What is a Security Operations Center (SOC)?
It’s a great thing to live in the Age of Information. With a few clicks of a mouse or keystrokes on a keyboard, we can find out almost anything we want, purchase delightful products, and communicate with friends and family on the other side of the world.
Unfortunately, the downside to this age of marvels is that the Internet has become a nonstop cyberwar battlefield. Almost every day, there are new and previously unheard of exploits threatening the operations and data of organizations and individuals.
This is a major problem here in India. We are one of the Top 5 destinations for cyberattacks. We rank third worldwide, behind China and the United States, as a source for malicious cyber activity. And the rate of “reported” cyberattacks on Indian targets has doubled year after year since 2005.
It doesn’t appear as if the situation will be changing for the better in the near future. The Modi Administration’s continued push for a massive increase in digital services may be good for the country overall, but such access to services is fast becoming a magnet for hackers and malicious activity.
Traditionally, warnings of new threats and advice on dealing with them have been shared among IT professionals and organizations in an informal manner via press releases and e-mail blasts. It was, “Hey! Here is a new cyberthreat. Good luck.” Often the alerts come too late to prevent damage to an organization. As the rate of cyberattacks continues to increase, such a process is no longer good enough.
Fortunately, there is a bright new development on the cyber battlefield: organizations of all sizes are establishing in-house Security Operations Centers (SOCs). An SOC is a central function, usually a physical location, “where enterprise information systems (web sites, applications, databases, data centers and servers, networks, desktops and other endpoints) are monitored, assessed, and defended.”
A standard SOC is filled with skilled IT professionals whose responsibility is to provide situational awareness through detection, containment, and remediation of cyberthreats.
The main disadvantage of an in-house SOC is the expense of creating and maintaining it. It is common for it to take 18 to 24 months to fully build out a proper SOC. There is also the challenge of personnel; highly-skilled professionals are in demand, and companies must pay top fees to keep them on board. In many locales, there may also be a costly and confusing morass of governmental regulations to follow.
The main advantage is that your organization need not rely on an outside managed security service provider. Because the SOC is responsible only for IT security in your specific environment, it knows that environment's assets and normal behaviour, and so it can prevent, identify, understand, and respond to threats faster.
As I said, highly-skilled SOC team members are in high demand and command large salaries, but working on an SOC team isn’t for everyone. SOC professionals enjoy the “fog” of cyberwarfare. They tend to be competitive and can work in stressful conditions for long periods of time.
Three Critical Aspects of an SOC Team
So, what does it take to build a successful in-house SOC team? The three critical aspects of an SOC team are technology, processes, and personnel. Each of these aspects is crucial, but for the purposes of this article, I’ll focus on personnel and will only briefly touch on technology and processes.
Creating a central location with the ability to monitor and analyze cyberthreats requires cutting-edge equipment and security monitoring tools. Depending on budget and visibility requirements, companies can readily gather a comprehensive set of tools with open-source or commercial solutions.
AlienVault, IBM QRadar, ArcSight, and LogRhythm are all SIEM platforms commonly used as the log-collection and alerting core of an SOC’s tooling.
It is crucial for an SOC team to have a repeatable incident management workflow that includes defined responsibilities for each member and actions to be taken from the initial cyberthreat alert to evaluation, escalation, and remediation.
Thankfully, you need not reinvent the wheel. The most common and popular model for incident response is the one developed by the U.S. Department of Energy Computer Incident Advisory Capability (DOE/CIAC). It consists of six stages: Preparation, Identification, Containment, Eradication, Recovery, and Lessons Learned. The same six phases are the basis of the SANS incident handling process, and NIST SP 800-61 groups them into four (Preparation; Detection and Analysis; Containment, Eradication and Recovery; Post-Incident Activity). The DOE/CIAC has been in place since 1989, and this model has a long track record in practice.
In my opinion, people are the most important aspect of an SOC. The reasoning is simple: Tools are only as good as the people using them, and processes only work if followed. Depending on requirements and the extent to which an organization wants to monitor its assets, SOC teams can consist of as few as four or five IT professionals, although larger SOC teams can include 50 or more individuals.
What is most important is that the team members be comprehensively capable of handling their responsibilities. A general recommendation for a comprehensive SOC team is that it includes individuals with the skills to cover the following four roles and tiers:
Tier 1: Detection Analyst
This is triage analysis, the first line of defence. It involves daily monitoring of system logs and SIEM alerts, triaging those alerts, creating and tracking tickets prioritised by urgency and potential impact, and escalating events to Tier 2 when applicable.
Team members should possess a strong knowledge base in programming, Linux, Windows security, packet analysis, and system administration. Useful certifications include GCIA, GCIH, Security+, and CEH.
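As an added illustration of the Tier 1 loop described above (this is example code written for this page, not anything from the original article or a specific SIEM product), the script below runs one detection rule over a handful of constructed syslog-style SSH authentication lines, turns matches into alerts, scores each alert on an urgency × impact matrix, opens one de-duplicated ticket per source/host pair, and decides whether that ticket must be escalated to Tier 2. The host names, the “critical host” inventory, the failure threshold and the priority thresholds are all assumptions chosen for illustration.

```python
"""Minimal Tier 1 triage loop: detect -> alert -> score -> ticket -> escalate.

Added example, not from the original article.  Hosts, thresholds and the
asset inventory below are assumptions for illustration only.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (syslog auth format; the year is assumed,
# since syslog timestamps omit it).
SAMPLE_LOG = """\
Mar 03 10:00:01 web01 sshd[2113]: Failed password for invalid user admin from 198.51.100.7 port 51111 ssh2
Mar 03 10:00:03 web01 sshd[2114]: Failed password for root from 198.51.100.7 port 51112 ssh2
Mar 03 10:00:04 web01 sshd[2115]: Failed password for root from 198.51.100.7 port 51113 ssh2
Mar 03 10:00:05 web01 sshd[2116]: Failed password for root from 198.51.100.7 port 51114 ssh2
Mar 03 10:00:06 web01 sshd[2117]: Failed password for root from 198.51.100.7 port 51115 ssh2
Mar 03 10:00:09 web01 sshd[2118]: Accepted password for root from 198.51.100.7 port 51116 ssh2
Mar 03 10:05:00 dev02 sshd[3001]: Failed password for alice from 10.0.0.5 port 40001 ssh2
Mar 03 10:20:00 dev02 sshd[3002]: Failed password for alice from 10.0.0.5 port 40002 ssh2
Mar 03 10:40:00 dev02 sshd[3003]: Accepted password for alice from 10.0.0.5 port 40003 ssh2
"""

# Assumed asset inventory: impact depends on what the targeted host is.
CRITICAL_HOSTS = {"web01", "db01"}

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+ ssh2$"
)


def parse(log_text, year=2024):
    """Parse sshd auth lines into event dicts; lines that don't match are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append({"ts": ts, "host": m["host"], "result": m["result"],
                       "user": m["user"], "src": m["src"]})
    return events


def rule_ssh_bruteforce(events, threshold=5, window=timedelta(minutes=2)):
    """Detection rule: >= `threshold` failed logins from one source to one host
    inside `window`; notes whether the same source later got an Accepted login."""
    alerts = []
    by_pair = defaultdict(list)
    for e in events:
        by_pair[(e["src"], e["host"])].append(e)
    for (src, host), evs in by_pair.items():
        fails = [e for e in evs if e["result"] == "Failed"]
        for i in range(len(fails)):
            burst = [f for f in fails[i:] if f["ts"] - fails[i]["ts"] <= window]
            if len(burst) >= threshold:
                last = burst[-1]["ts"]
                success = any(e["result"] == "Accepted" and e["ts"] >= last for e in evs)
                alerts.append({"rule": "ssh_bruteforce", "src": src, "host": host,
                               "failures": len(burst), "succeeded_after": success,
                               "first": burst[0]["ts"], "last": last})
                break  # one alert per pair; dedup below handles repeats
    return alerts


def triage(alert):
    """Tier 1 scoring: urgency from the alert's behaviour, impact from the inventory."""
    urgency = 3 if alert["succeeded_after"] else (2 if alert["failures"] >= 10 else 1)
    impact = 3 if alert["host"] in CRITICAL_HOSTS else 1
    priority = urgency * impact  # 1..9
    severity = "P1" if priority >= 6 else ("P2" if priority >= 3 else "P3")
    # A successful login after a brute-force burst is never closed at Tier 1.
    escalate = alert["succeeded_after"] or severity == "P1"
    return {**alert, "urgency": urgency, "impact": impact,
            "severity": severity, "escalate_to_tier2": escalate}


def open_tickets(alerts):
    """One ticket per (rule, src, host); repeats bump a counter instead of duplicating."""
    tickets = {}
    for a in alerts:
        key = (a["rule"], a["src"], a["host"])
        if key in tickets:
            tickets[key]["occurrences"] += 1
            tickets[key]["last"] = max(tickets[key]["last"], a["last"])
        else:
            tickets[key] = {**triage(a), "occurrences": 1}
    return list(tickets.values())


def run(log_text=SAMPLE_LOG):
    """Full pipeline over a log text; returns the open tickets."""
    return open_tickets(rule_ssh_bruteforce(parse(log_text)))


if __name__ == "__main__":
    for t in run():
        print(f"{t['severity']} {t['rule']} {t['src']} -> {t['host']}: "
              f"{t['failures']} failures, login after burst={t['succeeded_after']}, "
              f"escalate={t['escalate_to_tier2']}")
```

On the constructed data the dev02 activity (two failures fifteen minutes apart, then a success) never reaches the threshold and produces no ticket, while the web01 burst followed by an accepted root login becomes a single P1 ticket flagged for Tier 2. The point of the urgency × impact matrix is that the same rule firing against a non-critical host without a subsequent success would land at P3 and stay with Tier 1.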
Tier 2: Incident Responder
This is the incident responder who receives the alerts Tier 1 has escalated, which typically require deeper investigation and remediation. If an incident requires more than Tier 2 actions, the responder hands it up to the Tier 3 team.
In addition to the certifications listed in Tier 1, incident responders will find the CISSP, GCFA, GCFE, ECSA, and OSCP certifications useful. A strong background in Tier 1 skills is mandatory, and so are the ability and willingness to dig deeper to resolve incidents quickly.
Tier 3: Threat Hunter
The “Threat Hunter” is the team member (or members) who acts on the high-severity events passed up from Tier 2. Their responsibilities also include proactively searching for threats that no existing alert caught, and developing and testing new detection rules and signatures before they are deployed.
Threat hunters need to possess all the above skills, as well as the ability to act as a forensic investigator and think like a hacker. In addition to the above-mentioned certifications, it helps to hold EC-Council’s Licensed Penetration Tester (LPT) credential.
Tier 4: SOC Manager
This is the operational management stage where the SOC manager is responsible for guiding the team in their activities, as well as for providing ongoing training and resource allocation for the SOC to operate effectively.
A strong SOC manager possesses all the skills and experience mentioned above, as well as the ability to see the larger picture, manage people and resources, and make quick, well thought out decisions. In addition to the above certifications, a CISA and/or CISM credential will help an SOC manager round out their skill set.
The demand for SOCs has created a new breed of cyber security enthusiasts who like to get their hands dirty and work with cutting edge tools. In the U.S., an SOC analyst with two or more years of experience can expect to earn between $80,000 and $110,000 per year.
SOC managers can command an annual salary between $100,000 and $180,000 depending on experience. And, like every other aspect of cyber security, there are more jobs than qualified people to fill them. While salaries and the number of SOC openings in India are presently less than in the U.S. and Europe, demand is steadily increasing.
Costs aside, an SOC team with the correct tools and people can be invaluable for proactively protecting mission-critical assets and data. This is a good time for Indian cybersecurity pros to begin preparing for an SOC career. Remember, it’s not a question of whether a hacker will strike, but when.