2023 OWASP API Security Top 10 Best Practices
After four long years since the original…
The security operations center (SOC) has become a core element of cybersecurity strategy. SOCs take many forms, but what they all have in common is a mission to operationalize security policies and processes. SOCs take action to protect organizations from cyber threats. This article explores the SOC, what it is, and how it works.
A SOC, sometimes referred to as an information security operations center (ISOC), comprises a team of people with specialized tooling whose job is to monitor the IT estate, detect security events, and respond to alerts and security incidents. A SOC typically runs 24 hours a day and is based out of a dedicated physical space. Some SOCs are staffed by full-time employee teams. Other times, an external vendor, such as a managed security services provider (MSSP) delivers SOC services to its clients. A SOC also usually involves itself in developing security policies and undertaking preventive measures.
The word “center” is a key to understanding the nature and purpose of the SOC. A SOC is a centralized security detection and response team. A SOC pulls together sources of security information, such as device logs and other sensors, and analyzes them in a coherent, holistic way. The goal is to unify and coordinate all the various security tools, policies, practices, and workflows that exist in an organization. If the SOC is working as intended, it will provide faster, better responses to security events than is possible with the alternative: a piecemeal approach and scattered, loosely coordinated team members.
The SOC is responsible for defending the organization’s digital assets. These run the gamut from devices to applications to data. The SOC may also be in charge of protecting the network, but that varies by company. The primary enabling factor here is visibility. The SOC cannot defend what it can’t see. For this reason, the SOC employs specialized tooling that gives the SOC team a complete view of endpoints, servers, applications, and databases, as well as threats and security alerts.
Assuming visibility, the SOC’s areas of operation generally belong in one of three categories:
The SOC team usually comprises a mix of backgrounds and roles. In addition to the SOC manager, who is in charge of the SOC and usually oversees security operations in general, there are security engineers, security analysts, and threat hunters. Threat hunters detect and contain advanced threats, such as advanced persistent threats (APTs), zero days or other novel threats that get past existing defenses.
Security engineers build and manage the security architecture. This involves evaluating and testing security tools, and then maintaining them once they are put to work. Security engineers also typically engage with developers and DevSecOps teams to ensure that security is part of the software development lifecycle (SDLC).
Security analysts are responsible for monitoring the IT estate for threats and responding to security incidents. Much of this work involves investigating alerts and performing triage, with the goal of prioritizing the most serious issues. They then oversee the incident response workflow, perhaps using a SOAR solution and its various playbooks. This can be quite challenging, because sometimes a seemingly minor alert is an indication of a major security incident, while many false positives form a problematic distraction. The work can be stressful, with burnout a common difficulty facing security analysts.
The network operations center (NOC) is analogous to the SOC, but it is focused on ensuring reliable network functioning, rather than security. The two team constructs are similar, and this is not an accident. The idea for the SOC grew out of the success of NOCs or “NOC rooms.” A company needs both. It’s not an either/or choice, and the two centers tend to have overlapping responsibilities. A great deal of security monitoring in the SOC involves analyzing network performance because threats often first appear as network anomalies.
The computer security incident response team (CSIRT) is a group that handles security incidents. It is distinct from the SOC in that it is more advanced and multi-disciplinary. The CSIRT focuses on intensive, serious incidents, versus the SOC, which is always on duty for every threat and alert. The CSIRT is also usually responsible for setting security policies and preventive measures implemented by the SOC. The two groups have some overlapping responsibilities and often work together on incident response.
The product security incident response team (PSIRT) is responsible for responding to security incidents involving a company’s products. It does not have a lot to do with the SOC. In contrast to the CSIRT, which teams up with the SOC to handle threats to the organization, the PSIRT is largely externally focused.
The SOC is always on duty, monitoring for threats and attacks around the clock. SOC team members are the frontline responders against malicious actors. The SOC also gets involved in security policy development and preventive measures. By detecting and responding to security incidents, the SOC keeps the organization functioning in the face of serious cyberthreats.
Experience the speed, scale, and security that only Noname can provide. You’ll never look at APIs the same way again.