Depending on their tasks and the maturity of their infrastructure, companies choose either to build their own rapid response center (the so-called in-house SOC) or to use the services of a rapid response center (an outsourced SOC). If you are weighing SOC as a service against building your own, this article is for you: we will look at the typical problems that arise in each case and give practical advice on building your own SOC.
SOC And Response to Modern Threats
On average, 90% of companies can be hacked within 7 days, and in only 1 case out of 10 does the attacked organization detect the breach on its own. Organizations are increasingly becoming victims of targeted attacks, and these trends are especially evident in the financial sector. The SOC is in many ways a response to today’s threats. First, it makes it possible to monitor the assets in the infrastructure constantly and carefully; second, it becomes the center for managing vulnerabilities, identifying and managing information security incidents, investigating and responding to them, and hunting for new threats.
The rapid response center team is one of the key elements of this ecosystem: it is what makes it possible to build sustainable internal processes and ensure that the protective tools actually work. A team that deeply understands the modern cyber threat landscape is able to adapt the information security system to new threats and ensure the continuity of cyber security processes.
The Main Mistakes In Building SOC
Building a SOC is a complex process, and many people make typical mistakes along the way that prevent them from achieving high efficiency, for example:
- Excessive reliance on cybersecurity outsourcing, which tops this list. It sometimes means that the expertise of internal teams stops growing and cybersecurity turns into blind adherence to the recommendations of the SOC service provider. Bottom line: the company loses control over the development of its information security, the existing team loses the ability to change the situation (because its competencies have eroded), and the company becomes a hostage to the tariffs and SLA level of the service provider.
- Improper planning, or an attempt to buy and implement all the necessary means of protection at once. This is a heroic and courageous decision, but, as practice shows, it is also often doomed to failure. Building a SOC is a slow process that requires careful planning.
- Blind adherence to standards and thoughtless application of international practices. Without adaptation to the specifics of a particular organization, the integration of international standards and agile principles is more harmful than useful.
Building a SOC: a Step-by-step Checklist
These are the main mistakes that SOC builders make. In contrast to them, there is another approach: slower, but systematic and phased.
Step One: Auditing the Perimeter
The company perimeter is the first defensive barrier in the path of an attacker. The number of attack vectors against the infrastructure, and how quickly they can be exploited, depend directly on how well the perimeter is secured. Therefore, first of all, it is important to understand what the perimeter looks like from a cybercriminal’s point of view and which problems need to be eliminated. A perimeter audit requires an inventory of external information systems and an analysis of their typical vulnerabilities. You can perform these tasks yourself, or you can use an external service for advanced perimeter control.
Step Two: Protecting the Perimeter
The initial audit shows the current level of perimeter security and helps you decide how to protect the perimeter. Here it is necessary to pay attention to the simplest but most effective methods of penetrating the infrastructure, such as phishing, to which, according to statistics, up to 75% of banks are vulnerable. The basis for closing the main vectors of penetration into an organization’s infrastructure can be formed, for example, by application-level firewalls, which make it possible to detect attacks on the company’s public services.
Step Three: Protecting the Internal Infrastructure
Once the perimeter is protected, you can move on to protecting the internal infrastructure, which involves a number of tasks:
- inventory and identification of vulnerabilities of internal information systems;
- detection of malware within the infrastructure;
- identification of traces of compromise in traffic;
- analysis of security events and detection of incidents.
The main tool here is a vulnerability scanner, around which the vulnerability management cycle is built.
Step Four: Advanced Security Techniques
Comprehensive protection of the perimeter and internal infrastructure is in place. What’s next? To combat advanced threats, new ways of assessing security are required; this is how continuous and sustainable development of the information security system is achieved. These methods may seem familiar: regular security assessments (penetration tests, source code audits, retrospective traffic analysis, etc.), incident investigation, Threat Intelligence, and Threat Hunting.
Step Five: SOC Training
Without people, there are no processes, and protective tools are pointless. There are catastrophically few ready-made experts on the market, their training often takes a long time, and the growing number of incidents dictates its own rules. It is important to grow experts within the company, because their value doubles when applied knowledge is backed up by an understanding of the company’s infrastructure.
Raising the level of expertise is important for specialists on all SOC lines. The first line should be trained in continuous monitoring, and the first and second lines in incident investigation and response. It is also desirable to have a third line on staff, but if necessary, external expertise can be brought in to conduct complex investigations of a cyber incident.
Building a SOC is a painstaking process that requires serious planning and resources. As you build it, the maturity level of the organization’s information security grows from stage to stage, and the final result will certainly be worth all the effort, money, and time spent. However, there is an easier way: help from a SOC-as-a-service provider. For example, UnderDefense is an experienced and trusted provider of cyber threat monitoring solutions.