Security Operations Centres
Thanks to major technological breakthroughs, operating a business has become much simpler than it was a few years ago. IT support teams in London leverage IT to come up with solutions to problems haunting their systems. With these benefits, however, come challenges. Over-reliance on the internet has opened doors to new opportunities for hackers who exploit system vulnerabilities to execute cyberattacks. Cybercriminals are more invested, determined and motivated than ever before and are channelling their energy and resources into finding new attack vectors. To respond to these evolving threats, many organisations are establishing security operations centres.
Security Operations Centres: An introduction
A security operations centre is a centralised unit that houses the organisation’s team responsible for preventing and responding to security breaches. A typical SOC is staffed with security analysts, engineers and managers who are in charge of security operations.
A SOC uses different tools and technologies to control lighting, vehicle barriers and security alarms. SOC teams use a combination of technologies and processes to respond to security incidents. SOC teams work closely with incident response teams to ensure threats are neutralised in a timely fashion.
SOC teams work in shifts to monitor databases, servers, applications, endpoints and networks round the clock. SOC staff are responsible for identifying suspicious activities that indicate a major security breach and for taking steps to investigate, analyse and report the incident accurately. SOC teams are also responsible for assessing and ensuring regulatory compliance.
Some SOCs are equipped with advanced capabilities such as forensic analysis, malware reverse engineering and cryptanalysis to evaluate incidents.
Creating a Security Operations Centre
The first step in creating a SOC involves designing a strategy that is aligned with the business’ needs and objectives. To develop a better understanding of the nature and scope of different threats, managers must encourage executives from different teams to provide input.
Once the SOC strategy is developed, IT support teams in London must focus on developing the infrastructure required to support it, such as firewalls, breach detection solutions, an event management system and IPS/IDS. SOC infrastructure must not only help the SOC team collect information about threats and neutralise them, but should also have a mechanism in place to ensure compliance with industry and government regulations.
Structure of a typical SOC team
Tier 1: Security analyst (triage specialist)
Should possess: Programming and security skills
- Analysing evolving threats.
- Creating incident tickets that require a tier 2 review.
- Overseeing the functioning of security monitoring tools.
- Running vulnerability scans and analysing assessment reports.
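As an added illustration (not code from the original article), the following Python script shows the kind of tier 1 triage logic described above: it reads constructed SIEM-style event lines, correlates them with a few simple rules, and creates incident tickets, marking those that require a tier 2 review. The line format, field names, thresholds and rule names are all assumptions made for this example.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample events in a hypothetical line-oriented SIEM export.
# Assumed layout: <ISO timestamp> <source> key=value key=value ...
SAMPLE_EVENTS = """\
2024-03-01T09:00:01 auth event=login user=alice src=10.0.0.5 result=failure
2024-03-01T09:00:03 auth event=login user=alice src=10.0.0.5 result=failure
2024-03-01T09:00:05 auth event=login user=alice src=10.0.0.5 result=failure
2024-03-01T09:00:07 auth event=login user=alice src=10.0.0.5 result=failure
2024-03-01T09:00:09 auth event=login user=alice src=10.0.0.5 result=failure
2024-03-01T09:00:12 auth event=login user=alice src=10.0.0.5 result=success
2024-03-01T09:01:00 auth event=login user=bob src=10.0.0.9 result=failure
2024-03-01T09:02:00 auth event=login user=bob src=10.0.0.9 result=success
2024-03-01T09:05:00 ids signature=PORT_SCAN src=203.0.113.7
2024-03-01T09:05:02 ids signature=PORT_SCAN src=203.0.113.7
2024-03-01T09:10:00 auth event=login user=carol src=10.0.0.7 result=failure
2024-03-01T09:10:02 auth event=login user=carol src=10.0.0.7 result=failure
2024-03-01T09:10:04 auth event=login user=carol src=10.0.0.7 result=failure
2024-03-01T09:10:06 auth event=login user=carol src=10.0.0.7 result=failure
2024-03-01T09:10:08 auth event=login user=carol src=10.0.0.7 result=failure
"""

FAILURE_THRESHOLD = 5          # failed logins that make a (user, src) pair suspicious
WINDOW = timedelta(minutes=5)  # correlation window for a burst of failures
SCAN_THRESHOLD = 2             # repeated IDS scan alerts from one source

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(.*)$")


@dataclass
class Event:
    ts: datetime
    source: str
    fields: dict


@dataclass
class Ticket:
    rule: str
    severity: str
    review_tier: int   # 1 = tier 1 keeps watching, 2 = needs tier 2 review
    subject: str
    evidence: int      # number of events backing the ticket


def parse_events(text):
    """Parse the assumed export format; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, source, rest = m.groups()
        fields = dict(kv.split("=", 1) for kv in rest.split() if "=" in kv)
        events.append(Event(datetime.fromisoformat(ts), source, fields))
    return events


def triage(events):
    """Apply the example correlation rules and return the tickets they raise."""
    tickets = []
    auth = defaultdict(list)   # (user, src) -> login events in time order
    scans = defaultdict(int)   # src -> count of IDS alerts

    for e in sorted(events, key=lambda ev: ev.ts):
        if e.source == "auth" and e.fields.get("event") == "login":
            auth[(e.fields.get("user"), e.fields.get("src"))].append(e)
        elif e.source == "ids":
            scans[e.fields.get("src")] += 1

    for (user, src), seq in auth.items():
        failures = []  # timestamps of failures still inside the window
        for e in seq:
            result = e.fields.get("result")
            if result == "failure":
                failures.append(e.ts)
                failures = [t for t in failures if e.ts - t <= WINDOW]
            elif result == "success":
                # A burst of failures followed by a success is the strongest
                # signal here, so it is escalated for tier 2 investigation.
                if len(failures) >= FAILURE_THRESHOLD:
                    tickets.append(Ticket("brute-force-then-success", "high", 2,
                                          f"user={user} src={src}", len(failures) + 1))
                failures = []
        if len(failures) >= FAILURE_THRESHOLD:
            tickets.append(Ticket("failed-login-burst", "medium", 1,
                                  f"user={user} src={src}", len(failures)))

    for src, n in scans.items():
        if n >= SCAN_THRESHOLD:
            tickets.append(Ticket("repeated-scan-alerts", "medium", 1, f"src={src}", n))
    return tickets


def tier2_queue(tickets):
    """Tickets that tier 1 hands over for a tier 2 review."""
    return [t for t in tickets if t.review_tier == 2]


if __name__ == "__main__":
    for t in triage(parse_events(SAMPLE_EVENTS)):
        print(f"[{t.severity}] tier {t.review_tier}: {t.rule} ({t.subject}, {t.evidence} events)")
```

On the constructed data, alice's five failures followed by a success produce a high-severity ticket queued for tier 2, carol's failures without a success and the repeated scan alerts stay with tier 1 as medium-severity tickets, and bob's single failure raises nothing. The thresholds and window would normally be tuned to the organisation's own baseline.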
Tier 2: Security analyst (incident responder)
Should possess: Programming, security and critical thinking skills. Former white hat hackers are suitable for this role.
- Leveraging technology to develop an in-depth understanding of the scope and nature of attacks.
- Collecting data that supports further investigation.
- Supervising remediation efforts.
Tier 3: Expert security analyst
Should possess: Expert programming, security and critical thinking skills. Experience of using data visualisation and penetration testing tools is a must.
- Using threat intelligence to track the movement of advanced threats that successfully fly under the radar of IT Security in London.
- Conducting penetration testing to identify system weaknesses.
- Recommending measures to optimise security monitoring tools.
Tier 4: SOC manager
Should possess: All the skills mentioned above. Experience in handling diverse teams is a must.
- Overseeing the functioning of the SOC team.
- Recruiting, hiring, training and evaluating team members.
- Creating a crisis communication plan.
- Reviewing KPIs and coming up with an action plan to improve performance.
Types of Security Operations Centre models
Virtual SOC: More of a makeshift arrangement to respond to an incident; does not usually include a permanent team.
Dedicated SOC: Includes a dedicated team and facility. A dedicated SOC utilises an in-house facility.
Command SOC: Provides inputs to other SOCs, helping improve their capabilities to identify and neutralise threats; usually not directly involved in everyday operations.