The SOC Journey
Network perimeters have expanded. Recent trends such as work-from-anywhere, hybrid cloud, and edge computing have accelerated digital transformation for many organizations. As more users and devices connect to networks from virtually anywhere, the volume of data multiplies overwhelmingly and increases businesses’ security risk posture.
Security Operations Centers (SOC) can help to mitigate many of these risks. Staffed 24/7 with security professionals, SOCs monitor networks to identify and handle incidents that could represent a threat. Organizations with successful SOCs can respond quickly to threats and minimize the impact of cyberattacks.
To be effective, SOCs should perform like clockwork. Here is an overview of the journey followed by comprehensive SOCs:
- Alert notification: Everything starts with the security tools detecting an event. Security Information and Event Management (SIEM) configurations play a relevant role in this first step. Non-optimized SIEM platforms constitute a vulnerability for organizations due to the high level of security noise involved. The better the SIEM platform is configured and the quality of the logs feeding it, the better the alerts received.
- Information gathering: Security analysts should consult run books and applicable use cases to identify true threats. If it is a false positive, the analyst should close the alert and use the case to feed the organization’s run book.
- Investigate Issue: True threats have different levels of prioritization based on their type and severity. Threat analysts and security SMEs are engaged depending on the priority level. The SOC team could also use multiple tools to understand risks and the organization’s exposure level.
- Threat analysis: Escalated events require additional techniques and strategies to gather information. Threat analysts can perform historical investigations of similar attacker IP addresses or network sources for a better understanding of the event. Ticket mining and lessons learned from past threats are also options in the toolkit.
- Threat hunting: For events with a higher priority, analysts could perform proactive reviews to discover potential threats not identified by established SIEM use cases. Threat intelligence sources could include current security trends, information ingested into the SIEM, and even external intel logs. The reporting of findings will be used to develop new SIEM use cases.
- Ticketing system integration: After gathering relevant information to prepare the remediation recommendations, the SOC team leverages the organization’s ticket system to report the event. The remediation team uses the information to respond to the threat quickly
Having a disciplined SOC in today’s technology landscape is a no-brainer; however, building and maintaining a quality, insourced SOC is expensive, not to mention the effort required to find, train, and retain the right security talent to monitor the tools and trigger threat responses. Lumen Virtual Security Operations Center (vSOC) services provide customers with 24/7 security event monitoring and incident handling to detect and analyze cybersecurity threats and incidents and help them align with regulatory compliance requirements. Our vSOC team follows the journey described above to augment your detection and response security strategy and empower you with practical remediation recommendations while minimizing labor and CAPEX expenses. Find more information about Virtual SOC from Lumen here.
This content is provided for informational purposes only and may require additional research and substantiation by the end user. In addition, the information is provided “as is” without any warranty or condition of any kind, either express or implied. Use of this information is at the end user’s own risk. Lumen does not warrant that the information will meet the end user’s requirements or that the implementation or usage of this information will result in the desired outcome of the end user. This document represents Lumen products and offerings as of the date of issue.