SOC FAQ

A SOC is an operational centre where the day-to-day security operations take place.

Its mission is to protect businesses by providing detection capabilities to identify and alert in case of incoming cyber threats and respond to them to limit the business impact of a cyber security incident.

Without the proper tools and expertise, the average dwell-time (time until intrusion detection) is 56 days and 53% of companies are still notified by external bodies¹. A SOC allows you to effectively monitor your network and servers and detect any threats earlier and respond quicker before they can impact your business.

The mission charter of a SOC needs to be defined and aligned with your business objectives and environment. It varies depending on the size and sector of an organisation as well as its risk profile and appetite. There is no ‘one size fits all’ when it comes to a SOC.

For example, a hospital – driven by patient safety and the protection of their patients’ sensitive information – has completely different challenges than a manufacturing company, driven by the productivity of its activity and potentially the protection of its IP, in a SCADA environment. The security risk profiles are different, leading to cyber security strategies that will have different emphasis.

Therefore, the design and the maturity of the various SOC capabilities will differ to address their respective risk profile. For example, the hospital might be more interested in getting full visibility on any network traffic activity within its perimeter to better monitor the “uncontrolled insiders”, and less in forensics, whereas the manufacturer will protect its plants and monitor unauthorized access on its confidential data.

¹ M-Trend 2020 (https://content.fireeye.com/m-trends-fr/rpt-m-trends-2020)

Theoretically, a SOC, or Security Operations Centre, refers to a combination of multiple operational blocks. A SOC may include:

• Command Centre: Above everything, at the heart of the SOC, there is a command centre where everything is centralised including incident response. There is an emergency number to call in the case of a threat which then sets in motion the necessary processes mentioned below.
• Monitoring and Alerting (SIEM): The capability to monitor in real time what is happening on a company’s network and servers, collect logs and based on predefined rules, detect suspicious activity – like unwanted external intrusions or unauthorized internal access.
• Incident Response: In the case of a threat, there is a need to investigate. If it is a confirmed incident, a team can identify what and where the problem is and take action to limit the impact and support in resuming normal business operations.
• Forensics: a specific section of incident response, it refers to an investigation in the case of legal action for example. Through thorough investigation, including malware analysis and reverse engineering, the aim is to collect evidence and determine the root cause of an attack.
• Threat intelligence: The capacity to analyse what is happening on the net and include feeds from other external systems to help determine which threats and threat actors are present. For efficient threat intelligence, the collaboration of both human and AI tools is required.
• Vulnerability Management: The ability to run periodic scans performed on an organisation’s network to identify any flaws, vulnerabilities and unpatched systems.
• Configuration monitoring: This capability aims to control and detect any deviation from approved standards and configurations during changes, such as (but not limited to) file integrity check, baseline configuration on system approvals (compliancy checks), ...
• Penetration testing: Pen testing goes beyond vulnerability scans to model/demonstrate how an adversary would compromise a system and what is at risk.

Today, companies are faced with several different terms when it comes to cyber security. And in the field of Detection and Response, there are 3 terms worth detailing to help better understand what they are:

• Managed Security Services: A managed security service provider delivers beyond the scope of a SOC. For example, it will also manage firewalls, VPN’s, identity and access management platforms, data loss prevention and so on…
• Security Operations Centre (SOC): A SOC refers to a combination of multiple blocks (see question ‘What are the components of a SOC?’). This includes the same features as MDR, but its scope is extended to other solutions including vulnerability management, forensics and assessments.
• Managed Detection and Response (MDR): MDR is a subset of a SOC and usually refers to what we call today a “modern SOC”. This is a more concentrated solution than a SOC. It usually focuses on endpoint or network detection capabilities, incident response (automated and manual), and will generally include threat intelligence. It is based on newer technologies called XDR (Extended Detection & Response) that focus more on behavioural rather than signature-based analysis, leveraging A.I. and able to provide automated response.

Firstly, the main challenge is defining exactly what your business needs are. In theory, a SOC is made-up of multiple blocks and depending on the mission charter, your resources and risk appetite, there is not always a need for a full SOC.

Secondly, you need to correctly identify which types of technologies are best suited to your business needs and priorities. You should also consider the maturity of existing security capabilities, including prevention, protection and recovery. As an example, have you already invested in end-point detection and response (EDR), or do you need to gain greater visibility on your network with network detection and response (NDR), or do you need to consolidate log data from your different data sources including domain controllers, DNS and critical assets into a SIEM?

