Security operations center (SOC): The what, why, and how

www.manageengine.com/log-management
Table of contents

What is a security operations center (SOC)?
Why SOC?
Five key responsibilities of SOC
Performance metrics of SOC
About Log360
What is a security operations center (SOC)?
An SOC houses IT security professionals responsible for continuously monitoring the
security posture of an organization. Its goal is to detect, analyze, respond to, neutralize,
and remediate cyberattacks using strong processes and a wide variety of security tools.

SOCs collect data from other IT infrastructures including network devices, firewalls,
routers, switches, workstations, servers, databases, and cloud resources, and hunt for
threats from these data sources using various behavioral and advanced analytical
techniques. Once a threat is detected, SOC admins investigate the incident pattern,
draw up a response plan to contain the incident or neutralize its impact, and execute
the resolution steps quickly to minimize the damage.

Functions of SOC
1. Tackling cyberattacks

[Figure: data sources feeding the three stages of incident handling]
Data sources: logs, net flows, unstructured data, external threat feeds
Incident detection: behavioral analytics, security analytics, rule-based incident detection, anomaly detection
Incident investigation: log forensics, incident report
Incident remediation: automated workflow management

Functions of SOC
2. Proving adherence to compliance mandates

[Figure: integrated compliance management]
Components: log archival, user auditing, audit-ready report templates, data access auditing, security change auditing

Why SOC?
A decade back, network operations centers (NOCs), which are responsible for the IT
operations management of a network, were also taking care of the security requirements of
an organization. Gone are those days. Cyberattacks are on the rise, and they're more
sophisticated today than ever. Evolving technologies such as artificial intelligence, machine
learning, and more act as a double-edged sword, helping hackers easily penetrate
networks while also being utilized by organizations' security teams to ward off these
attacks.

Mostly, these hackers are well-funded and go to extreme lengths to achieve their goals. On
the other hand, the enterprises that have to defend themselves against these attacks often
lag in terms of budget, tools, and techniques. The nature of cyberattacks, the evolution of
technologies, and the increasing cost of attacks have pushed enterprises to deploy a 24x7
security watchtower: the SOC.

Five key responsibilities of SOCs
1. Threat hunting:
This is the process of proactively searching for threat indicators in the
network based on threat intelligence, business context, and behavioral cues.
It is a human-led process, wherein IT security professionals:

- Frame use cases and models to look for known threats.
- Leverage machine learning, artificial intelligence, and user and entity behavior
  analytics (UEBA) to identify risks and anomalies.
- Correlate business contextual information with network events to detect
  potential threats.

Data needed for threat hunting: Data from network perimeter devices,
endpoint detection and response (EDR) data correlated with network
activity, and log data from all network resources.

2. Advanced threat detection and analysis (ATDA):
This process employs techniques to detect advanced malware and
persistent network accesses that attempt to steal sensitive data, starve or
take down critical resources, and/or encrypt data. Advanced threats are
difficult to detect as the first few stages of the attack—reconnaissance and
intrusion—happen over a long period of time. On top of this, lateral
movement techniques employed by attackers can be so sophisticated that
the indicators of attack are often mistaken as normal network events.
Post-detection advanced analytical techniques are required to investigate
the incidents, and take quick remedial actions.

Data needed for ATDA: Logs and net flows from network resources
(on-premises and cloud); telemetries from other security tools such as
firewalls, host-based intrusion detection systems (HIDSs), intrusion
detection systems (IDSs), intrusion prevention systems (IPSs), EDR systems,
and more.

3. Response and remediation:
Organizations have often relied on a prevention-centric approach, meaning
they work to establish measures to prevent attacks from happening.
However, when it comes to advanced attacks, this approach simply isn't
enough. These advanced attacks leave no trace at the initial stage. The
longer the dwell time (the time during which the attack vectors stay within
the network undetected), the more the data or assets get compromised.
Consequently, the incident will be more damaging and expensive. Therefore,
SOCs should focus on strategies that aid in rapid incident response and
remediation.

Effective incident management techniques that incorporate automatic
workflow management, accountability in resolving security incidents with
the help of ITIL tools, and predefined workflow actions that neutralize or
contain the ongoing attack help provide a quicker response to cyberthreats.

Tools needed for response and remediation:

SOCs need security information and event management (SIEM) solutions that offer:

The capability to ingest data from IT operations management and UEBA tools for quick incident detection.

Real-time analytical dashboards for quicker incident detection.

Automatic workflow management comprising predefined workflow actions.

Built-in ticketing systems and/or the ability to communicate with information technology infrastructure library (ITIL)
tools to ensure accountability in incident resolution.

4. Root cause analysis:
After an attack, it's essential to perform root cause analysis and find out how
the attack occurred, why it occurred, and what impact it caused. In this
analysis, all the resources or data that were affected by the attack are
identified, and the security loopholes that caused the intrusion or lateral
movement within the network are discovered. When performed correctly,
root cause analysis will help prevent similar attacks from occurring in the
future.

Data needed for root cause analysis: Log and NetFlow data from the
network.

Tools needed for root cause analysis: A SIEM solution or any security
analytical tool that can effectively conduct forensic analysis. The tool should
have the capability to build search queries automatically and swiftly search
through log data to detect attack patterns and analyze the impact.

5. Compliance management:
With the rise of data theft in the last couple of years, many region-specific
regulatory mandates such as the General Data Protection Regulation
(GDPR), the California Consumer Privacy Act (CCPA), and more have come
into effect. It is the SOC's responsibility to:

- Ensure that the security requirements of these compliance mandates are
  being satisfied.
- Check if the security posture of the organization needs a revamp.
- Create awareness about cybersecurity among employees.
- Configure specific security policies as mentioned in the requirements to
  protect sensitive data.

Tools needed for compliance management: A comprehensive SIEM
solution that offers a compliance check, suggests the policy implementation,
and provides out-of-the-box compliance reports to make audits easier. It
should also possess capabilities such as advanced threat detection, forensic
analysis, post-attack impact analysis reports, and more, which are required
by most compliance mandates.

Performance metrics of SOCs
There are a few key performance indicators (KPIs) with which the efficiency of an SOC is measured. These KPIs are
directly linked to the attack detection, mitigation, and remediation techniques. It is essential to continuously monitor
these KPIs to enhance and optimize the SOC's performance, and to align the security strategy of the organization with
current cyberattack methodologies.

Mean time to detect (MTTD): The average time taken by the SOC to detect a threat.
Mean time to respond (MTTR): The average time taken by the SOC to remediate or neutralize a cyberthreat.

The primary goal of every SOC is to reduce the MTTD and MTTR. Enterprises must deploy security solutions that will
rapidly drive down MTTD and MTTR parameters by quickly detecting and neutralizing threats before real damage
occurs.
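As an added illustration (not part of the original paper or the Log360 product), the following script computes the two KPIs defined above, plus the per-incident dwell time described under "Response and remediation", from a constructed set of incident records. It assumes MTTD is measured from initial compromise to detection and MTTR from detection to resolution, and that incidents still open are excluded from MTTR rather than counted as zero.

```python
from datetime import datetime
from statistics import mean

# Constructed sample incident records (not from the paper). Timestamps are
# ISO 8601 strings; "resolved" is None while an incident is still open.
INCIDENTS = [
    {"id": "INC-1", "compromised": "2024-03-01T02:10:00",
     "detected": "2024-03-01T08:10:00", "resolved": "2024-03-01T12:10:00"},
    {"id": "INC-2", "compromised": "2024-03-02T00:00:00",
     "detected": "2024-03-03T00:00:00", "resolved": "2024-03-03T06:00:00"},
    {"id": "INC-3", "compromised": "2024-03-05T10:00:00",
     "detected": "2024-03-05T11:00:00", "resolved": None},
]


def _hours(start: str, end: str) -> float:
    """Elapsed hours between two ISO 8601 timestamps."""
    delta = datetime.fromisoformat(end) - datetime.fromisoformat(start)
    return delta.total_seconds() / 3600


def dwell_time_hours(incident: dict) -> float:
    """Dwell time: how long the attacker was inside before the SOC noticed."""
    return _hours(incident["compromised"], incident["detected"])


def mttd_hours(incidents: list) -> float:
    """Mean time to detect, averaged over every incident (open or closed)."""
    return mean(dwell_time_hours(i) for i in incidents)


def mttr_hours(incidents: list):
    """Mean time to respond over closed incidents only; None if none closed."""
    closed = [i for i in incidents if i["resolved"] is not None]
    if not closed:
        return None
    return mean(_hours(i["detected"], i["resolved"]) for i in closed)


def soc_kpis(incidents: list) -> dict:
    """KPI summary a SOC dashboard would track; flags the worst dwell time."""
    worst = max(incidents, key=dwell_time_hours)
    return {
        "mttd_hours": mttd_hours(incidents),
        "mttr_hours": mttr_hours(incidents),
        "open_incidents": sum(1 for i in incidents if i["resolved"] is None),
        "longest_dwell": (worst["id"], dwell_time_hours(worst)),
    }


if __name__ == "__main__":
    print(soc_kpis(INCIDENTS))
```

The longest-dwell entry points the analyst at the incident whose detection gap most needs a root cause review, which is where MTTD improvements usually come from.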

About Log360
Log360 is a unified SIEM solution with integrated DLP and CASB capabilities that detects,
prioritizes, investigates and responds to security threats. Vigil IQ, the solution's TDIR
module, combines threat intelligence, ML-based anomaly detection and rule-based attack
detection techniques to detect sophisticated attacks, and it offers an incident
management console for effectively remediating detected threats.
Log360 provides holistic security visibility across on-premises, cloud and hybrid
networks with its intuitive and advanced security analytics and monitoring capabilities.
For more information about Log360, visit manageengine.com/log-management/ and
follow the LinkedIn page for regular updates.

