RSA blog: Considerations Towards Enabling A Virtual SOC Environment

The role of the security operations center (SOC) is changing in a more distributed world. As businesses continue to support remote operations and staff, they need to start thinking about building out a virtual SOC environment to manage their infrastructure long-term.

In the days before the health crisis, physical SOCs were usually found near the data center in the organization’s headquarters. Sometimes, they were more showplaces for management to bring customers by and reassure everyone that the company was serious about security. Well, we need them more than ever, especially as the threat models have changed as staff now works outside of the physical office walls and uses more cloud-based applications and services.

In the past few years, managed security service providers (such as Dell’s SecureWorks) have come up with cloud-based SOCs used to monitor networks and computing infrastructure – no matter where they’re located. The virtual SOC takes this a step further, and provides a wide range of services such as patching and malware remediation along with threat intelligence and defense. Some of these providers are rebranding their offerings, calling them SOC-as-a-Service.

There are several things to consider in building the right virtual SOC. Some of these choices are not as obvious and will require some effort to plan appropriate actions.

First, you must decide how this virtual SOC is going to augment your existing security infrastructure. If you already have a physical, on-premises SOC, will you need to staff it as your organization moves back into the office once you make your SOC completely virtual? Do you need additional technologies to monitor threats that originate in your collection of cloud apps? How will these interact with your existing tools to identify and resolve these threats? How will you define and monitor normal network behavior and keep your eye on the changing work environment?

As you start thinking about this, review the workflow and processes for when a security event does happen: how is it described by the SOC staff or tool, and how is it ultimately resolved? For example, before the pandemic, you may not have had a very rigorous bring-your-own-device policy. Or you may not be operating the most thorough endpoint agents and now need to capture all kinds of remote events. Both of these probably need some immediate attention.

That brings me to my next point: Take ownership of your cloud apps. This is something I wrote about previously. In that blog post, I touch on things like evaluating risk-based access, extending network visibility to the cloud and figuring out ways to manage these applications. Chances are, you will need to consider changes to your identity and authentication infrastructure if you have multiple cloud storage services and after an audit has been completed of the cloud portfolio and the existing security controls. This may even lead you towards thinking about using a cloud access security broker.

Thirdly, settle on a particular perspective before you go looking for the right virtual SOC provider. One of the biggest challenges with a virtual SOC is that vendors come from very different security perspectives and origins that span the security marketplace. If you are going to shop around for a virtual SOC provider, know what you’re lacking and whether the SOC vendor can complement rather than compete with your current toolset. For example, you may have a SIEM in place, but does it have the right level of endpoint protection to handle the remote population? Or, you may have a network operations center (NOC) that is designed to support a centralized staff but doesn’t give visibility into the work-from-home infrastructure. Or, your tools may not be strong at resolving remote threats when they occur. As you can see, this isn’t such a simple series of questions to answer, but it’s important to have direction as you seek the right vendor.

Finally, decide whether a virtual SOC is a near-term fix, or will become the de facto mode of future operations. Given the progress of the current disruption, I think organizations will continue working from home for many months.

I must come clean and tell you that I have flipped my original opinion of SOCs. Five years ago, I wrote that SOCs may be going the way of the dodo bird and cynically suggested that one could end up in the Smithsonian museum. Contrary to that notion, I now feel that SOCs – especially virtual ones – are needed more than ever.