In any case, this requires a steep investment that could consume a big chunk of the budget allocated to the company’s cyber security. Thereby leaving very little to invest in other resources.

Thirdly, once you have defined the capabilities that will give you the best ROI, it is important to consider how it will be integrated into your existing infrastructure.

Finally, you need to consider your security and business objectives during the design and implementation phases, as well as during operations. It means that you may need to adapt processes such as your risk management, capacity management, in order to integrate them into the output of the SOC.

Lastly, it is important to remember the crucial role of people. You will always need resources with the competencies to maintain and run whichever technologies you opt for. Although advanced technology can help reduce the amount of people needed and improve their efficiency, you will need highly skilled experts to run and maintain them.

Choosing cloud-based solutions in general means you don’t need to worry about maintaining the hardware, the software, capacity or availability management. As opposed to an on-premises solution, in the cloud, there is no need to manage and maintain your servers. This provides some relief in terms of people and resource usage.

When it comes to SOC, as an example, the set-up of a cloud SIEM is simple and requires very little effort. The maintenance and security of the SIEM is the responsibility of the Security Service Provider. You don’t need to concern yourself with these aspects anymore.

Two major concerns when choosing a cloud-based solution for your SOC capabilities (i.e., SIEM or XDR) are compliance and data sovereignty. Are you sure your information is being stored securely and is not accessible by others? If your business doesn’t want to take the risk or has strict security policies forbidding the use of cloud solutions, then an on-premises solution (or a sovereign cloud solution) is better suited to your business needs.

Another reason to opt for an on-premises SIEM is the technical architecture of the company. A SIEM collects many logs and if they all have to be uploaded to the cloud, this can cause issues such as overloaded network bandwidth.

When it comes to risk, there is no difference between the two options. As digitalisation continues, there are many different access points and neither solution is more secure than the other.

Companies’ needs and resources are very versatile, so multiple options exist to meet all businesses’ requirements:

• Internal: You retain full control and management of your SOC. Your internal resources will be responsible for the day-to-day operations. They will be in charge of monitoring your network and responding to any detected incidents.
• Outsourced: You delegate the running of your SOC to an external team of experts. A third-party provider is responsible for monitoring your infrastructure and responding to any identified threats.
  Choosing to outsource frees you up to focus on your core business and leaves your security in the hands of experts.
• Hybrid: Although you retain most of the control, you delegate some tasks to an external partner. For example, you could delegate the Incident Response to a third-party cyber security expert.
  By using this hybrid option, you keep control of your SOC but benefit from the expertise of external partners thereby reducing the need to employ hard to find experts.

Ask yourself the following questions to help you identify what model is best suited to your business:

• Which industry are you in? Sometimes, because of nation state protection or regulatory obligations, you may need or prefer to keep a full control of your SOC, whereas in other industries, you want to focus on your core business and let other professionals deliver the services for you.
• What are your resources? Our experience with many of our customers is unanimous and obvious: the more you add technologies for protection or detection, the more you need resources just to maintain them.
  Furthermore, the more data you generate to gain visibility, the more it requires expertise to perform good triage and understand what is important versus what is noise. Although many IT people also have good security skills, are you sure they can cope with the everchanging threat landscape and have the ability to perform adequate analysis, investigation and incident response?
  Finally, for good reasons, if you consider your users and IT people as your first line of defence, you may also want to separate them from a second line that will monitor suspicious activity (deliberate or not) from that first line too.
• How fast do I need to integrate a SOC in my environment? Building a SOC from scratch takes time and costs a lot. Choosing a good external partner will effectively save you money and time by providing a higher quality SOC service, with strong SLAs.

Today, there are no specific definitions to determine a SOC’s maturity level. This maturity can be assessed through its resources, its processes and its technologies to deliver the various capabilities (such as incident response, monitoring and alerting, threat intelligence, ...). For example, the MITRE ATT&CK framework can be used to measure detection maturity level.

As discussed earlier, there is no “one size fits all” SOC, however there are some minimum sets of resources that are highly recommended to start with.

First, in terms of people, you will need SOC analysts to operate your SOC and, as with most functions, there are different levels of expertise. There are typically 2 or 3 SOC analyst levels in the organisation.

A level 1 (L1) analyst is your "hotline”. They will be in charge of monitoring and identifying real threats amongst false positives. With clear processes and procedures, they can respond to certain events.

