Security Operations Centre – part 1
What is a Security Operations Centre (SOC)?
As with many concepts, there is no single definition of what a Security Operations Centre (SOC) is. According to the SANS Institute, a SOC is a combination of people, processes and technologies that secures an organisation's information systems through proactive design and configuration, ongoing monitoring of the systems' state, detection of unintended actions and undesirable system states, and limiting the outcomes of unwanted effects.
Types of Security Operations Centres
As with the definition of a SOC, one finds slight differences in how SOCs are classified. For the purpose of this article, we group them into six categories. The type of SOC an organisation implements will depend on factors such as its size, budget, staff availability, and other strategic and long-term goals.
1. SOC as a Service
With the advance of cloud computing in recent years and the trend for companies to consume more and more services in this way, Security Operations Centre services follow the same pattern: organisations outsource their security operations workload to third-party Managed Security Service Providers (MSSPs).
This form of SOC may be best suited to companies that do not have the staff available for the job, lack the necessary technological infrastructure, or simply have other priorities for their resources.
The difficulty with this model lies in finding a provider that is truly reliable and can deliver the desired service at the right price. Because the provider needs access to the organisation's logs and systems to do its work, the contract should also state clearly what visibility the provider gets, how quickly it must respond, and how the organisation's data is handled.
2. Hybrid SOC (co-managed)
This model combines in-house employees with an outsourced SOC as a Service. Responsibilities are divided according to the capabilities and structure of the business. For example, internal staff may be available only during normal working hours while external analysts provide coverage 24/7. Often in this model the internal employees provide the higher tiers of support, such as Tier 3 threat hunting and complex incident response, while the external team covers the lower tiers. How much control the organisation retains over the process, and how efficient it is, depends on how much of the SOC is outsourced.
3. Dedicated SOC
In the dedicated Security Operations Centre model, the centre is located on the organisation's own premises, with internal employees performing only cybersecurity-related duties, 24/7. Typically it is large organisations facing regular cyberattacks that run a dedicated SOC. The main benefit of this model is complete ownership of decision-making, with team members building up organisation-specific knowledge over time.
4. Multifunctional SOC/NOC
A combined Security Operations Centre and Network Operations Centre has dedicated in-house premises and is staffed by internal employees available 24/7. A SOC/NOC structure is usually found in organisations that rely on complex IT environments (such as telecom companies) and require a high level of service availability. Sharing existing infrastructure and staff between the two functions can help these organisations reduce costs.
5. Virtual SOC
There is no dedicated office in this model. Team members may work part-time and from different locations, coordinating their processes through secure communications. Its main role is to carry out reactive actions when an incident occurs. The model is mainly used for SOC outsourcing.
6. Command SOC
This Security Operations Centre manages and coordinates the work of other SOCs located in different geographical locations or business units, and is usually made up of the most qualified cybersecurity employees. It provides additional specialist support and rarely performs everyday, routine duties.
Some SOC statistics
In the ‘Common and Best Practices for Security Operations Centers’ survey conducted by the SANS Institute in 2019, 57% of respondents reported a lack of skilled staff as the top challenge facing centralised SOCs. This was followed by 43% citing too many tools that are not integrated with one another, and a lack of processes was mentioned by 36% of respondents.
Next week we will continue with Security Operations Centre technologies.
Do you require help with Managed Security for your solution on Amazon Web Services?
SEQRED offers AWS level 1 Managed Security Services.
To discuss your requirements, contact SEQRED at [email protected]
About this guide
The idea for this article was inspired by an in-house presentation by Józef Sulwiński which you can watch here.