SOC: what is it and why is it needed?

What are the tasks of the SOC?

• Monitor, search, and analyze intrusions in real-time.
• Proactively prevent cyber threats by continuously scanning computer networks for vulnerabilities and analyzing security incidents.
• Respond quickly to confirmed incidents and eliminate false positives.
• Generate reports on security status, cyber incidents and enemy behavior patterns.

The most time-consuming part of a SOC is constantly analyzing large amounts of data. The Security Center collects, stores, and analyzes from tens to hundreds of millions of security events every day. Do not forget that all this is controlled by experts: they get involved in the work when it is necessary to decide what to do with the threat found.

Why do companies need SOC?

1. Continuous monitoring of the security of the organization. Cyber threats and the cybercriminals behind them have no work hours, weekends, and lunch breaks. Only continuous monitoring and scanning of network activity will help to promptly identify security incidents. The faster an organization responds to cyberattacks, the less it risks security.
2. Information about intrusions and cyber threats is stored and processed centrally. The Security Center becomes a unified knowledge base for all network incidents. The likelihood that meaningful data about attacks or cyber threats will be overlooked tends to zero.
3. The divisions of the organization jointly resolve security issues. At the same time, the situation is excluded when experts within one company work separately and make contradictory decisions.
4. The risks to the organization are reduced. Companies that have implemented SOCs have everything to make it easier to analyze network threats, understand their causes, and prevent re-attacks.
5. Cybersecurity costs are reduced. Whether you’re protecting a small data center, a cloud infrastructure, or a hybrid environment, SOC can help lower your security costs over the long term.

Common mistakes

Statistics from past Micro Focus SIOC reports show that only 25% of SOC projects met their goals.  At the same time, if you cite the six most common mistakes, then you can see the following:

1. Lack of support.
   The SOC is not suspended in a vacuum. Its employees have to interact with most parts of the organization every day. Without leadership support and a clearly defined goal, it is impossible to ensure effective incident investigation work;
2. Emphasis on technical solutions.
   The most common cause of problems is the bias of budgets towards the implementation of technical solutions, which leads to insufficient qualifications and the number of specialists. Most modern threats require a serious qualification of an analyst, as well as a high level of organization of work on the investigation of incidents;
3. Violation of the principle “from simple to complex.”
   Problems with solving basic information security tasks necessarily lead to difficulties in solving higher-level tasks. Management of information assets, correlation of personnel information, categorization of information assets – all this information is key in the investigation of incidents;
4. Lack of focus.
   The solution of unusual, secondary tasks has a significant negative impact on the results of the work of the situation center;
5. Work “for the sake of appearances”.
   Unfortunately, solving the problem of ensuring formal compliance with regulatory requirements or standards does not always lead to a significant increase in the level of security;
6. Lack of a process approach.
   Funding for situation centers often ends during the implementation phase.  Providing resources for their day-to-day work is often extremely inadequate, but essential for their effective operation.

In conclusion, it should be noted that the concept of the Security Operations Center in the developed countries of Europe, America, Asia has long become a reality.  Time will show how close this path will be. For now, we will only note the fact that in Ukraine most of both state and commercial organizations are not yet ripe even to “simply” introduce a SIEM system.