Evolution of the Next Generation SOC
June 2, 2015
The need for security programs to shift from tactical to strategic in focus has never been stronger. Rising threats have forced organizations to recognize the importance of a rapid response center, dedicated to network and security incidents. In the past, the separation between NOC and SOC seemed logical – NOCs were mature while SOCs were the “new kids on the block” – but today the lines are blurring.
Running an entity that is tasked with centralizing network and security operations event management as well as responding to said events requires focus and a strong skill set. A Next-Generation SOC is comprised of complex tools, strict processes and people with a keen understanding of the business being monitored. All too often, organizations leverage resources internally to build an in house SOC, only to misconfigure the technology thereby generating a massive number of events that cannot be investigated in time. Given the sensitive nature of security incidents, response time is of paramount importance.
Within the Next Generation SOC, security analysts are tasked with responsibilities in incident management, across the following phases:
1. Detection – The NG SOC must detect all security events appropriate for the organization being monitored. If the monitored equipment is not configured properly to send events to the SIEM or Analytics platform, then detection is compromised. Enterprise environments are constantly changing, and as servers are upgraded or refreshed, it is critical that the new devices are properly configured to send or make available their security events to the NG SOC detection tool.
2. Analysis – The NG SOC is tasked with taking a large number of events and ensuring that the truly critical ones are highlighted for follow up. The process of eliminating false-positives requires continuous tuning. The remaining events are then analyzed to determine if a response activity is required.
3. Response/Remediation – Once a critical security event is identified, the NG SOC analysts are required to respond to the event in a particular manner. Depending on the particular event, this can be an escalation, remediation, re-classification (if identified as a false-positive), containment or a procedural response of some sort. As every enterprise environment is different and may be subject to compliance or regulatory requirements, the NG SOC must evolve and adapt to such requirements.
4. Communication/Reporting – A key function of the NG SOC is to communicate and report on incidents. This may entail a complex communication plan depending on the regulatory environment, organizational policies and jurisdictions in play.
5. Prevention – In the past, a traditional SOC or NOC would focus primarily on detection and incident response. (NOC may focus even further on availability as a primary metric). As enterprises and the information security realm have grown in complexity, proactive prevention is a must. The NG SOC must be able to see patterns that may lead to a successful attack and respond to it before it becomes a painful reality. While this is likely the most complex piece of the NG SOC puzzle, advanced tools including big data analytics are required. The value of the Next Generation SOC is found in the creation of actionable intelligence.
As discussed, a successful NG SOC implementation requires tools, process and people. The people aspect is critical and often a major challenge. Keeping and improving the skill level of NG SOC personnel requires the team to be exposed to multiple environments, requirements and events. Outsourcing the NG SOC to an expert partner allows organizations to focus on their business while enabling the NG SOC analysts to leverage learnings from multiple sources to enhance their output for the customer.
Whether it be internal or external, the NG SOC should be composed of the following components:
Methodology and processes
Ramping up a NG SOC is challenging and should not be taken lightly. The methodologies and processes required to succeed with NG SOC development are not easily defined and require constant tuning based on the organization’s scope and scale. Organizations need a security management framework, clear escalation process and an inventory of their informational assets to begin the process but both time and resources may be better served to have a trusted advisor and managed services expert on board from day one.
Having the right combination of tools appropriate for each phase of the incident lifecycle is key. There is not a single tool that would work for all phases and defining the correct mix is critical.
Threat Intelligence and Information Sharing
Information sharing when executed correctly can assist in decision making and help your organization be proactive in defending its security posture. For example if you know that a peer organization in your sector is being impacted by a particular malicious actor, you may be able to block such actors before they turn their attention to your organization.
Having the skills to execute NG SOC priorities is key, however, skills must be honed and developed. Knowing how to develop those skills is a skill in and of itself. Having a partner`s support in this area may reduce training cycles and costs.
While incident management is part of the process flow, it needs to be highlighted independently. The entire premise for having a SOC in the first place is to identify incidents. Once an incident occurs, it is imperative you have the right pieces to ensure that timely containment and remediation take place. The NG SOC is also responsible to integrate with NOC activities and must be able to monitor & report on traditional networking events & circuits.
Security professionals recognize that it’s time to transition from a tactical approach to a strategic methodology in proactively planning their security posture’s defense. Malicious security actors have never worked a 9-5 day so organizations must be appropriately staffed and supported 24 x 7 x 365 regardless of the in house, outsourced, on prem, cloud or hybrid management model selected.