We stumble upon cyber-security incidents in our day-to-day life, worry for a moment about securing our data and services, and then move on with our lives, either because we believe we already have a level of safety that is sufficient for a small or medium-sized organization, or because we assume the cost of running our own security is too high to implement.
Well, various studies suggest that small companies are 3 times more likely to be targeted by cyber criminals than large companies, and that employees of a small company are 350% more prone to social engineering attacks.
The reason is simple: small companies are easy targets because security measures get less priority than business growth and profits. Budding adversaries often see such targets as low-hanging fruit and exploit them for fun and profit.
The good news is that setting up security boundaries on a low budget is not that complex. Thanks to the open-source community, which offers a wide range of options, we have enough resources to build our own security operations from scratch and assemble the toolkit required for a Security Operations Center (SOC).
Let us first understand what a Security Operations Center is, why we are discussing the SOC here, and how it fulfils your security needs.
What is SOC?
The Security Operations Center is a command center where a team of SOC analysts protects the organization’s data and assets by analyzing and monitoring security events and activities. Security operations are built upon data metrics and the telemetry of endpoint devices, network devices, intrusion detection systems, etc.
SOC analysts collect, enrich, analyze and report events that are suspicious in nature. SOC team members sometimes work closely with other security team members for consultation, but mostly they are self-reliant and handle incidents and response themselves.
Why Do You Need a SOC?
Your organization has hundreds of devices (endpoints/mobiles) connected to your office network that process thousands of valuable records, generating gigabytes of inbound and outbound traffic every single day. Now let’s think about the security of devices that are constantly in use inside your premises as well as outside.
- Are they being properly sanitized before connecting to your office network?
- What if they were infected with malware that is beaconing to its Command-and-Control Centers (C2) or exfiltrating users’ data to the remote attacker?
- What if an adversary is impersonating your employee and logging into your office devices on Sundays?
- Do you have visibility into any of the activities that are regularly performed on your endpoints or your network?
- Is your organization security compliant?
If the answer to any of the above questions is No, then you are at potential security risk. This may seem like a very common concern, but it can be fatal when it comes to losing data and the trust of your customers.
Now, what if there were a system in place that regularly monitors your organization’s inbound and outbound traffic, analyzes users’ activities, consolidates security events, correlates events with known threats, and issues an early warning before the actual incident?
An effective SOC can help in maintaining compliance standards like HIPAA, SOX, GDPR, PCI DSS, etc. Of course, this would ease the tension of keeping your data and devices secure, because there is an early warning system and a security team that is constantly looking after each activity performed on your network and hosts.
While adversaries are getting more sophisticated day by day, it is the need of the hour to have your own security in place, at least so that you have visibility into the activities and events that occur within your boundaries. A SOC facilitates all that and gives you complete visibility of the security posture of your organization.
Components that Drive a SOC
Let’s dive into the components required for a fully functional SOC:
Security Information and Event Management (SIEM)
SIEM acts as the plinth for building an effective SOC. It works as a log aggregator, which means it can be fed all types of logs generated by log-producing devices. When used together with threat intelligence, SIEM can correlate that data and generate alerts for suspicious events.
Security Orchestration, Automation, and Response (SOAR)
SOAR is a process that accepts input from the security operations team and builds a stack of automated responses that can be triggered in reply to an alert. SOAR adds an advantage to the existing SIEM. In simple terms, SOAR responds automatically to a given input just as a security analyst would under the same conditions, only faster and more precisely. SOAR can be trained to behave in a certain way by leveraging various third-party tools.
User and Entity Behavior Analytics (UEBA)
UEBA can be used as a module in the SIEM platform to collect and analyze users’ activity and behavioral patterns, and to build baselines from that data which can later be used to detect anomalies.
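To make the SIEM and UEBA roles above concrete, here is a miniature correlation pipeline written for this post (it is an added example, not code from Payatu or any SIEM product). It normalizes constructed proxy and SSH log lines into one event schema, enriches proxy traffic against a constructed list of known C2 domains, and flags logins that fall outside a simple working-hours baseline such as the Sunday login mentioned earlier; all hostnames, users, IPs and domains are placeholders.

```python
# Added example: a toy SIEM/UEBA correlation pipeline (not from the original post).
import re
from datetime import datetime

# Constructed sample logs; every host, user, IP and domain is a placeholder.
PROXY_LOGS = [
    "2024-05-13T09:12:01 host=laptop-17 user=alice dst=cdn.example.com status=200",
    "2024-05-13T09:12:09 host=laptop-17 user=alice dst=update.c2-placeholder.test status=200",
    "2024-05-13T09:13:40 host=laptop-22 user=bob dst=mail.example.com status=200",
]
SSH_LOGS = [
    "2024-05-13T08:58:33 sshd: Accepted password for bob from 10.0.0.8",    # Monday, work hours
    "2024-05-12T02:14:05 sshd: Accepted password for alice from 198.51.100.7",  # Sunday 02:14
]
THREAT_INTEL_C2 = {"update.c2-placeholder.test"}  # constructed threat-intel indicator list

PROXY_RE = re.compile(r"^(\S+) host=(\S+) user=(\S+) dst=(\S+)")
SSH_RE = re.compile(r"^(\S+) sshd: Accepted \w+ for (\S+) from (\S+)")

def normalize(proxy_lines, ssh_lines):
    """SIEM aggregation step: parse heterogeneous log lines into one event schema."""
    events = []
    for line in proxy_lines:
        ts, host, user, dst = PROXY_RE.match(line).groups()
        events.append({"ts": datetime.fromisoformat(ts), "type": "proxy",
                       "user": user, "host": host, "dst": dst})
    for line in ssh_lines:
        ts, user, src = SSH_RE.match(line).groups()
        events.append({"ts": datetime.fromisoformat(ts), "type": "login",
                       "user": user, "src": src})
    return events

def correlate(events, c2_domains, work_hours=(7, 20)):
    """Return alerts: threat-intel hits on outbound traffic, and logins outside the
    weekday/work-hours baseline (a deliberately simple stand-in for a UEBA baseline)."""
    alerts = []
    for e in events:
        if e["type"] == "proxy" and e["dst"] in c2_domains:
            alerts.append(("c2_beacon", e["user"], e["host"], e["dst"]))
        elif e["type"] == "login":
            off_hours = not (work_hours[0] <= e["ts"].hour < work_hours[1])
            if e["ts"].weekday() >= 5 or off_hours:  # weekend or outside 07:00-20:00
                alerts.append(("off_hours_login", e["user"], e["src"], e["ts"].isoformat()))
    return alerts

def run_pipeline():
    return correlate(normalize(PROXY_LOGS, SSH_LOGS), THREAT_INTEL_C2)

if __name__ == "__main__":
    for alert in run_pipeline():
        print(alert)
```

A real SIEM does the same three steps (normalize, enrich, correlate) over millions of events and feeds the resulting alerts into the ticketing and SOAR components described further down.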
Vulnerability management is a significant component in a SOC that can be used to detect underlying vulnerabilities in devices and running services. Keeping a check on systems, end-of-life (EOL) products and services is a proactive approach to securing your boundaries from the exploits out there in the wild.
Endpoint Detection and Response (EDR)
EDR is a part of the insider threat program. By discovering assets, it helps in identifying what systems and tools are running in your environment, finding critical systems, and prioritizing their monitoring.
Keeping track of raised alerts and their assignment is made easy with an effective ticketing system.
A SOC is not a silver bullet for all-round security, and it has its own set of requirements that must be met before one can go ahead and set up a SOC:
24/7 support system
Assessing your workforce is a good place to start before building a SOC. A SOC requires continuous monitoring and support, and security operations analysts are the driving force behind an effective SOC.
Small configuration errors can create havoc, and one needs the right people to respond to them quickly. Members with knowledge of security best practices can come in handy.
In this post we have seen why and how an effective SOC is important for better visibility and security of your enterprise data nodes. Next in this series we will look at the high-level architecture of an effective SOC, along with a brief introduction to some of the open-source tools that can offer these capabilities. Stay tuned!
Payatu is a research-powered, CERT-In empaneled cybersecurity consulting company specializing in security assessments of IoT product ecosystems, web applications and networks, with a proven track record of securing applications and infrastructure for customers across 20+ countries.
Want to check the security posture of your organization? Browse through Payatu’s services and get started with the most effective cybersecurity assessments.