Security operations centers (SOC) have been around for a while, stretching back to the old room full of live camera feeds. The intent of a SOC is simple: provide the business with the ability to see what is going on in order to take action if necessary. The level of SOC sophistication has varied depending on the risks and the complexity of the infrastructure. Consider the humble stretch of road as an analogy for businesses in the very early days of the internet: in low-risk, low-traffic areas, it was often not necessary to have constant additional surveillance of that road. Road rules -- basic perimeter-based network security measures like firewalls -- still applied, but it was considered sufficient for any out-of-the-ordinary incidents to be handled reactively.
Then, when a stretch of road became busy, speed limits might have been reassessed. A stop sign might have been introduced. Then a traffic light. Then live monitoring of an intersection.
The days of back-country roads, where traffic was scarce and those traveling on them could be trusted to a degree not to break the rules, are gone. Today's businesses of any reasonable size are setting up next to a well-established highway of attackers who are actively seeking to break in, and who in some cases are no longer sole actors but well-funded criminal groups. This now applies even to businesses that may have considered themselves to be of low interest and to have low amounts of traffic, because of the increasingly opportunistic nature of attacks and a new wave of sophistication shown by online criminals.
However, the term Advanced Security Operations Center keeps popping up. It represents another shift in security as attacks take advantage of new technologies and attack vectors. What new challenges do SOCs need to be able to deal with to warrant them being called advanced? And how do you tell if yours is advanced or still in the stone age? Here are three things that are needed for a SOC to earn its "advanced" title.
Increased visibility and modularity
As highways and tunnels increased in scale and complexity, so too did the number of traffic cameras and feeds in the traditional SOC. However, businesses expand at a much faster rate. With attackers automating their attacks and scanning infrastructure without any human intervention required, it has become unacceptable to have any blind spots in newly added or not-yet-configured infrastructure. Yet today's SOC analysts commonly complain that even though they know attacks are occurring, criminals use techniques, including abusing the business's own infrastructure, that let them remain hidden.
For a SOC to be advanced, it should provide analysts with the full view of data from multiple sources within the business. A basic SOC may already have a Security Information and Event Management (SIEM) in place to sift through logs, however, as noted in a recent Ernst and Young report on SOCs, a SIEM system alone does not equate to mature security monitoring, and the benefits of a SIEM cannot be fully realised without a well designed SOC.
In addition to the full view of data, an advanced SOC should have the capability to expand with the business at a moment's notice. A modular approach to an advanced SOC should be mandatory, allowing the business to roll out new infrastructure and immediately take advantage of out-of-the-box rules/configurations. This approach should expose the organisation to a minimal amount of risk as its infrastructure grows and enable rather than prohibit its business goals.
Increased correlation and analysis
Older SOCs were great for digging through logs. However, this is the age of Big Data, of security analytics, and soon of the Internet of Things. While logs will always be an important tool in the SOC analyst's toolkit, they are not enough. To fully realise the benefits of a modular approach to an advanced SOC, the SOC must be able to analyse these additional data feeds as well: not just logs, and not just structured data.
The advanced SOC pulls in information from multiple sources, whether that be endpoints, gateways, or any networked devices, and determines which information matters most. Traditionally, if an analyst wanted to investigate an issue, they might get a hint of the incident through a SIEM system, then move from device to device trying to determine from logs alone what had happened. Any wider signs of compromise across multiple devices might be missed, or mistakenly thought of as "normal" behaviour if the severity of the attack was underestimated.
However, the advanced SOC should be able to use multiple data sources to identify anomalous behaviour and, by using big data analytics to build a footprint of known normal behaviour, build an investigative case for an attack. When investigating such an attack, analytics can assist by determining whether, for example, connections to a remote site are performed with a regularity that indicates a human user, an innocuous automated process, or malware. This ability moves the advanced SOC away from log-driven security and towards intelligence-driven security.
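The regularity check described above, as an added example that is not part of the original article: it reads a constructed connection log (timestamp, source host, destination), measures how periodic each host's connections to each destination are, and labels the series as human-like, known benign automation, or a suspect beacon. The "known normal" footprint is a hard-coded set here (an assumption standing in for the analytics baseline the text describes), and the hosts, destinations and timestamps are all made up. It also shows the scope step: once one beaconing host is found, every other host talking to the same destination is listed, which is the cross-device view a per-device log search would miss.

```python
"""Beaconing detection over a multi-host connection log (added example, constructed data)."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample log, one record per line: "epoch_seconds,src_ip,dst_host".
# 10.0.0.5 -> evil.example roughly every 300 s; 10.0.0.5 -> ntp.example every hour;
# 10.0.0.7 -> news.example at irregular, human-looking gaps; 10.0.0.9 -> evil.example
# only three times (too few to judge on its own).
SAMPLE_LOG = """\
0,10.0.0.5,evil.example
0,10.0.0.5,ntp.example
10,10.0.0.7,news.example
45,10.0.0.7,news.example
100,10.0.0.9,evil.example
301,10.0.0.5,evil.example
400,10.0.0.7,news.example
400,10.0.0.9,evil.example
412,10.0.0.7,news.example
599,10.0.0.5,evil.example
700,10.0.0.9,evil.example
900,10.0.0.5,evil.example
1202,10.0.0.5,evil.example
1300,10.0.0.7,news.example
1500,10.0.0.5,evil.example
1799,10.0.0.5,evil.example
1900,10.0.0.7,news.example
2100,10.0.0.5,evil.example
3600,10.0.0.5,ntp.example
7200,10.0.0.5,ntp.example
10800,10.0.0.5,ntp.example
14400,10.0.0.5,ntp.example
"""

# Assumed stand-in for the "footprint of known normal behaviour": destinations that
# the business already knows are contacted by scheduled, innocuous processes.
KNOWN_AUTOMATION = {"ntp.example"}


def parse_log(text):
    """Group the log into {(src, dst): [sorted timestamps]}."""
    conns = defaultdict(list)
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, src, dst = line.split(",")
        conns[(src, dst)].append(int(ts))
    for times in conns.values():
        times.sort()
    return conns


def regularity(times):
    """Coefficient of variation of the gaps between connections.
    0.0 means perfectly periodic; None when there are fewer than two gaps."""
    gaps = [b - a for a, b in zip(times, times[1:])]
    if len(gaps) < 2:
        return None
    avg = mean(gaps)
    return pstdev(gaps) / avg if avg > 0 else None


def classify(dst, times, known_automation=KNOWN_AUTOMATION,
             min_connections=4, max_cv=0.1):
    """Label one (src, dst) series by how regular its connections are."""
    if len(times) < min_connections:
        return "insufficient-data"
    cv = regularity(times)
    if cv > max_cv:
        return "human-like"          # irregular gaps: interactive use
    if dst in known_automation:
        return "benign-automation"   # periodic, but part of the known-normal footprint
    return "suspect-beacon"          # periodic and unexplained: open a case


def analyse(text, known_automation=KNOWN_AUTOMATION):
    """Classify every (src, dst) pair in the log."""
    conns = parse_log(text)
    return {key: classify(key[1], times, known_automation) for key, times in conns.items()}


def scope(text, dst):
    """Every internal host that contacted dst at all, however irregularly.
    This is the cross-device view that pivoting host by host tends to miss."""
    conns = parse_log(text)
    return sorted({src for (src, d) in conns if d == dst})


if __name__ == "__main__":
    for (src, dst), label in sorted(analyse(SAMPLE_LOG).items()):
        print(f"{src:10} -> {dst:14} {label}")
    print("hosts in scope for evil.example:", scope(SAMPLE_LOG, "evil.example"))
```

The thresholds (four connections, 10% coefficient of variation) are deliberately simple; a production baseline would be learned per destination and would also consider byte counts and time of day, but the shape of the decision is the same: periodicity separates people from machines, and the known-normal footprint separates the scheduler from the implant. Note that 10.0.0.9 is not flagged on its own evidence, yet appears in the scope of the destination flagged for 10.0.0.5, which is exactly the wider sign of compromise the text warns is easy to miss.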
Incident workflow and prioritisation
Even when a SOC analyst has the tools to identify and analyse an attack, if they are unable to prioritise an incident, they may be sacrificing the forest for a tree. A common complaint from SOC managers is that they want their already great teams to focus on the top issues in order to provide the business with more value.
SOCs that can wear the advanced title do this and more. The combination of increased visibility and analysis already provides the SOC analyst with the tools to be more effective, but an advanced SOC goes further, offering a workflow that prioritises the most important incidents, provides an audit trail, and gives the analyst the ability to go into as much or as little investigative depth as necessary.
A simple workflow provides analysts of all levels with the clear business rules on what incidents they are required to investigate, how to escalate these, and importantly the order in which to do so to minimise the risk to the business. From within their workflow, analysts should be able to begin their investigation without having to go to a third party tool or device, with clear instructions or recommendations on what kind of activity has been suspected.
To assist the analyst, information at the time of the attack needs to be available. While the traditional SOC might provide basic logging to reveal basic metadata, an advanced SOC must be able to present the analyst with full packet inspection, instantly provide them with the scope of the attack without the need to manually interrogate each device, and show what information may have been affected.
This combination of visibility, analysis and action is what makes a SOC advanced. Most importantly, however, it is what allows an analyst to answer the CEO's most pressing incident response questions in the minimal amount of time: "How did they get in, what did they do, and are we safe?"