A Security Operations Center (abbreviated SOC) is a combination of specialists, processes, and technologies aimed at effective monitoring (detection) of and response to information security incidents (primarily those caused by external attackers). Incidents differ, which means that identifying the degree of threat may, in theory, require different practices and processes: different specializations, or «subspecies». In the last couple of years the theory has been confirmed in practice, and outsourced SOC services have split into several varieties according to the types of threats they can identify.
Most companies have installed antiviruses, firewalls, and other information protection tools, but at the same time they have no single picture of what is happening in the infrastructure. Each protection element is configured individually and works correctly, but nothing links them together. As a result, the effectiveness of the protection suite as a whole drops significantly, and there is no way to identify incidents as quickly as possible and take proactive action.
Definition of the subject area and the market for outsourced services
The Center's specialists have a constant task: regular analysis of continuous information flows. These people face both routine and abnormal situations daily and quickly eliminate their consequences. The main responsibilities of such employees are listed below:
- searching for, monitoring, and analyzing anomalous activity in information flows;
- timely prevention of potential threats;
- regular checking of system boundaries for vulnerabilities, with quick intervention if necessary;
- weeding out false alarms from the security systems and promptly responding to threatening incidents;
- drawing up detailed reports on what is happening in the system, and analyzing the actions of potential intruders.
Companies that use a risk-oriented approach as the basis for building an information security system develop a «Risk treatment plan» based on the results of a formalized process of assessing information security risks. This plan usually guides the selection of controls needed to reduce unacceptable risks. Controls can be organizational, technical, or legal, and can be implemented in the form of policies, procedures, or firmware.
At the same time, services related to the operation of technical control mechanisms are often in the area of responsibility of the IT service. All technical control mechanisms can by their nature be divided into three categories:
- Built-in: embedded in active network equipment, web servers, applications, etc. These mechanisms are configured and supported by the IT service, following the policies and standards developed by the information security service.
- Hybrid: carry the functionality associated with implementing dedicated security subsystems, such as firewalls, intrusion detection systems, anti-virus tools, and vulnerability scanners. These mechanisms are highly specialized and must be administered by the information security service.
- Autonomous: serve to automate information security management processes. Examples of such controls are SIEM systems and GRC solutions. These mechanisms are used by the information security service and do not directly affect the performance of the system.
The last two types of control mechanisms should be in the area of responsibility of the information security service. However, the company's management may make a strategic decision to reduce capital and operating costs for non-core activities, outsource them, and concentrate on the company's main business areas.
Positive aspects of SOC outsourcing
Most small companies cannot afford the cost of running a SOC. As mentioned above, IT security requirements are constantly growing, and high-class specialists are needed to maintain the system. For this reason, most firms prefer outsourcing. Listed below are the main benefits of outsourcing over owning your own SOC.
Control of every IT component that is in the organization
Outsourcing is the optimal solution for controlling what is happening inside IT systems, and it also serves as a tool for external support.
A unified scheme when working with the corporate database
All important information about ongoing incidents is stored in one place, which prevents unnecessary loss of information.
Each specialist is part of a well-coordinated mechanism
The outsourcing system implies the joint work of all employees, creating something like a collective mind. This makes it easier for the team to meet and eliminate any threat.
Timely response regardless of the time of day
Attackers can operate outside your company's business hours. That is why outsourcing is set up to eliminate suspicious activity immediately, regardless of the time of day.
In the long term, the cost of information security will be lower
Although this solution is not cheap, it is one of the most effective. By eliminating problems at an early stage, the cost of information security when using a SOC will decrease.
Benefits for the company when implementing a SOC
With the help of a SOC, it becomes possible to organize a process of continuous improvement of protective measures. Analysis of current events and information security incidents, and clarification of the reasons for their occurrence with the involvement of various departments, allows you to evaluate the effectiveness of current protection measures, understand their shortcomings, and develop proposals for their replacement or correction.
Implementing a SOC can reduce direct and indirect costs. Even with a small staff, a SOC reduces the resources required for manual processing of information security events, and it continues to do so as the number of monitored protection measures grows. At the same time, it does not require an increase in staff; on the contrary, it lets you optimize employees' work by consolidating data on one console and automating the analysis of information security events.
Employing the Information Security Control Center lets you separate the authority to control IT systems. Protection tools, their administration, and their operation are, as a rule, under the jurisdiction of the IT department, while the information security function is assigned only control duties. A SOC is perhaps the only control tool in the hands of information security departments that lets them track actions in IT systems, which objectively reduces the influence of the human factor and raises the company's level of information security.
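The «single console» that links otherwise isolated firewall, antivirus, and intrusion detection tools is, at its core, an event correlator: it normalizes each tool's log lines, groups them by the affected host within a time window, and raises an incident only when independent sources agree, which is also how lone false alarms get weeded out. The following is an added illustration of that mechanism, written for this article and not code from the article or from any SOC vendor; the log line formats, the 10-minute window, the «two independent tools» threshold, and the sample lines themselves are all constructed assumptions.

```python
"""Minimal multi-source event correlator (added example, not from the article).

Normalizes constructed log lines from three tools named in the article
(firewall, antivirus, IDS), groups them per host inside a sliding time
window, and raises an incident only when at least two independent tools
report the same host. A lone firewall deny is treated as noise.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real data). Formats are assumptions.
SAMPLE_LOGS = [
    "2024-03-01T09:00:05Z firewall DENY src=10.0.5.23 dst=203.0.113.9 dport=4444",
    "2024-03-01T09:00:07Z firewall DENY src=10.0.5.23 dst=203.0.113.9 dport=4444",
    "2024-03-01T09:01:10Z antivirus DETECT host=10.0.5.23 name=Trojan.Generic action=quarantined",
    "2024-03-01T09:02:30Z ids ALERT src=10.0.5.23 sig='ET MALWARE beacon'",
    "2024-03-01T09:05:00Z firewall DENY src=10.0.5.77 dst=198.51.100.2 dport=443",
    "2024-03-01T11:30:00Z ids ALERT src=10.0.5.77 sig='ET SCAN'",
]

# "<timestamp> <tool> <event-type> key=value ..." (assumed normalized format)
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<tool>\w+)\s+(?P<event>\w+)\s+(?P<rest>.*)$")
# key=value pairs; values may be single-quoted to allow spaces
KV_RE = re.compile(r"(\w+)=('[^']*'|\S+)")


def parse_line(line):
    """Normalize one log line into a dict, or return None if unparseable."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = {k: v.strip("'") for k, v in KV_RE.findall(m.group("rest"))}
    # Different tools name the affected machine differently; unify on "host".
    host = fields.get("host") or fields.get("src")
    if host is None:
        return None
    return {
        "ts": datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ"),
        "tool": m.group("tool"),
        "event": m.group("event"),
        "host": host,
        "fields": fields,
    }


def correlate(lines, window=timedelta(minutes=10), min_tools=2):
    """Group events per host; raise an incident when >= min_tools distinct
    tools report that host within `window`. Returns a list of incidents."""
    by_host = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev:
            by_host[ev["host"]].append(ev)

    incidents = []
    for host, events in by_host.items():
        events.sort(key=lambda e: e["ts"])
        best = None
        # Sliding window anchored at each event; keep the richest grouping.
        for i, start in enumerate(events):
            group = [e for e in events[i:] if e["ts"] - start["ts"] <= window]
            tools = {e["tool"] for e in group}
            if len(tools) >= min_tools and (best is None or len(tools) > len(best["tools"])):
                best = {
                    "host": host,
                    "first_seen": group[0]["ts"],
                    "last_seen": group[-1]["ts"],
                    "tools": sorted(tools),
                    "events": group,
                }
        if best:
            # Severity grows with the number of independent corroborating tools.
            best["severity"] = "high" if len(best["tools"]) >= 3 else "medium"
            incidents.append(best)
    return incidents


def summarize(incident):
    """One-line console summary for an analyst."""
    return (f"[{incident['severity'].upper()}] host={incident['host']} "
            f"tools={','.join(incident['tools'])} events={len(incident['events'])} "
            f"window={incident['first_seen'].time()}..{incident['last_seen'].time()}")


if __name__ == "__main__":
    for inc in correlate(SAMPLE_LOGS):
        print(summarize(inc))
```

On the constructed input, host 10.0.5.23 is reported by all three tools within two and a half minutes and becomes a single high-severity incident, while the two unrelated alerts for 10.0.5.77 fall hours apart and produce nothing. The design choice worth noting is that the correlator never trusts a single tool on its own: the «links between them» that the article says most companies lack are exactly what turns four separate log lines into one actionable incident.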
Instead of an afterword
It should be noted that responsibility for assessing the information security risks associated with SOC outsourcing remains with the company's information security service. The information security service should develop a «Risk Treatment Plan» indicating the appropriate control mechanisms, including those that must be implemented by the service provider. Thus, there is a certain gap in the division of responsibilities between who defines the necessary control mechanisms and who is responsible for their implementation and maintenance; it can be closed by a clear distribution of roles and responsibilities in the service contract.