Cyber security is often associated with hacking and hackers. Although not entirely false, this portrayal overemphasizes the dark side of cyber space. Defense is key. The ultimate goal of cyber security is to defend against the various threat actors that are operating today.

Security Operations Centers are the epicenter of cyber defense and play a crucial role in the battle against cyber crime. Without them most organizations would be easy targets for hackers and advanced persistent threat groups. The primary purpose of a Security Operations Center is to function as a safeguard for the entity it is protecting by monitoring, detecting and preventing cyber threats as well as investigating and remediating any incidents that occur.

Different types of Security Operations Centers exist depending on their mission and purpose. Large corporations, international banks and government agencies typically have their own internal Security Operations Center which is responsible for managing their security posture and responding to any breaches that occur. Since the Security Operations Center is a unit within the entity rather than a third party service provider, it is able to allocate all of its time and resources for the well-being of the entity. Moreover, the Security Operations Center has first hand knowledge about the entity, its internal operations, and its network and security architecture. Especially during an incident response situation, where time is of the essence, this information can be priceless. The second type of Security Operations Center is one that is offered by a cyber security service provider. This is at times referred to as “SOC as a service”. Client corporations can opt either for an on-demand or fixed-term service depending on their budget and needs. Thus, the Security Operations Center becomes a trusted partner of the client corporation, and is responsible for detecting and responding to incidents that occur. Client corporations often have their own security teams that work hand-in-hand with the “SOC as a service provider”. In order for the partnership to be successful, the Security Operations Center needs to do its best to communicate effectively with the client corporation and maintain a customer oriented approach. The third type of Security Operations Center is an integral part of the business operations of a security solutions vendor. In addition to the security product, the vendor provides a team of experts to assist customers during ongoing investigations and incident response situations. These experts have exceptional expertise with the security product, and therefore, can offer expert advice or take the lead in resolving the incident. This service is typically offered on-demand and primarily in urgent situations where immediate assistance is required. As an example, Palo Alto Networks has established the Unit 42 team which brings together top of the line security consultants, threat researchers and incident responders to assist client corporations. Likewise, Microsoft offers a managed threat hunting service known as Microsoft Defender Experts for expert level monitoring and analysis of incidents and anomalies.

Security Operations Centers typically consist of an operative team, an engineering team and a management team. The core concept of a Security Operations Center is to combine people, processes and technology to form a unified command center for security operations. Typically, the operative team is divided into three tiers.

Tier 1 consists of First Responders or Junior Cyber Security Analysts who are responsible for sifting through myriads of incidents and alerts. In technical terms, this procedure is known as Triage. It is an initial investigation, whereby, the Junior Cyber Security Analyst segregates and prioritizes incidents based on their urgency.

Incidents that do not have indicators of malicious or anomalous activity are closed. On the other hand, if it is determined that an incident requires further analysis, the Junior Cyber Security Analyst will escalate it to Tier 2.

Tier 2 is made up of experienced Cyber Security Analysts gained a wealth of experience investigating various types of incidents. Unlike Tier 1, they do not merely assess an incident on a surface level, but rather examine the data more thoroughly. When an incident is escalated to Tier 2, the Cyber Security Analyst will evaluate the nature of the activity. Malicious activity indicates that the incident is a True Positive? Activity that outwardly appears to be malicious, but has no evil intent, such as a penetration test, is categorized as Benign Positive. If an alert is triggered by something that should not trigger it in the first place, the incident is a False Positive. Tier 2 Cyber Security Analysts are responsible for assessing whether harm has already been caused by the incident. It is equally important to determine the nature of the harm caused, who has been affected and to what extent has damage been done. Based on this assessment, Tier 2 will have to determine what remediation actions should be performed to mitigate the damage and preventing it from spreading further within the network.

Tier 3 is responsible for handling major incidents that require high level of expertise. The team is comprised of Senior Cyber Security Analysts, Threat Researchers and Incident Responders whose main responsibilities are containing the threat, identifying the root cause of the incident, investigating whether sensitive information has been exfiltrated, and evaluating the scope of the breach. Each member of the team brings to the table one or more specialist skills such as Threat Hunting, Cyber Threat Intelligence, Digital Forensics, Reverse Engineering and Malware Analysis. Tier 3 is the emergency response unit of the Security Operations Center. They are called upon when a major incident is at hand, and immediate response actions are needed. These scenarios include active attacks by an Advanced Persistent Threat groups, ransomware attacks and serious insider threats.

The Engineering Team is in charge of the backend infrastructure. The team consists of Cyber Security Architects and Cyber Security Engineers whose main purpose is to ensure the smooth running of the Security Operations Center from a technological perspective. They are responsible for matters related to the architecture of the Security Operations Center such as configuring the Security Information and Event Management (SIEM) solution to ingest log data from various sources. By aggregating and correlating these logs and applying logic rules to them, Cyber Security Engineers can generate customized alerts and incidents.

In addition, they maintain the Security Orchestration, Automation and Response (SOAR) platform which functions as a centralized alert handling framework and is capable of performing automated response actions to reduce the number of incidents the Operative Team has to handle manually. Managed Detection and Response (MDR) solutions are also configured by the Engineering Team.

Depending on the size of the Security Operations Center, the SOC Manager may be the only one holding a management level position. As the captain of the ship he is responsible for overseeing the day-to-day operations and liaising with clients and executives. Larger Security Operations Centers will typically have Team Managers who oversee and direct their teams and report directly to the SOC Manager who in turn reports to a higher level executive such as the Chief Information Security Officer.

Security Operations Centers play a crucial role in the fight against cyber crime as they protect governments, large corporations, banks and even critical infrastructure. As threat actors are incorporating increasingly sophisticated techniques to bypass even robust defenses, the Security Operations Center market is growing rapidly. This is an excellent time to join the cyber security industry! Breaking into the field is by no means a piece of cake, especially if you do not have prior information technology (IT) experience. Nevertheless, it is possible! The cyber security industry is not just for geeks and individuals with an exceptional IQ. Anyone with a genuine interest who is willing to put in the hours can land a job in this field.

And what would be a better place to start your career than a Security Operations Center!