The COVID-19 crisis has thrown the global economy into a tailspin of changes. While there have been massive changes in many industries — for better or worse — technologies that enable digital transformation in general, and remote work and learning in particular, have seen an exceptional peak.
Like the pandemic, this transition towards a digital-first economy has created a ripple effect that impacts technology sub-sectors, the information security sector in particular. On the one hand, more workloads are being moved to the cloud and require protection. On the other hand, on-premises security is no longer a viable strategy on its own.
This is where hybrid and virtual SOCs come in, offering strategies for remote security fit for the post-COVID-19 age.
What Is a Security Operations Center?
A security operations center (SOC) is an organizational grouping designed to centralize IT security practices, tools, and staff. Organizations create SOCs to promote consistent and effective monitoring, evaluation and response to security events and policies.
Each SOC houses a team that works to detect, analyze, identify and mitigate threats. This team also works to establish security policies, enforce security protections and train staff on best practices. SOC teams often consist of security analysts, engineers, IT response staff and managers.
Responsibilities of the SOC Team
The responsibilities of the team vary by organization and composition of members. However, there are a few basic responsibilities that are always present.
- Investigate, contain and prevent suspicious activities: The SOC team's primary responsibility is to prevent, investigate and contain suspicious events. While emphasis is placed on preventing threats, SOC teams are also responsible for detecting and identifying suspicious events. Teams use centralized monitoring tools, such as security information and event management (SIEM) solutions, to visualize system activity and correlate event data. Any alerts these solutions raise are investigated and, if action is needed, the team responds. After the response, SOC teams are also responsible for improving systems based on resolved incidents. This can include modifying policies, incorporating new threat intelligence into tools, or adding layers of security.
- Reduce downtime and ensure business continuity: SOC teams are responsible for keeping downtime to a minimum and ensuring business continuity. The longer an organization's systems or services are down, the more potential revenue is lost, so speed is vital. These responsibilities involve having backups and failover systems in place that can be activated quickly. Teams should keep backup data and recovery systems in multiple locations to prevent single points of failure, and backups need to be taken regularly.
- Support compliance and auditing: SOC teams are responsible for ensuring that compliance regulations are met and auditable. Any security policies or measures that are put in place must meet compliance standards. This requires that teams both understand compliance guidelines and ensure that data is handled and stored properly, including logs. SOC teams may also perform periodic audits of systems and data to identify overlooked vulnerabilities and to confirm that systems are configured as intended. These audits can help prove that compliance measures were taken and reduce liability in the event of an incident.
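As an added illustration that is not part of the original article, the kind of event correlation a SIEM performs in the first responsibility above: constructed SSH authentication log lines are parsed, and an alert is raised when one source accumulates repeated failed logins for a user within a short window and then succeeds, the sort of alert an analyst would then investigate. The log lines, the line format, the threshold and the window are assumptions made for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample auth log lines (not taken from any real system).
SAMPLE_LOG = """\
2020-09-01T08:00:01 sshd[101]: Failed password for admin from 203.0.113.7
2020-09-01T08:00:03 sshd[101]: Failed password for admin from 203.0.113.7
2020-09-01T08:00:05 sshd[101]: Failed password for admin from 203.0.113.7
2020-09-01T08:00:06 sshd[101]: Failed password for admin from 203.0.113.7
2020-09-01T08:00:09 sshd[101]: Accepted password for admin from 203.0.113.7
2020-09-01T08:15:00 sshd[102]: Failed password for alice from 198.51.100.4
2020-09-01T08:40:00 sshd[103]: Accepted password for alice from 198.51.100.4
"""

# Assumed line format: "<timestamp> <process>: <Failed|Accepted> password for <user> from <src>"
LINE_RE = re.compile(r"^(\S+) \S+ (Failed|Accepted) password for (\S+) from (\S+)$")

def parse(log_text):
    """Turn raw lines into (timestamp, outcome, user, source) events."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable lines are skipped; a real pipeline would count them
        ts, outcome, user, src = m.groups()
        events.append((datetime.fromisoformat(ts), outcome, user, src))
    return events

def correlate(events, threshold=3, window=timedelta(minutes=5)):
    """Alert when a (source, user) pair has >= threshold failures inside `window`
    and then a successful login: repeated failures followed by success."""
    recent_failures = defaultdict(deque)  # (src, user) -> timestamps of failures
    alerts = []
    for ts, outcome, user, src in sorted(events):
        fails = recent_failures[(src, user)]
        while fails and ts - fails[0] > window:
            fails.popleft()  # expire failures that fell outside the window
        if outcome == "Failed":
            fails.append(ts)
        elif len(fails) >= threshold:
            alerts.append({"src": src, "user": user, "failures": len(fails),
                           "success_at": ts.isoformat()})
            fails.clear()  # one alert per burst; analyst takes it from here
    return alerts
```

The single alice failure followed by a success 25 minutes later falls outside the window and produces no alert, which is the point of the window: the rule flags a burst, not an ordinary mistyped password.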
A Comparison of SOC Models
There are three main SOC models that organizations can employ. The model you choose depends on your environment, your internal resources and your specific security goals.
1. Internal SOC
Internal SOCs are on-premises, physical command centers, staffed by in-house professionals. These SOCs may be responsible for an entire organization's security or may be a command center for distributed teams.
Typically, internal SOCs are adopted by enterprise-level organizations with significant security resources and staff with extensive experience. These organizations have the budgets and staff to provide 24/7 monitoring and response.
The benefit of internal SOCs is complete control over your operations and data. With an internal team you do not have to worry about third-party vendors withholding or mishandling data. You also have greater control over exactly which policies and practices are put into place and when.
The disadvantage of internal SOCs is the cost of establishing and maintaining your team and tools. Finding and keeping highly trained staff can also be a challenge, as can staffing your center around the clock.
2. Virtual SOC
Virtual SOCs are remote SOC teams. These teams can be either distributed in-house professionals or third-party services that let you outsource security operations. If staff are in-house, they operate the same way as an internal team but are distributed across locations. This can give you physical security coverage for more offices or let you better leverage expertise without relocating staff.
The benefits of in-house virtual SOCs include the ability to distribute teams across time zones for greater coverage, and familiarity with cloud-based or remote resources and tooling. The disadvantages include possibly needing to secure more endpoints, more complex communications and harder coordination of efforts.
If teams are from third-party providers, the organization pays a subscription fee for managed security services. These services can help organizations with limited space, staff or resources ensure that their security is properly managed. Virtual SOC providers can remotely manage your security tooling and can provide dedicated monitoring, detection and response.
The benefits of virtual SOC providers include expert support, 24/7 coverage, access to enterprise-grade tooling and threat intelligence, and low upfront costs. The disadvantages include less control over your data and system access, reliance on third parties in the event of an incident, and vendor lock-in.
3. Hybrid SOC
Hybrid SOCs combine internal teams, either physical or remote, with outsourced expertise. This structure enables you to retain most of your security operations in-house while supplementing with external services. This can grant access to higher quality tooling, specialized skill sets and knowledge or increased coverage during off-hours for lower costs.
Hybrid SOCs can also enable organizations to outsource lower-level tasks, such as monitoring, while in-house teams focus on more complex tasks, such as incident response or threat hunting. This helps ensure that resources are used wisely and that experts aren’t wasted on tedious tasks.
Virtual and Hybrid SOCs are No Longer Optional
Many SOCs were already responsible for managing and securing distributed devices on their networks before COVID-19 hit. Afterwards, this number ballooned as organizations worked to adapt operations to enable remote work. Just like other employees, security staff were also forced to work from home. This meant that many internal SOCs had to become familiar with remote practices and operations almost overnight.
For those teams that were physically bound, this created a significant challenge. The authentication and network security required to allow remote access, much less remote monitoring and control, is vastly different from that of a closed system. Additionally, team members may not have the connectivity or resources needed to operate existing tooling from mobile workstations.
In contrast, those who were already operating with hybrid teams or using virtual SOCs had to make significantly fewer changes. These organizations already had infrastructure in place to remotely monitor and manage devices.
If organizations were lucky and responded effectively, they have adapted strategies smoothly, incorporating virtual teams and practices. Others have had to sacrifice either security or productivity due to lack of resources.
This inability to successfully adapt may mean the end of some organizations. For others, COVID-19 is a wake-up call to the importance of flexibility and the improved security and reliability that hybrid and virtual SOCs can provide.