November 18, 2022
Equipping (or re-equipping) a Security Operations Centre (SOC) can be challenging. With so many tools to choose from, even the most well-funded security teams are forced to make tough decisions.
So what are the most important tools for a modern SOC? Well… it depends.
The Primary Functions of a SOC
While it’s tempting to go straight for the tools, it’s crucial to clearly understand what your SOC needs to achieve first. You should also choose tools that support your needs, environment, and team, instead of trying to mould your team around a set of arbitrarily chosen tools.
So what can a SOC do?
Although many security vendors will provide one, giving an exact definition of a SOC and what it does is impossible. Every SOC is slightly different, with its own remit, metrics, and expectations. With that said, some functions are shared by (almost) every SOC:
- Data collection, correlation, and analysis. This is unquestionably the single most common and most important function of any SOC, and it’s based mainly on the use of system logs. Data flows, network telemetry, packet captures, syslogs, and activity from security tools like firewalls are all commonly collected and used by SOC teams.
- Data enrichment. Log files alone would be too laborious to work with, so enriching logged data with security information and intelligence sources is another crucial SOC function. Enriched data is used to make proactive decisions and better understand security incidents.
- Threat detection. Note this is not the same as incident response. SOC teams are usually responsible for identifying any and all threats to the organisation’s IT assets, using a combination of risk assessments, scanning tools, behavioural analysis, and threat hunting.
- Monitoring the environment, including the network, users, and all systems and services, for suspicious or malicious activities.
- Security system design, system hardening and preventative maintenance. Security should never be a purely reactive discipline—there should always be tools, policies, and procedures in place to prevent the most common threats at their source. It’s the SOC’s job to put these in place and continually monitor them to ensure they remain current and effective.
- Recovery and remediation following an incident. While Computer Security Incident Response Teams (CSIRTs) typically handle active security incidents, it’s usually SOCs that handle the broader recovery effort.
- Incident response (only for organisations without a separate CSIRT). Building incident response into the SOC is common in small and mid-sized organisations where budgets don’t permit the maintenance of two separate teams.
Of course, this is far from the extent of what a SOC can do. More advanced functions include:
- Root cause investigation for serious or unusual incidents
- Compliance management
- Past incident analysis to gather information about attack patterns and techniques
- Forensic analysis
- Dedicated threat hunting
Tooling Must Match Responsibilities
While there are some tools you can consider ‘essential,’ in practice, there are huge differences between the tools needed by different SOC teams. These differences are driven by many factors, but perhaps the most common (and important) are:
- Network scope and complexity
- Available budget
- SOC team manpower
Imagine two organisations of roughly the same ‘size’ in terms of revenue. Here’s what makes them different:
Organisation #1 is a retail business with 20 locations, each with dozens of endpoints, its own local backup server, and a large user base with minimal IT training and relatively high turnover. Its main security objectives are maintaining network uptime and protecting customer payment information.
Organisation #2 is a research laboratory that contracts with several government and military agencies. The lab operates from a single site and has under 100 users. Its main security objective is protecting the integrity and confidentiality of sensitive research data.
Each of these organisations needs a SOC—but clearly, they don’t have precisely the same needs. The lesson here is simple. Before you spend too long thinking about which tools to buy, first ensure you know exactly what objectives your SOC must achieve.
The Most Common (and Important) SOC Tools
With all that out of the way, some security tools can be considered a ‘must’ for most SOCs. Notice that each item below relates directly to one of the functions explained earlier in this article.
Tool #1: Incident/Case Management
Every time something suspicious turns up in an organisation’s environment, the SOC must investigate it. Naturally, this happens a lot—and without an effective incident management tool, it’s almost guaranteed things will be lost, forgotten, or missed.
An effective incident management tool creates a permanent record of every event, including which team members were involved, what they did, and the outcome. It also aids inter-team collaboration, for example, between the SOC and IT operations.
Tool #2: SIEM + Enrichment Sources
Log collection is one of the top functions of a SOC. The SIEM (Security Information and Event Management) is the primary tool used to aggregate, correlate, enrich, and analyse those logs. A SOC must also rely on various security data, information, and intelligence sources, which the SIEM uses to identify suspicious and malicious activities amongst the torrent of legitimate network activity.
Tool #3: Firewall
A firewall monitors network traffic and allows or blocks incoming or outgoing data packets based on a constantly updated set of security rules. Firewalls can be software installed on each device or a hardware device that sits between an organisation’s network and its gateway. Today, most organisations use both—although software firewalls have been replaced in some cases by alternative technologies.
A firewall creates a barrier between an organisation’s internal network and incoming traffic from the Internet or another network. This allows it to block malicious traffic such as malware before it enters the network. Firewalls also create logs of all incoming and outgoing traffic, which can be valuable for SOC teams when analysing suspicious or malicious activity.
Tool #4: Intrusion Detection/Prevention Systems (IDS/IPS)
Since firewalls are never failsafe, most organisations also use IDS and/or IPS tools. These tools analyse network activity to uncover malicious behaviour as early as possible and either alert the SOC (IDS) or block the activity directly (IPS).
Tool #5: Antivirus (AV) and/or Endpoint Detection and Response (EDR) tools
Historically, one of the hardest places to identify malicious activity has been on endpoint devices such as PCs, laptops, and mobile devices. One of the first attempts to solve this problem was installing an antivirus solution on each endpoint, designed to identify and block malicious activity as soon as it occurred. This worked reasonably well; however, as the rate of evolution of threats accelerated, it became harder and harder for these solutions to keep up.
Today, most organisations use EDR tools to continuously monitor endpoints for suspicious activity and report it back to the SOC. More advanced EDR tools use behavioural analysis rather than relying on a database of known threats, as this approach is more able to keep up with the latest threats.
Building a SOC is Expensive
Naturally, all these tools aren’t cheap. Even a basic SOC with just the tools above can cost an organisation hundreds of thousands of pounds each year. Of course, the five tool categories explained above are far from the only tools used by today’s SOCs. Many SOCs use dozens of discrete tools daily to achieve their objectives. These commonly include:
- Security Orchestration, Automation, and Response (SOAR) platforms
- Threat Intelligence Platforms (TIP)
- Web proxies
- Forensic analysis and data capture tools
And costs only rise when you factor in the costs of staffing the SOC. Organisations aiming to build a 24/7/365 SOC often reevaluate their options when they realise how much it will cost them.
So, what’s the alternative?
An increasing number of businesses are turning to managed SOC providers to help them handle the rapid pace of digital transformation and the exponential increase in cybercrime. The key drivers for this shift include:
- Lack of qualified in-house resources in the face of the cybersecurity skills shortage
- Potential to miss alerts or respond slowly, with SOC tools difficult to configure correctly
- Growth in network weak points and insecure devices with increases in remote working
- Increased pressure on efficiency and cost
- Meeting continually changing data protection and compliance requirements
At CyberOne, we offer the UK’s most advanced managed SOC service, providing 24/7/365 detection and response from our award-winning Cyber Defence Centre in Milton Keynes. Talk to us about how to secure your business against the risks of ransomware and other security breaches through our unrivalled combination of people, processes and technology.