Why Every Company Needs A SOC
A security operations centre has become essential, even for small organisations. But additional security processes don’t have to be a burden, especially with the right partner.
Once upon a time, the security operations centre (SOC) was needed only by the largest corporations and was a particularly heavyweight function. These days, however, more and more organisations are opting for one – and they look substantially different today than in the past.
That’s because, in today’s world, everybody’s a target. Malicious actors and rogue nation-states can launch large numbers of attacks in no time at all, putting small organisations just as much at risk as large ones. Even organisations that aren’t targeted directly can suffer as collateral damage in a larger attack or as a route into a third party. For small organisations, the cost of a breach could be in the millions, so protection is vital.
The SOC doesn’t have to be a huge undertaking. These days, a modern SOC can be managed remotely with a next-gen SIEM (Security Information and Event Management) tool automating much of the work. Increasingly, the most forward-looking organisations are integrating their SOC with their network operations centre (NOC). The resulting SecOps will be at the cutting edge over the next few years. This article explains the journey necessary to get there.
What is a SOC and why do you need one?
Asked to imagine a typical SOC, most people will picture a physical facility with people at banks of computers, facing a wall of screens filled with network and system data. The sort of complex, expensive facility reserved for a tier-one bank, government organisations or NASA.
A SOC is a facility where security staff defend against breaches and identify and mitigate security risks. The analysts and security specialists staffing the SOC monitor everything from governance, risk and compliance (GRC) systems to intrusion prevention and detection systems to next-generation firewalls.
Although SOCs were once large and expensive, the proliferation of the cloud and services supplied by third parties have made the technology more affordable. Just as security becomes a more widespread concern, the SOC has become more accessible. Organisations of all sizes are at risk today and therefore need to implement better security measures.
The SOC is no longer necessary for just the regulated sectors or those handling sensitive data. Helping to increase accessibility is the fact that a SOC no longer needs to be a physical facility. These days, the SOC can be virtual and its staff remote. Some organisations set up a managed or hybrid SOC, combining in-house people and tools with expertise from a managed service provider.
SIEM: The tech that pulls your SOCs up
Every SOC faces challenges, and two notable ones are visibility and noise. First, a centralised SOC might not have visibility across the organisation. Some endpoints might not be connected to the SOC, for example, encrypted data might be inaccessible and so might data from third parties. On the other hand, the data that does come in can be overwhelming. Security analysts can spend large amounts of time dealing with false positives, and the sheer amount of data can make it easy to miss actual alerts.
SIEM tooling can deal with both problems by filtering data to produce actionable insights across security tools, endpoints, cloud services and even SaaS applications.
Next-generation SIEM uses machine learning and advanced analytics to sift through huge amounts of data, reducing false positives and lowering alert fatigue. That frees analysts to spend more time on more pressing or complex threats. The number of sources from which next-gen SIEMs gather data and the intelligent processing they apply means that they detect incidents that less advanced systems miss, such as insider threats and data exfiltration. They can also automate tasks, such as finding unused credentials for employees who have left the organisation or quarantining malware in a sandbox. The SIEM develops a smart baseline for what normal network activity looks like, which means it identifies anomalies more quickly.
The road to SecOps
Of course, having advanced tools like this in place is no use if organisational structure stops them from being effective. The security team was once viewed as an obstacle by operations – and in some organisations, it might still be. While operations are focused on uptime and performance, security can be often seen as slowing things down. This is the wrong approach, and attitudes are changing. Increasingly, we are seeing that, at an organisational level, security is seen as an integral requirement like uptime or performance. It’s no longer an afterthought and security considerations are becoming more baked in rather than added on at the end of a project. Analysts communicate with Ops about threats and incidents, while Ops can use the SOC for advice and guidance. For DevOps organisations, security can be involved even earlier. The resulting SecOps (or DevSecOps) environment is more proactive and, with both teams working together, they can diagnose and address problems much more quickly. Security has gone beyond simply installing the right tools and has become part of the modern trend towards entirely new approaches that require new skills. For many organisations, especially smaller ones, the rate of change is too fast for them to train or hire people with the necessary skills. They might not even be able to justify a security hire, despite the essential need to keep the organisation safe. The answer is to find a third party that can handle this for you. Managed services providers can deliver the entire SOC for you or fill specific gaps in your coverage. This means that someone is always focused on securing the cloud, leaving you to focus on what you do best.
Our specialists have the answer