Understanding Security Operations Centers

The document discusses the key aspects of a Security Operations Center (SOC). It defines a SOC as a team that continuously monitors and improves an organization's security posture through prevention, detection, analysis and response to cyber incidents using technology and processes. It emphasizes that a SOC requires careful planning in its mission, environment, technology, people and processes to be successful. It also stresses the importance of tools, methodologies, intelligence, incident response and ongoing management to effectively operate a SOC.


SOC: Security Operations Center – Luigi Cristiani

SOC: Security Operations Center


Luigi Cristiani – mail@[Link]

1. A definition
What is a SOC?

A Security Operations Center (SOC) is an organized and highly skilled team whose mission is to continuously monitor and
improve an organization’s security posture while preventing, detecting, analyzing, and responding to cyber security
incidents with the aid of both technology and well defined processes and procedures.

2. The mission
As the SOC strategy must be both clearly defined and business-specific, that strategy depends strictly on executive-level support and sponsorship; otherwise the SOC will not be able to work properly, and it will not be perceived as a critical asset by the rest of the [Link]. A SOC must aim at addressing the company's needs, and strong executive sponsorship is necessary for it to be successful.

3. The environment
The establishment of a SOC requires careful planning: its physical security must be taken into consideration, and the layout of the operations center has to be carefully designed to be both comfortable and functional; lighting and acoustics must not be overlooked. A SOC is expected to contain several areas, including an operational room, a "war room" and the supervisors' offices. Comfort, visibility, efficiency and control are key terms in this scenario, and every single area must be designed accordingly.

4. The technology
Once the mission and the scope of the SOC have been defined, its underpinning infrastructure must be designed. Many components are necessary to build a complete technological environment: firewalls, IPSs/IDSs, breach detection solutions, probes and, obviously, a SIEM, just to name a few. Effective and efficient data collection is fundamental for a successful SOC. Data flows, telemetry, packet captures, syslog and several types of events must be collected, correlated and analyzed from a security perspective. Data enrichment, and information about the vulnerabilities affecting the entire ecosystem to be monitored, are of great importance as well.

5. People and processes


While technical requirements are of the greatest importance, the most advanced and best equipped control room would be worthless without people and procedures bringing it to life! Besides technology, people and processes are the pillars of a successful SOC.
As stated above, a SOC is a team, and as in every winning team, all roles must be filled properly. Leaders (and leadership) will be needed, and engineering, analyst and operations roles will have to be covered. Many functions must be carried out, and analysts will be assigned to two or three tiers. The primary functions provided by the team members will be analysis grounded on real-time monitoring of events, the detection of security incidents or data breaches, the response to these incidents (after the necessary triage phase) and, at last, the remediation of the consequences of every detected incident.
All of the actions must be coordinated: collaboration, timing and efficiency must be paramount for the overall SOC organization. Each member of the team must be fully aware of both the mission and the strategy of the SOC; therefore, effective leadership has an enormous impact. The SOC manager must be able to build the team, motivate the members, retain people and make them willing to create value for the business and for themselves. It is not an easy task for a SOC manager: the "machine" must run seven days a week, 24 hours a day, so stress is a likely risk factor. Selecting the right team members for the right tasks is a highly challenging assignment, as the range of required competences is quite wide, ranging from vulnerability management to computer forensics through malware analysis. Establishing the proper number of staff members is another hard and demanding task: while no unnecessary workers should be hired and a defined budget will have to be respected, the risk of being undermanned, and therefore inefficient, must be avoided.
In this scenario, the adoption of a hybrid model envisioning cooperation between the internal team and outsourced managed service providers is a viable choice.


6. Security tools and technology components


A deeper analysis of the technology components supporting the SOC cannot be divorced from a strong emphasis on security; no single detail of a defense-in-depth approach must be overlooked: LAN segmentation, NAC, VPN, endpoint hardening, encryption of data at rest, in use and in motion, and protection through well configured and monitored IPSs/IDSs, firewalls, routers and switches. Since the SOC is a team, collaboration tools have to be carefully designed to give the members the best user experience available, which would in turn give the SOC the best ability to produce value for the business; this goal must be accomplished while meeting all the security assurance requirements needed for a Security Operations Center. Mobile devices (and their security) are another aspect that cannot be neglected while designing and building a SOC. Particular emphasis must be placed on Data Loss Prevention measures, spanning from endpoints to servers and from e-mail to smartphones.
Without meaning to be exhaustive, many further technology components that contribute to completing the SOC ecosystem should be mentioned: web proxies, sandboxes, endpoint breach detection solutions and forensics tools. All of the involved systems generate events, logs, flows and telemetry data that must be ingested, processed and analyzed by a machine and, eventually, by a human being. In this phase of ingestion, processing and correlation, it is worth remembering, once again, the pivotal role of the SIEM for the Security Operations Center.
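Sections 4 and 6 describe the same pipeline from two angles: events are collected from many sources, correlated by the SIEM, enriched with asset and vulnerability context, and only then handed to an analyst. The following Python script is an added illustration of that pipeline, not code from the paper or from any SIEM product. The sshd-style log lines, the asset criticality table and the vulnerability records are all constructed for the demonstration, and the correlation rule (several failed logins from one source followed by a successful one within a short window) is one example of the kind of rule a SOC would write.

```python
"""SIEM-style collection, correlation and enrichment over constructed syslog
lines. Added example, not code from the original paper; the log format, asset
inventory and vulnerability records are all constructed for this demo."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sshd-style authentication events (documentation IP ranges only).
SAMPLE_LOGS = """\
2024-03-01T10:00:01 srv-web-01 sshd[101]: Failed password for admin from 203.0.113.7 port 51001 ssh2
2024-03-01T10:00:03 srv-web-01 sshd[101]: Failed password for admin from 203.0.113.7 port 51002 ssh2
2024-03-01T10:00:05 srv-web-01 sshd[101]: Failed password for admin from 203.0.113.7 port 51003 ssh2
2024-03-01T10:00:06 srv-web-01 sshd[101]: Failed password for admin from 203.0.113.7 port 51004 ssh2
2024-03-01T10:00:09 srv-web-01 sshd[101]: Accepted password for admin from 203.0.113.7 port 51005 ssh2
2024-03-01T10:05:00 srv-db-02 sshd[202]: Failed password for root from 198.51.100.9 port 40001 ssh2
2024-03-01T10:30:00 srv-db-02 sshd[202]: Accepted publickey for dba from 10.0.0.5 port 40002 ssh2
this line is not an auth event and is ignored by the parser
"""

# Constructed enrichment data: asset criticality and open findings per host.
# The vulnerability identifier is a placeholder, not a real advisory.
ASSET_CRITICALITY = {"srv-web-01": "medium", "srv-db-02": "high"}
OPEN_VULNS = {"srv-web-01": ["PLACEHOLDER-VULN-ID"], "srv-db-02": []}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) "
    r"(?:password|publickey) for (?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse(text):
    """Collection step: turn raw lines into structured events; unparseable lines are dropped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.fromisoformat(ev["ts"])
            events.append(ev)
    return events


def correlate(events, threshold=3, window=timedelta(minutes=5)):
    """Correlation step: a source that fails at least `threshold` times on a host
    and then authenticates successfully within `window` yields one alert."""
    failures = defaultdict(list)  # (host, src) -> timestamps of failed attempts
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["host"], ev["src"])
        if ev["result"] == "Failed":
            failures[key].append(ev["ts"])
            continue
        recent = [t for t in failures[key] if ev["ts"] - t <= window]
        if len(recent) >= threshold:
            alerts.append({"host": ev["host"], "src": ev["src"], "user": ev["user"],
                           "failures": len(recent), "ts": ev["ts"].isoformat()})
            failures[key].clear()  # do not re-alert on the same failures
    return alerts


SEVERITY_ORDER = ["low", "medium", "high", "critical"]


def enrich(alert):
    """Enrichment step: derive severity from asset criticality, raised one level
    when the host has open vulnerabilities."""
    level = SEVERITY_ORDER.index(ASSET_CRITICALITY.get(alert["host"], "low"))
    if OPEN_VULNS.get(alert["host"]):
        level = min(level + 1, len(SEVERITY_ORDER) - 1)
    return {**alert, "severity": SEVERITY_ORDER[level],
            "open_vulns": OPEN_VULNS.get(alert["host"], [])}


def run_pipeline(text=SAMPLE_LOGS):
    """Collect -> correlate -> enrich, as a SIEM would before an analyst sees the alert."""
    return [enrich(a) for a in correlate(parse(text))]


if __name__ == "__main__":
    for alert in run_pipeline():
        print(alert)
```

On the constructed input only srv-web-01 produces an alert: the single failure on srv-db-02 is below the threshold, and the later successful login there comes from a different source. The enrichment step is what turns a generic "brute force then success" event into a prioritised case: the same rule hit on a high-criticality host with open findings would be rated critical.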

7. Methodology and intelligence


To improve the security posture of the organization, a SOC must be both active and proactive while carrying out the Vulnerability Management process. Risk assessment and a sound approach to vulnerability handling are priorities for a SOC (the OWASP methodology can be an option here). Furthermore, a context-aware threat intelligence approach has to be taken to deliver more value and to be more effective in detecting and preventing breaches and in damage containment.

8. The team at work


As soon as the SOC is operational in the live environment, the team will have to carry out its mission and react to incidents. This is the phase where the SOC has the opportunity to show the value it provides to the business. When an incident arises, a ticket is opened and a case is investigated. Many parts of the team will be involved, and perhaps someone external to the SOC (part of the same organization or even a third-party actor) will be concerned, depending on the nature, extent and severity of the incident. Different levels of escalation, possibly leading to the CSIRT, could be put in place, and the team must collaborate, leveraging all the available tools and procedures, until the closure of the case.
To be successful, security incident detection and monitoring, and the subsequent phase of incident response, require the right mix of sound technologies, clearly defined (and repeatable) processes and procedures, together with highly specialized skills. Intuition, the ability to react quickly and precisely even under stressful conditions, and reliance on previously learned lessons are key points for an effective SOC team.

9. The manager view


Building and operating a SOC is a highly demanding mission; to accomplish this challenging task, many best practices, frameworks and standards might prove useful (e.g. ITIL and COBIT), and others could be mandatory to comply with (e.g. PCI DSS and ISO/IEC 27001:2013).
ITIL deserves special mention as a potentially unparalleled source of advice and guidance on service strategy and design, on service level management (SLAs and KPIs have to be clearly stated, measured and monitored) and on creating an interface between the organization's incident/problem management processes and SOC-specific processes.
On the other hand, COBIT, and specifically the COBIT Maturity Model (COBIT MM), could be taken as a paramount guideline for measuring the maturity of the SOC.
Generally speaking, the performance of the SOC must be carefully measured in all its aspects: the clear definition of KPIs is mandatory, and a wise application of continual service improvement (ITIL, again, must be taken into consideration) could give the SOC the best results in being successful and being perceived as a value for the organization.
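Sections 8 and 9 together describe the measurable side of SOC operations: every incident becomes a ticket that may be escalated across tiers, and the manager must state, measure and monitor SLAs and KPIs over those tickets. The script below is an added illustration of such a measurement, not code from the paper or from any ITIL or COBIT tooling. The ticket records, the severity levels and the per-severity response targets are assumptions constructed for the example; the KPI names (mean time to detect, mean time to resolve, SLA compliance, escalation rate) are common SOC metrics chosen to show how the text's requirement turns into numbers that can be tracked per period.

```python
"""SOC KPI and SLA measurement over constructed incident tickets. Added example,
not from the original paper; ticket fields, severity levels and SLA targets are
assumptions made for the demonstration."""
from datetime import datetime
from statistics import mean

# Assumed SLA: maximum minutes from ticket opening to first analyst response.
RESPONSE_SLA_MINUTES = {"critical": 15, "high": 60, "medium": 240, "low": 1440}

# Constructed tickets. "event" is when the malicious activity happened, "opened"
# when the SOC detected it and opened the case, "closed_by_tier" the analyst tier
# that resolved it (a tier above 1 means the case was escalated).
TICKETS = [
    {"id": "T-1", "severity": "critical", "event": "2024-03-01T08:00", "opened": "2024-03-01T08:20",
     "responded": "2024-03-01T08:30", "closed": "2024-03-01T12:00", "closed_by_tier": 3},
    {"id": "T-2", "severity": "high", "event": "2024-03-01T09:00", "opened": "2024-03-01T09:30",
     "responded": "2024-03-01T11:00", "closed": "2024-03-01T13:30", "closed_by_tier": 2},
    {"id": "T-3", "severity": "medium", "event": "2024-03-01T10:00", "opened": "2024-03-01T10:10",
     "responded": "2024-03-01T12:10", "closed": "2024-03-01T14:10", "closed_by_tier": 1},
    {"id": "T-4", "severity": "low", "event": "2024-03-01T06:00", "opened": "2024-03-01T10:00",
     "responded": "2024-03-01T10:30", "closed": "2024-03-01T11:00", "closed_by_tier": 1},
]


def minutes_between(start, end):
    """Elapsed minutes between two ISO-8601 timestamps."""
    return (datetime.fromisoformat(end) - datetime.fromisoformat(start)).total_seconds() / 60


def response_sla_met(ticket):
    """SLA check for one ticket: first response within the target for its severity."""
    limit = RESPONSE_SLA_MINUTES[ticket["severity"]]
    return minutes_between(ticket["opened"], ticket["responded"]) <= limit


def compute_kpis(tickets=TICKETS):
    """Return the KPIs a SOC manager would track and report for a period."""
    mttd = mean(minutes_between(t["event"], t["opened"]) for t in tickets)   # mean time to detect
    mttr = mean(minutes_between(t["opened"], t["closed"]) for t in tickets)  # mean time to resolve
    breaches = [t["id"] for t in tickets if not response_sla_met(t)]
    escalated = sum(1 for t in tickets if t["closed_by_tier"] > 1)
    per_severity = {}
    for t in tickets:
        per_severity.setdefault(t["severity"], []).append(minutes_between(t["opened"], t["closed"]))
    return {
        "mttd_minutes": mttd,
        "mttr_minutes": mttr,
        "response_sla_compliance": 1 - len(breaches) / len(tickets),
        "sla_breaches": breaches,
        "escalation_rate": escalated / len(tickets),
        "mttr_by_severity": {sev: mean(v) for sev, v in per_severity.items()},
    }


if __name__ == "__main__":
    for name, value in compute_kpis().items():
        print(f"{name}: {value}")
```

The breakdown by severity matters more than the overall averages: a single slow low-severity ticket can hide a missed critical target, which is why each severity carries its own response SLA and why the breaching ticket ids are returned alongside the compliance ratio for the continual-improvement review the text calls for.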

10. Conclusions
The wide range (one might say the complete range) of cyber security aspects to be considered, the highly specialized competences and skills needed to run an effective SOC, and the tight relationships with the business strategy and processes make the task of designing and managing a Security Operations Center a paradigmatic example of applied and holistic information security.
Leadership, motivation and team-leading skills are mandatory for a SOC manager willing to create a great team. Continuous training and engagement are necessary to keep the pace of the SOC aligned with the relentless development of threats and the tireless, increasingly sophisticated efforts of attackers. Running a SOC is a complex endeavor, as it has to address the equally wide, pervasive and borderless problem of ensuring information security nowadays.
I also suggest that cybersecurity enthusiasts deepen their knowledge of the matter, because I see it as an excellent and comprehensive topic to deal with; it will give them a complete vision of what information security is and what value, if wisely applied, it can produce in any organization.
