Setting up a Security Operation Centre calls for a lot of planning, to ensure the specialists are not subsequently overloaded with routine tasks. Because of this, many businesses opt for a different approach instead.
All sizeable businesses are facing a steady increase in the number of cyber attacks. Security specialists at Deutsche Telekom, for example, observe six million attacks on their honeypots every day. Large-scale companies often set up a Security Operation Centre (SOC) as a way of countering this threat: by bundling resources such as security specialists and software tools at a central location, they aim to take the load off individual departments and bolster their defences. SOCs work in shifts, 24/7, all year round, so bringing the professionals together in a central location, all with the appropriate authorizations, avoids time-consuming coordination problems and enables rapid action. A fundamental tool in these structures is a SIEM system (Security Information and Event Management). Sensors on applications and network components report events, and the SIEM analyzes them. The more smartly the SIEM works, the more efficiently the SOC can function.
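To make the point about SIEM efficiency concrete, here is an added example (not code from the article, nor from Deutsche Telekom or any SIEM product) of the core job such a system does: normalizing raw sensor events and correlating many low-value events into one actionable alert, so that shift analysts are not flooded with routine noise. The log format, host and user names, and IP addresses are all constructed sample data, and the single correlation rule shown (repeated login failures from one source followed by a success) is an illustrative rule, not one the article describes.

```python
"""Added example: a minimal SIEM-style normalization and correlation pass.

Sensors on applications and network components forward raw events; the SIEM
parses them into a common shape and applies rules that turn many raw events
into few alerts. All event lines below are constructed sample data.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events from two sensor types: an SSH daemon and a firewall.
SAMPLE_EVENTS = [
    "2024-05-01T10:00:01Z sshd host=web01 src=203.0.113.7 user=root result=FAIL",
    "2024-05-01T10:00:02Z sshd host=web01 src=203.0.113.7 user=admin result=FAIL",
    "2024-05-01T10:00:03Z sshd host=web01 src=203.0.113.7 user=oracle result=FAIL",
    "2024-05-01T10:00:04Z sshd host=web01 src=203.0.113.7 user=test result=FAIL",
    "2024-05-01T10:00:05Z sshd host=web01 src=203.0.113.7 user=deploy result=FAIL",
    "2024-05-01T10:00:09Z sshd host=web01 src=203.0.113.7 user=deploy result=OK",
    "2024-05-01T10:00:30Z fw host=fw01 src=198.51.100.9 dst=10.0.0.5 port=22 action=DROP",
    "2024-05-01T10:05:00Z sshd host=db01 src=10.0.0.42 user=backup result=FAIL",
    "2024-05-01T10:07:00Z sshd host=db01 src=10.0.0.42 user=backup result=OK",
    "this line is not in the expected format",
]

# Hypothetical line format: "<ISO timestamp> <sensor> key=value key=value ..."
EVENT_RE = re.compile(r"^(?P<ts>\S+) (?P<source>\S+) (?P<fields>.*)$")


def parse_event(line):
    """Normalize one raw sensor line into a flat dict; None if it cannot be parsed."""
    m = EVENT_RE.match(line)
    if not m:
        return None
    try:
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
    except ValueError:
        return None
    event = {"ts": ts, "source": m.group("source")}
    for kv in m.group("fields").split():
        key, sep, value = kv.partition("=")
        if sep:
            event[key] = value
    return event


def correlate(lines, threshold=5, window=timedelta(seconds=60)):
    """Correlation rule: at least `threshold` failed logins from one source IP
    within `window`, followed by a successful login from that IP, becomes ONE
    alert instead of six separate raw events on the analyst's screen.

    Returns (alerts, unparsed_count); unparsed lines are counted rather than
    silently dropped, so a broken sensor feed is visible to the SOC.
    """
    recent_failures = defaultdict(list)   # src IP -> timestamps of failures
    alerts = []
    unparsed = 0
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            unparsed += 1
            continue
        if ev["source"] != "sshd" or "src" not in ev or "result" not in ev:
            continue
        src = ev["src"]
        # Drop failures that have fallen out of the sliding time window.
        recent_failures[src] = [t for t in recent_failures[src] if ev["ts"] - t <= window]
        if ev["result"] == "FAIL":
            recent_failures[src].append(ev["ts"])
        elif ev["result"] == "OK" and len(recent_failures[src]) >= threshold:
            alerts.append({
                "rule": "repeated-failures-then-success",
                "src": src,
                "host": ev.get("host"),
                "user": ev.get("user"),
                "failures": len(recent_failures[src]),
                "ts": ev["ts"],
            })
            recent_failures[src].clear()
    return alerts, unparsed


if __name__ == "__main__":
    found, bad = correlate(SAMPLE_EVENTS)
    print(f"{len(SAMPLE_EVENTS)} raw events -> {len(found)} alert(s), {bad} unparsed")
    for a in found:
        print(a)
```

Ten raw lines collapse to a single alert for 203.0.113.7; the lone failure on db01 stays below the threshold and the firewall event is ignored by this rule. The design choice worth noting is that unparsable input is counted and reported rather than discarded: a SIEM that quietly drops malformed events hides exactly the sensor outages a SOC needs to notice.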
The tasks of an SOC include preventing, monitoring and detecting security-relevant events, and responding to them immediately. Its activities include continuously monitoring the firewall, the IDS and the endpoint protection systems. In addition, the SOC must apply the manufacturers' security updates and follow security advisories from bodies such as Germany's Federal Office for Information Security (BSI). Ongoing training for employees is also essential to keep pace with increasingly refined methods of attack.
Unclear demarcation
But what belongs in the SOC, and what is better suited to the Security department? It is not easy to divide up tasks and functions. Operational administrative processes and the development of security strategies are not typical tasks for an SOC and are usually undertaken instead by employees in IT security. Within the SOC, employees are normally divided into analysts, who monitor data flows around the clock, and specialists, who perform focused investigations into suspicious incidents and use forensics, as appropriate, to resolve them. Whereas the employees in the first level (the analysts) normally work shifts, those in the second level are qualified experts working normal office hours.
When companies establish an SOC, they often try to squeeze the entire Security department into it, making the SOC responsible for everything relating to IT security, with no clearly delineated tasks and responsibilities. That usually turns out to be a major error, since the SOC then becomes overloaded with routine tasks and has hardly any time left to identify and defend against attacks. The IT security team, by contrast, is usually structured as a normal department, a line organization, whereas the SOC is more like a team of specialists. The position of an SOC in the hierarchy must equip it with the mandates and authority to intervene quickly in work and production flows when a critical situation arises.
As a result, the costs of a unit of this nature are considerable, and so many businesses prefer to use third-party service providers. But that means these service providers need access to critical in-house processes. Entrusting the security management of your own company network to another business demands a great deal of trust, and the contracts must be structured accordingly.