The Security Operations Centre (SOC)
Why have a SOC?
Dmitri Alperovitch puts it well when he says:
There are only two types of companies – those that know they’ve been compromised, and those that don’t know. (Gross 2011)
A SOC is necessary in the modern business environment to manage security issues and protect IT systems and their contents. Modern IT systems are complex and generate a lot of information about their state and what is happening with them. Sophisticated attacks can very easily be drowned out in this noise if a team is not dedicated to looking out for them. A SOC also acts as a focal point for the creation, implementation and enforcement of security policies and procedures that help protect the organisation and prevent security breaches. Finally, as alluded to in Alperovitch’s quote, the SOC is there to help pick up the pieces when a compromise has occurred.
History of SOCs
Depending on who you speak to, there have been four or five generations of SOC and it’s worth considering how the SOC has evolved over the years, as this gives us insight into the roles of the SOC and how it might evolve in the future.
Generation 1 – logging and AV (pre-1995)
In the early days of the SOC, it was often part of the general systems administration duties and did not involve much more than making sure that your anti-virus was updated regularly (back then, that meant at least once a week), you patched regularly, you had a firewall and things were logged. Apart from the updates and patching, security was very much reactive and most issues were noticed because a system was behaving oddly.
Generation 2 – the rise of the malware (1995–2001)
Generation 3 – botnets and the need to prove security (2001–2006)
2001 saw the arrival of the infamous Code Red and Code Red II worms, which devastated many IIS servers. With that came the recognition by organised crime that you could gain a lot of money by compromising internet systems, and the start of botnets being a serious issue. This, in turn, led to a requirement for companies to be able to prove that their systems were secure, and to organisations like the Payment Card Industry Council being formed to help ensure individuals’ credit card details were held in a secure manner. Within organisations, the IT security teams were starting to put in place modern incident response capabilities.
Generation 4 – getting more sophisticated with bigger players (2007–2014)
2007 saw what is often acknowledged as the first publicly known cyber war, when Russia attacked Estonia in an attempt to DoS key Estonian websites. This continued and was extended into both commercial attacks and organised hacktivist groups such as Anonymous. The actors in these types of attacks often had a lot of expertise and resources, so it quickly became clear that the SOC would now have to focus its attention on damage limitation and the prevention of data leaving the organisation (exfiltration).
Generation 5 – the rise of intelligence (2014–present day)
By 2014 it was obvious that conventional techniques could not cope with the amount of data that needed to be analysed if a SOC was to properly monitor the infrastructure. Concepts from Machine Learning (ML) and Artificial Intelligence (AI) that were being used in data analytics elsewhere in the organisation were re-purposed for use in the SOC. Intelligence, in the military sense, also started to be used to look at the behaviour of people who might attack you and to prevent that attack before it even starts.
Generation 6 – more smarts (present day onwards)
What will the next generation of SOC look like? Well, it’s likely to be even more reliant on AI and ML to work, and there is a lot of interest in advanced concepts such as giving an IT system its own immune system to fight off attacks and to regulate itself in the same way as the human body regulates itself and fights off infection. In terms of attacks, we are now seeing attacks designed to target and fool the ML algorithms that are used by the SOC tools, and these are going to increase and become more sophisticated.
Reference
Gross, M. J. (2011) ‘Enter the Cyber Dragon’. Vanity Fair [online] 2 August. Available from https://www.vanityfair.com/news/2011/09/chinese-hacking-201109 [30 July 2019]