What is a SOC?
It’s good to be nervous about the recent explosion of cybercrime, but it’s even better to be prepared. If you’re a business owner, now is the time to invest in your organization’s security posture, but deciding how much to invest, and which tools, strategies, and solutions to invest in, can be difficult, confusing, and stressful. You want to be responsible and keep your business safe, but your budget is limited, which means you’ll have to make tough choices about where and how to spend it. This is especially true for small-to-medium sized business (SMB) owners, who can’t afford the same protective measures as corporate giants. This article is written with you in mind.
One security solution you might have heard about as an SMB owner is a security operations center (SOC — pronounced “sock”). The following discussion will help you answer two questions:
- What is a SOC?
- Should I establish a SOC for my SMB?
We can’t definitively answer the second question for you, as your business’s particular needs are just that — particular (i.e., unique to your situation). But we can provide general guidelines that will assist you in making an informed and responsible decision.
What is a SOC?
Defining a SOC
The term “SOC” is sometimes used to refer to a facility that houses a team of information security experts. But this definition is quickly becoming obsolete, as there are virtual SOCs which do not exist at a single location. A better definition equates a SOC with the cybersecurity personnel themselves, along with the processes and technology they employ to monitor and manage an organization’s security posture in real time (and generally on a 24/7 basis).
The overarching purpose of a SOC is to bolster an organization’s cybersecurity by identifying, mitigating, and preventing risks before they escalate into larger, business-disrupting problems. In our day and age, being proactive about cybersecurity — as opposed to reactive — is a must, and establishing a SOC means fully embracing the proactive philosophy.
Who is in a SOC?
The exact makeup of a SOC will vary, with larger SOCs containing more people and more specialized roles. But, generally speaking, a SOC team will include analysts, engineers, and managers.
Analysts’ primary responsibility is to detect potential security threats and assign them a level of urgency in order to trigger the appropriate response. Your SOC’s analysts are your first line of defense against malicious actors who want to penetrate your organization’s network.
A SOC’s engineers design, implement, and maintain the tools that constitute your organization’s security architecture. This means ensuring that your systems receive regular updates, as well as recommending any changes that seem necessary in light of the ever-evolving security landscape. Security engineers are also responsible for documenting security processes and protocols, which allows the rest of the SOC team to carry out their duties effectively and efficiently, as well as ensures that your organization remains compliant with relevant governmental and industry regulations.
Overseeing the entire SOC are security managers. A security manager’s duties are many, and include coordinating the activities of analysts and engineers, hiring/training new staff, working closely with management (e.g., the chief information security officer) to align security strategies with business goals, and spearheading responses to major security incidents.
Some SOCs will have personnel with highly specialized roles (e.g., compliance auditors and forensics investigators). Also, depending on the size of a SOC, a single person may take on multiple roles.
How does a SOC work?
Security Information and Event Management (SIEM)
A SOC protects your organization by proactively scanning your organization’s entire digital infrastructure — networks, databases, servers, endpoints, applications, websites, etc. — ideally on a 24/7/365 basis.
Most SOCs exhibit a “hub and spoke” architecture, where computer-generated log data from various systems in your organization is continuously collected and analyzed for anomalous (i.e., suspicious) activity. The amount of data we’re talking about here is vast, and the modern SOC employs a security information and event management (SIEM) system to corral all of this information and organize it in a way that makes it amenable to human analysis.
The power of SIEM software comes from its ability to sift through huge batches of data in mere seconds, and employ machine learning to define “normal” network activity. The latter is especially crucial for preventing “threat fatigue,” which arises when a SOC is overwhelmed by simply too many alerts, many of which are false alarms. With an effective SIEM solution, a SOC can rely on technology to weed out false positives, freeing up team members to focus on actual threats.
When a SOC does come across a legitimate threat, it’s all systems go. After the urgency of the threat is established, a sequence of responsive measures is initiated to shrink “breakout time” as much as possible (“breakout time” is the time it takes an intruder to move from the first compromised machine to other parts of your network). These measures can include isolating endpoints, deleting files, stopping harmful processes, and deploying backups to negate ransomware.
In addition to detecting and responding to threats, a SOC is also tasked with preventing incidents from occurring in the first place. One way a SOC achieves this is by analyzing breaches and performing
“root-case analysis,” which allows security personnel to trace a cyberattack back to its source. Finding out where intruders were able to penetrate your network enables your SOC to shore up gaps in your security posture and prevent similar events from occurring in the future. A SOC can also prevent future attacks by proactively searching for weaknesses in your network and system. “Ethical hacking,” for example, involves members of your SOC attempting to breach your network to learn what will and won’t work when actual hackers make similar attempts.
Does Your Organization Need a SOC?
A SOC can do wonders for your organization’s security posture, which raises the question: why would any company choose not to have a SOC?
That one’s easy — a SOC is pricey! Paying the salaries of the personnel alone will set you back a good amount (security experts can command 6-figure salaries).
That said, times have changed, and the chances of experiencing a cyberattack have gone up exponentially in the past few years. The FBI’s Internet Crime Complaint Center received 791,790 cybercrime complaints in 2020, a 69% increase from 2019. These complaints caused more than $4.2 billion in losses. We live in dangerous times, and taking extra precautions to keep your business safe isn’t paranoid in the current climate — it’s sensible. Establishing a SOC for your business gives you something that’s hard to put a price tag on: peace of mind.
However, certain businesses need a SOC for more than peace of mind. If your company is in one of the following industries, a SOC isn’t just a good idea, but a necessity, as it will be vital to protecting highly sensitive client information and intellectual property:
- Payment Card Industry
- Financial Services
- Government Agencies
To be clear, even if your business is not in one of the above industries, you should not automatically conclude that you don’t need a SOC. For instance, if you have ongoing security issues or if you’ve suffered a serious breach in the past, investing in a SOC might be a wise business decision. Another reason to seriously consider opting for a SOC is compliance. If you’re facing a bevvy of strict regulations, or if maintaining compliance is something your organization is struggling with, a SOC can help you put those issues to bed.
At the end of the day, deciding whether to set up a SOC is a complex cost-benefit analysis. Whatever decision you make for your business, it’s important to keep in mind the following: a SOC relies heavily on technology, but the strength of a SOC ultimately comes from people. Your organization’s security posture is something that needs to be actively maintained, as the threat landscape is in a state of continual flux. So, if you do opt for a SOC to keep your business protected, you want to focus on building a team of committed professionals who continually strive to keep abreast of trends in the cybersecurity world. Anything less isn’t worth the investment.