Security operations center

May 7, 2015 by Steve Lynch

Ensuring the confidentiality, integrity, and availability of a modern information technology enterprise is a big job. Cyber security breaches are becoming common news, and the role of security in the IT sector grows more important every year. To address security issues and to provide a rapid response to security-related problems, most companies are setting up a Security Operations Center (SOC). A SOC can be simply defined as a centralized unit that deals with security at an organizational level. In these centers, the enterprise’s information and other sensitive assets such as websites, databases, servers and networks are monitored, assessed and defended. Irrespective of the size or type of organization, it is important to have a SOC to protect against and to handle such issues. Many companies lack a fully functioning SOC for various reasons, such as a shortage of trained security professionals, cost management, or inappropriate tools. Many organizations believe that they are not susceptible to cyber attacks because they haven’t experienced one yet. The reality is that they don’t know whether they are compromised or not. A SOC is a team primarily composed of security analysts organized to detect, analyze, respond to, report on, and prevent cyber security incidents.

To determine the nature of the attack, the SOC incident response team often must perform advanced forensic analysis on artifacts such as hard drive images or full-session packet capture (PCAP), or malware reverse engineering on malware samples collected in support of an incident. Sometimes, forensic evidence must be collected and analyzed in a legally sound manner. In such cases, the SOC must observe greater rigor and repeatability in its procedures than would otherwise be necessary.

When the signs of an attack are understood well enough to encode a computer-readable IDS signature, the attack may be prevented in-line, as with a host intrusion prevention system (HIPS) or network intrusion prevention system (NIPS). While such systems are typically used to prevent the most basic attacks, the extent to which they can automate analysis is limited. Human analysis is always needed to run a major incident to ground. A number of technologies enable the SOC to comb through millions of events every day, supporting the incident life cycle from cradle to grave. SIEM tools collect, store, correlate, and display myriad security-relevant data feeds, supporting triage, analysis, escalation, and response activities. Almost any device can be integrated with a SIEM to fetch its logs. Most well-known devices have already been identified by SIEM vendors, and specialized connectors have been developed to fetch their logs. A SIEM can also integrate with applications developed in house by using a customized collector.

The SOC does not just consume data from its constituency; it also folds in information from a variety of external sources that provide insight into threats, vulnerabilities, and adversary TTPs. This information is called cyber intelligence (intel), and it includes cyber news feeds, signature updates, incident reports, threat briefs, and vulnerability alerts. As the defender, the SOC is in a constant arms race to maintain parity with the changing environment and threat landscape. Continually feeding cyber intel into SOC monitoring tools is key to keeping up with the threat. In a given week, the SOC will likely process dozens of pieces of cyber intel that can drive anything from IDS signature updates to emergency patch pushes. A SOC must discriminate among the cyber intel that it harvests; intel must be timely, relevant, accurate, specific, and actionable about the incident, vulnerability, or threat it describes.
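As an added illustration (not code from the article or from any SIEM product), the following Python sketch shows the two mechanisms the preceding paragraphs describe: normalising events from several log feeds, matching them against an intel feed while discarding indicators that are no longer timely, and applying a correlation rule across authentication events. The log lines, indicator addresses and the 90-day staleness window are all constructed for this example.

```python
from datetime import datetime, timedelta
# Constructed threat-intel feed (not from the article): indicator -> (type, first_seen).
# Entries older than MAX_AGE are ignored, the article's "timely" criterion applied mechanically.
INTEL = {
    "203.0.113.7": ("c2_server", datetime(2015, 5, 1)),
    "198.51.100.9": ("scanner", datetime(2014, 1, 1)),  # stale on purpose
}
MAX_AGE = timedelta(days=90)
# Constructed sample events in a simplified "timestamp source action key=value ..." format.
SAMPLE_LOGS = """\
2015-05-07T10:00:01 fw deny src=203.0.113.7 dst=10.0.0.5 dport=445
2015-05-07T10:00:05 auth fail user=alice src=192.0.2.20
2015-05-07T10:00:07 auth fail user=alice src=192.0.2.20
2015-05-07T10:00:09 auth fail user=alice src=192.0.2.20
2015-05-07T10:00:12 auth ok user=alice src=192.0.2.20
2015-05-07T10:01:00 fw allow src=198.51.100.9 dst=10.0.0.5 dport=80
"""
def parse(line):
    # Normalise one raw line into a flat event dict: the SIEM "collect and store" step.
    ts, source, action, *kvs = line.split()
    return {"ts": datetime.fromisoformat(ts), "source": source, "action": action,
            **dict(kv.split("=", 1) for kv in kvs)}

def intel_hits(events, now):
    # Match event source addresses against the intel feed, skipping stale indicators.
    alerts = []
    for ev in events:
        entry = INTEL.get(ev.get("src"))
        if entry and now - entry[1] <= MAX_AGE:
            alerts.append(("intel_match", ev["src"], entry[0]))
    return alerts

def brute_force(events, threshold=3, window=timedelta(seconds=30)):
    # Correlation rule: N failed logins for one user/source, then a success, inside the window.
    alerts, fails = [], {}
    for ev in events:
        if ev["source"] != "auth":
            continue
        key = (ev["user"], ev["src"])
        if ev["action"] == "fail":
            fails.setdefault(key, []).append(ev["ts"])
        elif ev["action"] == "ok":
            recent = [t for t in fails.get(key, []) if ev["ts"] - t <= window]
            if len(recent) >= threshold:
                alerts.append(("brute_force_success", ev["user"], ev["src"]))
    return alerts

def correlate(raw_logs, now):
    events = [parse(l) for l in raw_logs.splitlines() if l.strip()]
    return intel_hits(events, now) + brute_force(events)
```

Running `correlate(SAMPLE_LOGS, datetime(2015, 5, 7))` yields one intel match and one brute-force alert; the stale scanner indicator produces nothing, which is the kind of filtering the article asks the SOC to apply to harvested intel.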

Building Process

By understanding the current capabilities of people, processes and technology, we can improve security management without investing a lot of capital. The next step is to assess the existing security technologies and processes. The result of this assessment can be used for proper security management. The following are the steps for building an efficient Security Operations Center:

  • Risk Assessment

    The first step is to perform an assessment. This helps to identify clear priorities for one’s company. Risk assessment begins by compiling critical assets, information to protect, and other business processes. Next we should identify the threats that may affect our systems. Once the threats are identified, they should be prioritized based on severity and impact. The output of the risk assessment helps to design the SOC accordingly.

  • Business Case

    After the completion of the risk assessment, the SOC objectives must be defined. The priorities may vary for different organizations. Some of the objectives could be to detect attacks from the Internet, maintain a vulnerability review, monitor the network, etc. A business case should be developed specifying the objective of the SOC, its requirements and other details the center should work on. It helps to figure out the advantages, goals and the investment required. Requirements should be considered for both short-term and long-term objectives. The most important thing in defining these requirements is to start with the basics and to keep it as simple as possible.

  • Staff Skill and Training Requirement

    Skilled technicians, correct methodology and the right technology are the keys to success for an efficient SOC. Among these, skilled staff play the most important role in protecting the organization from cyber attacks. Without properly skilled personnel, any number of processes or technologies won’t help in building a proper structure. We have to identify current skills and the required skills, analyze the gap and work accordingly for a better output. Identifying gaps between the current and required skill set of existing support staff should be the next step. The support team should also be given proper training in various fields and environments so that they can later work in a live environment.

  • Technology Requirement

    The toolset should be selected according to the skills of the people working with it. The survey conducted in the previous step would help in selecting it. Some of the tools can be basic tools like antivirus, firewalls and intrusion detection systems like Snort. Advanced tools like DLP, application security testing, database activity monitoring (DAM) or an automated vulnerability assessment tool could be used to ensure proper results.

  • Incident Management

    It is very important to have an Incident Response (IR) team to manage an incident. Incident management should be planned according to the capability of the team members and the SOC configuration. First we have to define the response procedures for certain situations. These response procedures are also known as standard operating procedures, which should be followed once an alert is triggered. The following are the phases included in incident management:

    • Identification
    • Response
    • Recovery
    • Post-incident review

Regular exercises on such situations would help the team to speed up their process under pressure and attain maximum efficiency.

There are various advantages of having a SOC. A managed SOC provides a complete solution to security issues related to one’s company by monitoring and governing its activities. A proper SOC should have the following:

  • Security Incident and Event Management (SIEM)
  • Threat Intelligence
  • 24/7 security monitoring
  • Incident response

Crafting a SOC with the features mentioned above could bring complete protection for an organization. Performance can improve dramatically when you don’t have to worry about security. This kind of implementation provides immunity from advanced threats and risks.

The operations carried out in a Network Operations Center (NOC) differ from those of a SOC, even though both monitor and manage network-related issues within an organization. NOC personnel are responsible for monitoring one or more networks. They analyze and troubleshoot network issues by communicating with other responsible personnel. The primary responsibilities of a NOC are the following:

  • Network monitoring
  • Communications management
  • Reporting problems

NOC engineers may have to deal with power outages, network failures, etc. They have to ensure that the network is always stable for reliable communication. The hardware should be properly configured according to their requirements. Networks should be secured within an organization to ensure full security. These days we can see that the line between SOC and NOC is starting to blur. Many companies are planning to combine these two centers, which would give much more efficiency. Professionals should be trained in both fields before working in a live environment. Many security tools and network management tools can be combined for a better result. Analysts say that the two should not be combined entirely, but should share some areas, especially where security policy implementation and auditing is concerned.

Integration of security and network operations holds a great deal of promise, but there are certain problems that need to be solved when they are combined. Traditional organizations build separate infrastructure for monitoring security and network events. This makes sense because network operations are concerned with statistics related to server utilization, heat issues, network traffic, etc., while the security team is tracking security events on the same servers and routers.

In the past few years, Security Information Management Systems (SIMs) have become the type of technology that SOCs are built on. Intrusion detection and prevention systems, firewalls, routers, and servers can send their security events to a SIM. With broad functionality and benefit come implementation complexity and cost. Some of the issues are mentioned below:

  • Requires extensive planning
  • Dedicated hardware requirements
  • Technical complexity
  • Identifying exact problems
  • Frequent modifications according to situation

The biggest challenge in a successful SIM project is not deployment, but managing the aftermath of deployment. False alerts make up about 80% of the total alerts reported. Without thorough study and investigation, even the most technically knowledgeable staff won’t be able to identify whether an alert is false or genuine.

Another challenge that companies face now is the analysis of huge volumes of logs. Companies are relying on data analytics to analyze these logs and highlight the results in dashboards. More SIM solutions are moving toward log analysis with the help of big data systems.

Threat Intelligence

Threat intelligence is a comprehensive, real-time, cloud-based service that enables customers to protect against cyber threats across all vectors: file, web, message, and network. Threat intelligence can protect organizations from emerging cyber threats by considering their propagation methods and sources. It helps our security infrastructure through shared threat intelligence, enabling security products to act proactively.

The use of threat intelligence is necessary in a SOC to prevent the latest attacks. Certain threat intelligence providers have the capability to predict threats before they occur in the market by using data analytics. These services are in high demand as companies don’t want to risk their reputation. Certain threat feeds are automatically integrated with the SIEM system so that feed updates are applied instantaneously.


Cyber attacks cannot be prevented and will continue to occur daily, so companies need to invest in a SOC in order to avoid heavy losses. To start, companies can run a SOC with minimal staff and move it to 24/7 as it grows. In conclusion, an effective SOC needs to be developed carefully to prevent advanced threats and to have a bird’s eye view of your infrastructure.


Steve Lynch

Steve has 9 years of experience in the cyber security space. He worked as a cyber journalist, collecting cyber security news from various geographic locations. He has extensive experience with Linux and holds many technology certificates.
