A Security Operations Centre, or SOC, is a concept that can sometimes be difficult to understand if you aren’t a cyber security professional. Its definition varies, as does what it includes.
To clarify our offering and help businesses navigate the complex topic of SOC, we have created an FAQ designed to demystify the SOC.
SOCs used to be seen as unattainable for smaller businesses as they were expensive and required a lot of resources. As you will discover as you read on, nowadays, there are SOC solutions tailored for almost every kind of company. As the solutions become more scalable and affordable, even SMBs can now realistically invest in a SOC to improve their detection and response capabilities.
This article should provide you with all the answers to your questions and more!
A SOC is an operational centre where the day-to-day security operations take place.
Its mission is to protect businesses by providing detection capabilities to identify and alert in case of incoming cyber threats and respond to them to limit the business impact of a cyber security incident.
Without the proper tools and expertise, the average dwell time (the time until an intrusion is detected) is 56 days, and 53% of companies are still notified by external bodies [1]. A SOC allows you to effectively monitor your network and servers, detect threats earlier and respond more quickly, before they can impact your business.
The mission charter of a SOC needs to be defined and aligned with your business objectives and environment. It varies depending on the size and sector of an organisation as well as its risk profile and appetite. There is no ‘one size fits all’ when it comes to a SOC.
For example, a hospital – driven by patient safety and the protection of their patients’ sensitive information – has completely different challenges than a manufacturing company, driven by the productivity of its activity and potentially the protection of its IP, in a SCADA environment. The security risk profiles are different, leading to cyber security strategies that will have different emphasis.
Therefore, the design and the maturity of the various SOC capabilities will differ to address their respective risk profiles. For example, the hospital might be more interested in getting full visibility on any network traffic activity within its perimeter to better monitor the “uncontrolled insiders”, and less in forensics, whereas the manufacturer will protect its plants and monitor unauthorized access to its confidential data.
[1] M-Trends 2020 (https://content.fireeye.com/m-trends-fr/rpt-m-trends-2020)
Theoretically, a SOC, or Security Operations Centre, refers to a combination of multiple operational blocks. A SOC may include:
- Command Centre: Above everything, at the heart of the SOC, there is a command centre where everything is centralised including incident response. There is an emergency number to call in the case of a threat which then sets in motion the necessary processes mentioned below.
- Monitoring and Alerting (SIEM): The capability to monitor in real time what is happening on a company’s network and servers, collect logs and based on predefined rules, detect suspicious activity – like unwanted external intrusions or unauthorized internal access.
- Incident Response: In the case of a threat, there is a need to investigate. If it is a confirmed incident, a team can identify what and where the problem is and take action to limit the impact and support in resuming normal business operations.
- Forensics: A specific branch of incident response, covering investigations where, for example, legal action is expected. Through thorough investigation, including malware analysis and reverse engineering, the aim is to collect evidence and determine the root cause of an attack.
- Threat intelligence: The capacity to analyse what is happening on the internet and to include feeds from external systems to help determine which threats and threat actors are present. For efficient threat intelligence, human analysts and AI tools need to work together.
- Vulnerability Management: The ability to run periodic scans performed on an organisation’s network to identify any flaws, vulnerabilities and unpatched systems.
- Configuration monitoring: This capability aims to control and detect any deviation from approved standards and configurations during changes, such as (but not limited to) file integrity checks and baseline configuration compliance checks on approved systems.
- Penetration testing: Pen testing goes beyond vulnerability scans to model/demonstrate how an adversary would compromise a system and what is at risk.
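To make the “Monitoring and Alerting (SIEM)” and “Configuration monitoring” blocks above concrete, here is a small added example (not code from the original article or its author): a predefined detection rule run over constructed authentication log lines, and a file-integrity check of current file hashes against an approved baseline. Hostnames, usernames, IP addresses, file paths and file contents are all constructed sample data; the log format and the rule threshold are assumptions.

```python
import hashlib
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in a syslog-like format (hosts, users, IPs are made up).
SAMPLE_LOGS = """\
2024-03-04T02:10:01Z srv-fin01 sshd: Failed password for admin from 203.0.113.7
2024-03-04T02:10:03Z srv-fin01 sshd: Failed password for admin from 203.0.113.7
2024-03-04T02:10:04Z srv-fin01 sshd: Failed password for admin from 203.0.113.7
2024-03-04T02:10:06Z srv-fin01 sshd: Failed password for admin from 203.0.113.7
2024-03-04T02:10:07Z srv-fin01 sshd: Failed password for admin from 203.0.113.7
2024-03-04T02:10:09Z srv-fin01 sshd: Accepted password for admin from 203.0.113.7
2024-03-04T09:15:22Z ws-hr07 sshd: Failed password for jdoe from 10.0.5.23
2024-03-04T09:16:40Z ws-hr07 sshd: Accepted password for jdoe from 10.0.5.23
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd: (?P<result>Failed|Accepted) password "
    r"for (?P<user>\S+) from (?P<src>\S+)$"
)

def parse_logs(text):
    """Normalise raw lines into event dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append(ev)
    return events

def rule_bruteforce_then_success(events, threshold=5, window=timedelta(minutes=2)):
    """Predefined SIEM rule: at least `threshold` failed logins for one account from
    one source, then a success within `window`, is alerted as a likely brute force."""
    alerts = []
    failures = defaultdict(list)          # (user, src) -> timestamps of failures
    for ev in events:
        key = (ev["user"], ev["src"])
        if ev["result"] == "Failed":
            failures[key].append(ev["ts"])
            continue
        recent = [t for t in failures[key] if ev["ts"] - t <= window]
        if len(recent) >= threshold:
            alerts.append({"rule": "bruteforce_then_success", "host": ev["host"],
                           "user": ev["user"], "src": ev["src"], "ts": ev["ts"]})
        failures[key].clear()             # a success resets the counter for that pair
    return alerts

def sha256(data):
    return hashlib.sha256(data).hexdigest()

def check_file_integrity(baseline, current):
    """Configuration monitoring: compare current file hashes with the approved baseline
    and report every deviation (changed content, removed file, file not in baseline)."""
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "missing": sorted(p for p in baseline if p not in current),
        "unexpected": sorted(p for p in current if p not in baseline),
    }

if __name__ == "__main__":
    for alert in rule_bruteforce_then_success(parse_logs(SAMPLE_LOGS)):
        print("ALERT", alert)
    # Constructed baseline vs. current state: sshd_config drifted, an unapproved file appeared.
    baseline = {"/etc/ssh/sshd_config": sha256(b"PermitRootLogin no\n"),
                "/etc/sudoers": sha256(b"root ALL=(ALL) ALL\n")}
    current = {"/etc/ssh/sshd_config": sha256(b"PermitRootLogin yes\n"),
               "/etc/sudoers": sha256(b"root ALL=(ALL) ALL\n"),
               "/etc/cron.d/unapproved": sha256(b"# not in the approved baseline\n")}
    print(check_file_integrity(baseline, current))
```

The single failed login for jdoe stays below the threshold and raises nothing, which is the kind of noise-versus-signal decision a predefined rule encodes.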
Today, companies are faced with several different terms when it comes to cyber security. In the field of Detection and Response, three terms are worth clarifying:
- Managed Security Services: A managed security service provider delivers beyond the scope of a SOC. For example, it will also manage firewalls, VPNs, identity and access management platforms, data loss prevention and so on.
- Security Operations Centre (SOC): A SOC refers to a combination of multiple blocks (see question ‘What are the components of a SOC?’). This includes the same features as MDR, but its scope is extended to other solutions including vulnerability management, forensics and assessments.
- Managed Detection and Response (MDR): MDR is a subset of a SOC and usually refers to what we call today a “modern SOC”. This is a more concentrated solution than a SOC. It usually focuses on endpoint or network detection capabilities, incident response (automated and manual), and will generally include threat intelligence. It is based on newer technologies called XDR (Extended Detection & Response) that focus more on behavioural rather than signature-based analysis, leveraging A.I. and able to provide automated response.
Firstly, the main challenge is defining exactly what your business needs are. In theory, a SOC is made up of multiple blocks and, depending on the mission charter, your resources and risk appetite, there is not always a need for a full SOC.
Secondly, you need to correctly identify which types of technologies are best suited to your business needs and priorities. You should also consider the maturity of existing security capabilities, including prevention, protection and recovery. As an example, have you already invested in endpoint detection and response (EDR), do you need to gain greater visibility on your network with network detection and response (NDR), or do you need to consolidate log data from your different data sources, including domain controllers, DNS and critical assets, into a SIEM?
In any case, this requires a steep investment that could consume a big chunk of the budget allocated to the company’s cyber security, leaving very little to invest in other resources.
Thirdly, once you have defined the capabilities that will give you the best ROI, it is important to consider how it will be integrated into your existing infrastructure.
Finally, you need to consider your security and business objectives during the design and implementation phases, as well as during operations. This means you may need to adapt processes such as risk management and capacity management so that they take the output of the SOC into account.
Lastly, it is important to remember the crucial role of people. You will always need resources with the competencies to maintain and run whichever technologies you opt for. Although advanced technology can help reduce the number of people needed and improve their efficiency, you will need highly skilled experts to run and maintain it.
Choosing cloud-based solutions in general means you don’t need to worry about maintaining the hardware, the software, capacity or availability management. As opposed to an on-premises solution, in the cloud, there is no need to manage and maintain your servers. This provides some relief in terms of people and resource usage.
When it comes to SOC, as an example, the set-up of a cloud SIEM is simple and requires very little effort. The maintenance and security of the SIEM is the responsibility of the Security Service Provider. You don’t need to concern yourself with these aspects anymore.
Two major concerns when choosing a cloud-based solution for your SOC capabilities (i.e., SIEM or XDR) are compliance and data sovereignty. Are you sure your information is being stored securely and is not accessible by others? If your business doesn’t want to take the risk or has strict security policies forbidding the use of cloud solutions, then an on-premises solution (or a sovereign cloud solution) is better suited to your business needs.
Another reason to opt for an on-premises SIEM is the technical architecture of the company. A SIEM collects many logs and if they all have to be uploaded to the cloud, this can cause issues such as overloaded network bandwidth.
When it comes to risk, there is no difference between the two options. As digitalisation continues, there are many different access points and neither solution is more secure than the other.
Companies’ needs and resources vary widely, so multiple options exist to meet all businesses’ requirements:
- Internal: You retain full control and management of your SOC. Your internal resources will be responsible for the day-to-day operations. They will be in charge of monitoring your network and responding to any detected incidents.
- Outsourced: You delegate the running of your SOC to an external team of experts. A third-party provider is responsible for monitoring your infrastructure and responding to any identified threats.
Choosing to outsource frees you up to focus on your core business and leaves your security in the hands of experts.
- Hybrid: Although you retain most of the control, you delegate some tasks to an external partner. For example, you could delegate the Incident Response to a third-party cyber security expert.
By using this hybrid option, you keep control of your SOC but benefit from the expertise of external partners thereby reducing the need to employ hard to find experts.
Ask yourself the following questions to help you identify what model is best suited to your business:
- Which industry are you in? Sometimes, because of nation state protection or regulatory obligations, you may need or prefer to keep full control of your SOC, whereas in other industries you want to focus on your core business and let other professionals deliver the services for you.
- What are your resources? Our experience with many of our customers is unanimous and obvious: the more you add technologies for protection or detection, the more you need resources just to maintain them.
Furthermore, the more data you generate to gain visibility, the more expertise it requires to perform good triage and understand what is important versus what is noise. Although many IT people also have good security skills, are you sure they can cope with the ever-changing threat landscape and have the ability to perform adequate analysis, investigation and incident response?
Finally, if you consider your users and IT people to be your first line of defence, there are good reasons to keep them separate from a second line that also monitors suspicious activity (deliberate or not) coming from that first line.
- How fast do I need to integrate a SOC in my environment? Building a SOC from scratch takes time and costs a lot. Choosing a good external partner will effectively save you money and time by providing a higher quality SOC service, with strong SLAs.
Today, there are no specific definitions to determine a SOC’s maturity level. This maturity can be assessed through its resources, its processes and its technologies to deliver the various capabilities (such as incident response, monitoring and alerting, threat intelligence, ...). For example, the MITRE ATT&CK framework can be used to measure detection maturity level.
As discussed earlier, there is no “one size fits all” SOC; however, there are some minimum sets of resources that are highly recommended to start with.
First, in terms of people, you will need SOC analysts to operate your SOC and, as with most functions, there are different levels of expertise. There are typically 2 or 3 SOC analyst levels in the organisation.
A level 1 (L1) analyst is your “hotline”. They will be in charge of monitoring and identifying real threats amongst false positives. With clear processes and procedures, they can respond to certain events.
The next level (L2) has more expertise and is capable of responding to more serious threats. In case of advanced attacks such as APTs and ransomware requiring deep technical expertise, including reverse engineering or malware analysis, an L3 analyst will handle the response.
Secondly, in terms of key processes, an incident management response plan should be in place and documented. However, you may not necessarily need to start with a full threat intelligence or forensic capability.
Finally, in terms of technology, you may want to start by being able to detect and quickly respond to threats hitting your endpoints (with an EDR), allowing you to quickly detect suspicious activity and take immediate action such as isolating the machine (automatically or manually from a remote console) or deploying other detection capabilities such as honeypots.
At the end of the day, it all comes back to business alignment and risk management.
When choosing your SOC provider, you need to consider the following points:
- If you are an SMB, are you sure you will get the same level of attention from the major players when something goes wrong?
- Do you really need the full stack usually proposed by most SOC providers?
- From where is the SOC operating?
- Is your data safe and will you remain GDPR compliant?
- What languages are supported by the SOC?
- What proximity will you have with your SOC provider during the contract lifecycle and during an incident?
Many organisations have already made an investment in internal SOC capabilities or have made the decision to get the service outsourced by an external provider.
It is key to regularly assess the maturity as well as the performance of your SOC capabilities.
A maturity assessment will typically consist of a 360-degree review of the various components of your SOC, from the governance aspects and its relevance (i.e., is the SOC still aligned with the risk profile and the business objectives), down to the architecture of each capability, such as the skills, processes and procedures as well as the technology and configuration stack.
It is usually achieved by an expert through reviews and interviews and at the end, the SOC is assigned a score. It can then be benchmarked and used as a starting point for a SOC roadmap to either build or improve your SOC capabilities.
On the other hand, assessing the performance of the SOC allows you to measure the SOC’s effectiveness to achieve a defined objective. For example, measuring how fast it can detect lateral movement on your internal network. Typically, it involves a so-called “red-team” exercise with a team of ethical hackers specialised in hacking techniques, tactics and procedures. The MITRE ATT&CK framework is a good reference to use for such an exercise.
SOC for SMBs
When we refer to Small and Medium Businesses (SMBs) in the context of SOC necessities, we consider companies with between 30 and 2,000 users.
Businesses in all sectors and of all sizes are being targeted by hackers, even SMBs. Malicious actors are, in their vast majority, driven by monetising their activities on a large scale. Therefore, smaller businesses with a lower security maturity become a target of choice.
By definition, a SOC is an entity that operates the security activities centrally to limit the impact of a security incident. It has to be adapted to the business it protects (cf. the other questions in this FAQ).
Keeping this in mind, SMBs require some level of SOC as an integral part of a cyber security program (including end-user awareness and basic security hygiene such as patching of systems and password protection).
Companies may decide to invest only in prevention and protection measures and may not feel the need to invest in a SOC too. However, as 100% security can’t be guaranteed, not having a detection and response solution in place almost guarantees that any attack that gets through your defences will be successful and remain undetected until the hacker strikes and the damage is done. In that case, the company must ensure it has a good recovery strategy in place, including secure back-ups and a business continuity plan.
Having a SOC, whether it is basic or state-of-the-art, lowers the chances of a threat becoming a successful attack. The more developed your SOC is, the quicker your detection and response times will be, reducing the business impact for your enterprise, including financial or reputational.
The only thing that is certain is that if you have no SOC in place, the question is no longer if but when you will be hacked.
As explained in the question ‘What are the components of a SOC?’, a SOC is made up of several building blocks. However, not all businesses need or can afford to invest in a full SOC. It requires an investment not only in terms of budget but, more importantly, resources.
In today’s world, with the increase of homeworking, the adoption of cloud services and additional mobile devices, the minimum any organisation needs is to be able to detect and quickly respond to threats targeting their users.
Traditional measures for endpoint protection (such as antimalware) are not enough anymore. Some claim they may even have become obsolete. Nonetheless, EDR solutions alongside a proper monitoring and incident response service are a good and affordable starting point for many SMBs. They usually come with a certain level of embedded threat intelligence and automated response capabilities, helping to minimise the effort of the SOC analysts and making a SOC easier and more affordable for SMBs.
Newer technologies such as XDR, NDR and EDR which come with Artificial Intelligence, can detect real threats faster, reduce false positives and provide automated responses, thereby lowering the amount of people needed to monitor, analyse and respond to an attack. It will improve the analyst’s efficiency.
Another strategy for full cloud-based companies is to start with a solution that monitors, detects and responds to threats immediately within your cloud collaboration service (such as O365, OneDrive, Teams, ...).
In addition, if you need to gain more visibility on suspicious behaviour such as lateral movement or reconnaissance within your internal network (ex. insider threats), you may want to deploy some deception capabilities such as honeypots. As such, you will immediately detect abnormal behaviour and be able to react quicker with a maximum ROI.
It is also good advice to secure a Cyber Security Incident Response Team (CSIRT) in the form of a retainer for a fixed number of hours. Sized to your risk level, it assures you that specialised expertise will be available in time to help mitigate and recover from a cyber-attack.
For companies wishing to have complete 360° visibility on their network, investing in a more global monitoring and alerting service becomes a critical factor. This requires a SIEM along with monitoring and alerting capabilities, collecting logs from all your data sources (inc. domain controllers, critical databases, security products such as firewalls, VPN, ...). In this case, the collection and correlation of logs will take place 24x7. The question is: do you need 24x7 reactivity? (Read more in the question below).
Companies need to weigh up their needs and determine what is best suited to them.
It’s true that cyber threats don’t operate 8x5. But is your business running 24x7? It is important to understand that, in the event of a security breach, many people from your organisation will be involved in the management of the incident: from your IT administrator (e.g., to close ports on your router or to lock users in your Active Directory), potentially up to your CEO if it becomes a crisis.
Secondly, what does 24x7 exactly mean? You can have the capability to collect log activity and have your system trigger alerts 24x7 without having the necessary resources available 24x7 to respond to the alert.
In many instances, and again depending on the business needs and risk appetite (in other words the investment the company is willing to make to balance its cyber risk), deploying monitoring capabilities 24x7 with some level of automated response, along with a response service running 8x5 is a very good starting point.
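The following added example (not from the original article) puts numbers on the staffing model just described: automated response acts on every alert around the clock, while a human only picks up the alert during an 8x5 window. The alerts, the Monday-to-Friday 08:00-17:00 window and the rule that only high-severity alerts trigger automatic endpoint isolation are all assumptions.

```python
from datetime import datetime, timedelta

# Assumed 8x5 human response window: Monday to Friday, 08:00-17:00 local time.
BUSINESS_START, BUSINESS_END = 8, 17

# Constructed alerts as a SIEM or EDR might raise them (names, times and severities are made up).
SAMPLE_ALERTS = [
    {"name": "ransomware_precursor", "severity": "high", "ts": datetime(2024, 3, 8, 19, 30)},  # Friday evening
    {"name": "suspicious_login", "severity": "medium", "ts": datetime(2024, 3, 9, 3, 0)},      # Saturday night
    {"name": "policy_violation", "severity": "medium", "ts": datetime(2024, 3, 5, 10, 15)},    # Tuesday morning
]

def next_business_instant(ts):
    """Earliest moment at or after ts when the 8x5 response team is on duty."""
    t = ts
    while True:
        if t.weekday() < 5:                       # Monday..Friday
            if BUSINESS_START <= t.hour < BUSINESS_END:
                return t
            if t.hour < BUSINESS_START:
                return t.replace(hour=BUSINESS_START, minute=0, second=0, microsecond=0)
        # evening or weekend: try the next day's start of business
        t = (t + timedelta(days=1)).replace(hour=BUSINESS_START, minute=0, second=0, microsecond=0)

def triage(alert, human_24x7=False):
    """Apply the staffing model: automation acts 24x7 on high-severity alerts
    (here: isolating the endpoint); a human picks the alert up 8x5 unless human_24x7."""
    auto = "isolate_endpoint" if alert["severity"] == "high" else "none"
    human_at = alert["ts"] if human_24x7 else next_business_instant(alert["ts"])
    return {"alert": alert["name"], "automated_action": auto,
            "human_delay_hours": (human_at - alert["ts"]).total_seconds() / 3600}

def triage_all(alerts, human_24x7=False):
    return [triage(a, human_24x7) for a in alerts]

def worst_case_human_delay_hours(week_start=datetime(2024, 3, 4), step_minutes=15):
    """Sweep one week in fixed steps and return the longest wait for a human under 8x5."""
    worst, t = 0.0, week_start
    while t < week_start + timedelta(days=7):
        worst = max(worst, (next_business_instant(t) - t).total_seconds() / 3600)
        t += timedelta(minutes=step_minutes)
    return worst

if __name__ == "__main__":
    for result in triage_all(SAMPLE_ALERTS):
        print(result)
    print("worst case wait for a human under 8x5:", worst_case_human_delay_hours(), "hours")
```

The Friday-evening alert waits 60.5 hours for an analyst, and the worst case over a week is 63 hours; that gap is what the automated response covers when the response service runs 8x5.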
When choosing to build a SOC, you will need to plan significant capital to start the project. The first thing to do is ensure you have the correct infrastructure in place. Once your infrastructure is ready, you will need to implement and configure multiple security solutions and hire the right people to understand, manage and maintain each of them.
Because of the necessary investment in terms of time, money and resources; building a SOC makes the most sense for medium and large businesses.
If you buy a SOC from a Managed Security Service Provider (MSSP), you are purchasing not only the security solutions but also their expertise. An MSSP will implement and configure all the tools and integrate them into your existing infrastructure. They also provide the resources that will run the SOC thereby guaranteeing you always have the most qualified people focusing on your security while your team concentrates on your core business.
By buying a SOC, an SMB can save enormous amounts of time, money and have a higher SOC service quality. You will also benefit from the experience and data analytics that the SOC provider has gained from its whole customer base.
Our SOC, run by our offensive (red team) and defensive (blue team) experts, is responsible for delivering our managed security services to our customers.
Through our European Security Operations Centre, we can provide solutions that support your organisation to monitor your environment, detect vulnerabilities and threats and respond in case of an incident. We work together with you to assess your current posture and business needs in order to determine what features you truly need.
We are headquartered in Belgium, with an additional delivery centre and data centre based in Luxemburg. You can therefore rest assured that we are handling your data in accordance with EU regulations such as GDPR.
Whether you are currently considering your options, ready to build your own SOC, looking to improve your existing set-up or interested in a fully managed service; our team of experts can support you.
Discover more about our solutions by heading to our SOC page.
Not all businesses, especially SMBs, need to invest in a full SOC; it requires significant resources, both in terms of people and budget (cf. the question “Does an SMB really need a SOC?”).
For SMBs, we are offering a solution which only includes the features you will truly benefit from.
Our MDR standard offer provides the minimum capabilities necessary for an SMB:
- active monitoring in either an 8x5 or 24x7 format depending on your needs and resources
- automated attack blocking to respond to any threats
This solution provides you with the best return on your security investment. And we can always increase your capability maturity and upgrade your SOC later in time if your needs change.
When integrating SOC solutions into your existing infrastructure, we always take care of the following aspects – key factors to get the best security, experience and return on investment:
- Proximity and Culture: we operate out of Belgium and Luxemburg. Being close to our customers allows us to understand the market demands and your specific needs and to act quickly as an extension of your team.
- Compliance: we are ISO 27001 certified. This demonstrates our commitment to protecting the data and information assets of our customers, partners and employees. We ensure all our services, solutions and technological partners are compliant with European regulations such as GDPR and your data stays in Europe.
- Budget & cost control: our solutions are affordable and you only need to invest in solutions you will truly benefit from thereby reducing unnecessary expenses and maximising the return on your security investment.
- Performance and Expertise: We continuously train our people to ensure they maintain the skills necessary to support you. Thanks to our CyberLab, our experts can train in realistic conditions and develop their skills. Thanks to our 360° portfolio of services, our people and our clients also benefit from a solid background and expertise to optimise their cyber security strategy.