tools to continuously monitor an organization’s security posture and implement measures to prevent, detect, analyze, contain, and remediate security threats. SOC can either include an incident response function or coordinate with a separate incident response team to respond to and recover from cybersecurity incidents.
Essentially, a SOC acts like the central command that gathers telemetry data from across the organization, including networks, servers, endpoints, databases, applications, and appliances, looking for both areas that can be strengthened and anomalous activity that could be indicative of a security incident or compromise.
How Do You Organize a SOC?
A SOC is usually led by a SOC manager and includes several SOC analysts. The size of the SOC can vary depending on the size and maturity of the organization. It might consist of a single security analyst or a war room with dozens of staff and monitors covering the walls. Often, rather than staffing a 24/7/365 SOC, a SOC relies heavily on artificial intelligence tooling to alert team members on call.
A common alternative to building an in-house SOC is to outsource the function to a managed security service provider (MSSP) or SOC-as-a-Service. This is particularly common now due to the cybersecurity talent shortage, which makes attracting and retaining skilled cybersecurity professionals difficult and expensive. An MSSP usually takes away the headache of both talent and tooling acquisitions.
Regardless of size and format, for the purpose of proper governance and visibility into the entire organization, a SOC usually reports to the chief information security officer (CISO), who in turn reports directly to the CEO.
What Are the Benefits of Having a SOC?
The key benefits of having a SOC are continuous monitoring, centralized visibility, and long-term saving on cybersecurity costs.
Cybercriminals don’t take breaks! That’s all the more reason to have a SOC perform proactive and continuous monitoring of the information assets across the organization. A SOC often utilizes security information and event monitoring (SIEM) and/or endpoint detection and response (EDR) tools to broaden its footprint on detecting credible threats and to minimize the amount of triage and analysis that must be done by humans.
Additionally, organizations’ digital footprint is powered by the growing movements of a remote workforce and bring your own device (BYOD). As such, it’s become imperative to have a centralized team to oversee, implement, and maintain the organization’s cybersecurity initiatives. The establishment of a SOC should go in step with the creation of a security roadmap and proper governance structure to empower SOC to carry out not only threat response but preventive maintenance and improvement/refinement of an organization’s overall cybersecurity strategies.
Lastly, an effective SOC can help an organization save money in the long run by reducing cybersecurity risk. According to Verizon’s 2021 Data Breach Investigation Report, 95% of the computer data breaches reported losses ranging between $148 and $1.6 million, and a median loss of $30,000. “For ransomware, the median amount lost was $11,150, and the range of losses in 95% of the cases fell between $70 and $1.2 million. And of course, direct losses are not the sole cost one encounters due to a breach. Apart from the damage done by the attacker, there remains the expense of digital forensics and incident response (DFIR), legal counsel, and reputation damage.”
What Should a SOC Be Responsible For?
A well-organized SOC should drive ongoing refinements and improvements of the organization’s cybersecurity strategies, in addition to leading the organization’s real-time threat detection and incident response. With well-trained professionals, proper tooling, and established standard operating procedures and playbooks, a SOC can be tasked with the following:
- Preventive maintenance against threats, such as patching, system hardening, and whitelisting, blacklisting, and securing applications.
- Proactive surveillance of networks, hardware, and software for threat and breach detection.
- Log management, including collecting, maintaining, and regularly reviewing the log of all network activity.
- Threat response, containment, and eradication.
- Recovery, remediation, and root-cause analysis following an attack, including system restoration and data recovery.
What Are the Tools Used in a SOC?
In this tightly interconnected digital world, the sheer number of security events will overwhelm a SOC without the right automated tools to deal with the “noise” and subsequently elevate significant threats. Tools that you should consider investing in include:
- Asset discovery: Gives the SOC visibility into assets they need to protect.
- Security information and event monitoring (SIEM): Collects, aggregates, and analyzes logs across your organization, which helps the SOC to be able to digest a large amount of data that’s not humanly possible to comb through.
- Endpoint detection and response (EDR): Helps the SOC to monitor, collect, analyze, and respond to threats at the endpoint level.
- Intrusion detection/prevention system (IDS/IPS): Assists the SOC in detecting and blocking threats.
- Vulnerability assessment: Helps the SOC detect cracks that attackers can use to infiltrate your systems.
Most organizations can benefit from having a SOC. For organizations in situations where running their own SOC does not meet the economies of scale, an MSSP or a SOC-as-a-service solution can bridge the gap. Whether having an in-house or outsourced SOC, each organization is responsible for the data security of the services that they offer. While cyberattacks will remain a common risk, a SOC can help reduce the likelihood and the impact of the risk of compromise.
If you would like more information on how a SOC can support meeting your IT audit requirements please feel free to reach out and contact us. Additionally, to learn more about the audit services offered by Linford&Co, please visit the following links: SOC 1, SOC 2, HIPAA Audits, Royalty Audits, HITRUST, and FedRAMP Compliance Certification.
Jenny has been in risk advisory and compliance since 2008. She spent 7 years at Ernst & Young where she was responsible for both audit and advisory engagements across financial services, energy, technology, and healthcare sectors. Since 2015, she has been focusing on serving SaaS-based companies, assessing their control environments as part of SOC reporting, HIPAA compliance, and HITRUST certification initiatives. She is a certified information systems auditor (CISA), HITRUST assessor (CCSFP), information systems security professional (CISSP), and AWS cloud practitioner. Jenny received her Bachelor of Science and Master’s degrees in Information Systems Management from Brigham Young University.