Have you ever wondered what goes on “behind the curtain” in a security operations center (SOC)? It’s the SOC’s job to keep the enterprise safe from cyber-threats, but how does it do that?
Typically, today’s security operations center is a dedicated facility that houses a team of highly skilled security analysts, often operating in shifts around the clock. Their mission is to continually monitor the organization’s security posture and respond to alerts and incidents. When an alert fires in a SOC, security operations personnel triage and contain the incident as quickly as possible so that damage is minimized or a potential breach is avoided altogether.
Security operations center challenges
Given the blinding speed at which alerts pile up in the security information and event management (SIEM) console, the SOC analyst’s job can be overwhelming, with many more alerts than one person can possibly review and no end in sight.
- Twenty-seven percent of SOCs receive more than 1 million alerts each day.
- The average security analyst investigates 20–25 incidents in any given day.
- It takes 13–18 minutes to manually compare indicators of compromise (IoCs) against logs, threat intelligence feeds, and external intelligence.
- Manual research can yield false positive rates of 70 percent or higher.
To make matters worse, as security analysts struggle against an ever-increasing volume of complex alerts, the SOC is facing a talent crisis. Sixty-six percent of cybersecurity professionals believe there are too few qualified analysts to handle alert volume in the SOC.
In-house security operations center and other options
Depending on the size of your organization, you might run an in-house security operations center; however, this can be costly, as it requires a dedicated facility, presents serious staffing challenges, and will require considerable ongoing attention and resources to be effective. For this reason, many organizations (including some of the largest ones) choose to use other security monitoring options, such as engaging a managed security service provider (MSSP).
Security Operations Center models include:
- Virtual SOC – No dedicated facility, part-time team, reactive when a critical alert or incident occurs
- Dedicated SOC – Dedicated team and facility, fully in-house, typically 24×7 operation
- Distributed/Co-Managed SOC – Dedicated or semi-dedicated team, typically 8×5 operation, co-managed when used with an MSSP
- Command SOC – Coordinates other SOCs, provides threat intelligence, situational awareness, and additional expertise
- Multifunction SOC/NOC – Dedicated facility and team performing not just security but other critical 24×7 IT operations, typically combined to reduce costs
Moving toward “the intelligent SOC”
Whether your SOC is in-house or outsourced, it needs to be increasingly intelligent and self-learning. With an intelligent SOC (iSOC), you can apply the power of AI and other sophisticated tools to be proactive in your cyber-defense strategies, rather than just reacting to alerts and events. To stay ahead of the curve, the iSOC provides:
- Automatic discovery of IT assets and users
- Continuous monitoring for hundreds of breach risk factors
- Real-time visibility across device, application, and user inventory and attack surfaces
- Comprehensive risk assessment using deep learning and other advanced AI algorithms that reveal relevant breach risk insights
- Tools that enable expert security personnel to prioritize by business criticality
- Modeling of likely threats so that mitigating steps can be taken proactively
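The two pieces of SOC work this page keeps returning to, comparing IoCs against logs and threat intelligence (the 13–18 minute manual task in the challenges section above) and prioritizing what surfaces by business criticality (the iSOC list just above), are the kind of thing an automated pipeline does in milliseconds. The following is an added example written for this page, not code from the original article or from any product it describes. The log lines, the IoC feed, the asset inventory and the scoring weights (intel confidence multiplied by asset criticality, halved when the event was already blocked) are all constructed assumptions for illustration:

```python
"""Automated IoC matching and alert prioritization (added example).

Everything below is constructed for illustration: the sample logs, the
IoC feed, the asset inventory and the scoring weights are assumptions,
not data or a scoring standard from the original page.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed threat-intel feed: indicator -> (type, confidence 0..100)
IOC_FEED = {
    "198.51.100.23": ("ipv4", 90),
    "evil-update.example": ("domain", 80),
    "44d88612fea8a8f36de82e1278abb02f": ("md5", 95),
}

# Constructed asset inventory: hostname -> business criticality (1 low .. 5 critical)
ASSET_CRITICALITY = {
    "payroll-db01": 5,
    "web-frontend03": 3,
    "lab-vm17": 1,
}
DEFAULT_CRITICALITY = 2  # assumed value for hosts missing from the inventory

# Constructed sample events in a syslog-like "<timestamp> <host> <source>: <msg>" layout
SAMPLE_LOGS = [
    "2024-03-01T10:00:01Z web-frontend03 proxy: GET http://evil-update.example/payload.bin 200",
    "2024-03-01T10:00:05Z payroll-db01 firewall: DENY tcp 10.0.5.12:51234 -> 198.51.100.23:443",
    "2024-03-01T10:00:09Z lab-vm17 av: quarantined file md5=44d88612fea8a8f36de82e1278abb02f",
    "2024-03-01T10:00:12Z web-frontend03 proxy: GET http://updates.example.org/ok.bin 200",
]

# Token patterns for the indicator types carried by the feed above
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
MD5 = re.compile(r"\b[0-9a-f]{32}\b")
DOMAIN = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b")

# Words that indicate the control already stopped the activity (assumed list)
BLOCKED_WORDS = ("deny", "denied", "blocked", "quarantined")


@dataclass
class Alert:
    host: str
    indicator: str
    ioc_type: str
    confidence: int
    criticality: int
    blocked: bool
    log: str

    @property
    def priority(self) -> int:
        """Assumed weighting: intel confidence scaled by asset criticality,
        halved when the event shows the activity was already blocked."""
        score = self.confidence * self.criticality
        return score // 2 if self.blocked else score


def extract_candidates(line: str) -> set[str]:
    """Pull every IP, MD5 and domain-looking token out of one log line."""
    text = line.lower()
    return set(IPV4.findall(text)) | set(MD5.findall(text)) | set(DOMAIN.findall(text))


def match_iocs(lines, feed=IOC_FEED, assets=ASSET_CRITICALITY) -> list[Alert]:
    """Compare each line's candidate tokens with the feed; one Alert per hit."""
    alerts = []
    for line in lines:
        parts = line.split()
        if len(parts) < 2:          # malformed line: no hostname field
            continue
        host = parts[1]
        blocked = any(word in line.lower() for word in BLOCKED_WORDS)
        for token in extract_candidates(line):
            if token in feed:
                ioc_type, confidence = feed[token]
                alerts.append(Alert(host, token, ioc_type, confidence,
                                    assets.get(host, DEFAULT_CRITICALITY),
                                    blocked, line))
    return alerts


def prioritize(alerts: list[Alert]) -> list[Alert]:
    """Order the queue so the analyst sees the highest business risk first."""
    return sorted(alerts, key=lambda a: a.priority, reverse=True)


if __name__ == "__main__":
    for alert in prioritize(match_iocs(SAMPLE_LOGS)):
        print(f"{alert.priority:4d} {alert.host:15s} {alert.ioc_type:6s} "
              f"{alert.indicator}{' (blocked)' if alert.blocked else ''}")
```

Running it on the constructed logs yields three hits from four lines and ranks the successful proxy fetch from a medium-criticality web host above the firewall-denied connection from the critical payroll database, because the latter was already stopped. That ordering is the point: raw IoC confidence alone would put the payroll host first and send the analyst to the wrong place. A production pipeline would add what this example omits, such as feed expiry, allow-listing of known-benign infrastructure that appears in feeds, and richer outcome signals than a handful of keywords.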
Conclusion – the next-gen security operations center
Built around intelligent self-learning tools and highly skilled personnel, the next-gen security operations center model can be characterized as smart, continuous, comprehensive, predictive, and prescriptive. As such, it has the ability to maintain a laser focus on what’s critical to the business, keep its fingers on the pulse of an ever-evolving threat landscape, and stay ahead of the attackers.
As hackers and cybercriminals launch increasingly sophisticated attempts to steal sensitive data and worm their way into business-critical applications, security operations centers are the dedicated teams on the front line working to stop them. They stay up-to-date on the latest threats and mitigation techniques so they can act as an early warning system. As traditional SOCs transition to smarter iSOCs, they provide detailed insights and actionable intelligence based on continuous risk assessments. They also have automated tools to continuously measure and enhance the effective cyber-resilience of the network, providing an increasingly critical service to organizations across the globe.