What Even Is a SOC?
The security operations center (SOC) is the central command center for security data and systems across the enterprise—from cloud to distributed to mainframe. Think Battlestar Galactica’s Command Central. 🛸
The SOC’s role in enterprise security software is to:
- Proactively prevent security incidents.
- Reduce dwell time and breach impact by quickly detecting and reacting to incidents.
- Analyze and investigate incidents to identify the source and impact.
- Help to remediate security incidents as quickly as possible.
- Report on security incidents for auditing purposes and keep pace with compliance management.
- Quickly share an enterprise’s security posture with key stakeholders.
This requires a concerted effort around people, data, and processes within an organization.
Why Does It Matter?
There is a plethora of security-related data in any one enterprise. It is no wonder the average time to discover a breach is 197 days. The SOC is fundamental to optimizing and speeding up threat detection and remediation.
This helps to ensure a trusted customer experience, retain customers, meet regulatory requirements, and prevent expensive data breaches.
The main goal: Don’t let an event become an incident.
How Do You Build It?
Is your SOC mature? Are you trying to further develop your SOC?
Let’s discuss a few key points around SOC strategy:
- Define business goals and risk preferences that inform the SOC strategy. This will help determine both your foci for data consumption and analysis and the framework for your remediation or incident response plans.
- Map your SOC infrastructure to regulatory requirements. Compliance is now part and parcel of information security efforts.
- Build data flows to include all relevant data in the SOC and maintain a clear line of sight across the enterprise. This typically includes network and endpoint monitoring, breach detection solutions, and security information and event management (SIEM) tooling.
- Leverage automation and intelligence to filter suspicious activity and reduce the cost of analysis. SIEM tools, for instance, charge by the number of analyses conducted on log and event data. Any technique that limits real-time analysis, reducing both cost and manual effort, will benefit the team.
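As an added illustration of the last point (example code, not part of the original post), the collector below drops allow-listed benign noise before it reaches the SIEM and collapses identical events into one record with a count, so the SIEM analyzes fewer events without losing the suspicious ones. The event format, the sample lines and the benign patterns are constructed assumptions and would be tuned per site.

```python
import re
from collections import defaultdict

# Constructed sample feed (not from the original post): syslog-style lines
# standing in for the mixed event stream a SOC collector would receive.
RAW_EVENTS = [
    "2024-03-01T10:00:01 host=web01 app=sshd msg=Accepted publickey for deploy",
    "2024-03-01T10:00:02 host=web01 app=cron msg=CMD (/usr/bin/backup)",
    "2024-03-01T10:00:03 host=web01 app=sshd msg=Failed password for root",
    "2024-03-01T10:00:04 host=web01 app=sshd msg=Failed password for root",
    "2024-03-01T10:00:05 host=web01 app=sshd msg=Failed password for root",
    "2024-03-01T10:00:06 host=db01 app=healthcheck msg=OK",
    "2024-03-01T10:00:07 host=db01 app=audit msg=User admin granted ALTER on table",
]

# Known-benign noise that need not be billed by the SIEM. Assumption: these
# patterns are tuned per site; an over-broad pattern would hide real signal.
BENIGN_PATTERNS = [
    re.compile(r" app=healthcheck msg=OK$"),
    re.compile(r" app=cron msg=CMD \(/usr/bin/backup\)$"),
]

EVENT_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) app=(?P<app>\S+) msg=(?P<msg>.*)$")


def prefilter(events):
    """Drop allow-listed noise and collapse identical events into one record
    with a count and first-seen timestamp. Returns (forwarded, dropped_count)."""
    counts = defaultdict(int)
    first_seen = {}
    dropped = 0
    for line in events:
        if any(p.search(line) for p in BENIGN_PATTERNS):
            dropped += 1
            continue
        m = EVENT_RE.match(line)
        # Unparseable lines are forwarded as-is rather than silently lost.
        key = (m["host"], m["app"], m["msg"]) if m else (None, None, line)
        first_seen.setdefault(key, m["ts"] if m else None)
        counts[key] += 1
    forwarded = [
        {"host": h, "app": a, "msg": msg, "count": n, "first_seen": first_seen[(h, a, msg)]}
        for (h, a, msg), n in counts.items()
    ]
    return forwarded, dropped


if __name__ == "__main__":
    records, dropped = prefilter(RAW_EVENTS)
    print(f"forwarded {len(records)} records, dropped {dropped} noise events")
```

Keeping the count and first-seen time in each collapsed record preserves the burst signal (three failed root logins here) that a plain deduplication would discard.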
But Are You Forgetting Something?
70% of today’s corporate data resides on the mainframe, including highly sensitive and regulated data. That data has been collected over 50-plus years, and likely does not have the same level of security in place as the rest of the organization. The value, volume, and tenure of mainframe data make it a lucrative target.
By now, you should be asking yourself, “Does my SOC include a view of the mainframe?” It should! The only way to truly monitor and protect the entire enterprise is to incorporate key data from across the hybrid IT environment.