Understanding vSOC: A Guide To Understanding Virtual Security Operations Centers


A virtual Security Operations Center (vSOC) is a service model in which the monitoring, detection, and response functions of a SOC are delivered remotely, usually by a third-party provider, rather than by a team sitting in the organization's own facilities. A vSOC is a modern option for protecting an organization's digital assets and supporting business continuity. The following are key elements to understand when evaluating a vSOC solution for your organization.

On-prem SOC vs. vSOC

A SOC, or Security Operations Center, is a dedicated facility or team that is responsible for monitoring and managing its organization's security posture. An on-prem SOC is one that is physically located within an organization's own facilities, whereas a vSOC, or virtual SOC, is one that is operated remotely, typically by a third-party provider.

An on-prem SOC has a dedicated team of security professionals who are responsible for monitoring the organization's security systems and responding to security incidents. This team may also be responsible for implementing and maintaining security controls, such as firewalls and intrusion detection systems. An on-prem SOC typically has access to the organization's network infrastructure and systems, which allows it to quickly and effectively respond to security incidents.

A vSOC, on the other hand, is typically operated by an external provider, which offers remote monitoring and management services to organizations. In this model, the security provider's team of security professionals monitors the organization's security systems and responds to security incidents on behalf of the organization. This can be more cost-effective than maintaining an in-house SOC. A vSOC can provide organizations with a level of security expertise that might not be available in-house.

However, compared to an on-prem SOC, a vSOC usually has only the access and telemetry the organization chooses to give it, and only through remote channels. If containment actions (isolating a host, disabling an account, blocking traffic) have not been agreed on and provisioned in advance, the hand-off back to internal staff becomes a bottleneck in responding to security incidents. A vSOC may also be less adaptive than an on-prem SOC to the specific security needs of the organization, since its people and processes are typically shared across many customers.

Who needs a vSOC or SOC?

Large and mid-sized organizations often turn to a vSOC to protect themselves from potential threats. This is especially true for companies that are well-known, growing rapidly, have special compliance or security needs, or have employees located around the world. These organizations recognize the need for stronger security and may choose either to outsource security monitoring to a vSOC or to build their own internal operations center. Outsourcing security operations is becoming more common as companies weigh the cost, staffing, and coverage of an in-house SOC against those of an outsourced vSOC service.

Key terminologies and acronyms

Like all things tech-related, there are several key terms, acronyms, and pieces of jargon associated with vSOCs that are important to understand:

Managed Detection and Response (MDR): an outsourced service that pairs detection technology (most often EDR) with a provider's analysts, who monitor the telemetry, investigate alerts, and respond to incidents on the customer's behalf. MDR providers typically also supply threat intelligence and threat hunting.

Access Control (AC): ensures resources are only granted to those users who are entitled to them.

Access Control List (ACL): a mechanism that implements access control for a system resource by listing the identities of the system entities that are permitted to access the resource, and the operations each may perform.

Advanced Encryption Standard (AES): the symmetric block cipher standardized by NIST in FIPS 197 (2001) after an open, public competition; the selected algorithm was Rijndael. It is unclassified and publicly disclosed, and is the default choice for encrypting data at rest and in transit.

Alert fatigue: the state in which an overwhelming number of alerts causes an analyst to become desensitized to them, so that real security alerts are ignored or triaged late. Poorly tuned detection rules are the usual cause, and the false-positive rate is one of the metrics a vSOC should report.

Blue Team: Security team who perform defensive cybersecurity tasks (typically against their Red Team counterparts, but also real-world threats), including placing and configuring firewalls, implementing patching programs, enforcing strong authentication, ensuring physical security measures are adequate, etc.

Business Continuity Plan (BCP): a plan for emergency response, backup operations, and post-disaster recovery steps that will ensure the availability of critical resources and facilitate the continuity of operations in an emergency situation.

Behavioral Monitoring: continuously baselining how users, hosts, and accounts normally behave and alerting on deviations from that baseline (unusual login times, new processes, abnormal data volumes), rather than relying only on known-bad signatures.

Business Impact Analysis (BIA): identifies critical business functions, estimates the operational and financial impact of their disruption, and from that determines what levels of impact to a system are tolerable. It is an input to the BCP.

Cipher: A cryptographic algorithm for encryption and decryption.

Ciphertext: the encrypted form of a message, i.e., the output of a cipher; the unencrypted input is the plaintext.

Computer Emergency Response Team (CERT): an organization that studies computer and network INFOSEC in order to provide incident response services to victims of attacks, publish alerts concerning vulnerabilities and threats, and offer other information to help improve computer and network security.

Compliance: the set of regulations, laws, and industry standards an organization must adhere to. A vSOC can help companies in industries such as healthcare and finance, which have more stringent compliance requirements, by providing the logging, monitoring, and incident response evidence needed for compliance reporting.

Cyber Threat Intelligence (CTI): knowledge, skills, and experience-based information concerning the occurrence and assessment of both cyber and physical threats and threat actors that is intended to help mitigate potential attacks and harmful events occurring in cyberspace.

Endpoint Detection and Response (EDR): An integrated, layered approach to endpoint protection that combines real-time continuous monitoring and endpoint data analytics with rule-based automated response.

Extended Detection and Response (XDR): an evolution of EDR that natively integrates detection and response across multiple security products (endpoint, network, identity, cloud, email) into a single correlated view and workflow.

FedRAMP: Federal Risk and Authorization Management Program. A government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services.

GDPR: General Data Protection Regulation (EU Law).

Hash: a function that maps input of any length to a fixed-length digest. A cryptographic hash (e.g., SHA-256) is one-way and collision-resistant, so the digest can stand in for the data: SOC teams use file hashes as indicators of compromise and hash-based checks to verify that logs and evidence have not been altered.

HIPAA: Health Insurance Portability and Accountability Act of 1996 (U.S. Law).

Indicators of Attack (IoA): evidence of attacker behavior in progress (for example, a run of failed logins followed by a success, or an office application spawning a shell), regardless of the specific tools used.

Indicators of Compromise (IoC): forensic artifacts (file hashes, IP addresses, domains, registry keys) that suggest a system or network may have been compromised.


MITRE ATT&CK: MITRE Corporation's knowledge base of Adversarial Tactics, Techniques, and Common Knowledge, built from observed intrusions. It catalogs techniques (each with an ID such as T1110, Brute Force) grouped by the attacker's tactical objective and maps them to the threat groups known to use them; SOCs use it to label detections and measure coverage. It is more granular than Lockheed Martin's Cyber Kill Chain, which describes the phases of an intrusion at a high level.

NIST: National Institute of Standards and Technology

IDS: Intrusion Detection System

NIDS: Network Intrusion Detection System

HIDS: Host Intrusion Detection System

ISO: International Organization for Standardization (e.g., ISO 27001)

Incident Response (IR): This refers to the process of identifying, containing, and recovering from a security incident. Incident response teams typically have a set of procedures in place for dealing with different types of incidents, including cyber breaches, data loss, and other types of security incidents.

PCI-DSS: Payment Card Industry Data Security Standard

PHI: Protected Health Information

PII: Personally Identifiable Information

Playbook: processes and procedures a vSOC, or analyst, can use to automate or orchestrate action against incidents. The plays within the playbook can be fully automated (no analyst input) or semi-automated (some analyst input).

Red Team: Security team who perform tests on an organization's defenses by identifying vulnerabilities and launching attacks in a controlled environment. Red teams are opposed by blue teams, and both parties work together to provide a comprehensive picture of organizational security readiness.

RCA: Root Cause Analysis – principle-based, systems approach for the identification of underlying causes associated with a particular set of risks.

Security Information and Event Management (SIEM): This is a type of security technology that aggregates and correlates log data from various sources in an organization. SIEMs are used to detect security incidents and provide information to incident responders.

SOAR: Security Orchestration, Automation, and Response. A platform that sits alongside a SIEM and acts on what the SIEM detects: it connects threat intelligence feeds, endpoint security tools, firewalls, and case management, and executes IR playbooks so that routine enrichment and containment steps run without an analyst performing them by hand.

Threat Actor: Any person or organization that intends to steal, spy, or cause harm in cyber space. Colloquially referred to as a hacker, but Threat Actor serves as a much broader term to include persons such as cybercriminals, hacktivists, terrorists, insider threats, etc.

Threat Intelligence: This refers to the collection and analysis of information about current and emerging cyber threats. Threat intelligence can be used to improve an organization's security posture by providing actionable information to help prioritize and respond to threats.

Threat Hunting: the practice of proactively searching a system or network for threats that existing detections have not flagged. The usual methodologies are hypothesis-driven investigations (start from a suspected technique and look for its traces), IoC- or intelligence-driven searches, and analytics-driven hunts that look for statistical outliers.

Workflow: the typical lifecycle of an alert in a SOC: alert triage >> alert investigation and documentation >> situation assessment >> containment and mitigation >> post-incident analysis and disclosure.
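As an added example (not code from the original article), the following Python script ties several of the terms above together: it parses constructed sshd-style log lines the way a SIEM normalizes events, matches them against a constructed IoC list, correlates repeated failures followed by a success from one source into a single alert, and labels each alert with the MITRE ATT&CK technique it maps to. The hostnames, addresses, and the IoC entry are invented for illustration.

```python
"""Minimal SIEM-style normalization and correlation over constructed log lines.

Added example, not code from the article: parse sshd-style syslog lines,
match sources against a constructed IoC list, and correlate a burst of
failed logins followed by a success into one alert.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample logs (sshd style). Timestamps carry no year, as in real syslog.
SAMPLE_LOGS = """\
Mar 10 08:00:01 web01 sshd[2201]: Failed password for invalid user admin from 203.0.113.45 port 51022 ssh2
Mar 10 08:00:03 web01 sshd[2201]: Failed password for invalid user admin from 203.0.113.45 port 51023 ssh2
Mar 10 08:00:05 web01 sshd[2203]: Failed password for root from 203.0.113.45 port 51024 ssh2
Mar 10 08:00:07 web01 sshd[2204]: Failed password for root from 203.0.113.45 port 51025 ssh2
Mar 10 08:00:09 web01 sshd[2205]: Failed password for root from 203.0.113.45 port 51026 ssh2
Mar 10 08:00:12 web01 sshd[2206]: Accepted password for root from 203.0.113.45 port 51027 ssh2
Mar 10 08:15:40 web01 sshd[2300]: Accepted publickey for deploy from 198.51.100.7 port 40001 ssh2
Mar 10 09:02:11 db01 sshd[1100]: Failed password for postgres from 192.0.2.9 port 33000 ssh2
Mar 10 09:30:00 db01 sshd[1101]: Accepted password for postgres from 192.0.2.9 port 33001 ssh2
"""

# Constructed IoC feed: a source address a hypothetical CTI feed has flagged.
IOC_IPS = {"192.0.2.9": "known scanner (constructed IoC)"}

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<outcome>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\d+\.\d+\.\d+\.\d+) port \d+"
)


def parse(lines, year=2024):
    """Normalize raw lines into event dicts; lines the regex cannot parse are dropped."""
    events = []
    for line in lines.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append({"ts": ts, "host": m["host"], "outcome": m["outcome"],
                       "user": m["user"], "src": m["src"]})
    return events


def correlate(events, threshold=5, window=timedelta(minutes=5)):
    """Two rules: a successful login from an IoC source, and brute force then success."""
    alerts = []
    failures = defaultdict(list)  # (host, src) -> timestamps of failed logins
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["host"], ev["src"])
        if ev["src"] in IOC_IPS and ev["outcome"] == "Accepted":
            alerts.append({"rule": "ioc_source_login", "severity": "high",
                           "attack": "T1078",  # ATT&CK: Valid Accounts
                           "host": ev["host"], "src": ev["src"],
                           "user": ev["user"], "note": IOC_IPS[ev["src"]]})
        if ev["outcome"] == "Failed":
            failures[key].append(ev["ts"])
            continue
        # A success: count failures from the same source inside the window.
        recent = [t for t in failures[key] if ev["ts"] - t <= window]
        if len(recent) >= threshold:
            alerts.append({"rule": "bruteforce_then_success", "severity": "critical",
                           "attack": "T1110",  # ATT&CK: Brute Force
                           "host": ev["host"], "src": ev["src"],
                           "user": ev["user"], "failures": len(recent)})
        failures[key].clear()
    return alerts


if __name__ == "__main__":
    for alert in correlate(parse(SAMPLE_LOGS)):
        print(alert)
```

The nine constructed lines yield two alerts: a critical brute-force alert for web01 (five failures from 203.0.113.45 inside the window, then a successful root login) and a high alert for db01 because the IoC-listed address logged in. The single failure from 192.0.2.9 twenty-eight minutes before its success does not meet the brute-force threshold, which is exactly the gap an IoC match is meant to cover.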

vSOC capabilities

Talent and expertise: The vSOC team should have a mix of security professionals with diverse backgrounds and expertise in areas such as incident response, threat intelligence, and vulnerability management. It's important to have a team that can work together effectively and has the necessary skills to detect, investigate, and respond to cyber threats.

Proactive threat hunting: A key aspect of a strong vSOC is the ability to hunt for threats before an alert fires. This includes sweeping telemetry for known indicators of compromise, analyzing network traffic for anomalous behavior, and feeding the results of vulnerability assessments into hunt hypotheses. By hunting proactively, the vSOC team finds intrusions that signature-based detection missed and shortens the time attackers spend undetected.


Automation and orchestration: In order to scale and improve the efficiency of the vSOC, automation and orchestration should be used to manage tasks such as event collection, correlation, and incident response. This can help to reduce the time it takes to respond to incidents and free up the team's time to focus on more complex tasks.
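To make the distinction between fully automated and semi-automated plays concrete, here is an added example (not code from the article or from any vendor platform) of a small SOAR-style playbook runner in Python. The alert, the asset inventory, and the firewall and EDR actions are constructed stand-ins that only record what they would do; a real deployment would call the product APIs in their place.

```python
"""SOAR-style playbook runner for a vSOC alert.

Added example, not code from the article. Each play is either fully
automated (runs with no analyst input) or semi-automated (runs only once an
analyst has approved it); everything executed is written to an audit trail.
"""
from dataclasses import dataclass, field
from typing import Callable

# Constructed inventory: hostname -> criticality tier consulted during enrichment.
ASSET_INVENTORY = {"web01": "internet-facing", "db01": "crown-jewel", "lab07": "test"}


@dataclass
class Case:
    alert: dict
    enrichment: dict = field(default_factory=dict)
    actions: list = field(default_factory=list)           # audit trail of what ran
    pending_approval: list = field(default_factory=list)  # plays waiting on an analyst


# --- plays ------------------------------------------------------------------
def enrich_asset(case: Case, approved: bool) -> None:
    tier = ASSET_INVENTORY.get(case.alert["host"], "unknown")
    case.enrichment["asset_tier"] = tier
    case.actions.append(f"enriched asset tier={tier}")


def block_source_ip(case: Case, approved: bool) -> None:
    # Fully automated: blocking one external address is low-risk and reversible.
    # Stand-in for a firewall API call.
    case.actions.append(f"firewall: block {case.alert['src']}")


def isolate_host(case: Case, approved: bool) -> None:
    # Semi-automated: isolating a production host needs a human decision.
    # Stand-in for an EDR isolation call.
    if approved:
        case.actions.append(f"edr: isolate {case.alert['host']}")
    else:
        case.pending_approval.append(f"isolate {case.alert['host']}")


@dataclass
class Play:
    name: str
    run: Callable[[Case, bool], None]
    automated: bool                                  # True: no analyst input required
    condition: Callable[[Case], bool] = lambda c: True


PLAYBOOK = [
    Play("enrich", enrich_asset, automated=True),
    Play("block_ip", block_source_ip, automated=True,
         condition=lambda c: c.alert["severity"] in ("high", "critical")),
    Play("isolate", isolate_host, automated=False,
         condition=lambda c: c.enrichment.get("asset_tier") == "crown-jewel"),
]


def run_playbook(alert: dict, approvals=frozenset()) -> Case:
    """Run each play whose condition holds; semi-automated plays need an approval."""
    case = Case(alert=alert)
    for play in PLAYBOOK:
        if not play.condition(case):
            case.actions.append(f"skipped {play.name}")
            continue
        play.run(case, play.automated or play.name in approvals)
    return case


if __name__ == "__main__":
    # Constructed alert of the kind a SIEM correlation rule would emit.
    alert = {"rule": "ioc_source_login", "severity": "critical",
             "host": "db01", "src": "192.0.2.9"}
    first_pass = run_playbook(alert)
    print(first_pass.actions, first_pass.pending_approval)
    print(run_playbook(alert, approvals=frozenset({"isolate"})).actions)
```

Run once without approvals, the critical alert on db01 is enriched, the source address is blocked automatically, and host isolation is parked in `pending_approval` for an analyst; run again with the approval granted, the isolation executes. A low-severity alert on a test host skips both containment plays, which is the ordering that keeps automation from becoming its own outage.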


Integration with other systems: In order to have a comprehensive view of the organization's security posture, the vSOC should be integrated with other systems such as firewalls, intrusion detection systems, and endpoint security tools. This allows for the vSOC to receive alerts and events from a variety of sources and use that information to identify and respond to threats.


Communication and collaboration: The vSOC should have strong internal and external communication and collaboration processes in place. This includes clear incident response procedures and communication channels for sharing information with other teams within the organization, as well as with external organizations such as law enforcement and other companies in the same industry.


Metrics and reporting: Metrics and reporting are essential for measuring the effectiveness of the vSOC and identifying areas for improvement. This includes metrics such as incident response times, the number of false positives, and the effectiveness of threat hunting efforts.


Regular testing and training: Regular testing and training of the vSOC team and the security systems are essential to ensure they are able to effectively respond to cyber threats. This includes conducting simulated cyber attacks, tabletop exercises, and training on new threats and techniques.


Continual improvement: A strong vSOC is one that is always improving. This includes regularly reviewing and updating the security systems and processes, as well as staying up-to-date with the latest threats and best practices. It's also important to review and adapt to the changing needs and priorities of the organization.

A strong vSOC requires a combination of people, processes, and technology. By focusing on the key elements outlined above, organizations can select a vSOC partner that is capable of effectively detecting and responding to cyber threats, and keeping their company and clients secure in an ever-evolving environment of threats.




Bryan Brinkman, Clevyr

