8 Security Operations Center Essentials


By Jorge Alago

If you’re building a security operations center (SOC) or working to ensure that the security operations team you already have in place has all its bases covered, you must make certain that you’re properly protecting your digital assets — but knowing where to start and where to focus can be a challenge.


To help you chart your course, here’s a quick rundown of eight essential components that should be core to your security efforts. Each one generates useful data and a unique perspective to help your team find out exactly what’s going on and determine how to best prevent, contain, and mitigate security threats.

1) Log Collection

Log collection can generate millions of events per day, and you need a tool that lets you search, visualize, and analyze them all as soon as a security event occurs. The previous 90 days are usually the most critical, but depending on your industry’s compliance regulations, you may be required to store logs for up to seven years.

Considering that the average breach takes about 200 days to find, we recommend keeping at least a year’s worth of logs.

Retaining a thorough log history lets you compare current activity to past activity, which can often uncover the cause of recurring breaches.

2) SIEM Tools

SIEM (security information and event management) tools generate alerts based on rules you set and present dashboards with real-time and historical visual analysis on the logs you collect. This systematic approach can help you immediately identify strange behaviors and quickly diagnose security issues. SIEM tools also help you monitor who logs into your systems and from where. This can make it easy to identify whether an attacker has infiltrated your network.

3) Endpoint Detection and Response

Endpoint detection and response (EDR) covers all servers and workstations and helps you identify processes that create security issues, as well as Domain Name System (DNS) lookups executed by user accounts. With a sound EDR tool, you can see which files were left open and which ones were saved just prior to a security incident.

The data helps you know if there’s an advanced threat or malware outbreak on your network and identify precisely where it exists. That way, when you encounter a legitimate threat, you can virtually isolate any infected machines until the vulnerability is resolved.

4) Threat Hunting Teams

Threat hunting teams find unknown or suspicious malware and network intrusions. Acting like super sleuths, they assume there’s always someone lurking on the network, trying to do harm. By utilizing a tool that scans all machines, they can determine who is currently logged in and establish whether each machine has come across any hash values that indicate an intrusion.

If the SOC team discovers a suspicious process, they can use the endpoint detection and response tool to shut down the attack and quarantine any affected machine(s). Even more importantly, they can make sure the threat does not spread.

5) User and Entity Behavior Monitoring

User and entity behavior monitoring runs real-time analysis on users and entities (workstations and servers) to establish normal baseline behaviors. The SOC team can then compare current activity to a normal day to determine whether something suspicious is going on. They can also compare user activity to peer activity. If a user or entity’s behavior changes, the risk score rises to indicate that something is amiss.

An account’s level of privilege, along with combinations of various activities, can cause risk scores to rise, raising red flags. For example, in the case of a privileged user logging into 500 servers in eight hours, the risk score would spike immediately, telling the team it needs to investigate the matter right away.
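The scoring idea described above, sketched as an added example (not code from the author or any UEBA product): it counts the distinct servers an account reaches in any eight-hour window and scores the deviation from the account's own baseline and its peers' baseline. The baselines, the 1.5 privilege weight, the log scaling, and all sample logins are assumptions constructed for illustration.

```python
import math
from collections import Counter, deque
from datetime import datetime, timedelta

WINDOW = timedelta(hours=8)      # window from the article's example
PRIVILEGED_WEIGHT = 1.5          # assumed multiplier for privileged accounts

def max_distinct_hosts(logins, window=WINDOW):
    """Largest number of distinct hosts one account reached in any window."""
    recent, per_host, peak = deque(), Counter(), 0
    for ts, host in sorted(logins):
        recent.append((ts, host))
        per_host[host] += 1
        while ts - recent[0][0] > window:        # evict logins older than window
            _, old = recent.popleft()
            per_host[old] -= 1
            if per_host[old] == 0:
                del per_host[old]
        peak = max(peak, len(per_host))
    return peak

def risk_score(observed, own_baseline, peer_baseline, privileged):
    """0-100 score: log-scaled deviation from own and peer baselines."""
    deviation = max(observed / max(own_baseline, 1),
                    observed / max(peer_baseline, 1))
    if deviation <= 1:
        return 0                                 # at or below normal activity
    weight = PRIVILEGED_WEIGHT if privileged else 1.0
    return min(100, round(20 * math.log2(deviation) * weight))

def score_account(logins, own_baseline, peer_baseline, privileged):
    """Score one account from its raw (timestamp, host) login events."""
    return risk_score(max_distinct_hosts(logins), own_baseline,
                      peer_baseline, privileged)

# Constructed sample data, not real logs.
START = datetime(2024, 1, 8, 9, 0)
ADMIN_LOGINS = [(START + timedelta(seconds=57 * i), f"srv{i:03d}")
                for i in range(500)]             # 500 hosts in under 8 hours
CLERK_LOGINS = [(START + timedelta(hours=i), f"app{i % 4}")
                for i in range(12)]              # same 4 hosts all day

if __name__ == "__main__":
    print("admin:", score_account(ADMIN_LOGINS, 5, 8, privileged=True))
    print("clerk:", score_account(CLERK_LOGINS, 5, 8, privileged=False))
```

The same deviation scores higher for a privileged account than for an ordinary one, which is the privilege weighting the paragraph describes.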

6) Vulnerability Management

Vulnerability management proactively identifies and prioritizes security defense gaps so that you can quickly close them before a digital asset is compromised. The right vulnerability management tools can manage every user account and every device by loading agents on each machine to run passive scans that do not impact application performance. You can then monitor and receive alerts when a vulnerability emerges. Oftentimes, it’s simply a matter of applying a patch, but without this capability, your team may never know when one is needed.

7) Deception Technology

Deception technology deploys decoy devices on unassigned IP addresses to attract cybercriminals and steer them away from your real digital assets. If a decoy is engaged by a criminal hacker, you receive an alert and can investigate it to try to find out who the cybercriminal is. Look for decoy software that captures information on the methods used to compromise your network so that your team can improve network defenses over time.

8) Threat Intelligence Feeds

Threat intelligence feeds provide information to supplement all the threat information you are collecting internally on your network and help you stay ahead of new types of attacks. By subscribing to the right external feeds, your team can identify threats that your company has not yet encountered. The intelligence improves your contextual understanding as to what might happen inside your network, and by learning about new attacks on other businesses, you can proactively apply measures to block those threats.

Maximize Your Security Operations Center Value

What’s the key to maximizing the value of these eight components? Integrate the data flowing among all the tools. This gives your entire security operations team a filtered view of what the information means. The more perspectives you generate, the better the team can prevent, contain and mitigate problems.

But it’s critical to apply intelligence to all this data to be sure it doesn’t overwhelm your SOC team.

It’s also important to develop an incident response playbook so the security operations center does not have to respond to incidents on an ad-hoc basis — and under the pressure of the business needing a quick fix. The playbook should detail all the procedures and resources required for each type of security incident. It then becomes a living document that evolves as the security operations team learns new techniques, the latest security technologies become available, and new threats come to light.

Given all the user accounts and devices on your network, trying to manage security operations can easily overwhelm your internal team, especially if it is small, so you may want to consider outsourcing some or all of the tools and services to a managed service provider.

An approach that some companies take is to subscribe to a cloud service for each tool and to have an outside managed service provider monitor the information that’s generated. Any alerts that indicate a threat might be lurking can then be turned over to your internal team for investigation and mitigation.


About Jorge Alago

Jorge Alago is cybersecurity architecture lead at Veristor and an expert in implementing secure network environments. Veristor is a provider of business technology solutions that helps customers accelerate the time-to-value and security of the software, infrastructure, and systems they deploy.
