The Security Operations Centre (SOC)
In a physical security setting, we might have a control room with banks of CCTV monitors, security personnel who patrol and check everything, locks, occupancy and motion sensors, and cameras.
This is used to protect the physical resources of our organisation and to help control access to parts of the building. In the virtual world we need an equivalent to secure and control access to our online estate and to defend against intruders. This is the role of the Security Operations Centre, more commonly called the SOC (and occasionally the ISOC, the Information Security Operations Centre).
The SOC is responsible for the security of the IT infrastructure and all the data on it. This includes reactive activities (dealing with incidents as they occur) and proactive activities (making sure our defences are up to date and can deal with current or emerging threats). The SOC is also responsible for working with other parts of the organisation to ensure that security is properly implemented.
Why have a SOC?
Dmitri Alperovitch puts it well (quoted in Gross, 2011) when he says:
There are only two types of companies – those that know they’ve been compromised, and those that don’t know.
A SOC is necessary in the modern business environment to manage security issues and protect IT systems and their contents. Modern IT systems are complex and generate a great deal of information about their state and what is happening on them. A sophisticated attack can easily be drowned out in this noise unless a team is dedicated to looking for it. A SOC also acts as the focal point for the creation, implementation and enforcement of the security policies and procedures that protect the organisation and prevent breaches. Finally, as Alperovitch’s quote implies, the SOC is there to help pick up the pieces when a compromise has occurred.
History of SOCs
Depending on who you ask, there have been four or five generations of SOC. It is worth considering how the SOC has evolved over the years, as this gives us insight into its roles and into how it might evolve in the future.
Generation 1 – logging and AV (pre-1995)
In the early days the SOC, where it existed at all, was part of general systems administration duties and involved little more than making sure that anti-virus signatures were updated regularly (back then, that meant at least once a week), systems were patched, a firewall was in place and events were logged. Apart from the updates and patching, security was very much reactive, and most issues were noticed because a system was behaving oddly.
Generation 2 – the rise of malware (1995–2001)
By this time malware was becoming a serious issue and could quickly take out an organisation’s infrastructure, so many organisations started to think about having dedicated people to deal with security. Alongside this came more capable intrusion detection systems (eg Snort, first released in 1998), which could match network traffic against signatures and raise alerts for the operator. The need to make sense of alerts from many such sensors and hosts quickly led to the precursors of today’s Security Information and Event Management (SIEM) tools, which helped users correlate security events that occurred across multiple systems.
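One concrete illustration of the cross-system correlation described above, written as an added example for this page rather than code from the course or from any SIEM product: a small Python rule that flags an accepted SSH login which was preceded, within 30 minutes, by an IDS scan alert from the same source address, and counts the failed attempts that came before it. Both log samples are constructed for the example (fictional hosts and documentation-range IP addresses), the Snort fast-alert and sshd syslog line formats are approximations, the 30-minute window and the year are assumptions, and the local rule SID is hypothetical.

```python
"""Cross-source event correlation of the kind the text attributes to early
SIEM tooling.  Added example for this page; not code from the course or from
any SIEM product.  Log lines are constructed (fictional hosts, documentation
IP ranges); the Snort fast-alert and sshd syslog formats are approximations.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

YEAR = 2019  # neither log format carries the year; assumed for the example
MONTHS = {m: i for i, m in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), start=1)}

# Constructed Snort "fast" alerts.  SID 1000001 is a hypothetical local rule.
SNORT_ALERTS = [
    "06/12-10:01:12.000000  [**] [1:1000001:1] LOCAL SSH scan [**] [Priority: 2] {TCP} 203.0.113.7:51000 -> 192.0.2.10:22",
    "06/12-10:01:15.000000  [**] [1:1000001:1] LOCAL SSH scan [**] [Priority: 2] {TCP} 203.0.113.7:51002 -> 192.0.2.11:22",
    "06/12-10:30:00.000000  [**] [1:1000001:1] LOCAL SSH scan [**] [Priority: 2] {TCP} 198.51.100.5:40000 -> 192.0.2.10:22",
]

# Constructed sshd syslog lines from two hosts.
AUTH_LOG = [
    "Jun 12 10:05:40 web01 sshd[2231]: Failed password for root from 203.0.113.7 port 51010 ssh2",
    "Jun 12 10:05:44 web01 sshd[2231]: Failed password for root from 203.0.113.7 port 51010 ssh2",
    "Jun 12 10:06:02 web01 sshd[2240]: Accepted password for deploy from 203.0.113.7 port 51020 ssh2",
    "Jun 12 10:07:10 db01 sshd[900]: Accepted publickey for ops from 198.51.100.5 port 40100 ssh2",
    "Jun 12 11:05:00 db01 sshd[950]: Accepted password for ops from 198.51.100.5 port 40200 ssh2",
]

SNORT_RE = re.compile(
    r"^(?P<mon>\d\d)/(?P<day>\d\d)-(?P<hms>\d\d:\d\d:\d\d)\.\d+\s+"
    r"\[\*\*\]\s+\[[\d:]+\]\s+(?P<msg>.+?)\s+\[\*\*\].*?"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+):\d+\s+->\s+(?P<dst>[\d.]+):\d+")
AUTH_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d+)\s+(?P<hms>\d\d:\d\d:\d\d)\s+"
    r"(?P<host>\S+)\s+sshd\[\d+\]:\s+(?P<outcome>Accepted|Failed)\s+\w+\s+for\s+"
    r"(?:invalid user\s+)?(?P<user>\S+)\s+from\s+(?P<src>[\d.]+)\s+port\s+\d+")


def _ts(month: int, day: int, hms: str) -> datetime:
    h, m, s = (int(x) for x in hms.split(":"))
    return datetime(YEAR, month, day, h, m, s)


def parse_snort(line: str):
    """Return a dict for a Snort fast-alert line, or None if it does not parse."""
    m = SNORT_RE.match(line)
    if not m:
        return None
    return {"ts": _ts(int(m["mon"]), int(m["day"]), m["hms"]),
            "src": m["src"], "dst": m["dst"], "msg": m["msg"]}


def parse_auth(line: str):
    """Return a dict for an sshd Accepted/Failed line, or None otherwise."""
    m = AUTH_RE.match(line)
    if not m:
        return None
    return {"ts": _ts(MONTHS[m["mon"]], int(m["day"]), m["hms"]),
            "host": m["host"], "outcome": m["outcome"],
            "user": m["user"], "src": m["src"]}


def correlate(snort_lines, auth_lines, window=timedelta(minutes=30)):
    """Flag each accepted login preceded, within `window`, by an IDS alert
    from the same source IP.  Also count failed logins from that IP on the
    same host in the window: the classic brute-force-then-success pattern."""
    alerts_by_src = defaultdict(list)
    for a in filter(None, map(parse_snort, snort_lines)):
        alerts_by_src[a["src"]].append(a)
    events = [e for e in map(parse_auth, auth_lines) if e]
    incidents = []
    for login in events:
        if login["outcome"] != "Accepted":
            continue
        lo = login["ts"] - window
        prior = [a for a in alerts_by_src.get(login["src"], ())
                 if lo <= a["ts"] <= login["ts"]]
        if not prior:
            continue  # alert came after the login, outside the window, or not at all
        failed = sum(1 for e in events
                     if e["outcome"] == "Failed" and e["src"] == login["src"]
                     and e["host"] == login["host"] and lo <= e["ts"] < login["ts"])
        incidents.append({"src": login["src"], "host": login["host"],
                          "user": login["user"], "login_ts": login["ts"],
                          "first_alert_ts": min(a["ts"] for a in prior),
                          "alert_count": len(prior), "failed_before": failed})
    return incidents


def find_incidents():
    """Run the correlation rule over the constructed sample logs."""
    return correlate(SNORT_ALERTS, AUTH_LOG)


if __name__ == "__main__":
    for inc in find_incidents():
        print(f"{inc['login_ts']} {inc['host']}: {inc['user']} logged in from "
              f"{inc['src']} after {inc['alert_count']} IDS alert(s) and "
              f"{inc['failed_before']} failed attempt(s)")
```

Run on the sample data, only the web01 login from 203.0.113.7 is flagged: the two db01 logins from 198.51.100.5 are not, because one precedes the scan alert and the other falls outside the window. Those two choices, the ordering requirement and the window length, are what keep a rule like this from drowning the analyst in the noise the text describes; a real SIEM would also normalise every source to a full UTC timestamp rather than assuming a year.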
Generation 3 – botnets and the need to prove security (2001–2006)
2001 saw the arrival of the infamous Code Red and Code Red II worms, which exploited a buffer overflow in Microsoft IIS and devastated many web servers. With that came the recognition by organised crime that a great deal of money could be made by compromising internet-connected systems, and botnets started to become a serious issue. This, in turn, led to a requirement on companies to be able to prove that their systems were secure, and to bodies such as the Payment Card Industry Security Standards Council (formed in 2006) being set up to ensure that cardholder data was stored and handled securely. Within organisations, IT security teams were starting to put in place modern incident response capabilities.
Generation 4 – getting more sophisticated with bigger players (2007–2014)
2007 saw what is often acknowledged as the first publicly known act of cyber war, when a wave of distributed denial-of-service (DDoS) attacks, widely attributed to Russia, took down key Estonian government, banking and media websites. This continued and extended into both commercial attacks and organised hacktivist groups such as Anonymous. The actors behind these attacks often had considerable expertise and resources, so it quickly became clear that the SOC would now have to focus on damage limitation and on preventing data from leaving the organisation (exfiltration).
Generation 5 – the rise of intelligence (2014–present day)
By 2014 it was obvious that conventional techniques could not cope with the volume of data that had to be analysed if a SOC was to monitor the infrastructure properly. Concepts from machine learning (ML) and artificial intelligence (AI) already used for data analytics elsewhere in the organisation were re-purposed for the SOC. Intelligence, in the military sense of the word, also began to be used: studying the behaviour and capabilities of those likely to attack you in order to disrupt an attack before it even starts, which is what is now called threat intelligence.
Generation 6 – more smarts (present day onwards)
What will the next generation of SOC look like? It is likely to rely even more on AI and ML, and there is a great deal of interest in advanced concepts such as giving an IT system its own immune system, so that it regulates itself and fights off attacks in the same way as the human body regulates itself and fights off infection. On the attack side, we are now seeing attacks designed to target and fool the ML algorithms used by SOC tools (adversarial machine learning), and these are going to increase and become more sophisticated.
Gross, M. J. (2011) ‘Enter the Cyber Dragon’. Vanity Fair [online] 2 August. Available from https://www.vanityfair.com/news/2011/09/chinese-hacking-201109 [30 July 2019]
© Coventry University. CC BY-NC 4.0