Modern cyber threats pose a greater danger to technology-dependent businesses than at any time in recent history, making a strong security posture an absolute requirement to avoid damage and loss. One tactic that’s now considered compulsory is the use of a SOC, or Security Operations Center, to monitor and investigate security events.
More recently we’ve seen the rise of SOC-as-a-Service as an effective solution for businesses where a traditional SOC isn’t the right fit.
How do traditional SOCs and SOCaaS compare? Let’s take a closer look to determine which one is right for your business.
What Does the Traditional SOC Architecture Look Like?
For more than a decade, the traditional SOC has been an in-house construct, a brick-and-mortar architecture staffed by IT personnel specializing in security and using tools like a SIEM (security information and event management system) to aggregate and correlate security data coming in from many streams.
Typically, SOC staff includes managers, engineers, and security analysts along with incident response teams who work in tandem as a correlation point, taking in data from all business assets. This data includes cloud services, infrastructure, networks, and devices.
The SOC team then uses this data to manage, monitor, analyze, and quickly respond to any security threats that arise, in the interest of preventing attacks and/or breaches.
What is a SOC?
A traditional SOC was typically defined as the specific room in which the IT security team worked. For large enterprises, this setup was perfect. For small and medium-sized businesses the SOC budget often meant merely opting for anti-virus and other low-cost security tools. The overhead of facility and tooling cost was just too great if it meant compromising on manpower.
The arrival of SOC-as-a-Service offerings from managed security services providers brought a timely and more efficient way to comply with security requirements and keep cloud and hybrid environments secure.
Cloud-based apps and staff working remotely have transformed what a SOC is, changing its definition to a core security role and function rather than a physical place.
Today, a SOC is a compulsory part of any security posture, and in many cases is a compliance requirement depending on the industry. The relentless and continuous barrage of cyberattacks attempting to access systems, application services, and data in on-premises and cloud environments means the costs associated with data breaches are high and will continue to increase. This includes incident response, ransom payments, remediation of compromised assets to fix whatever allowed the attack to be successful, postmortem analyses, etc.
What are the functions of the security operations center? Typically, a SOC is tasked with:
- 24/7 Monitoring – Gapless monitoring of traffic and security data is the only way to detect attacks or malicious activity in real time. Attackers are located around the world and will choose the worst possible time to complicate your life.
- Incident Response – If and when an attack achieves a degree of success necessitating intervention, SOC staff will utilize techniques to block traffic, isolate assets, and protect the rest of the network. Often, a specialized team for I.R. will get involved to allow the SOC to continue their primary tasks.
- Real-time Threat Hunting – Threats often reside in a network undetected, hence the term “Advanced Persistent Threat.” Common tools miss them during system scans, leaving it up to threat hunters to manually search for signs of compromise and potential attack.
- Compliance Management – Complying with current industry regulations involves verifying that prescribed measures have been taken to secure data and assets. The SOC must be able to determine that necessary controls are in place during compliance audits.
A SOC or SOC-as-a-Service both can provide these services, but which is a better fit for your business?
What Are the Roles in a SOC and What Do They Do?
A security operations center requires a large staff working 24/7 to keep threats contained. Everyone has specific responsibilities that ensure security issues are mitigated the moment they are detected in an environment.
Typically, a SOC requires a team that covers these roles in a traditional on-premises setup:
The Traditional SOC Team
SOC I Analyst – Often referred to as the Level 1 “eyes-on-glass” analyst, these are the first to trigger some kind of response to cybersecurity incidents. They review the most recent SIEM alerts, determining their urgency and relevance.
SOC II Analyst – Level 2 triage – these analysts are tasked with the triage necessary to determine whether a real security incident is occurring. SOC II Analysts also oversee and configure security monitoring tools and apps, handle escalations from SOC I, and utilize a larger array of tools.
SOC III Analyst – These are the threat hunters who work continuously to seek out weaknesses, conduct penetration tests, look for hidden attackers, and review vulnerability assessments. SOC III Analysts continually analyze datasets, seeking a better understanding of what happens during or after an attack.
SIEM Admin – Administers the SIEM and maintains the platform stability as well as managing the alarm, reporting, and log source configurations. A SIEM Admin monitors the system capacity and ensures that the underlying platform is free of resource issues and will also diagnose and resolve any system-level incidents that occur.
SOC Managers – These are the people in charge of training, shift coverage, all internal security operations work, management of the SOC, and analyst staff related to it. A SOC Manager handles the process and technical direction of the security operations center.
SIEM Engineer – Provides management of logging, manages configuration issues for clients, and tracks issues through to resolution. The engineer also implements and configures SIEM software and appliance-based products and is largely responsible for the care and feeding of the SIEM infrastructure.
Developers – Software developers are necessary to build custom integrations between systems, utilizing APIs or custom data siphons to bidirectionally populate tools like ticketing.
Comparing SOCaaS to the Traditional SOC
When MSSPs began providing SOC services, the offering evolved the way many service-oriented industries do: streamline and scale. The SOC-as-a-Service (SOCaaS) concept follows the popular Software-as-a-Service model, which makes services available to a large and disparate customer base while optimizing through a centralized cloud infrastructure and various levels of automation.
The problem here is that while certain roles and functions can be distilled, consolidated, or automated, some services simply cannot be and require human attention. For example, threat hunting requires eyes on glass. This is actually the one element that makes a SOCaaS very effective: the platform and tooling are centralized and operationalized, leaving humans to do what they do best.
This also brings down the cost of utilizing a SOC, making it much more accessible to SMBs. So why doesn’t everyone use SOCaaS? How does it compare to a traditional on-prem SOC?
An on-premises SOC has a few disadvantages:
- High Cost – hardware and software are costly overhead.
- Talent – attracting, training, and retaining cybersecurity experts is challenging in this world of high demand.
- 24/7 Operations – maintaining updates and continuous threat hunting mean your SOC must operate around the clock, because cybersecurity threats never sleep.
Consider the requirements of a good, traditional on-premises SOC: the platform, the process, and the people. A good SOC must have these three integral components working together, and when they work in harmony a business can achieve its security goals.
Keeping an on-premises SOC running on a budget is challenging. The economy of scale achieved by SOC-as-a-Service can provide all the benefits of an on-premises SOC with minimal disadvantages. It levels the playing field for SMBs and provides a few advantages:
- Time-to-market and response speed are accelerated.
- Security operations and total cost of ownership are optimized.
- The business’s existing expertise is efficiently augmented for minimum overlap.
A SOC is meant to protect your business assets and reputation. Incorporating a SOC-as-a-Service provides the manpower and expertise needed to track and validate security events 24/7 while letting you keep control of your business environment.