Lepide Blog: A Guide to IT Security, Compliance and IT Operations

What is a Security Operations Center (SOC)?


A Security Operations Center (SOC) is a unit within an organization whose role is to continuously monitor, analyze and improve the organization’s security posture. The SOC will typically work around the clock in order to safeguard sensitive data and comply with the relevant data privacy regulations.

The SOC will also be required to investigate, remediate, and report on security incidents, which includes working closely with the incident response team (assuming there is one) to ensure that security incidents are dealt with in a fast and efficient manner.

The SOC won’t generally get involved in designing policies and procedures but will instead focus on monitoring all areas of a company’s network for anomalous activity, which includes servers, endpoints, databases, applications, and any other network hardware/software.

Additional activities that the SOC might get involved in include reverse engineering malware, using cryptanalysis techniques to identify weaknesses in the organization’s cryptographic systems, and carrying out advanced forensic investigations into previous security incidents.

How a Security Operations Center works

The SOC will typically start by meeting with various departments and executives in order to gather information about the current state of the organization’s network.

This will include asking questions about any security concerns and known vulnerabilities, as well as the preventative measures that are in place to address them.

The SOC will also need to find out exactly what security infrastructure the organization has already deployed, in order to determine if any additional infrastructure is needed. Since one of the key roles of the SOC is to analyze event logs, they will need to ensure that they are able to aggregate data from firewalls, IPS/IDS, UBA, DLP, and SIEM solutions.

They should also be able to collect information via data transmission, telemetry, deep packet inspection, syslog, and other methods, in order to give them a comprehensive insight into all network activity.
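As an added illustration of the log aggregation and correlation described above (example code written for this article, not part of the original post or any Lepide product): it normalizes constructed firewall, IDS and auth log lines into one common schema and flags a source address that appears in all three within a short window. The line formats and field names are simplified assumptions, not any vendor's real syntax.

```python
# Normalize heterogeneous SOC log sources into one schema and correlate them.
# The sample lines below are constructed and simplified, not real telemetry.
import re
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_LINES = [
    "2024-03-01T10:00:05Z fw01 DENY src=203.0.113.7 dst=10.0.0.5 dport=22",
    "2024-03-01T10:00:09Z ids01 ALERT sig=ssh-bruteforce src=203.0.113.7",
    "2024-03-01T10:00:12Z host05 sshd: Failed password for root from 203.0.113.7",
    "2024-03-01T10:03:00Z host05 sshd: Accepted password for alice from 10.0.0.9",
    "2024-03-01T10:40:00Z fw01 DENY src=198.51.100.2 dst=10.0.0.5 dport=443",
]

# One parser per source type; each match yields (timestamp, src_ip).
PARSERS = [
    ("firewall", re.compile(r"^(\S+) \S+ DENY src=(\S+)")),
    ("ids",      re.compile(r"^(\S+) \S+ ALERT sig=\S+ src=(\S+)")),
    ("auth",     re.compile(r"^(\S+) \S+ sshd: Failed password for \S+ from (\S+)")),
]

def normalize(line):
    """Map a raw line to the common schema; unknown or benign lines yield None."""
    for source, pattern in PARSERS:
        m = pattern.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
            return {"ts": ts, "source": source, "src_ip": m.group(2)}
    return None

def correlate(lines, window=timedelta(minutes=5)):
    """Return src_ips seen by every source type within `window`.

    A lone firewall deny is noise; the same IP in firewall, IDS and auth
    logs within minutes deserves an analyst's attention."""
    by_ip = defaultdict(list)
    for line in lines:
        ev = normalize(line)
        if ev:
            by_ip[ev["src_ip"]].append(ev)
    flagged = []
    for ip, events in by_ip.items():
        events.sort(key=lambda e: e["ts"])
        sources = {e["source"] for e in events}
        span = events[-1]["ts"] - events[0]["ts"]
        if sources == {s for s, _ in PARSERS} and span <= window:
            flagged.append(ip)
    return flagged

if __name__ == "__main__":
    print(correlate(SAMPLE_LINES))  # prints ['203.0.113.7']
```

In a real SOC the parsers would be replaced by the SIEM's normalization layer, but the correlation step (several sources agreeing on one entity inside a time window) is the same idea.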

Roles Within a Security Operations Center

A Security Operations Center is typically broken up into five roles, which include manager, analyst, investigator, responder, and auditor. However, it should be noted that, depending on the size of the organization, some members may perform multiple roles.

Manager: The role of the manager is to oversee all areas of network security, and be able to step into any role when necessary.

Analyst: The analyst will aggregate, correlate and monitor event logs generated by all network applications.

Investigator: The role of the investigator is to carry out a forensic analysis following a security incident in order to find out what happened and why.

Responder: A responder will be responsible for responding to security incidents in an organized manner. This may include contacting relevant stakeholders, notifying the relevant authorities, and perhaps even communicating with the press.

Auditor: The auditor is required to carry out an audit of all security systems, to ensure that they are operational and are able to meet the relevant compliance requirements.

Best Practices for Running a Security Operations Center

It should be noted that traditional perimeter defense solutions, such as AV software, firewalls, and intrusion prevention systems, are becoming less relevant. This is largely because IT environments are becoming increasingly distributed.

More employees are working from home, using their own devices, and more organizations are switching to cloud-based services. As such, organizations are shifting to a more data-centric approach, which is essentially about monitoring how users interact with sensitive data.

The SOC must ensure that it keeps up to speed with the latest threat intelligence, which includes sourcing information from news feeds, briefs, and reports. It will need to ensure that all systems are patched/updated in a timely manner, and receive signature updates and vulnerability alerts. The SOC should automate as many processes as possible, to help streamline security operations and eliminate false positives.
