
A Definition of Security Operation Center: Ponemon Institute

A security operations center (SOC) monitors an organization's systems, networks, and assets to identify and respond to cybersecurity threats and incidents. A SOC team analyzes security alerts from monitoring tools, investigates suspicious activity, and coordinates the response to security incidents. Setting up a SOC improves threat detection, reduces breach likelihood, and ensures an appropriate response to incidents. While originally for large organizations, smaller firms now establish hybrid or virtual SOCs with part-time in-house staff and outsourced experts.

Uploaded by

gnatagbi8696
Copyright
© All Rights Reserved

CSOC

Cybersecurity threats are becoming more common, more dangerous and
more difficult to detect and mitigate. According to the Ponemon
Institute 2018 Cost of Data Breaches study, organizations take 266 days on
average to detect a breach, and over a month to contain it. Companies of all
sizes need a formal organizational structure that can take responsibility for
security threats and create an efficient process for detection, mitigation and
prevention. This is where a Security Operations Center (SOC) comes in.
In this post you will learn:
- A definition of security operations center
- What is the difference between a SOC and a CSIRT
- How security operations centers work
- The benefits of security operations centers
- Challenges of security operations centers
- 5 steps to setting up your first SOC
- 3 security operations center best practices
- Security operations center tools and technologies
A definition of security operation center
A security operations center (SOC) is traditionally a physical facility within
an organization, which houses an information security team. The team
analyzes and monitors the security systems of an organization. The aim of
the SOC is to protect the company from security breaches by identifying,
analyzing and reacting to cybersecurity threats. SOC teams are made up of
management, security analysts, and sometimes security engineers. The
SOC works with development and IT operations teams within the
company.
SOCs are a proven way to improve threat detection, decrease the likelihood
of security breaches, and ensure an appropriate organizational response
when incidents do occur. SOC teams isolate abnormal activity on servers,
databases, networks, endpoints, applications, etc., identify security threats,
investigate them, and react to security incidents as they occur.

A SOC was once believed to be suitable only for very large organizations.
Today, many smaller organizations are setting up lightweight SOCs, such
as a hybrid SOC, which relies on a combination of part-time in-house staff
and outsourced experts, or a virtual SOC which does not have a physical
facility, and is a team of in-house staff who also serve other duties.

WHAT IS THE DIFFERENCE BETWEEN A SOC TEAM AND A CSIRT?

A computer security incident response team or CSIRT, also called CERT
or CIRT, is responsible for receiving, analyzing, and responding to security
incidents. CSIRTs can work under SOCs or can stand alone.
What makes a CSIRT different from a SOC? While the core function of a
CSIRT is to minimize and manage damage caused by an incident, the
CSIRT does not just deal with the attack itself; it also communicates with
clients, executives, and the board.

HOW TO DETERMINE IF YOU NEED A SOC TEAM, A CSIRT TEAM, OR BOTH?
The case for a single entity
Often a single entity that unites the SOC and CSIRT is desirable. Why?
Because the distinction between detection and response is not clear cut,
and may even become irrelevant. For example, threat hunting is used to
identify threats, but also operates as a method of response.
Both SOC teams and CSIRT teams use security orchestration, automation
and response (SOAR) tools, which could indicate that these teams need to
be merged, as it is hard to decide who owns the tool and is accountable for
its evolution. Threat intelligence (TI) related activities also provide a case
for a single entity. A single TI consumption position can offer insights into
identification and response methods.

Another reason to unite these groups is related to managing the workforce.
One problem with SOCs is that it is difficult to keep “level 1” analysts
motivated, particularly when they work weekends and night shifts. By
bringing IR and threat hunting together you create the option for job
rotation.

The case for separate entities

Some industry experts argue that keeping SOC teams and CSIRT teams
separate lets them concentrate on their core objectives, namely detection
vs. response. Also, occasionally multiple SOCs are required (because of
multiple regional offices or subsidiaries), yet organizations wish to keep
incident response centralized because of the sensitivity of investigation
results.
Strategic plans for outsourcing may demand the separation of these two
functions. Today, this may not be an issue as many SOCs operate as hybrid
organizations. Keeping SOC and CSIRT separate, however, may help an
organization clearly define the responsibilities of a partner.

How do security operations centers work?

An organization must first define its security strategy and then provide a
suitable infrastructure for the SOC team to work with. The information
system that underlies SOC activity is a security information and event
management (SIEM) system, which collects logs and events from hundreds
of security tools and organizational systems, and generates actionable
security alerts, which the SOC team can analyze and respond to.

A SOC team has two core responsibilities:

- Maintaining security monitoring tools—the team must maintain
and update tools regularly. Without the correct tools, they can’t properly
secure systems and networks. Team members should maintain tools used
in every part of the security process.
- Investigating suspicious activities—the SOC team should investigate
suspicious and malicious activity within the networks and systems.
Generally, your SIEM or analytics software will issue alerts. The team
then analyses and examines the alerts, carries out triage, and discovers the
extent of the threat.
A SOC team comprises several roles:

- Security analyst—responsible for detecting potential security threats
and handling them. Also implements security measures and is involved in
disaster recovery plans.
- Security engineer—in charge of maintaining and updating tools and
systems and is usually a software or hardware specialist. They are also
responsible for any documentation that might be needed by other team
members, such as protocols.
- SOC manager—directs SOC operations, responsible for the SOC
team. Responsible for syncing between analysts and engineers, hiring,
training, and security strategy. Directs and orchestrates response to major
security threats.
- Chief information security officer (CISO)—establishes security
related strategies, policies, and operations. Works closely with the CEO,
informs and reports to management on security issues.
- Director of incident response—responsible for managing incidents
in large companies as they occur and communicating security
requirements to the organization in the case of a significant breach.

Figure 1: The different roles and tiers in the operation of the SOC
SOC analysts are organized in four tiers:

1. SIEM alerts flow to Tier 1 analysts who monitor, prioritize and
investigate them.
2. Real threats are passed to a Tier 2 analyst, with deeper security
experience, who conducts further analysis and decides on a strategy for
containment.
3. Critical breaches are moved up to a Tier 3 senior analyst, who
manages the incident. Tier 3 analysts are also responsible for actively
hunting for threats and assessing the vulnerability of the business.
4. The Tier 4 analyst is the SOC manager, in charge of recruitment,
strategy, priorities and the direct management of SOC staff when major
security incidents occur.
Benefits of security operations centers
- Incident response—SOCs operate around the clock to detect and
respond to incidents.
- Threat intelligence and rapid analysis—SOCs use threat
intelligence feeds and security tools to quickly identify threats, and fully
understand incidents to enable appropriate response.
- Reduce cybersecurity costs—although a SOC represents a major
expense, in the long run it saves the costs of ad hoc security measures and
the damage caused by security breaches.
- Reduce the complexity of investigations—SOC teams can
streamline their investigative efforts. The SOC can coordinate data and
information from sources, such as network activity, security events,
endpoint activity, threat intelligence and authorization. SOC teams have
visibility into the network environment so the SOC can simplify the tasks
of drilling into logs and forensic information, for example.
Challenges Facing Security Operation Centers
- Increased volumes of security alerts—the growing number of
security alerts requires a significant amount of an analyst’s time. Analysts
may attend to tasks from the mundane to the urgent when determining the
accuracy of alerts. They could miss alerts as a result, which highlights the
need for alert prioritization. Exabeam Advanced Analytics uses UEBA
technology to provide security alert prioritization, which relies on the
dynamic analysis of anomalous events. This ensures analysts can find the
alerts which require immediate attention.
- Management of many security tools—as various security suites are
being used by SOCs and CSIRTs, it is hard to efficiently monitor all the
data generated from data points and sources. A SOC may use 20 or more
technologies, which can be hard to keep track of and control individually,
making it important to have a central source and a single platform.
A security information and event management (SIEM) platform serves
this function in most SOCs. For an example of a next-generation SIEM
solution with advanced analytics and security automation, see
the Exabeam Security Management Platform.
- Resource allocation—staffing, or a lack of qualified individuals, is an
issue. An organization may decide to outsource; however, the issue of
greater vulnerability that comes with remote working conditions arises.
Some organizations are now using managed security service providers
(MSSPs) to help them with their SOC services via outsourcing. Managed
SOCs can be outsourced entirely or in partnership with on-premise
security staff.
Setting up your first SOC
QUESTIONS TO ASK BEFORE SETTING UP A SOC
Availability and hours—will you staff your SOC 8×5 or 24×7?
Format—will you have a stand-alone SOC or an integrated SOC and
network operations center (NOC)?
Organization—do you plan to control everything in-house or will you use
a managed security service provider?
Priorities and capabilities—is security the core concern or is compliance
a key issue? Is monitoring the main priority or will you need capabilities
such as ethical hacking or penetration testing? Will you make extensive use
of the cloud?
Environment—are you using a single on-premises environment or a
hybrid environment?

5 STEPS TO SETTING UP YOUR FIRST SOC

1. Ensure everyone understands what the SOC does
A SOC observes and checks endpoints and the network of the organization,
and isolates and addresses possible security issues. Create a clear
separation between the SOC and the IT help desk. The help desk is for
employee IT concerns, whereas the SOC is for security issues related to the
entire organization.
2. Provide Infrastructure for your SOC
Without the appropriate tools, a SOC team will not be able to deal with a
security threat. Evaluate and invest in tools and technologies that will
support the effectiveness of the SOC and are appropriate for the level of
expertise of your in-house security team. See the next section for a list of
tools commonly used in the modern SOC.
3. Find the right people
Build a security team using the roles we listed above: security analysts,
security engineers, and a SOC manager. These specialists should receive
ongoing training in areas such as reverse engineering, intrusion detection
and the anatomy of malware. The SOC manager needs to have strong
security expertise, management skills, and battle-tested crisis management
experience.
4. Have an incident response plan ready
An incident response team should create a specific and detailed action
plan. The team can also create a repeatable plan that can be used over time
and adapt to different threat scenarios. Business, PR and legal teams may
also be involved if necessary. The team should adhere to predefined
response protocols so they can build on their experience.
5. Defend
A key responsibility of the SOC is to protect the perimeter with a dedicated
team focused on detecting threats. The SOC’s goal is to collect as much
data and context as possible, prioritize incidents and ensure the important
ones are dealt with quickly and comprehensively.

3 SECURITY OPERATIONS CENTER BEST PRACTICES

1. Detect threats through all stages of an attack
To cope with the increasing number and complexity of cyber threats,
organizations have implemented security solutions that deal with specific
vulnerabilities or attack vectors. Attackers in response have created
sophisticated responses, using multiple techniques.

Point solutions working by themselves cannot identify the relationship
between a series of events. To stop an attacker from penetrating security,
security operations must:

- Deploy prevention and detection approaches throughout the entire
attack chain, the IT environment, and every attack vector.
- Design the technologies to function together and communicate
information.
For an example of a security tool that provides automated incident
timelines, aggregating data across multiple security tools, users and
devices, see Exabeam Threat Hunter.
2. Investigate all alerts to ensure nothing is overlooked
A copious number of alerts was an early driver for SIEM. SIEM systems
created correlation rules to group similar events into alerts, this helped
teams deal with the tens of thousands of events isolated daily. Today,
organizations state that even with correlation, there are too many alerts to
investigate, which leaves the organization open to risk.
Organizations need to develop solutions that not only group alerts but
automatically investigate and validate them. They should try to limit the
number of events that must be reviewed by human analysts.
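As an added illustration of the correlation-rule idea above and of the tiered escalation described earlier (this is example code, not the article's or any vendor's own), the routine below collapses constructed login events into one alert per source and user, rates the alert, and picks the analyst tier it escalates to. The event format, the failure threshold, the five-minute window and the priority-to-tier mapping are all assumptions chosen for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth events: (ISO timestamp, source_ip, user, outcome).
SAMPLE_EVENTS = [
    ("2024-05-01T10:00:01", "10.0.0.5", "alice", "fail"),
    ("2024-05-01T10:00:03", "10.0.0.5", "alice", "fail"),
    ("2024-05-01T10:00:05", "10.0.0.5", "alice", "fail"),
    ("2024-05-01T10:00:06", "10.0.0.5", "alice", "fail"),
    ("2024-05-01T10:00:07", "10.0.0.5", "alice", "fail"),
    ("2024-05-01T10:00:09", "10.0.0.5", "alice", "success"),
    ("2024-05-01T10:30:00", "10.0.0.9", "bob", "fail"),
    ("2024-05-01T11:30:00", "10.0.0.9", "bob", "success"),
    ("2024-05-01T12:00:00", "10.0.0.7", "carol", "fail"),
    ("2024-05-01T12:00:10", "10.0.0.7", "carol", "fail"),
    ("2024-05-01T12:00:20", "10.0.0.7", "carol", "fail"),
    ("2024-05-01T12:00:30", "10.0.0.7", "carol", "fail"),
    ("2024-05-01T12:00:40", "10.0.0.7", "carol", "fail"),
]

FAIL_THRESHOLD = 5             # assumed: failures that make up one alert
WINDOW = timedelta(minutes=5)  # assumed: correlation window
ESCALATION_TIER = {"critical": 3, "high": 2}  # assumed; Tier 1 keeps the rest


def correlate(events, threshold=FAIL_THRESHOLD, window=WINDOW):
    """Collapse raw login events into one alert per (source_ip, user).

    An alert is raised when `threshold` failures fall inside `window`; it is
    rated critical if a success follows that burst within the window
    (a likely compromised account), otherwise high. Each alert carries the
    tier it escalates to, so Tier 1 is not left with one alert per failure.
    """
    by_key = defaultdict(list)
    for ts, ip, user, outcome in events:
        by_key[(ip, user)].append((datetime.fromisoformat(ts), outcome))
    alerts = []
    for (ip, user), evs in sorted(by_key.items()):
        evs.sort()
        fails = [t for t, o in evs if o == "fail"]
        # First failure whose (threshold-1)th successor is still inside the window.
        burst_start = next((fails[i] for i in range(len(fails) - threshold + 1)
                            if fails[i + threshold - 1] - fails[i] <= window), None)
        if burst_start is None:
            continue  # too few failures close together: no alert for this key
        success_after = any(o == "success" and burst_start <= t <= burst_start + window
                            for t, o in evs)
        priority = "critical" if success_after else "high"
        alerts.append({"source_ip": ip, "user": user, "failures": len(fails),
                       "priority": priority, "tier": ESCALATION_TIER.get(priority, 1)})
    return alerts
```

Bob's single failure never becomes an alert, which is the reduction in analyst-reviewed events the text asks for.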

3. Gather forensic evidence for investigation and remediation

To investigate alerts, security teams require in-depth endpoint and network
activity data. This is made available by forensics solutions. However,
forensics tools, specifically on the network, are known to be
time-consuming and complex to use.

Organizations should find solutions for forensics that are simple to use and
automated. It is important to adopt solutions that proactively combine
forensic evidence into investigation procedures. An organization should
also convey the results in relation to the alert or lead the data validates.

Security operations center tools and technologies
A modern SOC cannot operate without security tools. Traditional tools
used in the SOC include:

- Security information and event management (SIEM)
- Governance, risk and compliance (GRC) systems
- Vulnerability scanners and penetration testing tools
- Intrusion detection systems (IDS), intrusion prevention systems
(IPS), and wireless intrusion prevention
- Firewalls and next-generation firewalls (NGFW) which can function
as an IPS
- Log management systems (commonly as part of the SIEM)
- Cyber threat intelligence feeds and databases
Advanced SOCs leverage next generation tools, specifically
next-generation SIEMs, which provide machine learning and advanced
behavioral analytics, threat hunting capabilities, and built-in automated
incident response. Modern security operations center technology allows the
SOC team to find and deal with threats quickly and efficiently.

Learn more about the SOC, SecOps, and SIEM.
