Anatomy of a Managed Security Operations Center

A security operations center (SOC), sometimes referred to as an information security operations center, is becoming necessary for businesses of all sizes and industries. With the COVID-19 pandemic driving a massive surge in mobilization through social distancing and work-from-home measures, companies have had to adapt to cloud and remote platforms. To combat the new and increased risks these entail, managed security operations centers offer businesses maximum protection.

Read on to learn about what they comprise and how they can help your company.

 

Anatomy of a Managed Security Operations Center

Given their importance for all companies, you need to know managed SOC anatomy inside and out. But to understand how management for your SOC might work, it’s essential to understand what any SOC looks like and how SOCs interact with your company’s other segments. In this guide, we’ll break down cybersecurity operations center anatomy into two primary sections:

• A comprehensive overview of what SOCs are, what they comprise, and what they do
• How SOCs relate to the rest of your cybersecurity infrastructure and anatomy

By the end of this blog, you’ll be well equipped to bolster your defenses, with or without the help of external service providers. But first, let’s take a look at why SOC management is essential.

 

Schedule a Free Consultation!

 

Why Managing Security Operations is Critical

According to a 2019 McKinsey report on the risk-based future of cybersecurity, maturity-focused approaches that measure success through control thresholds are doomed to fail. They will tend toward overburdening companies’ internal IT teams as the number and complexity of programs monitored grow exponentially.

This is even more true now in a world impacted by COVID-19, and why managed SOC is critical: an internal SOC solution is rarely feasible to maintain.

While the report identifies SOC development as part of a maturity-focused approach, it doesn’t consider how managed SOC works to anticipate and alleviate these challenges when a managed security services provider (MSSP) presides over it. Because cyberdefense is prohibitively challenging to handle internally, companies need to contract MSSPs.

Security Operations Center (SOC) 101

Whether internally or externally managed, a robust SOC is a critical component of your overall cybersecurity architecture. While SOCs vary in nature, most adhere to the definition of (or risk-informed) security paradigm. Almost all SOCs work in close conjunction with or as a company’s incident response team. The focus is on identifying risks that may turn into events and (often more critically) responding to events that do become cyber-attacks.

The following subsections will look at the infrastructure and personnel that make up an SOC. Then, we’ll look at their functions and one case study of an SOC in action.

 

Infrastructural Components of an SOC

What your SOC comprises depends heavily on both the needs and means of your company and the nature of the MSSP providing it when there are external managed options. Your SOC may be a diverse collection of services covering everything your internal IT team can’t offer. In other cases, it is a limited, tailored set of incident response services distinct from analytical or inventory functions. Per one expert’s breakdown of SOC architecture, it usually includes:

• Perimeter defenses, such as firewalls and proactive web filters, to prevent intrusions
• Security information event management (SIEM) and Intrusion detection systems (IDS)
• Capacities for investigating breaches and deploying real-time responses accordingly

Also, your SOC can include solutions for entire segments of your company, such as identity and access management suites or cloud security services. It all depends on your needs.

 

Personnel, Roles, and Responsibilities

If your SOC is managed internally, its personnel will likely comprise IT staff and individual ambassadors and liaisons from other select departments (finance, research, and development, etc.). For a managed SOC, most or all staffing will be outsourced to the MSSP, who may also contract other suppliers and vendors to adequately staff your SOC, depending on your needs.

Leadership will likewise depend upon your company’s internal IT team. If you employ a C-suite chief information security officer (CISO), or a third-party virtual CISO, they’ll likely be in charge. These same individuals might provide oversight for an entirely third-party managed SOC, but your MSSP may also provide its own managerial suite, depending on your contractual conditions.

Regardless of their position, the company must allocate personnel to accommodate functions such as analysis, investigation, response, assessment, and overall SOC system maintenance.

 

Core SOC Purposes and Functionalities

As noted above, the primary focus of most SOCs is on incident response. In many cases, this branches out into the broader category of incident management, including but not limited to:

• Identification – This is the continuous monitoring for suspicious activity and immediate flagging and engagement of anything that might be a breach, pending confirmation that it is.
• Inventorying – Upon confirmation of an attack or other cybersecurity event, this is the immediate logging and notification to staff responsible for response and recovery measures.
• Investigation – This is the deep analysis of the given security event at multiple levels, including immediate response and recovery measures and long-term reduction of cause(s).
• Assignment – This is the planning of appropriate response and recovery practices, including allocating resources and personnel to implement necessary controls and actions.
• Resolution – Implementing processes planned out in the assignment phase and necessary adjustments fully eradicate the attack and patch any new vulnerabilities.
• Continuity – This is the restoration of normal business operations, including appeasement and customer satisfaction, personnel, partners, and all other impacted stakeholders.

Whether internal or external, your SOC team should handle attacks as they happen. The team also needs to implement continuous prevention, limiting the number of attacks and recovery efforts. SOCs are comprehensive solutions — when risk-focused security is taken to its logical conclusion.

Spotlight Example: Interactive IT Training

As noted above, your SOC can include as much (or as little) of your company’s cybersecurity functions as you need it to, regardless of whether it’s managed internally or externally. One unexpected area where it can shine is in training programs for your staff.

