What is a SOC?

It’s good to be nervous about the recent explosion of cybercrime, but it’s even better to be prepared. If you’re a business owner, now is the time to invest in your organization’s security posture, but deciding how much to invest, and which tools, strategies, and solutions to invest in, can be difficult, confusing, and stressful. You want to be responsible and keep your business safe, but your budget is limited, which means you’ll have to make tough choices about where and how to spend it. This is especially true for small-to-medium-sized business (SMB) owners, who can’t afford the same protective measures as corporate giants. This article is written with you in mind.

One security solution you might have heard about as an SMB owner is a security operations center (SOC — pronounced “sock”). The following discussion will help you answer two questions:

  1. What is a SOC?
  2. Should I establish a SOC for my SMB?

We can’t definitively answer the second question for you, as your business’s particular needs are just that — particular (i.e., unique to your situation). But we can provide general guidelines that will assist you in making an informed and responsible decision.

What is a SOC?

Defining a SOC

The term “SOC” is sometimes used to refer to a facility that houses a team of information security experts. But this definition is quickly becoming obsolete, as there are virtual SOCs which do not exist at a single location. A better definition equates a SOC with the cybersecurity personnel themselves, along with the processes and technology they employ to monitor and manage an organization’s security posture in real time (and generally on a 24/7 basis).

The overarching purpose of a SOC is to bolster an organization’s cybersecurity by identifying, mitigating, and preventing risks before they escalate into larger, business-disrupting problems. In our day and age, being proactive about cybersecurity — as opposed to reactive — is a must, and establishing a SOC means fully embracing the proactive philosophy.

Who is in a SOC?

The exact makeup of a SOC will vary, with larger SOCs containing more people and more specialized roles. But, generally speaking, a SOC team will include analysts, engineers, and managers.

Analysts’ primary responsibility is to detect potential security threats and assign them a level of urgency in order to trigger the appropriate response. Your SOC’s analysts are your first line of defense against malicious actors who want to penetrate your organization’s network.

A SOC’s engineers design, implement, and maintain the tools that constitute your organization’s security architecture. This means ensuring that your systems receive regular updates, as well as recommending any changes that seem necessary in light of the ever-evolving security landscape. Security engineers are also responsible for documenting security processes and protocols, which allows the rest of the SOC team to carry out their duties effectively and efficiently, as well as ensures that your organization remains compliant with relevant governmental and industry regulations.

Overseeing the entire SOC are security managers. A security manager’s duties are many, and include coordinating the activities of analysts and engineers, hiring/training new staff, working closely with management (e.g., the chief information security officer) to align security strategies with business goals, and spearheading responses to major security incidents.

Some SOCs will have personnel with highly specialized roles (e.g., compliance auditors and forensics investigators). Also, depending on the size of a SOC, a single person may take on multiple roles.

How does a SOC work?

Security Information and Event Management (SIEM)

A SOC protects your organization by proactively scanning your organization’s entire digital infrastructure — networks, databases, servers, endpoints, applications, websites, etc. — ideally on a 24/7/365 basis.

Most SOCs exhibit a “hub and spoke” architecture, where computer-generated log data from various systems in your organization is continuously collected and analyzed for anomalous (i.e., suspicious) activity. The amount of data we’re talking about here is vast, and the modern SOC employs a security information and event management (SIEM) system to corral all of this information and organize it in a way that makes it amenable to human analysis.

The power of SIEM software comes from its ability to sift through huge batches of data in mere seconds, and employ machine learning to define “normal” network activity. The latter is especially crucial for preventing “threat fatigue,” which arises when a SOC is overwhelmed by simply too many alerts, many of which are false alarms. With an effective SIEM solution, a SOC can rely on technology to weed out false positives, freeing up team members to focus on actual threats.
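The hub-and-spoke collection and “define normal, then flag deviations” idea described above, shown as an added example that is not part of the original article: a small Python script that normalizes constructed log lines from two hypothetical sources into one schema, builds a per-source baseline of failed logins from constructed history, and alerts only on a source whose count is far above its own norm. The log formats, IP addresses, history values and thresholds are all constructed assumptions, not any real product’s syntax.

```python
import re
from collections import Counter
from statistics import mean, pstdev

# Two constructed "spoke" log formats (hypothetical; not any real product's syntax).
AUTH_RE = re.compile(r"^auth \S+ user=(?P<user>\S+) result=(?P<result>\S+) src=(?P<src>\S+)$")
FW_RE = re.compile(r"^fw \S+ action=(?P<action>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$")

def normalize(line):
    """Map one raw line into a common schema so events from different systems are comparable."""
    m = AUTH_RE.match(line)
    if m:
        kind = "auth_fail" if m["result"] == "FAIL" else "auth_ok"
        return {"type": kind, "src": m["src"], "user": m["user"]}
    m = FW_RE.match(line)
    if m:
        return {"type": "fw_" + m["action"].lower(), "src": m["src"], "dport": int(m["dport"])}
    return None  # unparsed lines are excluded from scoring

def build_baseline(history):
    """history: {src_ip: [auth failures per hour on past days]} -> {src_ip: (mean, stdev)}."""
    return {src: (mean(c), pstdev(c)) for src, c in history.items()}

def score_window(lines, baseline, z_threshold=3.0, min_count=5):
    """Count auth failures per source; alert at most once per source, and only when its count
    is far above that source's own 'normal' (this is what keeps a noisy host from paging anyone)."""
    counts = Counter()
    for line in lines:
        ev = normalize(line)
        if ev and ev["type"] == "auth_fail":
            counts[ev["src"]] += 1
    alerts = {}
    for src, n in counts.items():
        mu, sigma = baseline.get(src, (0.0, 0.0))  # never-seen source: no history at all
        z = (n - mu) / sigma if sigma > 0 else (float("inf") if n > mu else 0.0)
        if n >= min_count and z > z_threshold:
            alerts[src] = {"count": n, "baseline_mean": round(mu, 2), "z": z}
    return alerts

# Constructed history: 10.0.0.7 is noisy but normal (e.g. a misconfigured service account),
# 10.0.0.5 is quiet, and 203.0.113.9 has never been seen before.
HISTORY = {"10.0.0.5": [1, 2, 1, 0, 2, 1], "10.0.0.7": [4, 5, 4, 6, 5]}
WINDOW = (  # constructed one-hour window of raw lines from both spokes
    [f"auth 09:0{i} user=alice result=FAIL src=10.0.0.5" for i in range(2)]
    + [f"auth 09:1{i} user=svc-backup result=FAIL src=10.0.0.7" for i in range(6)]
    + [f"auth 09:2{i} user=admin result=FAIL src=203.0.113.9" for i in range(8)]
    + ["fw 09:25 action=DENY src=203.0.113.9 dst=10.0.0.20 dport=22"]
)

def run_demo():
    """Only the unseen external source is returned; the noisy host is suppressed by its baseline."""
    return score_window(WINDOW, build_baseline(HISTORY))
```

In a real SIEM the baseline would be learned continuously rather than hard-coded, but the mechanism is the same: the analyst sees one alert for the unseen source instead of sixteen raw failure events.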

Incident Response

When a SOC does come across a legitimate threat, it’s all systems go. After the urgency of the threat is established, a sequence of responsive measures is initiated to shrink “breakout time” as much as possible (“breakout time” is the time it takes an intruder to move from the first compromised machine to other parts of your network). These measures can include isolating endpoints, deleting files, stopping harmful processes, and deploying backups to negate ransomware.

Prevention Techniques

In addition to detecting and responding to threats, a SOC is also tasked with preventing incidents from occurring in the first place. One way a SOC achieves this is by analyzing breaches and performing “root-cause analysis,” which allows security personnel to trace a cyberattack back to its source. Finding out where intruders were able to penetrate your network enables your SOC to shore up gaps in your security posture and prevent similar events from occurring in the future. A SOC can also prevent future attacks by proactively searching for weaknesses in your network and systems. “Ethical hacking,” for example, involves members of your SOC attempting to breach your network to learn what will and won’t work when actual hackers make similar attempts.

Does Your Organization Need a SOC?

A SOC can do wonders for your organization’s security posture, which raises the question: why would any company choose not to have a SOC?

That one’s easy — a SOC is pricey! Paying the salaries of the personnel alone will set you back a good amount (security experts can command 6-figure salaries).

That said, times have changed, and the chances of experiencing a cyberattack have gone up exponentially in the past few years. The FBI’s Internet Crime Complaint Center received 791,790 cybercrime complaints in 2020, a 69% increase from 2019. These complaints caused more than $4.2 billion in losses. We live in dangerous times, and taking extra precautions to keep your business safe isn’t paranoid in the current climate — it’s sensible. Establishing a SOC for your business gives you something that’s hard to put a price tag on: peace of mind.

However, certain businesses need a SOC for more than peace of mind. If your company is in one of the following industries, a SOC isn’t just a good idea, but a necessity, as it will be vital to protecting highly sensitive client information and intellectual property:

  • Payment Card Industry
  • Healthcare
  • Manufacturing
  • Financial Services
  • Government Agencies
  • Education

To be clear, even if your business is not in one of the above industries, you should not automatically conclude that you don’t need a SOC. For instance, if you have ongoing security issues or if you’ve suffered a serious breach in the past, investing in a SOC might be a wise business decision. Another reason to seriously consider opting for a SOC is compliance. If you’re facing a bevy of strict regulations, or if maintaining compliance is something your organization is struggling with, a SOC can help you put those issues to bed.

At the end of the day, deciding whether to set up a SOC is a complex cost-benefit analysis. Whatever decision you make for your business, it’s important to keep in mind the following: a SOC relies heavily on technology, but the strength of a SOC ultimately comes from people. Your organization’s security posture is something that needs to be actively maintained, as the threat landscape is in a state of continual flux. So, if you do opt for a SOC to keep your business protected, you want to focus on building a team of committed professionals who continually strive to keep abreast of trends in the cybersecurity world. Anything less isn’t worth the investment.

One of Asia’s top airlines, Cathay Pacific Airways, said a hacker accessed personal information of 9.4 million customers, becoming the target of the world’s biggest airline data breach.

Oh boy.

The airline’s shares sank dramatically, shaving $201 million off its market value, after the Hong Kong-based carrier disclosed the unauthorized access late Wednesday, 7 months after discovering the violation. While passports, addresses and emails were exposed, flight safety wasn’t compromised and there was no evidence any information has been misused, it said, without revealing details of the origin of the attack.

“This is quite shocking,” said Shukor Yusof, founder of aviation consulting firm Endau Analytics in Malaysia. “It’s probably the biggest breach of information in the aviation sector.”

“We are very sorry for any concern this data security event may cause our passengers,” CEO Rupert Hogg said in a statement. The airline is in the process of contacting affected people, he added.

It’s the latest embarrassing data breach to hit a major international airline. British Airways said the hack on its system lasted for more than 2 weeks during the months of August and September, compromising credit-card data of some 380,000 customers. Delta said in April that a cyberattack on a contractor last year exposed the payment information of “several hundred thousand customers.”

The hackers who hit Cathay gained access to 27 credit card numbers but without the cards’ security codes, and another 403 expired credit card numbers. They also accessed names, nationalities, dates of birth, telephone numbers, emails, physical addresses, numbers for passports (roughly 860,000), identity cards and frequent-flier programs, and historical travel information, according to the airline.

“Upon discovery, we acted immediately to contain the event and to thoroughly investigate,” Hogg said. “We engaged one of the world’s leading cybersecurity firms to assist us, and we further strengthened our IT security systems, too.”

Hong Kong’s privacy commissioner expressed serious concern over the leak and said the office will initiate a compliance check with the airline. A dedicated website provides information about the event and what affected passengers should do next.

Some local lawmakers criticized Cathay for taking so long to reveal the breach. Lam Cheuk-ting, a member of the Legislative Council’s security committee, told reporters that many people in Hong Kong are angry and the airline should’ve taken the initiative the very first day it found out. Cathay’s Chief Customer and Commercial Officer, Paul Loo, said the airline wanted to have an accurate grasp on the situation and didn’t wish to “create unnecessary panic.”

Cathay is in the midst of a 3-year transformation program, as part of which Hogg has reduced jobs starting with the carrier’s head office in Hong Kong to cut costs and introduced better business-class services on long-haul flights to help lure premium passengers.

Cathay was ranked as the 6th best airline in the world this year by Skytrax, a London-based firm that provides advisory services for carriers and airports.

As I wrote earlier this month, IT problems in the airline industry seem to be growing. And while the causes are complex, when an airline cancels your flight and blames technology, you can’t accept it with a shrug. It sounds like they need to be introduced to an unbeatable IT service with decades of experience and demonstrated expertise to solve their problems…
