Security operations centers (SOC) comprise the people, processes, and technology that manage an organization’s cybersecurity strategy and its execution. Designing a security operations center architecture from the ground up or reorganizing an existing team will always revolve around these three components, and each necessitates specific considerations.
Security Operations Center Architecture
Establishing a step-by-step process for how to build a security operations center is challenging, as three main components must be determined in conjunction:
- Personnel
- Processes
- Technology
Building a SOC is like assembling a tripod: each leg must be independently sturdy but depends on the other two’s support to remain upright.
Further, different considerations, such as industry regulations and business activity, will predetermine an organization’s security operations center architecture. However, breaking down each component’s strategic and management requirements provides any organization with a SOC blueprint.
What is a SOC?
A SOC comprises all aspects of an organization’s cybersecurity management and execution, although the notion of “center” can be misleading. SOCs do not require a centralized physical space akin to “command centers,” and many organizations leverage remote teams or outsource responsibilities to managed security services providers (MSSPs).
Technically, every organization that utilizes IT resources already has a security operations center framework merely by virtue of the technologies involved and the efforts of whoever manages them. However, these efforts may be informal or lack strategy and documentation.
Relying on ad hoc SOC efforts heavily increases the likelihood that some responsibilities fall through the cracks, cybersecurity infrastructure becomes too confusing to manage, and cyberattacks go unnoticed. In contrast, building a mature SOC requires dedicated personnel, processes, and technology—as well as ongoing, active management and assessment to help ensure the team continues to function optimally.
Security Operations Center Personnel
Arguably, the most challenging aspect of realizing a well-defined security operations center architecture is assembling the necessary personnel. A SOC generally comprises four to six different types of roles:
- Tier-one analyst
- Tier-two analyst
- Tier-three threat hunter
- Tier-four manager
- Chief information security officer (CISO)
- Cybersecurity engineer/architect
Depending on the size of an organization and its SOC team, some roles may be combined. For example, a CISO may also function as the SOC team’s manager.
Tier-One and Tier-Two Analysts
Tier-one and tier-two analysts execute the bulk of SOC responsibilities: analyzing collected monitoring data and investigating potential incidents. As cybersecurity efforts have grown too complex to conduct and monitor manually, these roles regularly rely on scanning tools to centrally aggregate data (e.g., network activity) for review.
Tier-one analysts monitor for suspicious activity and cybersecurity vulnerabilities, triaging potential threats and escalating those that warrant a more complex response. This role is critical for sorting through any concerns discovered during scanning and recognizing false positives (i.e., legitimate activity flagged by security information and event management (SIEM) or other tools).
Tier-two analysts investigate the incidents escalated by their tier-one counterparts, conducting a more thorough review to determine whether a flagged incident indicates a threat to mitigate or vulnerability to patch. If action is warranted, a tier-two analyst will carry out these efforts according to predefined response plans or escalate the matter further up the SOC role tiers.
Much as with the potential overlap between tier-four managers and CISO roles, an organization may not establish dedicated tier-one and tier-two analysts. Instead, these lower-level SOC team responsibilities may be determined by employees’ seniority and relevant experience.
Tier-Three Threat Hunter
Tier-three threat hunters fulfill one of the most complex and challenging roles a SOC team needs in order to be effective. If a tier-two analyst escalates an incident further, threat hunters often have the experience necessary for assessing more complex threats and vulnerabilities. They provide the threat intelligence and expertise to conduct root cause and forensic analysis for these incidents to determine their full extent.
However, daily responsibilities for tier-three threat hunters typically revolve around leveraging that threat intelligence to seek out attacks capable of evading signature detection. Threat signatures are the known and identifiable indicators of particular attack types and are recognized and defined within scanning tools.
Threat hunters provide an essential function, as scanning tools often fail to recognize newly emerging cyberthreat techniques and advanced persistent threats (APTs). Upon reaching tier-three, SOC personnel must have the knowledge and experience to assess their organization’s cybersecurity infrastructure from a hacker’s perspective to determine what exploits may be utilized to bypass security and access targets.
Tier-Four Manager
SOC managers oversee team operations to ensure cybersecurity efforts are maintained and effective. Depending on the severity of a given situation, managers also help respond to complex incidents as necessary. Depending on the size of an organization’s team, multiple managers may be required, particularly if the SOC is decentralized among numerous branches or geographically separate departments.
In addition to managing SOC personnel and assisting when warranted, tier-four roles may execute responsibilities that would traditionally fall under CISOs’ purview.
Chief Information Security Officer (CISO)
CISOs oversee an organization’s entire cybersecurity. Those filling the role may occasionally get their hands dirty with analysis and incident response, but they predominantly manage the highest-level oversight and implementation responsibilities. CISOs also function as a liaison to other executives or a board of directors regarding organization-wide cybersecurity.
CISOs must be experienced and knowledgeable enough to navigate technical implementations and the aftermath of incidents, such as data breaches.
Not every organization employs a cybersecurity executive, and tier-four managers may be called upon to fulfill the role when necessary. Alternatively, an individual may be given the title of CISO but spend most of their time managing other SOC personnel. As another option, many organizations outsource this executive role via contracted virtual CISOs (vCISO).
MSSPs, such as RSI Security, can easily manage an organization’s needs on a fractional (i.e., part-time), temporary, or ongoing basis.
Cybersecurity Engineer/Architect
SOC engineers are essential to any organization that relies on in-house development efforts. If your organization utilizes custom-built programs or applications, it needs to ensure integration with broader cybersecurity strategies.
SOC roles typically revolve around detection and response, with the primary exception of engineers/architects. A dedicated engineer can work alongside other SOC roles to ensure that ongoing development or implementation efforts incorporate up-to-date threat intelligence. Organizations that seek to minimize vulnerabilities and potential exploits during resource development stages will save future SOC bandwidth and better set their teams up for success.
Medium-sized organizations and those that do not internally develop software tools may not dedicate an engineer to SOC operations full-time, instead engaging one only as needed.
Security Operations Center Processes
As another leg of the security operations center architecture tripod, processes primarily support personnel. Personnel depend on their own threat intelligence and experience to perform their responsibilities, all the more so when processes are not documented and exist only as “tribal knowledge.”
Established and documented processes provide SOC personnel with guidance for executing tasks, filling in gaps when first-hand experience and tribal knowledge prove insufficient. Defined procedures are particularly critical for ensuring that personnel carry out incident investigation, escalation, response, and remediation properly.
One reason that documented processes are so critical to SOC success is that employee turnover is a consistent challenge throughout the field. A 2021 Ponemon survey revealed that SOC personnel spend an average of 26 months with an organization. Unfortunately, this short employment average prevents personnel from acquiring the organization-specific tribal knowledge necessary to manage discovered incidents without dedicated guidance.
Industries and Business Activity—Regulatory Compliance
Many SOC-specific and organization-wide processes are somewhat predetermined by an enterprise’s industry and business activity. Modern regulatory compliance nearly always involves cybersecurity specifications that must be met to protect mission-critical data and IT resources.
For example, nearly all organizations collect, store, process, or transmit credit card data, subjecting them to the Payment Card Industry (PCI) Data Security Standard (DSS). The entirety of the PCI DSS revolves around protecting cardholder data (CHD) through cybersecurity measures. DSS specifications for strict authentication, encryption, network perimeter protections, and more fall under SOC purview.
NIST Security Operations Center Framework
When organizations construct their security operations center architecture, they should refer to the National Institute of Standards and Technology (NIST) for guidance. Unlike mandated regulatory compliance, adherence to the NIST Cybersecurity Framework (CSF) is a voluntary effort. However, the framework overlaps with the most applicable regulations and, thus, provides a foundational reference and audit checklist for security operations center architecture.
The CSF provides extensive guidance for SOC responsibilities, spanning all aspects of handling cyberthreats:
- Identification – Establish a comprehensive understanding of the organization’s entire IT environment—the risks, business contexts, and IT resources supporting critical functions.
- Protection – Safeguard the organization’s critical infrastructure, data, and service delivery from cyberthreats, and implement measures to limit those that become successful attacks.
- Detection – Ensure that the organization’s IT environment is actively and continuously monitored to detect threat indicators and anomalous activity.
- Response – Define and document response procedures, performing analysis following their execution (and periodically if they haven’t been executed in some time) to continually improve their effectiveness.
- Recovery – Remediate IT environment operations and service delivery promptly.
Periodically revisiting the CSF and refining SOC processes will help organizations develop their own comprehensive NIST security operations center framework.
Evaluating Documented Incident Response Processes
An essential aspect of maintaining an organization’s optimal SOC organization and responsibility execution is reevaluating and revising documented processes. Periodically, SOC teams must review and update processes to ensure they remain effective and adhere to all necessary industry and business activity regulations.
One method many organizations employ to keep their SOC team functioning smoothly and evaluate processes is conducting response exercises for simulated cyberattacks. For example, tabletop exercises allow SOC teams to walk through incident response plans step-by-step, and managerial review or full-team discussions can help identify improvement opportunities.
Generally, response processes should follow:
- Team preparation
- Potential threat identification
- Containment strategy selection
- Threat eradication
- Recovery planning
- Service delivery remediation
- Proper authority and affected party notification
- Training and education to prevent recurrence and improve future SOC response
Security Operations Center Technology
The technology implementations that SOC teams manage will also be somewhat predetermined by business activity. For example, supporting remote employees will require certain cybersecurity defenses (e.g., virtual private networks, multi-factor authentication). That said, some technology implementations, such as security information and event management (SIEM) systems, are common to most SOCs.
The larger and more complex an organization’s IT environment becomes, the more a SOC team will lean on cybersecurity technologies to simplify their responsibilities. Without the third leg, tripods are guaranteed to fall over. Manual SOC efforts are all but extinct in these scenarios due to the sheer amount of data to review and attack vectors to protect.
Technologies most SOC teams will implement include:
- SIEM – These systems help automate data collection and notify personnel of potential threat indicators to assist analysts with their scanning and assessment responsibilities. Sophisticated systems will also provide SOC teams with tools to predefine and automate some initial incident response measures, which saves valuable investigation time.
- Antivirus, antimalware, and filtering – Many cyberthreats still utilize phishing methods to mimic legitimate communications and convince users to click on malicious links or attachments. Antivirus, antimalware, and filtering tools rely on threat signatures to automatically identify, contain, and remove these threats.
- Endpoint security – Endpoints consist of all the devices connected to an organization’s network. Their security can comprise various tools but often involves endpoint detection and response (EDR) and disk encryption. EDR monitors endpoint activity via installed agents that report to a centralized management hub. Disk encryption ensures that data stored on devices cannot be read without the associated cryptographic key.
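The tiered triage described under the analyst roles and the SIEM bullet above (collect events, notify personnel, recognize false positives, escalate, and trigger a predefined initial response) can be illustrated with a small correlation rule. The following is an added example, not code from the original article or from RSI Security: a toy SIEM-style rule that parses constructed sshd-style log lines, flags bursts of failed logins per source address, suppresses a known authorized scanner as a tier-one false positive, escalates a burst followed by a successful login to tier two, and attaches a predefined first action. The log lines, hostnames, IP addresses, scanner allowlist, and failure threshold are all constructed for the example.

```python
"""Toy SIEM-style correlation rule over constructed auth log lines.

Added example, not code from the original article or from RSI Security.
Every log line, host, IP address and threshold below is constructed.
"""
from collections import defaultdict
from dataclasses import dataclass, field
import re

# Constructed sshd-style log lines (not real data). Timestamps are ISO 8601,
# so they sort lexicographically; a real pipeline would normalise time zones.
SAMPLE_LOGS = [
    "2024-05-01T10:00:01Z host-a sshd: Failed password for admin from 203.0.113.7",
    "2024-05-01T10:00:02Z host-a sshd: Failed password for admin from 203.0.113.7",
    "2024-05-01T10:00:03Z host-a sshd: Failed password for root from 203.0.113.7",
    "2024-05-01T10:00:04Z host-a sshd: Failed password for admin from 203.0.113.7",
    "2024-05-01T10:00:05Z host-a sshd: Failed password for admin from 203.0.113.7",
    "2024-05-01T10:00:09Z host-a sshd: Accepted password for admin from 203.0.113.7",
    "2024-05-01T10:01:00Z host-b sshd: Failed password for svc from 198.51.100.5",
    "2024-05-01T10:01:01Z host-b sshd: Failed password for svc from 198.51.100.5",
    "2024-05-01T10:01:02Z host-b sshd: Failed password for svc from 198.51.100.5",
    "2024-05-01T10:01:03Z host-b sshd: Failed password for svc from 198.51.100.5",
    "2024-05-01T10:01:04Z host-b sshd: Failed password for svc from 198.51.100.5",
    "2024-05-01T10:02:00Z host-c sshd: Failed password for alice from 192.0.2.44",
    "2024-05-01T10:02:30Z host-c sshd: Accepted password for alice from 192.0.2.44",
    "this line is not an auth event and is skipped by the parser",
    "2024-05-01T10:03:00Z host-a sshd: Failed password for backup from 203.0.113.9",
    "2024-05-01T10:03:01Z host-a sshd: Failed password for backup from 203.0.113.9",
    "2024-05-01T10:03:02Z host-a sshd: Failed password for backup from 203.0.113.9",
    "2024-05-01T10:03:03Z host-a sshd: Failed password for backup from 203.0.113.9",
    "2024-05-01T10:03:04Z host-a sshd: Failed password for backup from 203.0.113.9",
]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd: (?P<outcome>Failed|Accepted) password "
    r"for (?P<user>\S+) from (?P<src>\d{1,3}(?:\.\d{1,3}){3})$"
)

# Assumed allowlist of the organisation's own authorised scanners; their
# failed logins are the classic SIEM false positive tier one must recognise.
KNOWN_SCANNERS = {"198.51.100.5"}
FAIL_THRESHOLD = 5  # constructed threshold; tune per environment


@dataclass
class Alert:
    rule: str
    src: str
    users: list
    severity: str        # "low" | "high" | "critical"
    tier: int            # SOC tier that receives the alert
    initial_action: str  # predefined first response the SIEM can trigger
    evidence: list = field(default_factory=list)


def parse(line):
    """Return the event fields for a matching line, or None for noise."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def correlate(lines):
    """Apply the brute-force rule per source IP and return {src: Alert}."""
    events = sorted((e for e in map(parse, lines) if e), key=lambda e: e["ts"])
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)

    alerts = {}
    for src, evs in by_src.items():
        failures = 0
        success_after_burst = False
        users = set()
        for e in evs:
            if e["outcome"] == "Failed":
                failures += 1
                users.add(e["user"])
            elif failures >= FAIL_THRESHOLD:
                success_after_burst = True  # accepted login after a burst of failures
        if failures < FAIL_THRESHOLD:
            continue  # below threshold: no alert, events stay in the data store
        evidence = [f'{e["ts"]} {e["outcome"]} {e["user"]}' for e in evs]
        if src in KNOWN_SCANNERS:
            alerts[src] = Alert("ssh_brute_force", src, sorted(users), "low", 1,
                                "suppress: authorised scanner, record only", evidence)
        elif success_after_burst:
            alerts[src] = Alert("ssh_brute_force_success", src, sorted(users), "critical", 2,
                                "isolate host, disable account, page tier two", evidence)
        else:
            alerts[src] = Alert("ssh_brute_force", src, sorted(users), "high", 1,
                                "block source at perimeter, tier-one review", evidence)
    return alerts


if __name__ == "__main__":
    for a in correlate(SAMPLE_LOGS).values():
        print(f"[{a.severity:8}] tier {a.tier} {a.rule} from {a.src} "
              f"users={a.users} -> {a.initial_action}")
```

Run as a script, the rule emits three alerts: the scanner burst is recorded at low severity for tier one rather than paged, the burst with no success is routed to tier one with a perimeter block as the predefined action, and the burst followed by an accepted login is escalated straight to tier two with containment steps attached. The two-failure source produces nothing, which is the point of a threshold: tier-one analysts only see what the rule judged worth a look, and the evidence list travels with the alert so the tier-two investigation starts from the raw events rather than a summary.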
Penetration Testing
Whereas tabletop incident response simulations put SOC teams and processes through “fire drill” scenarios to learn from and evaluate the existing architecture, penetration testing does the same for implemented technologies. Penetration testing simulates actual attacks on cybersecurity infrastructure to uncover vulnerabilities and test automated system responses.
Testing results provide teams with a beneficial resource that helps guide patch deployment and configuration updates and identifies cybersecurity aspects that may require additional implementations.
Outsourcing SOC Responsibilities
Due to the mission-critical status of proper SOC responsibility execution and the personnel challenges managers often face, many organizations partner with MSSPs. Outsourcing SOC responsibilities to an MSSP allows SOC teams to recover limited bandwidth, gain additional expertise, and execute the assignments that the organization wishes to retain in-house.
Building Your Security Operations Center Architecture
Building and revising security operations center architecture is as mission-critical as the responsibilities a SOC team executes. Without the proper personnel, processes, and technology, any SOC can fail to secure an organization’s IT environment.
As an MSSP specializing in cybersecurity and compliance, RSI Security can help advise your organization on constructing SOC architecture and its revisions. RSI Security’s managed services also allow organizations to outsource SOC responsibilities as needed or desired—from fully remote SOC to “a la carte” delivery.
Contact RSI Security today to learn more about how your organization can optimize its SOC.