For example, consider the innovative incident response tabletop exercise RSI Security offers as part of our SOC and MSSP suites. Once your organization has developed an incident response plan (IRP), we will craft multiple scenarios to test it by simulating attacks or threats. These stresses on the IRP will help determine its pain points, places most in need of repair or optimization.

Typical scenarios include individual and complex malware deployment, attacks on wireless networks, and cloud computing-based stress testing — which is increasingly valuable in our highly mobile era.

 

Integrating Managed SOC Architecture

As the above sections illustrate, your SOC configuration can be flexible and scalable to your company’s specific needs and means. The same is true of how it fits within your company’s overall cybersecurity framework, whether the SOC itself is internally or externally managed. For example, an SOC might cover comprehensive incident management, as detailed above, or it might focus on pared-down versions, such as managed detection and response.

The following subsections will identify areas of the ideal synergy between your SOC’s anatomy and your broader organizational approach to cybersecurity. These include both baseline and advanced risk mitigation practices and regulatory compliance and awareness training.

 

Monitor for and Correct Threats and Risks

An SOC primarily focuses on the response to attacks and events. But to effectively respond to them, the SOC also needs to incorporate monitoring practices as part of the SOC function itself or alongside elements of your company dedicated to this function.

Components of a threat and vulnerability management program include but are not limited to:

• Continuous vulnerability scanning; analysis of identified risk or threat factors
• Collection and mobilization of threat intelligence, the company- and industry-wide
• Risk scanning for cloud platforms, applications, websites, and all other assets
• Internet of Things (IoT) assessments for smartphones and connected devices
• Threat lifecycle management and asset or infrastructure lifecycle management

These measures are not limited to your internal resources. Threat management within or alongside your SOC needs to account for third-party risks, as well. Every vendor and supplier you work with brings their own threats, including your MSSPs. Your SOC helps mitigate these.

 

Deep, Complex Analytical Methodologies

For companies facing what some security experts call “advanced persistent threats,” a basic vulnerability management program may not be enough to keep your stakeholders safe. You might need to employ advanced analytical techniques commensurate to those threats.

Enter the practice of penetration testing or pen-testing. This is a form of “ethical” hacking in which a cybersecurity expert or team of experts simulates an attack on your system so that you can study how actual, malicious attacks are likely to look. Whether internal or external, your SOC is an ideal partner to work with the pen-testing team or conduct the pen-tests themselves.

Two primary forms of pen-tests are most common: external and internal. The former also called “black hat,” involves little to no knowledge of your security architecture — the hack is performed from scratch. The latter, also called “white hat,” simulates an insider attack committed by a current employee, a disgruntled former employee, or another party with privileged information to get into your company network.

 

Track and Facilitate Regulatory Compliance

Another area in which your SOC can integrate seamlessly into other systems is in the scanning and maintaining regulatory compliance. Although SOCs are focused on breaches, you can also leverage them to conduct or facilitate compliance-specific audits and assessments.

For example, consider the following possible compliance-focused deployments and integrations:

• A “NIST security operations center” is optimized to scan for compliance violations specific to NIST Special Publication 800-171, Cybersecurity Model Maturity Certification, and other requirements for contractors working with the Department of Defense (DoD).
• A joint task force made up of your SOC, Human Resources, and other departments contracted to monitor for breaches to report, as defined by the Health Insurance Portability and Accountability Act, which applies to covered entities in and around healthcare.
• A facilitated Payment Card Industry (PCI) Data Security Standard (DSS) compliance assessment (required for all companies that process payments via credit cards) is conducted by delegating all PCI-specific monitoring, analytical, and reporting responsibilities to your SOC.

An SOC can facilitate all compliance matters, from building out required controls to gap analysis, patch reporting, and reparative work needed for their long-term maintenance.

 

Broader, Continuous Awareness Training

Above, we detailed one particular use case for managed SOC: innovative training based on interactive practice. Through robust cooperation between your SOC, internal IT, and other MSSPs on your team, you can optimize all your continuous security awareness training.

RSI Security can craft a suite of regular workshops and literature to cultivate awareness across your staff, either as your SOC or in close conjunction with your existing SOC. We offer baseline courses in subjects such as phishing (and vishing/smishing) awareness, as well as tests and activities to put your staff’s knowledge to the test. We can complement these introductory lessons with more advanced training in everything from cryptography to automation.

 

Robust, Professional Security Solutions

To recap, your SOC is a critical element of your cyberdefense framework. Whether internally or externally managed, it’s the best way to keep up with evolving threats and attacks in our mobile business environment. This is because it integrates into and strengthens all internal systems.

RSI Security is happy to help you build out or manage your internal SOC. Our talented team of experts boasts over a decade of experience in all of the services detailed above.

We can also meet your company’s needs with niche packages like open-source scanning (OSS) automation or cybersecurity technical writing. If you need us to manage, improve, or build out controls, we’re happy to help. To optimize your managed security operations center or other elements of your overall cybersecurity, contact RSI Security today! We have you covered.