A Security Operations Centre (SOC) is a dedicated team of cyber security experts focused on preventing and responding to cyber-attacks and security breaches.
What is a Security Operations Centre?
The purpose of a SOC
SOCs act as a centralised security hub—receiving telemetry from across IT infrastructure, networks, data and endpoints to gain visibility of the activities and events taking place in these environments. They monitor this telemetry to detect potential threats and advise on the preventative and remedial actions to be taken, based on the threat analytics and assessments the SOC team produces.
A SOC is either provided as a service to organisations that choose to outsource this function, or run in-house by companies large enough to build and resource their own SOC team.
Cutting-edge technology and high levels of technical expertise underpin an effective SOC. Advanced threat identification, protection and analytics software (which typically runs in the cloud) provides the SOC with real-time data on all activity around a given network and will flag (and potentially quarantine) any activity deemed to be unusual, suspicious or dangerous.
The security experts in the SOC log these events and review them before advising on, or executing, the necessary action to be taken.
Why use a SOC?
The cyber threat landscape has changed dramatically in recent years. Organisations of all sizes are being targeted daily by increasingly sophisticated and ever-changing methods of attack. If you don’t believe your organisation is a target—you’re wrong.
The UK Government’s annual Cyber Security Breaches Survey showed that 31% of micro and small businesses suffered breaches or attacks in the past 12 months, compared with 60% of medium-sized businesses and 61% of large firms. 22% of charities also experienced attacks, rising to 52% for charities with an income above £500,000. Although the number of organisations reporting breaches has dropped since last year (possibly as a result of better cyber security, or even fear of GDPR penalties), the median number of attacks faced by those organisations that did report breaches has increased dramatically: from two attacks in 2017 to six attacks in 2019.
These are large numbers. It is important to remember that hackers don’t just want your organisation’s money; they also want to compromise your user accounts and hijack your mailboxes to launch further attacks on other organisations and individuals. They want to use your company’s accounts to impersonate your employees and socially engineer other businesses in your supply chain. They may even want your user credentials simply to sell on the dark web (quick-win cybercrime). There is a whole host of reasons why cyber criminals want access to your network, so don’t believe anyone who tells you that their company or charity is “too small to be a target”.
Monitoring and preventing these kinds of attacks is becoming increasingly difficult, which is why SOC services are an attractive proposition for many companies. IT departments are often stretched by the day-to-day demands of managing their organisation’s IT support issues, rolling out new internal projects and moving to the cloud, and lack the time or personnel to keep on top of complex threats.
By using a SOC, IT managers can focus on their day-to-day responsibilities, safe in the knowledge that if a threat occurs, they will be advised on how to respond to it swiftly and how to prevent it from happening again.
Which businesses use SOC services?
Many businesses choose to outsource this function. Typically, only the largest businesses can afford an in-house SOC, because of the cost of recruiting employees with the required level of technical expertise and experience. If your business wants cutting-edge threat protection without the substantial cost of bringing that expertise in-house, you might consider partnering with a SOC service provider.
It is predicted that there will be a shortage of 3.5 million security staff by 2021—another reason why so many organisations are now opting for managed security service providers (MSSPs) and outsourced SOC services; it is not easy to find and retain staff of the required calibre.
Furthermore, the rapid adoption of cloud services has contributed to a major paradigm shift in cyber security. Using a SOC provider may be the preferred option for organisations that don’t have significant cloud expertise in-house, yet still want to move forward with cloud adoption projects while making use of the powerful cloud-based security solutions now available to them.
What do I get with SOC services?
Processes will differ between SOCs. We provide fundamental security advice and best-practice guidance. Our specific SOC process is as follows:
- Monitor – We monitor your network using Microsoft’s advanced threat protection suite
- Alert – We pick up real-time alerts for suspicious or never-before-seen activity as they appear
- Investigate – Our SecOps team reviews each alert and investigates further to build a clear picture of the threat, its scope and its potential impact
- Report – Once analysis is complete, we pass on a report to you outlining key information about the threat, its implications and further guidance
Rather than simply passing on alerts for clients to deal with, we actively investigate the alerts and translate them into clear reports and actionable guidance that includes:
- Threat summary and origin
- Reasons for the threat
- How it spread
- Timeline of events
- Guidance and advice
We also issue quarterly reports covering the trends we have identified during monitoring—allowing clients to feed this into their IT strategy and ongoing security optimisation.
We can also work with our clients to agree and set up pre-configured automated actions based on incoming threats.
What technologies does a SOC use?
While technologies will vary between SOCs, we are true advocates of Microsoft’s cutting-edge, cloud-based threat protection suite—part of Microsoft 365. We don’t believe any other security offering on the market is as compelling as Microsoft’s; the value that companies of all sizes can get from Microsoft 365’s enterprise-grade security is exceptional.
Microsoft’s products receive 6.5 trillion signals every day from companies using Microsoft products globally. This unparalleled telemetry demonstrates the sheer power of the cloud: as organisations encounter threats, this information is fed back to Microsoft’s cloud, which identifies potential threats and then flags and blocks the same threats for other Microsoft customers.
A great example of this in action was the infamous Bad Rabbit malware attack, which began in Russia in 2017. Within 14 minutes of the first encounter with this malware, Microsoft’s cloud protection service had used machine learning to establish that the file (which had been encountered by nine of its users) was malware. From that point onwards, all other customers of Microsoft’s Windows Defender AV with cloud protection enabled were protected globally.
Microsoft therefore has visibility of the threats that organisations are facing around the world at any given time, and can adapt and respond to these threats as necessary.
This is why we are experts in Microsoft 365 and why we encourage our clients to move to Microsoft 365; it allows us to provide genuinely powerful security to businesses of all sizes, from start-ups and SMBs to large enterprises.
Interested in SOC services?
If you would like more advice or guidance on improving your cyber security, feel free to contact us. We are members of the Microsoft Intelligent Security Association and our SOC MXDR services are Microsoft-verified.
Our Microsoft-native SOC services allow organisations of all sizes to benefit from genuinely powerful, cost-effective security and expert advice.