Exium’s Autonomous SOC combines data lake technology, visibility into cloud infrastructure, behavioral analytics, and a threat hunting module with powerful data querying and visualization to respond to, contain and remediate sophisticated attacks — faster and more efficiently.
A security operations center (SOC) acts as the hub for an organization’s security operations. Also called an information security operations center (ISOC), a SOC is a centralized location where information security professionals use technologies to build and maintain the security architecture that monitors, detects, analyzes and responds to cybersecurity incidents, typically around the clock.
The security team, which consists of both security analysts and engineers, oversees all activity on servers, databases, networks, applications, endpoint devices, websites and other systems in order to pinpoint potential security threats and thwart them as quickly as possible. They also monitor relevant external sources (such as threat lists) that may affect the organization’s security posture.
A SOC must not only identify threats, but analyze them, investigate the source, report on any vulnerabilities discovered and plan how to prevent similar occurrences in the future. In other words, they’re dealing with security problems in real time, while continually seeking ways to improve the organization’s security posture.
While the SOC is focused on monitoring, detecting and analyzing an organization’s security health 24/7/365, the main objective of the NOC, or network operations center, is to ensure that the network performance and speed are up to par and that downtime is limited.
SOC engineers and analysts search for cyberthreats and attempted attacks, and respond before an organization’s data or systems are compromised. NOC personnel search for any issues that could slow network speed or cause downtime. Both proactively monitor in real-time, with the goal of preventing problems before customers or employees are affected, and search for ways to make continual improvements so that similar issues don’t crop up again.
SOCs and NOCs should collaborate to work through major incidents and resolve crisis situations, and in some cases the SOC functions will be housed within the NOC. NOCs can detect and respond to some security threats, specifically as they pertain to network performance, if the team is properly trained and looking for those threats. A typical SOC wouldn’t have the capability to detect and respond to network performance issues without investing in different tools and skill sets.
The three most common SOC deployment models are internal, virtual, and outsourced. Here is how each functions within the organization as a whole:
| Internal SOCs | Virtual SOCs | Outsourced SOCs |
|---|---|---|
| The internal SOC comprises a physical room where all the action takes place, usually with a full-time staff based on-premises. | Virtual SOCs are not on-premises and are made up of part-time or contracted workers who work together in a coordinated manner to resolve issues as needed. The SOC and the organization set parameters and guidelines for how the relationship will work, and how much support the SOC offers can vary depending on the needs of the organization. | In an outsourced SOC, some or all functions are managed by an external provider that specializes in security analysis and response. |
Exium supports all three deployment models. In the case of internal and virtual SOCs, we provide our security information and event management (SIEM), extended detection and response (XDR) platforms, and specific services for our customers to support an internal or virtual SOC. In the case of the outsourced SOC model, we handle everything for our customers.
The SOC leads real-time incident response and drives ongoing security improvements to protect the organization from cyber threats. By using a complex combination of the right tools and the right people to monitor and manage the entire network, a high-functioning SOC has the following core responsibilities:
| No | Core responsibilities of a high-functioning SOC |
|---|---|
| 1 | Maintaining security monitoring tools |
| 2 | Investigating suspicious activities |
| 3 | Providing proactive, around-the-clock surveillance |
| 4 | Offering expertise on all the tools |
| 5 | Providing deep analysis |
The SOC does more than just handle problems as they arise. What does a SOC do when it’s not detecting threats?
The SOC is tasked with finding weaknesses — both outside and within the organization — through ongoing software and hardware vulnerability analysis, as well as actively gathering threat intelligence on known risks. So even when there are seemingly no active threats, SOC staff are proactively looking at ways to improve security. Vulnerability assessment includes actively trying to hack their own system to find weaknesses, known as penetration testing. Additionally, a core role of SOC personnel is security analysis: ensuring that the organization is using the correct security tools optimally and assessing what is and isn’t working.
A SOC team continuously monitors and analyzes the security procedures of an organization. It also defends against security breaches and actively isolates and mitigates security risks.
There are four key roles on the Exium SOC team.
Security analysts are cybersecurity first responders. They report on cyberthreats and implement any changes needed to protect the organization. They are considered the last line of defense against cybersecurity threats and work alongside security managers and cybersecurity engineers.
Security engineers are usually software or hardware specialists and are in charge of maintaining and updating tools and systems. They are also responsible for any documentation that other team members might need, such as digital security protocols.
The SOC manager is responsible for the SOC team, directs SOC operations and is responsible for syncing between analysts and engineers; hiring; training; and creating and executing on cybersecurity strategy. The SOC manager also directs and orchestrates the response to major security threats.
The director of incident response (IR) is responsible for managing incidents as they occur, and communicating security requirements to the organization in the case of a significant data breach.
At Exium, we hire the best and train them well: Hiring talented staff and continually improving their skills is central to our success. Almost all of our SOC team understands application and network security, firewalls, information assurance, Linux, UNIX, SIEM, and security engineering and architecture. Our highest-level security analysts should possess these skills:
Ethical hacking: You want one of our people actively trying to hack your system to uncover its vulnerabilities before an attacker does.
Cyber forensics: Analysts must investigate issues and apply analysis techniques to both understand and preserve evidence from the investigations. If a case were to go to court, the security analyst must be able to provide a documented chain of evidence to show what occurred and why.
Reverse engineering: This is the process of deconstructing software or rebuilding it to understand how it works and, more importantly, where it’s vulnerable to attacks so that the team can take preventive measures.
Intrusion prevention system expertise: Monitoring network traffic for threats would be impossible without tools. Our SOC analysts know the ins and outs of how to use them properly.
Here are some of the core processes Exium’s SOC team carries out:
Alert triage – The SOC collects and correlates log data and provides tools that allow analysts to review it and detect relevant security events.
Alert prioritization – SOC analysts leverage their knowledge of the business environment and the threat landscape to prioritize alerts and decide which events represent real security incidents.
Remediation and recovery – Once an incident is discovered, SOC personnel are responsible for mitigating the threat, cleaning affected systems, and recovering them to their normal working condition.
Postmortem and reporting – An important function of the SOC is to document the response to an incident, perform additional forensic analysis to ensure that the threat has been fully contained, and learn from the incident to improve the SOC’s processes.
SOC analysts are organized in four tiers. First, security alerts flow to Tier 1 analysts who monitor, prioritize and investigate them. Real threats are passed to a Tier 2 analyst with deeper security experience, who conducts further analysis and decides on a strategy for containment.
Critical breaches are moved up to a Tier 3 senior analyst, who manages the incident and is responsible for actively hunting for threats continuously. The Tier 4 analyst is the SOC manager, responsible for recruitment, strategy, priorities, and the direct management of SOC staff when major security incidents occur.
| Role | Qualifications | Duties |
|---|---|---|
| Tier 1 Analyst (Alert Investigator) | System administration skills; web programming languages, such as Python, Ruby, PHP; scripting languages; security certifications such as CISSP or SANS SEC401 | Monitors alerts, manages and configures security monitoring tools. Prioritizes and triages alerts or issues to determine whether a real security incident is taking place. |
| Tier 2 Analyst (Incident Responder) | Similar to Tier 1 analyst, but with more experience including incident response. Advanced forensics, malware assessment, threat intelligence. Ethical hacker certification or training is a major advantage. | Receives incidents and performs deep analysis; correlates with threat intelligence to identify the threat actor, nature of the attack, and systems or data affected. Defines and executes on strategy for containment, remediation, and recovery. |
| Tier 3 Analyst (Subject Matter Expert/Threat Hunter) | Similar to Tier 2 analyst but with even more experience, including high-level incidents. Experience with penetration testing tools and cross-organization data visualization. Malware reverse engineering, experience identifying and developing responses to new threats and attack patterns. | Day-to-day, conducts vulnerability assessments and penetration tests, and reviews alerts, industry news, threat intelligence, and security data. Actively hunts for threats that have made their way into the network, as well as unknown vulnerabilities and security gaps. When a major incident occurs, teams with the Tier 2 Analyst in responding to and containing it. |
| Tier 4 (SOC Manager/Commander) | Similar to Tier 3 analyst, including project management skills, incident response management training, and strong communication skills. | Like the commander of a military unit, responsible for hiring and training SOC staff, in charge of defensive and offensive strategy. Manages resources, priorities and projects, and manages the team directly when responding to business-critical security incidents. The organization’s point of contact for security incidents, compliance, and other security-related issues. |
| Security Engineer (Support and Infrastructure) | Degree in computer science, computer engineering or information assurance, typically combined with certifications like CISSP. | A software or hardware specialist who focuses on security aspects in the design of information systems. Creates solutions and tools that help organizations deal robustly with disruption of operations or malicious attacks. |
Exium measures the performance of our SOC teams to continuously improve their processes. The table below lists a few important metrics that show the scale of activity in the SOC and how effectively analysts are handling the workload.
These metrics help us evaluate the effectiveness of our SOC processes, and we feed the results back into our evaluation and refinement processes.
| Metric | Definition | What it Measures |
|---|---|---|
| Mean Time to Detection (MTTD) | Average time the SOC takes to detect an incident | How effective the SOC is at processing important alerts and identifying real incidents |
| Mean Time to Resolution (MTTR) | Average time that transpires before the SOC takes action and neutralizes the threat | How effective the SOC is at gathering relevant data, coordinating a response, and taking action |
| Total cases per month | Number of security incidents detected and processed by the SOC | How busy the security environment is and the scale of action the SOC is managing |
| Types of cases | Number of incidents by type: web attack, attrition (brute force and destruction), email, loss or theft of equipment, etc. | The main types of activity managed by the SOC, and where preventative security measures should be focused |
| Analyst productivity | Number of units processed per analyst — alerts for Tier 1, incidents for Tier 2, threats discovered for Tier 3 | How effective analysts are at covering maximum possible alerts and threats |
| Case escalation breakdown | Number of events that enter the SIEM, alerts reported, suspected incidents, confirmed incidents, escalated incidents | The effective capacity of the SOC at each level and the workload expected for different analyst groups |
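As an added illustration (not Exium's code or data), the script below computes MTTD, MTTR, cases by type and the case escalation breakdown from the table above over one constructed month of alert records; it also shows the Tier 1 to Tier 3 escalation funnel described earlier. The record fields, stage names and event count are assumptions made for the example.

```python
from collections import Counter
from datetime import datetime
from statistics import mean

# Escalation funnel stages, in order; an alert "at" a later stage has passed
# through every earlier one (assumed model, not a Exium data format).
STAGES = ["alert", "suspected", "confirmed", "escalated"]

# Constructed sample output of a SIEM pipeline for one month. Only confirmed
# and escalated alerts are incidents; they carry "first_event" (when the
# activity began), "confirmed" (when the SOC declared an incident) and
# "resolved" (when the threat was neutralized).
EVENTS_INGESTED = 2_400_000  # raw events that entered the SIEM this month
ALERTS = [
    {"id": "A-01", "type": "email", "stage": "alert"},
    {"id": "A-02", "type": "web attack", "stage": "suspected"},
    {"id": "A-03", "type": "attrition", "stage": "alert"},
    {"id": "A-04", "type": "web attack", "stage": "confirmed",
     "first_event": "2024-03-02T01:00", "confirmed": "2024-03-02T03:00",
     "resolved": "2024-03-02T09:00"},
    {"id": "A-05", "type": "attrition", "stage": "escalated",
     "first_event": "2024-03-10T22:00", "confirmed": "2024-03-11T02:00",
     "resolved": "2024-03-11T14:00"},
    {"id": "A-06", "type": "email", "stage": "confirmed",
     "first_event": "2024-03-15T09:00", "confirmed": "2024-03-15T09:30",
     "resolved": "2024-03-15T11:30"},
    {"id": "A-07", "type": "loss or theft of equipment", "stage": "suspected"},
]

def _hours(start, end):
    fmt = "%Y-%m-%dT%H:%M"
    delta = datetime.strptime(end, fmt) - datetime.strptime(start, fmt)
    return delta.total_seconds() / 3600

def incidents(alerts):
    """Confirmed and escalated alerts are the SOC's incidents (cases)."""
    cut = STAGES.index("confirmed")
    return [a for a in alerts if STAGES.index(a["stage"]) >= cut]

def mttd_hours(alerts):
    """Mean Time to Detection: average first_event -> confirmed, in hours."""
    return mean(_hours(i["first_event"], i["confirmed"]) for i in incidents(alerts))

def mttr_hours(alerts):
    """Mean Time to Resolution: average confirmed -> resolved, in hours."""
    return mean(_hours(i["confirmed"], i["resolved"]) for i in incidents(alerts))

def cases_by_type(alerts):
    """Types of cases: number of incidents per category."""
    return Counter(i["type"] for i in incidents(alerts))

def escalation_breakdown(alerts, events_ingested):
    """Funnel counts: events in, then alerts reaching each stage or beyond."""
    funnel = {"events": events_ingested}
    for n, stage in enumerate(STAGES):
        funnel[stage] = sum(1 for a in alerts if STAGES.index(a["stage"]) >= n)
    return funnel

if __name__ == "__main__":
    print(f"MTTD {mttd_hours(ALERTS):.1f} h, MTTR {mttr_hours(ALERTS):.1f} h")
    print("cases/month:", len(incidents(ALERTS)), dict(cases_by_type(ALERTS)))
    print("escalation:", escalation_breakdown(ALERTS, EVENTS_INGESTED))
```

A shrinking "suspected" count with a steady "confirmed" count over successive months is the signal that Tier 1 triage is getting better at filtering noise without dropping real incidents.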
Traditional security operations centers face several common challenges:
Limited Visibility – A centralized SOC does not always have access to all organizational systems. These could include endpoints, encrypted data, or systems controlled by third parties which have an impact on security.
White Noise – A SOC receives immense volumes of data and much of it is insignificant for security. Security Information and Event Management (SIEM) and other tools used in the SOC are getting better at filtering out the noise, by leveraging machine learning and advanced analytics.
False Positives and Alert Fatigue – SOC systems generate large quantities of alerts, many of which turn out not to be real security incidents. False positives can consume a large part of security analysts’ time, and make it more difficult to notice when real alerts occur.
All three of these challenges are addressed by Exium’s Autonomous SOC, which leverages next-generation tools, specifically extended detection and response (XDR), providing machine learning and advanced behavioral analytics, threat hunting capabilities, and built-in automated incident response. Modern autonomous security operations center technology allows the SOC team to find and deal with threats quickly and efficiently.
| Tier | Role | Traditional SOC | Autonomous SOC |
|---|---|---|---|
| TIER 1 – Event Classification | Tier 1 Analysts monitor user activity, network events, and signals from security tools to identify events that merit attention. | A Traditional SOC leverages a SIEM that collects security data from organizational systems and security tools, correlates it with other events or threat data, and generates alerts for suspicious or anomalous events. | Next-generation Autonomous SOC further leverages the machine learning and behavioral analytics capabilities of XDR (Extended Detection and Response) to reduce false positives and alert fatigue, and discover hard-to-detect complex events like lateral movement, insider threats and data exfiltration. |
| TIER 2 – Prioritization and Investigation | Tier 1 Analysts prioritize, select the most important alerts, and investigate them further. Real security incidents are passed to Tier 2 Analysts. | A SIEM can help Tier 1 and Tier 2 analysts search, filter, slice and dice, and visualize years of security data. Analysts can easily pull and compare relevant data to better understand an incident. | Autonomous SOC is based on data lake technology that allows organizations to store unlimited data at low cost. It also leverages machine learning and User and Entity Behavior Analytics (UEBA) to easily identify high-risk events and surface them to analysts. |
| TIER 3 – Containment and Recovery | Once a security incident has been identified, the race is on to gather more data, identify the source of the attack, contain it, recover data and restore system operations. | When a real security incident is identified, a SIEM provides context around the incident, for example, which other systems were accessed by the same IPs or user credentials. | XDR used in the Autonomous SOC provides Security Orchestration, Automation and Response (SOAR) capabilities. It integrates with other security systems and can automatically perform containment actions, for example, quarantining an email infected by malware and detonating the malware in a threat intel sandbox. |
| TIER 4 – Remediation and Mitigation | SOC staff work to identify broad security gaps related to the attack and plan mitigation steps to prevent additional attacks. | In a Traditional SOC, remediation and mitigation are an ongoing activity, and they require visibility of the status and activity of critical security and IT systems. SIEMs have a cross-organization view which can provide this visibility. | Next-generation Autonomous SOC leverages machine learning and data science capabilities that establish smart baselines for groups of users and devices. This allows faster and more accurate detection of insecure systems or suspicious activity. |
| TIER 5 – Assessment and Audit | SOC staff assess the attack and mitigation steps, gather additional forensic data, draw final conclusions and recommendations, and finalize auditing and documentation. | | |
| No | SOC challenges and how technology can help |
|---|---|
| 1 | Incident response – SOCs operate around the clock (24x7x365) to detect and respond to incidents. |
| 2 | Threat intelligence and rapid analysis – SOCs use threat intelligence feeds and security tools to quickly identify threats and fully understand incidents, in order to enable appropriate response. |
| 3 | Reduce the complexity of investigations – SOC teams can streamline their investigative efforts. The SOC can coordinate data and information from sources such as network activity, security events, endpoint activity, threat intelligence, and authorization. SOC teams have visibility into the network environment, so the SOC can simplify the tasks of drilling into logs and forensic information, for example. |
| 4 | Reduce cybersecurity costs – Although a SOC represents a major expense, in the long run it prevents the costs of ad hoc security measures and the damage caused by security breaches. |
| 5 | Increased volumes of security alerts – The growing number of security alerts requires a significant amount of an analyst’s time. Analysts may tend to tasks from the mundane to the urgent when determining the accuracy of alerts. They could miss alerts as a result, which highlights the need for alert prioritization. Exium’s Autonomous SOC uses XDR technology to provide security alert prioritization, which relies on the dynamic analysis of anomalous events. This ensures that analysts can find the alerts requiring the most immediate attention. |
| 6 | Management of many security tools – As various security suites are used by SOCs, it is hard to efficiently monitor all the data generated from multiple data points and sources. A SOC may use 20 or more technologies, which can be hard to keep track of and control individually. This makes it important to have a central source and a single platform such as Exium’s SIEM+XDR. |
| 7 | Skills shortage – Short staffing or a lack of qualified individuals is an issue. A key strategy for dealing with the cybersecurity skills shortage is automating SOC processes to save time for analysts. In addition, an organization may decide to outsource. Some organizations are now outsourcing to managed security services providers to help them with their SOC services. With Exium, managed SOCs can be outsourced entirely or in partnership with on-premises security staff. |
To learn more about implementing SOC for your organization and explore tailored solutions that meet your unique requirements, contact Exium at partners@exium.net for a consultation or demonstration. If you are ready to get started, check out our testing and onboarding process.