WatchGuard Blog

Modern SOCs and MDR services V : Modern SOC Key Functions

At a high level, the SOC's core mission remains to help the enterprise manage cyber risk, but what has changed is the sophistication of cyber threats and the mechanics of the SOC to operate. To successfully protect and respond to threats, SOCs need deep visibility into organization activity and automate key but repetitive functions while freeing analysts to focus on more valuable functions such as threat hunting and vulnerability management. 

Key Functions Performed by a Modern SOC 

1- Preventative security:

This step includes all actions to complicate the success of an attack and force the attacker to abandon, including regularly maintaining and updating existing systems, updating firewall policies, patching vulnerabilities, application whitelisting, and blacklisting, among others. 

2- Data lake normalization and management:

The modern SOC collects, maintains, and regularly reviews events and logs of networks, users, endpoint activity, and communications in the organization. This data helps threat hunters to uncover undetected threat actors and is used for remediation and forensics. 

3- Continuous proactive monitoring and suspicious activity detection:

 Tools used by the modern SOC monitor the activity 24/7 and flag any suspicious activities. Monitoring around the clock allows for identifying emerging threats, giving them the best chance to prevent or mitigate harm. Monitoring tools automate behavioral analysis, minimizing the amount of triage and analysis humans must domains. 

4- Indicators of compromise and attack triage, prioritization, and correlation:

 Supported by automated security analytics (ML/ AI), SOC analysts look at each alert and indicator of attack, discard any false positives, and determine the criticality of threats. This allows them to triage emerging threats appropriately, handling the most urgent issues first. 

5- Threat hunting:

It is an analyst-centric process that enables organizations to proactively uncover hidden, advanced threats missed by automated preventative and detective controls, to stop them before the damage is done, and automate mechanisms to trigger indicators of attack to be investigated to detect the threat earlier. 

6- Root cause investigation:

In the aftermath of an incident or during the attack, the modern SOC is responsible for figuring out exactly what happened – when, how, and why. During this investigation, modern SOC analysts use logs, events, threat intelligence, and security analytics to help them respond efficiently and prevent similar problems. 

7- Threat response:

As soon as an incident is confirmed, the modern SOC can act as a first responder, performing containment actions like isolating endpoints, terminating harmful processes, deleting files, and more. The goal is to respond while reducing the impact on business continuity. 

8- Remediation and recovery:

 In the aftermath of an incident, the modern SOC will work to restore the systems. This may include wiping and restarting endpoints reconfiguring systems, or in the case of ransomware attacks, deploying viable backups to circumvent the ransomware. 

9- Lessons learned:

While often overlooked, lessons-learned sessions are crucial to improving an organization’s security posture and readiness to face security incidents in the future. They help evaluate the organization’s security risks and incident response performance, identify challenges, and improve incident response capabilities in the future. 

10- Optimization of the security operations model:

An effective defensive strategy requires an adaptive security architecture that enables organizations to enact optimized security operations, increasing efficiency through integration, automation, and orchestration while improving the organization’s security posture. 

Technology enables SOC functions to scale 

Each of the SOC functions is critically dependent on technology. The right technological approach will significantly influence the organizational capabilities and cost when minimizing the time to detect and respond to threat actors. Security operations teams ideally tend to demand a modern and highly integrated Cloud-based platform that delivers all of the following: 

  • Centralized visibility and search: Centralized search into all data from across the distributed IT infrastructure, including immediate access to security alerts and complete telemetry to accelerate threat investigation and incident response with real-time visibility. 
  • Holistic threat analytics: The application of artificial intelligence, TTP- based scenario analytics, and deep contextual analytics across the forensic data to detect advanced threats and accurately prioritize all threats across the entire attack surface. 
  • Incident case management: Capabilities enabling security teams to engage in collaborative and efficient workflows with a centralized and secure case management platform for managing and accelerating threat investigation and incident response efforts. 
  • Task automation: The automation of routine and time-consuming tasks to support threat investigation and incident response, including automated execution of mitigations and countermeasures for threat containment and neutralization. 
  • Operational metrics: The ability to easily capture metrics and effectively report on the business’s key performance indicators (KPIs) and service-level. agreements (SLAs). 

You can find all the information needed to start modernizing a security operations team in the e-books: Modern SOCs and MDR services: what they are and why they matter and Empowering the SOC: Security Operations Maturity Model

If you would like to learn more about modern security operations centers, don't miss our series of articles: