In the original Star Trek television show, Captain Kirk would slightly recline in a command chair with various buttons that allowed him to deploy different technologies. Regardless of the alien threat, he had the necessary tools at his disposal to protect the Enterprise and his staff.
An organization’s security operations center (SOC) acts as the Captain Kirk “command chair” for all security activities. In a small organization, a SOC might consist of one or two security analysts fulfilling various functions. In a larger organization, the team may have several security analysts with defined roles and responsibilities. In either case, the SOC is responsible for monitoring for, detecting, responding to, and recovering from cyber threats.
When organizations design an efficient security operations center, they empower the team to protect data and achieve compliance objectives more effectively.
What is a SOC?
A security operations center (SOC) is the centralized unit staffed with security professionals tasked with detecting, analyzing, and responding to cyber threats. Typically, the SOC deploys a security information and event management (SIEM) solution to aggregate and correlate log data from across the environment, including information generated by security tools like:
- Endpoint detection and response (EDR)
- Identity and access management (IAM)
- Threat intelligence feeds
- Intrusion detection systems (IDS)/intrusion prevention systems (IPS)
What does a SOC do?
A SOC operates the organization’s security monitoring architecture, taking a proactive approach to mitigating cyber threat risk.
Preparation, Planning, and Prevention
With a SOC, organizations centralize all security risk mitigation activities, enabling them to create a streamlined approach to threat detection and incident response. An effective SOC design enables the team to implement, maintain, and monitor key security controls and activities like:
- Building an asset inventory that identifies all digital assets.
- Managing security technologies, like updating firewall rules.
- Designing and testing detections, like creating Sigma rules.
- Testing the incident response plan, either through red teaming or tabletop exercises.
Monitoring, Detection, and Response
After implementing a SIEM and security architecture, the SOC team gets down to the real business of security. Typically, this means implementing the incident response plan from the detection through recovery phases. As part of the monitoring, detection, and response phases, the SOC is responsible for:
- Monitoring for abnormal activity based on the thresholds identified in the preparation stage.
- Reviewing and triaging alerts triggered by the detection rules.
- Investigating the root cause of a potential incident.
- Isolating compromised systems.
Recovery, Refinement, and Compliance
Finally, the SOC completes the incident response by restoring affected systems to a known-good state (not simply the pre-incident state, which may still contain the weakness the attacker used). Afterward, they review how the incident occurred and what they need to change to prevent the same thing from happening in the future. As part of this, they are responsible for:
- Eradicating the threat, including removing persistence and rotating any credentials the attacker may have obtained.
- Engaging in recovery activities like wiping and rebuilding devices or restoring user access to networks.
- Conducting a “Lessons Learned” discussion to identify what happened and whether the organization needs to make changes to the incident response processes.
- Fine-tuning detections and processes to address any gaps identified in the post-mortem discussions.
- Writing an IT security incident report as part of compliance requirements and obligations.
What Are the Roles and Responsibilities of SOC Team Members?
The SOC is a team with a collective mission of defending against cyber threats. While small teams may have members who perform all the roles, larger teams can consist of the following functions:
- Security analysts: Using security tools and threat intelligence to monitor for and evaluate security threats.
- Incident responders: Reacting to detected security incidents by investigating detections to minimize risk.
- Threat hunters: Proactively searching telemetry for Indicators of Compromise (IoCs) and attacker behaviors that automated detections missed.
- SOC manager: Guiding the SOC’s strategic direction, including integrating security solutions that respond to evolving cyber threats.
- Security engineers: Designing, deploying, and maintaining the security tooling, including evaluating candidate solutions to determine the best ones for the organization’s needs.
What Is the Structure of a SOC?
A SOC is typically organized into tiers, each with its own responsibilities, usually based on the experience and skills the work requires. When building a SOC, organizations should consider the following:
- Level 1 – First Response: Security analysts at this level handle initial security monitoring and alert triage, prioritizing alerts based on potential impact and escalating them quickly.
- Level 2 – Incident Resolution: Security analysts at this level investigate an incident’s root cause to understand its scope, which requires a higher degree of technical expertise and analytical skill.
- Level 3 – Proactive Security Operations: These security professionals strengthen threat detection capabilities and engage in threat hunting to proactively identify and respond to threats that existing detections miss.
- Level 4 – SOC Performance Integration with Business: Security engineers and managers at this level align security activities with business objectives to minimize operational disruption, often conducting audits and performance assessments to review the effectiveness of the incident response plan and security standards.
7 Steps for Building an Efficient SOC Design
Whether your organization is large or small, building a SOC enables you to create efficient cyber threat detection and incident response capabilities that protect your organization’s and customers’ data. By creating a plan that defines the strategy and taking purposeful steps to implement the design, you can create an effective security architecture across people, processes, and technologies.
1. Develop the Strategy
Before you hire security analysts or onboard additional technologies, you need to develop security goals that align with business objectives. Some considerations here might include:
- Identifying sensitive data, like personally identifiable information (PII), payment card information, bank account information, or protected health information (PHI).
- Identifying all digital assets and potential storage locations.
- The current compliance landscape, which helps define the required baseline controls.
- Future business objectives, including potential new geographic markets or industries that come with compliance or data protection requirements.
2. Design the Solution
While you likely already have some security technologies in place, you want to build out a security architecture that allows you to integrate these into a centralized hub of security monitoring and compliance reporting. If you have a SIEM or seek to deploy one, you should consider the different security data that you want it to ingest, including:
- Endpoint monitoring tools across all devices, including workstations, servers, mobile devices, and Internet of Things (IoT) devices.
- Network security monitoring tools, including firewalls and DNS servers.
- External facing services, like web applications that connect to the public internet.
- Sources that enrich security data, like GeoIP information or threat intelligence feeds.
Additional considerations when deploying a SIEM should also include automation capabilities, like whether it leverages artificial intelligence (AI) to suggest remediation activities or machine learning (ML) to monitor for anomalies.
3. Develop Processes, Procedures, and Training
Once you know the technologies that you want to implement, you should either build or review your current incident response plan. These procedures guide your security analysts, including how to escalate alerts, manage investigations, and respond to identified security threats. As part of this process, you should consider:
- Defining roles across the different security analysts and SOC levels.
- Creating workflows for incident detection and response.
- Protocols for handling IoCs.
- Escalation from alerts through investigation and recovery.
- Integrations with messaging applications, like Slack or Teams, and IT service management (ITSM) platforms.
With processes and procedures defined, you can create and implement training for each job role based on the person’s job function within the SOC.
4. Invest in Tools and Services to Fill Gaps
At this juncture, you may realize that you need additional tools to handle evolving threats. Some examples of these might include:
- API security tools.
- Data loss prevention (DLP).
- Mobile device management (MDM).
- Mobile threat defense (MTD).
5. Prepare Environment
With all your technologies ready for deployment, you need to prepare your environment to ensure that the deployment will run smoothly without impacting business operations. This process may entail reviewing:
- Network infrastructure to ensure continued performance.
- Data storage locations, like a security data lake, that will manage the security telemetry.
- Data routing capabilities to separate out high-priority data necessary for investigations from data retained for compliance purposes and potential future forensic needs.
6. Implement Solution
During the implementation phase, you deploy the security architecture in testing mode to ensure that all components operate as intended. This process will involve:
- Installing and configuring security tools.
- Establishing communication channels.
- Testing system performance and reliability.
In this testing phase, your security engineers should work to address any issues before deploying the solution live in your environment.
7. Deploy End-to-End Use Cases
Once you have the initial deployment in your environment, you can fine-tune the use cases further. Your use cases should reflect the range of security events your organization might face. For example, a minor incident might be a threat actor attempting to use compromised credentials without gaining access, while a significant attack might be ransomware in which the threat actor also exfiltrates data.
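The compromised-credentials use case above, together with the threshold-based monitoring and alert triage described in the monitoring, detection, and response section, as an added worked example (Python, not Graylog’s own code or pipeline rules): it runs a sliding-window failed-login detection over constructed sshd-style log lines, opens a medium-severity alert when one source exceeds the failure threshold, and escalates the alert to high when that same source then authenticates successfully. The log lines, the threshold of five failures within 60 seconds, and the ten-minute follow-up window are assumptions chosen for illustration.

```python
"""Sliding-window failed-login detection with triage, run over constructed
sshd-style log lines. Added example; thresholds and log lines are assumptions."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (not real data). Three sources:
#  - 203.0.113.7 sprays admin/root and never succeeds      -> attempted access only
#  - 198.51.100.9 is a user mistyping once, then logging in -> benign, no alert
#  - 192.0.2.20 bursts against bob and then logs in         -> likely compromise
SAMPLE_LOGS = """\
2024-03-01T10:00:01Z sshd[812]: Failed password for admin from 203.0.113.7 port 51022 ssh2
2024-03-01T10:00:03Z sshd[812]: Failed password for admin from 203.0.113.7 port 51023 ssh2
2024-03-01T10:00:05Z sshd[812]: Failed password for root from 203.0.113.7 port 51024 ssh2
2024-03-01T10:00:07Z sshd[812]: Failed password for admin from 203.0.113.7 port 51025 ssh2
2024-03-01T10:00:09Z sshd[812]: Failed password for admin from 203.0.113.7 port 51026 ssh2
2024-03-01T10:01:00Z sshd[813]: Failed password for alice from 198.51.100.9 port 40001 ssh2
2024-03-01T10:01:30Z sshd[813]: Accepted password for alice from 198.51.100.9 port 40002 ssh2
2024-03-01T10:05:00Z sshd[814]: Failed password for bob from 192.0.2.20 port 33001 ssh2
2024-03-01T10:05:01Z sshd[814]: Failed password for bob from 192.0.2.20 port 33002 ssh2
2024-03-01T10:05:02Z sshd[814]: Failed password for bob from 192.0.2.20 port 33003 ssh2
2024-03-01T10:05:03Z sshd[814]: Failed password for bob from 192.0.2.20 port 33004 ssh2
2024-03-01T10:05:04Z sshd[814]: Failed password for bob from 192.0.2.20 port 33005 ssh2
2024-03-01T10:05:20Z sshd[814]: Accepted password for bob from 192.0.2.20 port 33006 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<outcome>Failed|Accepted) password for "
    r"(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse(line):
    """Return a dict for an sshd auth line, or None for lines this example does not model."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "outcome": m["outcome"],
        "user": m["user"],
        "src": m["src"],
    }


def detect(lines, threshold=5, window=timedelta(seconds=60),
           follow=timedelta(minutes=10)):
    """Open one alert per source once `threshold` failures land inside `window`;
    escalate it to high if that source authenticates within `follow` of the burst.
    Lines must be in time order."""
    recent = defaultdict(deque)  # src -> (ts, user) failures still inside the window
    alerts = {}                  # src -> open alert; one per burst avoids alert floods
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        src, ts = ev["src"], ev["ts"]
        q = recent[src]
        while q and ts - q[0][0] > window:  # drop failures older than the window
            q.popleft()
        if ev["outcome"] == "Failed":
            q.append((ts, ev["user"]))
            if src in alerts:  # burst already alerted: extend it instead of re-alerting
                a = alerts[src]
                a["failures"] += 1
                a["users"].add(ev["user"])
                a["burst_end"] = ts
            elif len(q) >= threshold:
                alerts[src] = {
                    "src": src,
                    "title": "Password brute force attempt",
                    "severity": "medium",
                    "failures": len(q),
                    "users": {u for _, u in q},
                    "burst_end": ts,
                }
        else:  # Accepted: success shortly after a burst is the high-severity case
            a = alerts.get(src)
            if a and ts - a["burst_end"] <= follow:
                a["severity"] = "high"
                a["title"] = "Successful login after brute force"
                a["compromised_user"] = ev["user"]
    for a in alerts.values():
        a["users"] = sorted(a["users"])
    return sorted(alerts.values(), key=lambda a: a["src"])


SEVERITY_RANK = {"high": 0, "medium": 1, "low": 2}


def triage(alerts):
    """Level 1 queue ordering: highest severity first, then the largest burst."""
    return sorted(alerts, key=lambda a: (SEVERITY_RANK[a["severity"]], -a["failures"]))


if __name__ == "__main__":
    for a in triage(detect(SAMPLE_LOGS.splitlines())):
        print(f'{a["severity"]:6} {a["src"]:14} {a["title"]} '
              f'(failures={a["failures"]}, users={",".join(a["users"])})')
```

Run as written, the script produces two alerts and no alert for the benign source: the burst from 192.0.2.20 followed by a successful login for bob ranks first at high severity, and the spray from 203.0.113.7 stays at medium because no login succeeded. The single-alert-per-burst rule and the follow-up window are the parts worth tuning in a real deployment, since they decide both how noisy the queue is and how long after a burst a success still counts as suspicious.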
Graylog Security: A Solution for Effective SOC Design
Using Graylog Security, you can rapidly mature your threat detection and incident response capabilities. Graylog Security’s Illuminate bundles include rulesets with content that includes Sigma detections, enabling you to uplevel your monitoring by incorporating threat hunting capabilities and mappings to MITRE ATT&CK TTPs.
By leveraging our cloud-native capabilities and out-of-the-box content, you gain immediate value from your logs. Our anomaly detection ML improves over time without manual tuning, adapting rapidly to new data sets, organizational priorities, and custom use cases so that you can automate key user and entity access monitoring.
With our intuitive user interface, you can rapidly investigate alerts. Our lightning-fast search capabilities enable you to search terabytes of data in milliseconds, reducing dwell times and shrinking investigations by hours, days, and weeks.
To learn how Graylog Security can help you implement robust threat detection and response, contact us today.