
IS Security: How to outsource your security operations centre

May 4, 2022 by Carmel BISSOUE

In the face of the growing number of cyberattacks, many of you are looking for solutions to protect your organisation. In researching the subject, you have reached the conclusion that a Security Operations Centre (SOC) is the solution for securing your information systems.

A SOC's mission is to detect security incidents based on traces or logs and to initiate response actions whenever necessary. A SOC does not replace traditional security measures (patch management, perimeter management, firewalling, hardening, …) which remain essential and must be in place. Implementing incident detection without sound foundations obviously makes no sense.

The missions carried out by an outsourced SOC will differ depending on the mode in which it integrates with its client's organisation. In the first mode, the SOC analyses logs against rule sets and then escalates alerts to its client, who qualifies and responds to them.

In such an operating model, the added value of the SOC remains moderate, because it has little context with which to interpret the information feeds it receives; its advantage, however, lies in being quick to implement.

In the second mode, the SOC itself handles the processing and/or monitoring of incidents: it engages the client's operational teams directly and has them carry out the remediation actions.

In this mode, the client's operational security teams remain focused on implementing remediation actions, while the supervision functions are handled by the SOC.

Such a distribution of roles and activities requires that the client has an ITSM (IT Service Management) system. It allows the SOC to submit requests autonomously to the teams in charge of the IS, while remaining in contact with the operational security teams for more complex activities.

What needs to be put in place internally to outsource a SOC?

To be effective, a SOC requires contextual information about the IS it monitors. For a SOC project to be successful, it is therefore essential to have an up-to-date internal mapping of equipment and systems — via a CMDB (Configuration Management Database) or equivalent.

When outsourcing a SOC, the goal is to obtain expertise in the field of security monitoring. However, it remains essential to master the technologies and systems that generate logs, in order to feed the SOC with the relevant information it needs to address detected threats. A company that wishes to outsource its SOC will therefore still need to invest in both human resources and technology in this area, which involves defining specific engineering rules so that systems (applications, OS, network or security equipment, etc.) are configured to generate the right logs and send them to the designated collection systems.

Why must a SOC evolve over time, and how should it be approached?

The traditional security measures put in place may prove insufficient (vulnerabilities, misconfiguration, etc.) and detection becomes a primary focus in the client's defence posture. Furthermore, threats, information systems and security solutions are evolving rapidly.

It is therefore essential to implement a continuous improvement loop that strengthens system resilience over time and reduces blind spots, so that the SOC's detection capability improves along with the IS it monitors.

One of the key success factors lies in a reciprocal and collaborative challenge between the organisation and its SOC provider. The SOC must know how to challenge its client to help evolve its systems and facilitate the detection of threats and incidents. Among the range of recommendations a SOC can make, one may cite the evolution and contextualisation of detection rules, as well as recommendations on evolving log sources in order to improve the quality of the events to be processed.

Effective collaboration between an organisation and its SOC provider relies on incident reporting and handling, as well as ongoing monitoring of continuous improvement actions.

The contract between the client and the SOC service provider must incorporate these topics of continuous improvement and innovation. It must also propose a service catalogue defining the evolutions included as standard in the service offering (rules, parsers, PoC R&D, etc.), in order to avoid going through a contracting cycle, which can be slow, each time a change is needed.

Do you have a SOC project? Come and discuss it with our teams and we will help you implement it.