No room for complacency – the increasingly important role of a Security Operations Centre (SOC)
Luke Ager, Chief Technology Officer, Cyber & Intelligence
While there is no doubting the substantial benefits, this dependency on data-enabled operations does not come without its own challenges. Reliability, resilience and security are now the name of the game. Make no mistake, with any form of dependency comes vulnerability – and, when that vulnerability is invisible, the risk of inadvertent complacency is never far away.
Digital systems and data networks are no different – even more so with a global pandemic fuelling an increasing move towards remote/home working. It is vital for any organisation to understand the very real and constantly evolving threats to the integrity of all areas of its central and remote digital infrastructure as increasingly capable, astute and evasive cyber criminals will be quick to exploit any weaknesses.
Minimising risks and costs
The consequences of a security breach can be huge. Aside from massive financial penalties and immeasurable reputational damage, the costs and delays arising from operational disruption can be substantial and the investment required to address, restore and recover should not be under-estimated.
It’s for this reason that more and more organisations are taking positive steps to minimise the risks and protect their digital infrastructure from known and emerging malicious cyber threats. In the majority of cases this entails the creation of a Security Operations Centre – or SOC as it is often referred. This provides a dedicated resource for monitoring, analysing and protecting an organisation from any cyber attacks whether from malicious or negligent behaviour or from internal or external sources.
Why is a SOC important?
- A disciplined and focussed operation to minimise the impact of cyber attacks
- The increasing severity, complexity and threat of malicious cyber attacks
- Protects an organisation’s business-critical digital infrastructure
- Eliminates risk of service disruption and minimises the costs of recovery from a cyber attack
- Ensures operational compliance with mandatory service requirements
- Ensures compliance with an organisation’s operating policies and practices
- Protects an organisation from negligent and malicious behaviours
In highly regulated service sectors, a SOC is a mandatory requirement especially where an organisation is storing and processing sensitive personally identifiable information, credit card details or clinical patient records. However, every organisation that has responsibility for using personal data must comply with the rules governing data protection.
The stringent requirements of the Data Protection Act 2018 – the UK’s implementation of the General Data Protection Regulation (GDPR) – give very little in the way of wriggle room and reflect the exponential growth in the volume of data being processed in the digital age. Moreover, as many organisations have found from bitter experience, enforcement is unforgiving.
Regulations aside, organisations in practically every area of industry and commerce now recognise the benefits and invaluable role of a SOC in helping to deliver operational resilience and for staying ahead of the curve in the face of increasingly sophisticated threats from well organised and well funded cyber criminals.
The right tools, expertise and focus
The most appropriate composition and remit of a SOC will vary from one organisation to another and it could be an internal resource, outsourced or a combination of both. Whatever option is followed, an effective SOC is relatively self-contained, is well equipped with the latest monitoring, analytical tools and will be operated 24/7 by a specialist team of highly experienced cybersecurity professionals.
A SOC will deliver uninterrupted monitoring of an organisation’s IT network, desktops, laptops, servers, databases, applications, security systems, internet traffic and all other components within the digital infrastructure. Any incidents detected will be investigated and analysed promptly, with alerts raised and immediate action taken to minimise the risk of operational disruption from a potential security breach.
What does a SOC do?
- Monitors, detects, analyses security data throughout an organisation’s digital infrastructure
- Provides 24/7 protection from cyber threats
- Uses advanced tools, automation and specialist expertise to maximise protection
- Full incident reporting
- Vulnerability management
- Raises alerts to ensure a prompt response to any cyber attack
- Forensic analysis of security events
- Behaviour modelling
- Ensures continuous intelligence and awareness of constantly evolving and emerging threats
It is a proactive and dynamic process where business intelligence and knowledge of emerging threats run in tandem with compliance safeguards, forensic analysis and risk-based vulnerability management. Significantly, a SOC will detect and enable an immediate response to be made to any incidents. This is crucial. Speed of response and decisive actions regardless of the time, source and type of cyber attack will help to minimise the risks, impact and costs.
The starting point for any organisation considering the introduction of a SOC or replacing an existing resource is to know what you are up against. Scare stories are in abundance. Certainly, there are a multitude of constantly evolving threats to the security of digital systems and infrastructure of any organisation. Most people will be aware of viruses, ransomware and other forms of malware, but they are now far more sophisticated, intrusive and damaging than ever before and even the toughest firewall is no guarantee of protection.
