What is a Security Operations Center (SOC)?

How a Security Operations Center works

The SOC will typically start by meeting with various departments and executives in order to gather information about the current state of the organization’s network.

This will include asking questions about any security concerns and known vulnerabilities, as well as the preventative measures that are in place to address them.

The SOC will also need to find out exactly what security infrastructure the organization has already deployed, in order to determine if any additional infrastructure is needed. Since one of the key roles of the SOC is to analyze event logs, they will need to ensure that they are able to aggregate data from firewalls, IPS/IDS, UBA, DLP, and SIEM solutions.

They should also be able to collect information via data transmission, telemetry, deep packet inspection, syslog, and other methods, in order to give them a comprehensive insight into all network activity.

Roles Within a Security Operations Center

A Security Operations Center is typically broken up into five roles, which include manager, analyst, investigator, responder, and auditor. However, it should be noted that, depending on the size of the organization, some members may perform multiple roles.

Manager: The role of the manager is to oversee all areas of network security, and be able to step into any role when necessary.

Analyst: The analyst will aggregate, correlate and monitor event logs generated by all network applications.

Investigator: The role of the investigator is to carry out a forensic analysis following a security incident in order to find out what happened and why.

Responder: A responder will be responsible for responding to security incidents in an organized manner. This may include contacting relevant stakeholders, notifying the relevant authorities, and perhaps even communicating with the press.

Auditor: The auditor is required to carry out an audit of all security systems, to ensure that they are operational and are able to meet the relevant compliance requirements.

Best Practices for a Running a Security Operations Center

It should be noted that traditional perimeter defense solutions, such as AV software, firewalls, and intrusion prevention systems are becoming less relevant. This is largely because IT environments are becoming increasingly more distributed.

More employees are working from home, using their own devices, and more organizations are switching to cloud-based services. As such, organizations are shifting to a more data-centric approach, which is essentially about monitoring how users interact with sensitive data.

The SOC must ensure that they keep up-to-speed with the latest threat intelligence, which includes sourcing information from news feeds, briefs, and reports. They will need to ensure that all systems are patched/updated in a timely manner, and receive signature updates and vulnerability alerts. The SOC should automate as many processes as possible, to help streamline security operations and eliminate false positives.

If you’d like to see how Lepide can help your SOC team be more effective through the use of the Lepide Data Security Platform, schedule a demo with one of our engineers or start your free trial today.