If you’ve seen any famous hacker movies like War Games or The Matrix, you might think you know what a Security Operations Center (SOC) looks like. Your vision is probably of a room with walls covered in high-resolution large-screen visual displays, with dozens of sophisticated workstations running multiple monitors each, and lots of dark polished glass — all illuminated by the flickering of consoles. There, analysts gaze with rapt attention at multiple maps and dashboards, ready to stop international cybercriminals in their tracks with a few perfectly timed keystrokes.
Unsurprisingly, the reality is far less glamorous. A better analogy from Hollywood comes from The Wizard of Oz. Look behind the curtain, and you’ll discover that actual security operations centers are often relatively small physical spaces that rarely contain huge wall-mounted monitors. They do, however, represent the brains and nerve center of enterprise-grade cybersecurity operations programs. SOCs house the people and technologies that work together to monitor and protect corporate IT networks, reliably keeping them safe at all times of the day and night.
In essence, an SOC contains all the resources that an organization needs to detect, analyze and respond to cybersecurity incidents. Its most important resource is the people who work there — usually a combination of Tier 1, Tier 2 and Tier 3 analysts. These professionals have developed specific processes for detecting vulnerabilities, identifying threats and responding to incidents, and they leverage a carefully chosen set of technologies to get their jobs done.
In an SOC, analysts work to improve an organization’s security posture by responding to evidence that unusual things are taking place in its IT environment. They must figure out what’s going on as quickly as possible so that they can put a stop to malicious activities before they cause real harm.
Most SOCs rely on security information and event management (SIEM) technologies. These are systems that gather data from many different places, including end user devices, networking equipment, firewalls and other security solutions. A SIEM is like a giant library, where security analysts go to browse or sort through information in order to discover patterns of unusual activity. The analysts rely on logical analytic skills including deductive and probabilistic reasoning to connect the dots, determining which of the SIEM’s alerts are most likely to indicate actual attacks, and which among these pose the severest threats.
Security analysts’ jobs are challenging. There’s a great deal of critical thinking involved, as well as close collaboration within teams. Cybercriminals are constantly cultivating new strategies and inventing new tactics, so security analyst must always be learning about the latest threats if they are to stay ahead of the attackers.
Though the number of people working in an enterprise security operations program typically varies depending on the size of the company, most SOC employees serve in the Tier 1 analyst role. Tier 1 SOC analysts serve on cybersecurity’s front lines. They’re responsible for the initial triage and analysis of alerts that the organization’s security tools generate, as well as for taking calls from end users with security questions. Tier 1 analysts look for trends and anomalies in SIEM log data to help them identify the incidents that are most worthy of further attention and deeper scrutiny.
When Tier 1 analysts need additional support from more senior cybersecurity professionals, they turn to Tier 2 and 3 analysts. These are experienced SOC analysts with deeper expertise in incident handling, correlating information from multiple data sources, or specific areas like malware identification, containment strategies, or threat intelligence.
Depending on the nature of the event in question, security analysts may also call in external specialists in incident response, threat hunting, penetration testing, or forensics. Or, in larger programs, such specialists may be part of the core SOC team.
Building a top-performing SOC is the key to maintaining a highly effective security operations program. Here at BTB, we’re proud to have developed our own proprietary modular technology platform that enables us to identify threats quickly and eliminate them at speed. Called RADAR, it’s customized to gather data from the endpoint devices and security solutions that are already in place in our clients’ environments. This means that we don’t face the same interoperability challenges that bedevil single-vendor SIEM platforms.
RADAR relies, in part, on BTB Threat Analysts and machine learning in order to constantly improve its ability to determine whether or not alerts are evidence of truly malicious activity. Because RADAR is always “learning” from additional data about your environment, its ability to detect attacks gets better and better over time. This allows our analysts to spend less time responding to false positive alerts, and more on higher-value investigative and creative work.
Our SOC also benefits from a unique company culture. We prize diversity — of cognitive and learning style as well as background — and constantly strive to hire analysts with strong logical and analytic skills with a variety of previous work experiences and educational histories. And we focus on creating a welcoming, collaborative environment where anyone with the desire to excel can learn, grow professionally and become a better security analyst.
Are you interested in learning more about how a top-performing security operations center works? Want additional information on how our managed detection and response clients stand to benefit from 24x7x365 cybersecurity monitoring? Contact us to request a free, no-obligation demonstration, today.
