SOC architecture is a vital component to consider when building an effective and reliable SOC. It includes the consideration of SOC locations and centralization, SOC architecture and organizational size, SOC staffing, and SOC mixing up with a cloud. The subsequent sections delve into these essential points in great details.
In the globalized world today, businesses have been expanded all around the world with the power of newly emerging technologies. Multinational corporation as having branches in at least one country other than its home country is seeking for robust security within its all facilities in order to ensure the protection of its critical data assets and meet compliance requirements. Under such circumstances, building a separate SOC for each facility can be expensive for these organizations. Rather, many enterprises do not deploy a fully functioned 24/7 SOC and, therefore, outsource its various features. Organizations can use different SOC architectures based on their needs. SOC functions can be centralized, embedded, or dispersed. Presently, most multinational companies have centralized their SOCs into a single center (61% in accordance with Future SOC: SAN 2017 Security Operations Center Survey). This survey also demonstrates that 28% of organizations have their SOC functions dispersed among distinct security and response groups. Whereas, 25% of enterprises have SOCs both at a central location and distributed regionally. Lastly, 17% of companies fall into the category who put all their SOC features into the cloud.
Generally, the size of each organization can be different in terms of its number of employees, contractors, and consultants. SOC architecture is designed by taking organizational size into consideration. It is imperative to make sure that SOC has enough staffing to ensure a reliable security for a particular organizational size. Lack of coherence between organizational size and SOC architecture will result in poor SOC performance that might lead to security incidents. However, organizational size with workforce under 10,000 doesn’t affect the SOC size. According to a Future SOC: SAN 2017 Security Operations Center Survey, the general SOC size for organizations having a workforce 10,000 or fewer should be five Full-Time Equivalent (FTE) employees’ positions.
To determine the size of the SOC, the organizations usually use following parameters. Duplication Necessary: This parameter determines the potential needs for different types of SOCs in the geographical areas. For instance, a SOC may be built for the protection of data specifically associated with European Union citizens. Performance Parameters: Performance parameters measures how many security professionals are required to perform an effective detection, incident response, forensics duties, and a number of hours spending such as 10 to 4 or 24/7. Capability Dependence: The SOC can perform multiple functions in the organization. For example, a SOC can be built especially for compliance purposes as it has paramount importance for each enterprise today. Some companies require a partial SOC and outsource most of its functions for budget saving approach, though reduces SOC capability. On the other hand, many businesses look for heavily customized and all in-house SOC. Budget: Cost-effective SOCs need less SOC staffing. If most of SOC functions are outsourced, the company does not need to deploy a fully-functioned 24/7 SOC. In this way, the company has less budget to spend on SOC. On the contrary, if an enterprise can dedicate a full budget for SOC, then SOC staffing will be increased automatically to perform 24/7 functions effectively. Under such circumstances, FTE employees may be working in shifts.
Although many companies deploy an in-house SOC, several other organizations have their SOCs cloud-based that are managed by one or more cloud providers. These cloud providers are mostly Managed Security Service Providers (MSSPs). Mostly, companies look for in-house SOCs if they need fewer capabilities. On the other hand, multiple capabilities compel enterprises to mix their SOCs up with the cloud. According to a Future SOC: SAN 2017 Security Operations Center Survey, cloud computing, currently, is the part of 46 percent of SOC infrastructures. The survey also discloses the leading capabilities that companies are looking for. These leading capabilities include digital forensics, legal evidence collection, e-discovery, threat research, and security monitoring and detection.
As a result, it is evident that considering SOC architecture is indispensable for building a SOC. SOC architecture, in fact, creates the balance between organizational security needs and number of SOC staffing to fulfill that needs. For example, if your SOC staffing is inadequate to deal with your current organizational size, the potential threats may be imminent. Therefore, all SOC architectural critical elements as discussed in this article must be considered when building an effective SOC.
During an incident response, malware analysis plays a vital role in helping the security team in understanding the extent of the incident and finding the affected systems.
GDPR is very well in place from May 25th. Whether your SIEM system is GDPR compliant or not is a question which needs immediate redressal.