How to get the most out of a SOC? Preparing to connect an external Incident Monitoring Center

Hello everyone! My name is Anastasia Fedorova. I have been working in the field of information security for over 15 years, and for the last two years I have been the development director of the Incident Monitoring Center in K2 Cybersecurity.

This summer we conducted a survey of 100+ medium and large companies and found that almost half (43%) of them are no longer satisfied with simply deploying technological solutions to secure their assets. They are looking toward a more comprehensive approach to incident monitoring – a SOC. At the same time, 71% estimated the time needed to create their own Monitoring Center at 2-4 years. Accordingly, the majority (58%) said they prefer an external SOC based on the MSSP (Managed Security Service Provider) model, which can be connected in about one month on average.

Following our survey, I decided to collect in one place everything you need to know about an external SOC. Below I explain what a cybersecurity monitoring center is, what it consists of, how to prepare for implementation, and how to connect a SOC using the MSSP model.

What does SOC consist of?

The Security Operations Center (SOC) is an integrated system for prompt and effective monitoring, analysis of, and response to cyber incidents. In the picture below, I have collected the important elements of each of these three blocks. The first lists possible sources for monitoring; the second and third list the types of work involved in analyzing and responding to incidents.

The information security industry has already accepted as an axiom that comprehensive protection is based not only on technology, but also on people, as well as properly configured processes.

These three elements – technology, people and processes – are the fundamental components of Cyber Security Monitoring Centers.

In the diagram above, I presented one option for an effective SOC set. Of course, it may differ for each company: everything depends on the goals of the business, its size and, of course, the chosen SOC model. The model can be in-house (if the necessary specialists and other resources are available), external (the MSSP model) or hybrid (responsibility is distributed between the company's own teams and the service provider). I talked in detail about the types of SOC and who each one is suitable for in this article.

Why an external SOC?

According to Anti-Malware data, businesses are interested in the MSSP model because of:

  • shortage of personnel (in 34% of cases);

  • lack of own expertise (in 28% of cases);

  • an increase in the number of cyberattacks on the company (in 14% of cases);

  • tightening of legislation (in 5% of cases);

  • requirements of corporate information security policies (in 2% of cases);

  • 17% of cases are due to other reasons.

An external SOC has significant advantages:

  • the client receives a guaranteed service level (SLA);

  • risks associated with the management of equipment and additional capacities (including data storage systems) are delegated to the provider;

  • the customer is freed from the need to manage a large team of specialists;

  • this model ensures optimal operating expenses (OPEX);

  • creating your own SOC can take years, but an external one can be connected within 1 month.

What to prepare for: a point-by-point analysis

SOC = people, technology and processes. Therefore, when preparing for its connection, it is necessary to take into account each of these components.

People

Even if you choose a SOC based on the MSSP model, your internal team of specialists will still have a certain amount of work to do — from implementing and supporting the information security system to communicating with the external team and implementing its recommendations. The picture below describes these areas of responsibility.

As a rule, the company requires:

  • One or two employees responsible for information security.

  • Trained IT service, including specialists in networking, workstations and information security.

Therefore, the first step is to define an internal team. These specialists will analyze the recommendations of the SOC service provider and, if necessary, make changes to the infrastructure. A qualified provider helps to identify these areas of responsibility and establishes working relationships with your employees.

Even before connecting, you need to think about strengthening your specialists – cyber exercises, advanced training or hiring new employees. Since the market is experiencing an acute shortage of personnel, it is often easier to prepare SOC specialists from scratch: for example, invest in additional training for your information security specialists who already know the company's processes, or grow personnel from students. This approach is now actively used by the country's leading IT companies and banks.

If the company does not have an information security department, and its function is nominally performed by the IT department, discuss this with the provider in advance. They may allocate additional specialists or help prepare your team.

Technologies

The set of technologies and tools depends on the company's infrastructure, maturity level and goals. Sometimes everything has to be built from scratch, but more often there are hybrid options, where the company already has some elements in place but needs additional expertise.

Most often, the main technological component of any security monitoring center is SIEM (Security Information and Event Management) – software products designed to collect and analyze information about security events. For example, Kaspersky KUMA or MaxPatrol SIEM.

A SIEM collects and normalizes data from various sources: application logs, operating system logs, endpoints, firewalls, and IDS. It then aggregates the information security events and correlates them to identify incidents for analysis.
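To make the collect-normalize-correlate pipeline concrete, here is a small added example (written for this article, not code from any SIEM product named here). It normalizes two constructed log formats (an SSH authentication log and a firewall CSV) into one event schema, applies a single hypothetical correlation rule (several login failures from one source IP followed by a success within a short window), and enriches the resulting incident with the firewall events seen from the same IP. All log lines, IP addresses and thresholds are constructed for the example.

```python
"""Toy SIEM pipeline: normalize raw events from two sources into a common schema,
then run a correlation rule across them. Added example; sample logs are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample logs. Source 1: syslog-style SSH authentication lines.
AUTH_LOG = """\
2024-05-01T10:00:01 sshd: Failed password for admin from 203.0.113.7
2024-05-01T10:00:03 sshd: Failed password for admin from 203.0.113.7
2024-05-01T10:00:05 sshd: Failed password for admin from 203.0.113.7
2024-05-01T10:00:09 sshd: Accepted password for admin from 203.0.113.7
2024-05-01T10:05:00 sshd: Failed password for bob from 198.51.100.2
2024-05-01T10:30:00 sshd: Accepted password for bob from 198.51.100.2
"""

# Source 2: constructed firewall export, CSV: timestamp,verdict,src_ip,dst_ip,dst_port
FIREWALL_LOG = """\
2024-05-01 10:00:00,DENY,203.0.113.7,10.0.0.5,22
2024-05-01 10:00:08,ALLOW,203.0.113.7,10.0.0.5,22
"""

AUTH_RE = re.compile(r"^(\S+) sshd: (Failed|Accepted) password for (\S+) from (\S+)$")


def normalize_auth(line):
    """Map one SSH log line onto the common schema (ts, source, src_ip, user, action)."""
    m = AUTH_RE.match(line)
    if not m:
        return None  # unparseable lines are dropped; a real SIEM would count them
    ts, outcome, user, src = m.groups()
    action = "login_failure" if outcome == "Failed" else "login_success"
    return {"ts": datetime.fromisoformat(ts), "source": "auth",
            "src_ip": src, "user": user, "action": action}


def normalize_firewall(line):
    """Map one firewall CSV line onto the common schema."""
    parts = line.split(",")
    if len(parts) != 5:
        return None
    ts, verdict, src, dst, port = parts
    return {"ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), "source": "firewall",
            "src_ip": src, "dst_ip": dst, "dst_port": int(port),
            "action": "fw_" + verdict.lower()}


def normalize(auth_text, fw_text):
    """Normalize both sources and merge them into one time-ordered event stream."""
    events = [normalize_auth(l) for l in auth_text.splitlines()]
    events += [normalize_firewall(l) for l in fw_text.splitlines()]
    events = [e for e in events if e is not None]
    events.sort(key=lambda e: e["ts"])
    return events


def correlate_bruteforce(events, threshold=3, window=timedelta(minutes=5)):
    """Hypothetical rule: >= `threshold` login failures from one source IP inside
    `window`, followed by a login success from the same IP, raises an incident."""
    failures = defaultdict(list)  # src_ip -> timestamps of recent failures
    incidents = []
    for e in events:
        ip = e["src_ip"]
        if e["action"] == "login_failure":
            failures[ip].append(e["ts"])
            failures[ip] = [t for t in failures[ip] if e["ts"] - t <= window]
        elif e["action"] == "login_success":
            recent = [t for t in failures[ip] if e["ts"] - t <= window]
            if len(recent) >= threshold:
                incidents.append({"rule": "bruteforce_then_success", "src_ip": ip,
                                  "user": e["user"], "failures": len(recent),
                                  "ts": e["ts"]})
                failures[ip] = []  # reset so one burst yields one incident
    return incidents


def enrich_with_firewall(incident, events, window=timedelta(minutes=5)):
    """Attach firewall events from the incident's source IP seen shortly before it,
    so the analyst sees network context next to the authentication evidence."""
    return [e for e in events
            if e["source"] == "firewall" and e["src_ip"] == incident["src_ip"]
            and timedelta(0) <= incident["ts"] - e["ts"] <= window]


if __name__ == "__main__":
    stream = normalize(AUTH_LOG, FIREWALL_LOG)
    for inc in correlate_bruteforce(stream):
        print(inc)
        print("  firewall context:", enrich_with_firewall(inc, stream))
```

The interesting part for a SOC customer is the `correlate_bruteforce` rule: its threshold and window are exactly the kind of parameters that have to be tuned per environment, which is why the ability to refine normalization and correlation rules with the provider matters (see the list of regular customer requests below). The second user, who failed once and logged in 25 minutes later, correctly produces no incident.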

SIEM is an important part of the technology stack, but experts and processes are no less important. You also need infrastructure and security subsystems to support the SIEM. The standard technology stack includes: SIEM + IRP/SOAR, EDR, XDR, a vulnerability scanner, a TI platform, sandboxes and a client personal account. The SOC infrastructure, in turn, consists of servers, storage systems, event delivery systems and security subsystems.

Before implementing a SOC, please consider:

  • Infrastructure readiness. Upgrading it for future implementation and effective operation of the SOC takes time – from design to procurement and implementation, it can take several months.

  • Status of network infrastructure. Older networks may need to be upgraded.

  • The currency of equipment and software; this is especially important for enterprises. For example, uncommon software will require additional rules to be developed for it.

  • The order in which to connect not only security equipment, but also all other infrastructure elements, according to their degree of importance.

  • Import substitution opportunities. Analyze the market with the provider's help so you are ready to replace elements of your stack with Russian analogues.

Processes

Before implementing a SOC, it is important to allocate the necessary resources and bring the relevant processes under controlled operation. This ensures the monitoring center functions stably and to a high standard.

Key points include managing:

If you have chosen a quality SOC provider, they will most likely help you set up these processes and even take some of them on themselves.

What customers typically require from a SOC

Most often, companies want the classic services: monitoring and response recommendations under a standardized SLA. The response service accounts for up to 40% of new customer requests (20% of customers use it now; a couple of years ago it was 10%).

Also included in the list of regular requests are:

  • a one-stop shop;

  • fast connection;

  • basic "hygiene" requirements: a client personal account and TI;

  • clear/transparent pricing;

  • understanding of standard/non-standard sources and their connection times (non-standard ones take longer to connect);

  • the possibility of refining the correlation/normalization rules.

Choosing a SOC Integrator

When choosing a SOC provider, customers usually pay attention to the specialists on the team, how quickly resources can be scaled, and the cost of connection and support. However, this is not enough for a full assessment.

It is also important to consider the volume of available resources and the type of SIEM system used. Another important factor is whether the provider holds certificates of compliance with GOST R 27001, GOST R 20000 and GOST R 9001, which confirm functioning information security management, IT service management and quality management systems respectively.

Pay attention to the provider's willingness to help build your internal processes. In addition, it is critical that the provider has experienced experts who can respond to threats within the first minutes of detection, before intruders gain a foothold in the system.

Assessing the qualifications and experience of the SOC provider team

When choosing a SOC provider, it is important to quickly assess the qualifications of their team. At the contract negotiation stage, pay attention to the following aspects:

  • The team structure should be multi-level, including service managers and leads.

  • Specialists must have higher education in the field of information security and experience working on similar projects.

  • The provider must have certificates from key manufacturers.

Conclusion

A SOC is a complex, comprehensive system. Even connecting one is a quest that requires time, preparation and significant investment.

Moreover, the work is not limited to preparation and implementation. Next come monitoring and analysis of incidents, implementation of new rules, and connection of new event sources. Working with a SOC is a continuous process that lasts for the whole life of the enterprise.

Therefore, it is worth approaching the choice of a SOC provider with the utmost seriousness and devoting at least a week to it. Then the results of cooperation will justify the efforts expended.

With the right organization of processes, a SOC provides reliable protection even against targeted and complex attacks. The Russian market has enough qualified providers capable of delivering a level of protection that matches current threats.