In addition to exploiting a known weakness in computer software before developers have resolved the issue, there are countless examples of bad actors launching phishing campaigns, delivering disruptive and often evasive malware as well as ‘denial of service’ attacks, network intrusions and credential theft. That’s not all, though. There are also internal factors to consider. Only through diligent monitoring of system use and identifying any security issues arising from pre-meditated or negligent activities can an organisation maximise compliance with its stated policies and protocols and minimise its vulnerability to any miscreant internal behaviour.
Key considerations when setting up a SOC
- How to ensure compliance with service regulations
- The level of processing, sharing and storing of personally identifiable information
- The composition of an organisation’s digital infrastructure
- The nature and composition of an organisation’s business
- Knowing what to monitor and what data feeds and logs are required by the SOC
- Defining the appetite for risk
- The time and resources required to establish an effective and appropriate SOC
- The need for advanced tools, automated detection systems and specialist expertise
- Evaluating the respective costs and benefits of an in-house or managed service from an external service provider
Faced with such diverse threats, vulnerabilities and variables, the knee-jerk reaction is typically to expect a SOC to ‘do everything’. However, the sheer volume and complexity of security alerts should not be under-estimated. It’s vital to have the advanced tools, security automation and expertise within the SOC team to categorise and prioritise any threat and ensure the most appropriate response is made. The direct and indirect costs to achieve this can be considerable as it requires major and sustained investment in the latest SOC technologies and experienced cyber security professionals who are in very high demand.
Defining the scope
Consequently, it is essential that the SOC remit is not only practical and fit for purpose but that its operational parameters are clearly defined and aligned fully with a robust business case. Operational compliance considerations should always provide the core framework for a SOC. Thereafter and particularly in less regulated sectors, it boils down to the risk appetite of an organisation.
There will always be an accepted degree of exposure to risk, but every organisation will have a tipping point where the risk to business continuity and security becomes unacceptable and the potential costs (reputational, operational and financial) are too great to contemplate - and that is the point that will help to define the role and reach of the SOC.
It is not always easy for senior managers of an organisation to see the wood for the trees when balancing the bewildering array of constantly evolving threats with the complexity and diversity of legacy systems and phased digital upgrades. Seeking external and impartial advice is often the best approach for determining the point at which the level of risk becomes unacceptable.
This will provide a qualitative and quantitative assessment of risk and take into account the unique culture, policies, priorities and infrastructure of the organisation so that an informed decision can be made about the form, composition and activities of the SOC. It is not a one-off exercise, though, as the SOC will require continuous development and must have inherent agility to ensure ongoing relevance, fulfil its obligations and provide the protection required.
This requires a great deal of preparatory work and constant revisiting of processes, procedures and technologies to ensure the SOC receives the right inputs and logs from the organisation at all times. Just as important is the need to define governance, incident reporting procedures, escalation thresholds and responsibilities.
Key benefits of a SOC
- Uninterrupted monitoring and analysis of cyber threats
- Delivers operational advantage and protection at all times
- Maximises response times to any threat and minimises service disruption and costs of recovery
- A co-ordinated and focussed approach to cyber security
- Regulatory compliance
- Maximises control and security of an organisation’s digital infrastructure
When working with an external service provider, clear Service Level Agreements and Key Performance Indicators are a must to ensure expectations are shared and understood, and it is important to establish rules for data sharing, data separation and confidentialities. There must also be a clear demonstration of how SOC architecture is designed and managed and the security precautions that are in place to ensure the SOC is capable of protecting itself - and the data it handles - from cyber attacks.
Trust and confidence
This brings us to two of the most important factors for any SOC operation – trust and confidence. By its very nature a well-structured SOC will receive defined feeds from different areas of an organisation’s digital infrastructure. For such a sensitive and business-critical operation, mutual trust is a prerequisite. This is especially true when an organisation is using a third party to deliver the service.
Here, effective collaboration, transparency and genuine partnership should really set the tone. It is a mutual learning process for both the SOC team and the organisation it is protecting, and the principles of continued improvement will only be possible if both parties work hand in hand to establish a clear understanding of the cyber protection environment. This is particularly important from the outset of a SOC when there will be a disproportionately high number of false positives as the SOC team gains improved understanding of the way an organisation operates and establishes the most efficient reporting processes and working practices.
Such a collaborative spirit helps to eliminate any scope for complacency and creates an environment where authorised users from the organisation can have direct access to SOC tools and monitor and comment on SOC activities through secure incident and reporting portals. It will also enable an organisation to harness the flexibility and scalability of a specialist service provider when it is necessary to flex and adapt the SOC to meet periodic peaks in demand or a global surge in a new form of malicious cyber attack.