The next level (L2) has more expertise and is capable of responding to more serious threats. In case of advanced attacks such as APTs and ransomware requiring deep technical expertise, including reverse engineering or malware analysis, an L3 analyst will handle the response.

Secondly, in terms of key processes, an incident management response plan should be in place and documented. However, you may not necessarily need to start with a full threat intelligence or forensic capability.

Finally, in terms of technology, you may want to start by being able to detect and quickly respond to threats hitting your endpoints (with an EDR), allowing you to quickly detect suspicious activity and take immediate action such as isolating the machine (automatically or manually from a remote console) or deploying other detection capabilities such as honeypots.

At the end of the day, it all comes back to business alignment and risk management.

When choosing your SOC provider, you need to consider the following points:

• If you are an SMB, are you sure you will get the same level of attention from the major players when something goes wrong?
• Do you really need the full stack usually proposed by most SOC providers?
• From where is the SOC operating?
• Is your data safe and will you remain GDPR compliant?
• What languages are supported by the SOC?
• What proximity will you have with your SOC provider during the contract lifecycle and during an incident?

Many organisations have already made an investment in internal SOC capabilities or have made the decision to get the service outsourced by an external provider.

It is key to regularly assess the maturity as well as the performance of your SOC capabilities.

A maturity assessment will typically consist of a 360°-degree review of the various components of your SOC, from the governance aspects and its relevance (i.e., is the SOC still aligned with the risk profile and the business objectives), down to the architecture of each capability, such as the skills, processes and procedures as well as the technology and configuration stack.

It is usually achieved by an expert through reviews and interviews and at the end, the SOC is assigned a score. It can then be benchmarked and used as a starting point for a SOC roadmap to either build or improve your SOC capabilities.

On the other hand, assessing the performance of the SOC allows you to measure the SOC’s effectiveness to achieve a defined objective. For example, measuring how fast it can detect lateral movement on your internal network. Typically, it involves a so-called “red-team” exercise with a team of ethical hackers specialised in hacking techniques, tactics and procedures. The MITRE ATT&CK framework is a good reference to use for such an exercise.

Our SOC, run by our offensive (red team) and defensive (blue team) experts, is responsible for delivering our managed security services to our customers.

Through our European Security Operations Centre, we can provide solutions that support your organisation to monitor your environment, detect vulnerabilities and threats and respond in case of an incident. We work together with you to assess your current posture and business needs in order to determine what features you truly need.

We are headquartered in Belgium, with an additional delivery centre and data centre based in Luxemburg. You can therefore rest assured that we are handling your data in accordance with EU regulations such as GDPR.

Whether you are currently considering your options, ready to build your own SOC, looking to improve your existing set-up or interested in a fully managed service; our team of experts can support you.

Discover more about our solutions by heading to our SOC page.

Not all businesses, especially SMBs need to invest in a full SOC, it requires significant resources, both in terms of people and budget (cfr. Question “Does an SMB really need a SOC?”).

For SMBs, we are offering a solution which only includes the features you will truly benefit from.

Our MDR standard offer provides the minimum capabilities necessary for an SMB:

• active monitoring in either an 8x5 or 24x7 format depending on your needs and resources
• automated attack blocking to respond to any threats  

This solution provides you with the best return on your security investment. And we can always increase your capability maturity and upgrade your SOC later in time if your needs change.

When integrating SOC solutions into your existing infrastructure, we always take care of the following aspects – key factors to get the best security, experience and return on investment:    

• Proximity and Culture: we operate out of Belgium and Luxemburg. Being close to our customer, allows us to understand the market demands and your specific needs and act quickly as an extension of your team.
• Compliance: we are ISO 27001 certified. This demonstrates our commitment to protecting the data and information assets of our customers, partners and employees. We ensure all our services, solutions and technological partners are compliant with European regulations such as GDPR and your data stays in Europe.
• Budget & cost control: our solutions are affordable and you only need to invest in solutions you will truly benefit from thereby reducing unnecessary expenses and maximising the return on your security investment.
• Performance and Expertise: We continuously train our people to ensure they maintain the skills necessary to support you. Thanks to our CyberLab, our experts can train in realistic conditions and develop their skills. Thanks to our 360° portfolio of services, our people and our clients benefit also from a solid background and expertise to optimize their cyber security strategy.