Evolution Of Security Operations Center
Lakshminarayanan Kaliyaperumal
Vice President & Head - Cyber Security Technology & Operations at Infosys Ltd
As per Gartner’s definition, “A security operations center (SOC) can be defined both as a team, often operating in shifts around the clock, and a facility dedicated to and organized to prevent, detect, assess and respond to cybersecurity threats and incidents, and to fulfil and assess regulatory compliance.”
In the past, a traditional SOC focused primarily on detection and incident response, while the Network Operations Center (NOC) had availability as its primary objective. The NOC’s key responsibilities were network device management and performance monitoring rather than detecting and responding to security incidents.
Evolution of Security Operations Center
In the beginning, Security Operations Centers were implemented for government and defense organizations, and their major responsibilities were handling virus alerts, intrusion detection and response. After the year 2000, monitoring operations were implemented for large enterprises and banks in addition to government and military organizations.
The Information Security Management Standard (ISO/IEC 27001) was released in 2005, and compliance was added to the SOC’s objectives. On the technology front, stateful inspection firewalls, anti-spam, vulnerability management and intrusion prevention were added as sources for monitoring and response actions.
The years 2007-2013 were the golden period of SOC evolution. Many security solutions that are key to security monitoring, such as Data Leakage Prevention (DLP) and Security Information and Event Management (SIEM), entered the cybersecurity ecosystem. Advanced Persistent Threats (APTs) peaked during this period, and SOCs played the major role in detecting and preventing them. Log aggregation, regulatory compliance, malware analysis and data leakage monitoring were the key objectives of security operations during this time.
Managed Security Service Providers (MSSPs) also emerged during this time for IT and security operations. A managed security service is a shared model, not exclusively dedicated to a single organization or entity. MSSPs were initially adopted by large enterprises; later, small and medium-sized businesses also started consuming MSSP services for their security operations requirements.
Next-generation SIEM, built around User and Entity Behaviour Analytics (UEBA) and machine learning (a subset of artificial intelligence), then entered the security ecosystem and the security operations journey.
Organizations deployed UEBA on top of their existing SIEM to reduce false positives. A SIEM is rule-based: it works purely on rule logic and thresholds, and every user and system is held to the same static number. Thresholds are the major challenge for SIEM technology: a correlation rule cannot keep its window open for more than a few hours, because longer windows have a heavy impact on SIEM performance. Identity and access became core components of security after the advent of mobile technologies, BYOD and cloud adoption, and UEBA/UBA technologies use identity and access data to define normal and anomalous user and entity behaviours against each user’s own history rather than a fixed threshold.
Threat-intelligence-driven security operations, reverse engineering and AI/ML-based monitoring technologies have turned SOCs into Next-Gen SOCs. Hybrid SOCs, a SOC deployed and operated on a customer’s premises by an MSSP and also called Remote SOCs, emerged during this time. Threat Intelligence Platforms (TIP), OSINT and commercial threat intelligence feeds have been core components of security operations since 2015. Threat intelligence enriches the context of incidents and helps security analysts make decisions; it also created visibility into adversaries’ tactics, techniques and procedures (TTPs). TTP-based threat hunting adds further value to SOCs through early detection and remediation of hidden threats.
Cloud migrations started during this time, and cloud security solutions such as Cloud Access Security Brokers (CASB) entered the market to give the IT and security community visibility into Shadow IT and Shadow Data. SOC monitoring responsibilities expanded to the cloud, and sophisticated threats also increased during this period. Cloud Security Posture Management (CSPM), Cloud Workload Protection Platforms (CWPP), cloud-based Endpoint Detection and Response (EDR) and cloud-based hunting were added as new security operations capabilities. Organizations with Operational Technology (OT) and Industrial Control Systems (ICS) in their infrastructure enabled security monitoring of both OT and ICS in their SOC.
Cyber Defense Center (CDC), Cyber Fusion Center (CFC), Cyber Security Operations Center (CSOC), Cyber Security Incident Response Team (CSIRT) and Joint Operations Center (JOC) are the new names coined for the Security Operations Center after 2015. The security operations journey started with a reactive approach, moved to a proactive approach, and is now in a proactive-with-automation phase.
Within a couple of years, more than 50% of Security Operations Centers will migrate to modern Cyber Defense Centers integrated with automated threat hunting and incident response capabilities. Organizations that have not yet started their SOC journey can begin with an MSSP, then move to a Hybrid SOC, and finally reach their own mature Security Operations Center.
A modern Cyber Defense Center / Cyber Fusion Center provides the following services:
1. Security Event Monitoring, Detection, Investigation and Triage
2. Malware Analysis, Reverse Engineering, Digital Forensics, Insider Threats
3. Threat Intelligence Platform Management
4. Threat Hunting
5. Content Management
6. Threat and Vulnerability Management
7. Compliance
8. Reporting and Notifications
9. Training
10. Identity and Access Governance
Challenges of Security Operations Center
False positives are the biggest challenge for a SOC, and more than 50% of analyst effort goes into handling them. Integrating log sources and enabling out-of-the-box use cases and rules from monitoring solutions without validating their relevance to the environment are the major causes. Lack of incident context and threshold-based correlation rules were further challenges for security analysts. After AI/ML monitoring solutions were integrated, threshold-based correlation rules were converted into machine learning models, and the integration of threat intelligence solved the missing-context problem.
Over time, many siloed point solutions were added to SOC monitoring, and security analysts toggle between multiple consoles to respond to incidents. Training staff on multiple technologies in a short span of time is impossible. Documenting and updating incident response playbooks/runbooks and maintaining an up-to-date knowledge base are key for any security operations center, and require a lot of human effort.
Multiple point solutions increased the number of incidents security analysts must handle. Repetitive tasks and alert fatigue are the major reasons analysts quit security operations jobs.
Traditional SIEM solutions, and even next-gen SIEMs, do not calculate Mean Time to Detect (MTTD) and Mean Time to Respond (MTTR) for incidents by default. These metrics require manual effort to calculate and report.
Security Orchestration, Automation and Response (SOAR) solutions entered the Security Operations Center after 2017 and solved many of the challenges above. Orchestration of multiple point solutions along with threat intelligence, end-to-end automation of repetitive tasks and incident response, dynamic updating of playbooks/runbooks, context enrichment, MTTD/MTTR calculation and incident prioritization have made analysts’ lives easier. Breach and Attack Simulation (BAS) and Cyber Range are recent additions to the modern SOC. A Cyber Range helps SOCs train security analysts against sophisticated threats through simulated cyber exercises. BAS helps security analysts and leaders understand the effectiveness of implemented security controls against the latest threats without disturbing the production network/infrastructure, and can also help CISOs optimize and justify security investments in various controls.
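As an added example (not from this article or any SIEM/UEBA product), the following Python shows the two detection styles discussed above and in the SIEM/UEBA paragraph earlier: a classic threshold correlation rule (N failed logins per user within a sliding window) and a per-user behavioural baseline of the kind UEBA uses. The log format, user names, addresses and tuning values are constructed for illustration. Over the constructed data, a noisy service account trips the threshold rule in every window (a false positive an analyst would see all day), while the baseline rule alerts only on the user whose failure count is far above her own history.

```python
"""Threshold correlation rule vs. per-user behavioural baseline over auth logs.

Added example: the log format, users, addresses and tuning values below are
constructed for illustration and are not taken from any SIEM or UEBA product.
"""
import re
import statistics
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed log format: "<ISO-8601 UTC> user=<name> result=OK|FAIL src=<ip>"
LINE_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL) src=(?P<src>\S+)$")
WINDOW = timedelta(minutes=10)


def parse(line):
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unparseable line: {line!r}")
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "user": m["user"], "result": m["result"], "src": m["src"]}


def bucket(ts, window=WINDOW):
    """Fixed time-bucket index for ts (10-minute slots aligned to the epoch)."""
    return int(ts.timestamp() // window.total_seconds())


def threshold_rule(events, threshold=5, window=WINDOW):
    """Classic SIEM correlation rule: >= threshold FAILs for one user inside a
    sliding window. Fires once per user; every user is held to the same number."""
    alerts, fired = [], set()
    recent = defaultdict(deque)
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["result"] != "FAIL":
            continue
        q = recent[ev["user"]]
        q.append(ev["ts"])
        while ev["ts"] - q[0] > window:      # drop failures older than the window
            q.popleft()
        if len(q) >= threshold and ev["user"] not in fired:
            fired.add(ev["user"])
            alerts.append((ev["user"], len(q)))
    return alerts


def build_baseline(history, window=WINDOW):
    """Per-user (mean, population stdev) of FAILs per bucket over the history,
    counting zero for buckets in which the user did not fail at all."""
    first = min(bucket(e["ts"], window) for e in history)
    last = max(bucket(e["ts"], window) for e in history)
    counts = defaultdict(lambda: [0] * (last - first + 1))
    for ev in history:
        if ev["result"] == "FAIL":
            counts[ev["user"]][bucket(ev["ts"], window) - first] += 1
    return {u: (statistics.mean(c), statistics.pstdev(c)) for u, c in counts.items()}


def baseline_rule(events, baseline, window=WINDOW, k=3.0, floor=1.0):
    """UEBA-style rule: alert when a user's FAIL count in a bucket exceeds that
    user's own mean + k * stdev. 'floor' keeps a zero-variance history, or a user
    never seen before (baseline (0, 0)), from alerting on a single failure."""
    per_bucket = defaultdict(int)
    for ev in events:
        if ev["result"] == "FAIL":
            per_bucket[(ev["user"], bucket(ev["ts"], window))] += 1
    alerts = []
    for (user, _), n in sorted(per_bucket.items()):
        mean, sd = baseline.get(user, (0.0, 0.0))
        limit = mean + k * max(sd, floor)
        if n > limit:
            alerts.append((user, n, round(limit, 1)))
    return alerts


BASE = datetime(2024, 3, 1, 0, 0, tzinfo=timezone.utc)


def _line(ts, user, result, src):
    return f"{ts:%Y-%m-%dT%H:%M:%SZ} user={user} result={result} src={src}"


def constructed_history():
    """Six hours of constructed history: svc_backup fails 8 times in every
    10-minute window (a misconfigured job); alice fails about once an hour."""
    lines = []
    for b in range(36):
        start = BASE + timedelta(minutes=10 * b)
        lines += [_line(start + timedelta(seconds=75 * i), "svc_backup", "FAIL", "10.0.0.9") for i in range(8)]
        if b % 6 == 0:
            lines.append(_line(start + timedelta(minutes=4), "alice", "FAIL", "10.0.0.5"))
        lines.append(_line(start + timedelta(minutes=5), "alice", "OK", "10.0.0.5"))
    return [parse(l) for l in lines]


def constructed_today():
    """One 10-minute window to evaluate: svc_backup behaves as usual, alice
    fails six times in three minutes from an address she has never used."""
    start = BASE + timedelta(hours=9)
    lines = [_line(start + timedelta(seconds=75 * i), "svc_backup", "FAIL", "10.0.0.9") for i in range(8)]
    lines += [_line(start + timedelta(seconds=30 * i), "alice", "FAIL", "203.0.113.7") for i in range(6)]
    return [parse(l) for l in lines]


if __name__ == "__main__":
    today = constructed_today()
    print("threshold rule:", threshold_rule(today))
    print("baseline rule: ", baseline_rule(today, build_baseline(constructed_history())))
```

The threshold rule reports both svc_backup and alice; the baseline rule reports only alice, because eight failures per window is svc_backup’s normal behaviour while six failures is far outside alice’s. The floor on the standard deviation matters in practice: without it, an account with a perfectly regular history (zero variance) or no history at all would alert on its first failure, which is exactly the kind of out-of-the-box tuning problem the paragraph describes.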
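The MTTD/MTTR gap described above is straightforward to close once every incident record carries three timestamps. The following Python is an added example (not from this article or from any SIEM/SOAR product): it computes both metrics from a constructed incident register, leaves open incidents out of MTTR instead of counting them as zero, rejects timelines that run backwards, and reports the median next to the mean because a single long-dwelling intrusion dominates the mean. The field names and the incident data are assumptions made for the example.

```python
"""MTTD / MTTR computed from incident records.

Added example: the incident records below are constructed for illustration and
do not come from any SIEM or SOAR product; the field names are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from statistics import mean, median
from typing import Optional


def ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


@dataclass(frozen=True)
class Incident:
    id: str
    severity: str
    first_activity: datetime           # earliest adversary activity established by the investigation
    detected_at: datetime              # first alert raised on this incident
    responded_at: Optional[datetime]   # containment/closure; None while the incident is still open

    def __post_init__(self):
        # A timeline that runs backwards is a data-entry error, not a negative MTTD/MTTR.
        if self.detected_at < self.first_activity:
            raise ValueError(f"{self.id}: detected_at precedes first_activity")
        if self.responded_at is not None and self.responded_at < self.detected_at:
            raise ValueError(f"{self.id}: responded_at precedes detected_at")


def _hours(delta):
    return delta.total_seconds() / 3600.0


def summarize(incidents):
    """MTTD and MTTR in hours. Open incidents count towards MTTD but are left out
    of MTTR rather than being treated as zero. The median is reported alongside
    the mean because one long-dwelling intrusion dominates the mean."""
    detect = [_hours(i.detected_at - i.first_activity) for i in incidents]
    respond = [_hours(i.responded_at - i.detected_at) for i in incidents if i.responded_at is not None]
    return {
        "incidents": len(incidents),
        "open": len(incidents) - len(respond),
        "mttd_mean_h": mean(detect),
        "mttd_median_h": median(detect),
        "mttr_mean_h": mean(respond) if respond else None,
        "mttr_median_h": median(respond) if respond else None,
    }


def summarize_by_severity(incidents):
    """Same metrics per severity: a blended mean hides a slow high-severity response."""
    return {sev: summarize([i for i in incidents if i.severity == sev])
            for sev in sorted({i.severity for i in incidents})}


# Constructed incident register (not real incidents).
INCIDENTS = [
    Incident("INC-001", "high",   ts("2024-03-01T08:00:00Z"), ts("2024-03-01T10:00:00Z"), ts("2024-03-01T13:00:00Z")),
    Incident("INC-002", "medium", ts("2024-03-02T09:00:00Z"), ts("2024-03-02T09:30:00Z"), ts("2024-03-02T11:30:00Z")),
    # A long-dwelling intrusion: twelve days from first activity to the first alert.
    Incident("INC-003", "high",   ts("2024-02-20T00:00:00Z"), ts("2024-03-03T00:00:00Z"), ts("2024-03-04T00:00:00Z")),
    # Still open: contributes to MTTD, excluded from MTTR.
    Incident("INC-004", "low",    ts("2024-03-05T14:00:00Z"), ts("2024-03-05T14:15:00Z"), None),
]

if __name__ == "__main__":
    for key, value in summarize(INCIDENTS).items():
        print(f"{key:>14}: {value}")
    for sev, m in summarize_by_severity(INCIDENTS).items():
        print(f"{sev:>8}: MTTD {m['mttd_mean_h']:.2f} h, MTTR {m['mttr_mean_h']} h")
```

On the constructed register the overall MTTD mean is about 72.7 hours while the median is 1.25 hours; the difference is entirely INC-003, which is the number a CISO actually needs to see. Reporting per severity makes the same point: the two high-severity incidents average 145 hours to detect and 13.5 hours to respond, against 0.5 and 2 hours for the medium one.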
Challenges of Security Operations Centers After the Pandemic
Collaboration and systems design: Before the pandemic, the security operations team sat together in a secured location with specialized systems, monitors and network, and could come together and collaborate easily to respond to advanced threats. After the pandemic, collaboration is a challenge; virtual collaboration tools and virtual war rooms help to the extent possible.
Remote SecOps and SecOps tools: Analysts have to respond to and mitigate threats through remote access. Access to specialized SecOps tools is another major challenge for now.
Dynamic change and spikes in cyber threats, maintaining secure communication channels, and a separate VPN for security operations technologies are the challenges we have to overcome in the coming days.
The health and wellness of security operations teams is critical to any business and organization. Organization leaders have to focus on their SOC team’s health and wellness to continue the fight against current and emerging threats.
Product Cybersecurity Architect | Strategic Advisor | Securing Connected Products for Business Resilience & Growth | Automotive, IoT & Embedded Systems | LSE '24 | PMP, CACSP, INCOSE Certified (3 years ago)
Indeed an insightful article, Lakshminarayanan! Thanks for sharing. It's useful to understand the journey of SOCs across industries. I have come across a few models so far, and must say that SOCs are inevitably going to evolve even further.
Director-Global CISO and DPO (4 years ago)
Excellent, and thanks for sharing knowledge, Lakshminarayanan Kaliyaperumal.
Senior Cloud Consultant at Amazon Web Services (AWS) (4 years ago)
Wow, very much enjoyed reading the article. Thanks for sharing.
Enterprise Information Architecture | Strategy | Data Architect (4 years ago)
Nice article, LK. With AI threat hunting capability now, the next evolution is AI-controlled threat neutralisation, which might result in algorithms attacking each other.