The ubiquitous spread of the Internet and Internet-enabled devices has sped up communication but has commensurately introduced crimes perpetrated over cyberspace. Cybercrime is a major concern to governments and private firms the world over. Its many facets include malware, spyware, Denial of Service (DoS), cryptomining and banking malware, Trojans, botnets, rootkits, viruses, worms, etc.
The security protection strategies a company employs determine whether there is business continuity after a data breach or whether it remains totally handicapped after an incident. The Security Operations Centre (SOC) provides the means through which organizations can detect, triage, analyze and report cybersecurity incidents, as well as prevent further damage to systems and future occurrences.
There is no universally accepted standard for building SOCs. Organizations build their own models based on the complexity of their networks. A typology of a generic SOC comprises automated threat intelligence, monitoring, filtering, vulnerability assessment and forensic analysis modules. In future, SOCs will make greater use of Artificial Intelligence and machine learning tools for detection, analysis, reporting and remediation in the face of a rising number of complicated cyberattacks and the huge number of Internet of Things (IoT) devices.
The Global Diffusion of the Internet (GDI) and the spread of telecommunication systems have made online transactions simpler but they have also come with their own challenges of increased exposure to sophisticated crimes within the cyberspace.
Governments and private corporations have been targets of cyberattacks and related threats in the past few years. Cybercriminals work round the clock to disrupt the normal operations of corporations, whether for fun, to test the efficacy of their software, or to extort a ransom before releasing critical data back to its rightful owners. A number of cases of cyber espionage, cybercrime and hacktivism have occurred in recent years, and this trend is likely to continue into the future.
Cybersecurity professionals continuously face the challenge of developing countermeasures to mitigate the negative effects of threats originating in cyberspace. Effective countermeasures help to ensure continuity of operations and cyber-resiliency by staying a step ahead of the cyber adversaries. Organizations have therefore set up Security Operations Centres (SOCs) that assist in predicting, detecting, triaging, analyzing, and protecting against cyberthreats through well-defined mechanisms.
This paper assesses the role of the SOC in the challenging world of cybercrime. Section 2 discusses the SOC in detail, including its main functions and the design requirements. Section 3 gives the conclusions of the discussion. Section 4 lists the references that have been used to produce this paper.
2. Related Literature
2.1. Cybercrime and Security Operations Centre (SOC)
The vulnerability of government installations, private corporations and individual information technology (IT) users to cybersecurity attacks has been increasing each year. Computer hackers work round the clock to steal data and paralyze essential services, either for fun or to obtain a ransom. Society today is heavily dependent on IT for online digital payment systems and other retail services, such as registration for courses in schools and colleges, club membership payments, hospital records, air ticketing information, etc. All these procedures leave digital traces that can eventually be used by cybercriminals to conduct their nefarious acts.
In their work, Schinagl et al. (2015) observe that many public institutions and even private individuals do not have enough money to modernize their IT systems and, in the process, remain more vulnerable to cyber-related crimes than private companies do. Symantec (2018) reveals that most cybercriminals who had been using ransomware to generate revenue have lately shifted focus to cryptomining as an avenue to steal computing power from consumers and clog their central processing units (CPUs). It further indicates that the increase in the number of Internet of Things (IoT) enabled devices and the spread of malicious coin mining led to a sharp rise in overall IoT attacks of over 600% in 2017.
Global Technology Audit Guide (2016) also recognizes that there can be several reasons why cybercriminals perpetrate their actions, including but not limited to financial gain, theft of critical data, misuse of data, hacktivism/activist causes, denial of service, and disruption of critical infrastructure or other important services of an organization or the government. One countermeasure to the increasing severity of cyber-related crimes is to build a Security Operations Centre (SOC).
Zimmerman (2014) attempts to define a SOC primarily by what it does, namely Computer Network Defense (CND), and goes on to note that a number of terms have been used to refer to a team of experts assembled to monitor, detect and respond to CND incidents. Backman (2015) concurs with Zimmerman’s approach, and argues that the rapid development of the digital environment has led to the emergence of different terminologies for organizations performing cybersecurity incident handling and response. Some of the commonly used and often confused terms are:
- Computer Security Incident Response Team (CSIRT)
- Computer Incident Response Team (CIRT)
- Computer Incident Response Centre (or Capability) (CIRC)
- Computer Security Incident Response Centre (or Capability) (CSIRC)
- Security Operations Centre (SOC)
- Cybersecurity Operations Centre (CSOC)
- Computer Emergency Response Team (CERT)
Given these name variations and the lack of a standard nomenclature, cybersecurity professionals prefer to use the acronym SOC, which denotes a team of analysts charged with the responsibility of detecting, triaging, analyzing, responding to, reporting on, and preventing cybersecurity incidents (Zimmerman, 2014).
2.2. Justification for a Security Operations Centre (SOC)
The need for SOCs in today’s age of cyberspace cannot be over-emphasized, going by research on the effects of cybercrime on national economies. For example, Accenture (2017) conducted a study on the cost of cybercrime across various industry sectors, and the findings were rather intriguing. The report highlighted that the highest annualized cost of cybercrime was witnessed in the financial services sector, followed by utilities & energy, aerospace & defense, and technology & software, in that order. See Table 1.
| S/No. | Sector | Average Annualized Cost of Cybercrime ($ millions) |
|---|---|---|
| 2 | Utilities and energy | 17.20 |
| 3 | Aerospace and defense | 14.46 |
| 4 | Technology and software | 13.17 |
| 7 | Industrial & Manufacturing | 10.22 |
Table 1: Annualized Cost of Cybercrime in the World (Accenture, 2017)
Generally, smaller companies suffer much higher annualized costs of cybercrime than bigger organizations do. This is further evidenced in the Accenture (2017) report, where smaller firms suffer more from costs associated with malware, social engineering, theft of devices, phishing and web-based attacks, while bigger firms suffer more from malicious code, malicious insiders and denial of service. Regardless of size, firms remain vulnerable to cyberattacks, hence the need to build a resilient SOC to monitor, detect and prevent such incidents from disrupting operations or causing data breaches. To further reiterate the need for SOCs, Backman (2015) avers that the digital domain in the world today has witnessed huge connectivity not only between countries, but also between private entities, military and civilians, nationally and internationally. According to her argument, this scenario brings great advantages but also leads to greater vulnerabilities from all directions and in different forms.
Ashford (2014) mentions that cybersecurity is not only a concern for governments protecting their critical infrastructure and military networks; the defense contracting community is also involved, since it forms the first line of defense whenever cyberattacks are detected. Because of this intricate web of interactions, some hackers oscillate between government, military and corporate positions as they seek the better paying entity. Hacking has thus become a full-time, well-paying job. Countries resort to developing National Cybersecurity Operations Centres (NCSOCs) to counter threats and vulnerabilities at Internet-facing gateways (Ashford, 2014).
2.3. Functions of the Security Operations Centre (SOC)
There is a growing volume of enterprise data in the world today and a deluge of information security-related messages that can overwhelm IT personnel. Enterprise systems are varied and may comprise firewalls, antivirus software, access control, identity management, intrusion detection systems, database systems, etc. (Kelley & Moritz, 2006). The complexity of enterprise systems, and the certainty that this complexity will persist, has forced enterprises and governments to re-think how best to manage their data and protect it from breaches, which have been on the rise in the recent past. As a result, information security has become a priority and not an option (Schinagl et al., 2015) within corporations and governments. The management of fragmented security-related information and enterprise data is addressed through a real-time centralized monitoring system called the Network Operations Centre (NOC). Closely akin to this is the SOC, which provides a real-time view of the health status of a network (Kelley & Moritz, 2006).
There are many variants of the SOC but, as Schinagl et al. (2015) rightly observe, a SOC can only be effective for “cyberthreat monitoring, forensic investigation, and incident management and reporting under the umbrella of an overall security operations environment and executive support”. This implies that without management support, a SOC cannot be used optimally to provide defensive countermeasures. In their work, Tatsuhiko et al. (2018) equally note that countermeasures cannot effectively rely on one type of security product, and that defensive robustness must be continually enhanced, which calls for combining a multiplicity of products. This assertion underscores the fact that as the Internet of Things and IT-enabled devices proliferate, SOCs will become more complex. This will in turn bring more complicated infrastructure, a larger number of IT personnel, and more processes to manage the SOCs of the future.
Trost (2016) summarizes the work of any SOC as to “monitor, detect, analyze, triage and respond” to cyberthreats and security vulnerabilities. Marchany (2015) goes a step further, spelling out the specific functions of a SOC and introducing a business dimension. He asserts that a SOC is established for “detecting network-based attacks, detecting host-based attacks, eliminating security vulnerabilities, supporting authorized users and providing tools for minimizing business loss”.
Borrowing from Schinagl et al. (2015), the role and functions of a SOC can be illustrated pictorially as in Figure 1, a generic typology with intricate processes, infrastructure (technology), SOC analysts and penetration testers. Thus every SOC comprises, and must balance, the three IT project components of technology, people and processes.
Figure 1: SOC Generic Model (Schinagl, 2015)
The Chief Information Security Officer (CISO) of an organization sets the goals that define the generic SOC model (typology) above. The model also includes a secure service environment (the security-by-design function), where business impact and risk analyses are carried out to establish the Confidentiality, Integrity and Availability (CIA triad) requirements of the information or data concerned (Schinagl et al., 2015).
Kelley & Moritz (2006) summarize the role of a SOC as being “an intelligent brain gathering data from all areas of network, automatically sifting through alerts, prioritizing the risks and preventing attacks before they can be executed and cause costly damage”. Schinagl et al. (2015) agree with Kelley & Moritz (2006), identifying five main functions of the SOC:
- Intelligence function – comprising experienced analysts tasked with the duty of exchanging information with both the internal and external customers. They can define rules for filtering events based on threat analysis.
- Security function – consisting of SOC analysts who perform vulnerability and penetration tests so that they can harden both hardware and software.
- Monitoring function – consisting of intelligent data loggers that are meant to identify any anomalies in data traffic.
- Penetration Test function – comprises knowledgeable individuals with necessary tools who test and determine how the system will react in the event of an attack.
- Forensic function – the ability to reconstruct the details of events through in-depth analysis.
Hewlett Packard (2015) suggests that, since most modern organizations generate large volumes of data, some of it standardized logs and some unstructured (chats or tweets), the next generation of SOCs cannot afford to operate without a Security Information and Event Management (SIEM) solution. The SIEM is expected to correctly identify and separate threats, Indicators of Compromise (IOCs) and forensic information, all of which lie buried in the large sea of data within enterprise systems. Tatsuhiko et al. (2018) likewise suggest that future SOCs will need to develop a threat analysis server that uses Artificial Intelligence (AI) to build learned models and compare them with expected results, in order to speed up complex log analysis. The use of AI in future SOCs is expected to raise detection capability for threats and vulnerabilities significantly, to introduce standardization, and to contribute to high-quality service in the information security sphere. AI systems can learn patterns of behavior and use them to predict future occurrences by comparing learned data with actual data.
2.4. Design Requirements for Security Operations Centre (SOC)
The decision to build its own SOC or to lease Managed Services depends on an organization’s financial strength and unique business requirements. Whatever the individual circumstances of the private entity or government body, building a resilient SOC requires certain minimum thresholds. The main requirements identified in the literature are discussed below.
- Situational Awareness – ensures that the organization continuously monitors network traffic for threats through embedded intrusion detection systems, so that SOC analysts can competently detect the activity, raise an alert, and remove the end host that generated it. SOCs must be able to detect network masqueraders (Kelley & Moritz, 2006; NCTOC, 2018).
- Reduce risk and downtimes – the SOC must be able to alert the right individuals about critical risks that have been isolated and their severity. The essence is to reduce system downtimes in the cyberdomain, which has become a significant part of business processes (Kelley & Moritz, 2006).
- Threat Control & Prevention – the SOC should be able to notify about suspicious activity and quickly develop a remediation policy to contain the spread of the threat (Kelley & Moritz, 2006).
- Ease Administrative Overheads – the SOC must reduce personnel overheads by centralizing security information management, so that fewer people are needed. This ensures fast and automated responses across the deluge of data (Kelley & Moritz, 2006).
- Defendable Perimeter – the SOC is recommended to reduce the number of entities and network elements with direct connections to the Internet. This results in effective coverage of the finite number of Internet-facing gateways and thus reduces the potential attack surface that may be exploited by attackers (NCTOC, 2018).
- Regular Updates of Software and Hardware – the SOC should use applications that are vendor-supported at all times. Besides, SOCs need to keep their software and hardware regularly updated, because attackers routinely scan for unpatched network servers or elements as easy targets (NCTOC, 2018).
- Device Interoperability – the SOC must be capable of integrating and inter-operating with key threat management tools such as firewalls, intrusion detection systems, routers, operating system logs and antivirus software. The SOC should interoperate with a multiplicity of data sources such as database systems, physical security systems, network management systems, access management, business process applications, etc. The more data the SOC gathers, the more accurate the threat intelligence it can build in order to better mitigate and remediate network attacks (Kelley & Moritz, 2006). Additionally, when faced with too much threat intelligence or too many network activity alerts, the SOC should be able to use data science techniques, machine learning tools and AI algorithms to quickly determine actionable steps (NCTOC, 2018).
- High Availability – the SOC must itself run 24/7 whenever the network does, so that the network is never left unmonitored.
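The SOC functions listed earlier (intelligence rules that filter events, monitoring that flags anomalies in traffic), the SIEM correlation that Hewlett Packard (2015) calls for, and the requirement to alert the right people with a severity can be made concrete with a small, self-contained correlator. The Python below is an added example written for this page; it is not code from any of the cited authors or from a real SIEM product. The log lines, the indicator feed, the brute-force threshold and window, and the team names used for routing are all constructed, and the addresses are from the RFC 5737 documentation ranges.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events in key=value form (not taken from any real system).
# Source addresses come from the RFC 5737 documentation ranges.
SAMPLE_LOGS = [
    "ts=2024-01-01T10:00:01Z host=web01 src=203.0.113.5 action=login user=alice result=fail",
    "ts=2024-01-01T10:00:03Z host=web01 src=203.0.113.5 action=login user=alice result=fail",
    "ts=2024-01-01T10:00:05Z host=web01 src=203.0.113.5 action=login user=alice result=fail",
    "ts=2024-01-01T10:00:07Z host=web01 src=203.0.113.5 action=login user=alice result=fail",
    "ts=2024-01-01T10:00:09Z host=web01 src=203.0.113.5 action=login user=alice result=fail",
    "ts=2024-01-01T10:00:11Z host=web01 src=203.0.113.5 action=login user=alice result=success",
    "ts=2024-01-01T10:05:00Z host=db01 src=198.51.100.77 action=connect port=3306 result=deny",
    "ts=2024-01-01T10:06:00Z host=web02 src=192.0.2.10 action=login user=bob result=success",
    "ts=2024-01-01T10:07:00Z host=web02 src=192.0.2.10 action=login user=bob result=fail",
]

# Constructed threat-intelligence feed (the intelligence function): indicator -> context.
IOC_FEED = {"198.51.100.77": "address listed as scanning infrastructure (constructed indicator)"}

# Triage policy: severity order and the team each severity is routed to (hypothetical team names).
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}
ROUTING = {"low": "ticket-queue", "medium": "tier1-analyst",
           "high": "tier2-analyst", "critical": "incident-response"}


def parse_event(line):
    """Turn one key=value log line into a dict with a datetime timestamp."""
    fields = dict(token.split("=", 1) for token in line.split())
    fields["ts"] = datetime.strptime(fields["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return fields


def match_iocs(events, iocs):
    """Filter rule fed by threat intelligence: any event from a listed address is an alert."""
    return [
        {"rule": "ioc-match", "severity": "high", "host": ev["host"],
         "src": ev["src"], "detail": iocs[ev["src"]]}
        for ev in events if ev.get("src") in iocs
    ]


def detect_bruteforce(events, threshold=5, window=timedelta(seconds=60)):
    """Monitoring rule: count failed logins per (src, user) inside a sliding window.
    Reaching the threshold is medium severity; a success right after such a burst
    (the account was probably guessed) is critical."""
    alerts = []
    failures = defaultdict(list)  # (src, user) -> timestamps of recent failures
    for ev in events:  # events must be in time order
        if ev.get("action") != "login":
            continue
        key = (ev["src"], ev["user"])
        recent = [t for t in failures[key] if ev["ts"] - t <= window]
        if ev["result"] == "fail":
            recent.append(ev["ts"])
            if len(recent) == threshold:
                alerts.append({"rule": "bruteforce", "severity": "medium", "host": ev["host"],
                               "src": ev["src"], "detail": f"{threshold} failed logins for {ev['user']}"})
        elif ev["result"] == "success" and len(recent) >= threshold:
            alerts.append({"rule": "bruteforce-success", "severity": "critical", "host": ev["host"],
                           "src": ev["src"],
                           "detail": f"login for {ev['user']} succeeded after {len(recent)} failures"})
            recent = []  # the burst has been reported; start counting afresh
        failures[key] = recent
    return alerts


def triage(alerts):
    """Order alerts so the most severe are handled first and attach the team to notify."""
    ranked = sorted(alerts, key=lambda a: SEVERITY_RANK[a["severity"]], reverse=True)
    for alert in ranked:
        alert["route_to"] = ROUTING[alert["severity"]]
    return ranked


def run_pipeline(lines, iocs=IOC_FEED):
    """Parse, sort by time, run both detection rules, and triage the result."""
    events = sorted((parse_event(line) for line in lines), key=lambda e: e["ts"])
    return triage(match_iocs(events, iocs) + detect_bruteforce(events))


if __name__ == "__main__":
    for alert in run_pipeline(SAMPLE_LOGS):
        print(f"[{alert['severity'].upper():<8}] {alert['rule']:<18} host={alert['host']} "
              f"src={alert['src']} -> {alert['route_to']}: {alert['detail']}")
```

Run on the constructed sample, the pipeline emits three alerts in severity order: the successful login for alice after five failures (critical, routed to incident response), the connection attempt from the listed address (high), and the five-failure burst itself (medium). The sliding window matters: failures spaced more than the window apart never reach the threshold, and a success long after a burst is not escalated, which is how such a rule keeps alert volume manageable for the analysts it notifies.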
3. Conclusions
Today’s organizations and government institutions are becoming vulnerable to cyber threats because of the intensification of computing networks, people, systems, social media, applications and copious data. The sources of cyber threats are many and varied, including insiders, service providers, dedicated cybercriminals, nation-states, rival companies, software enthusiasts, hacktivists, and deliberate developers of sub-standard applications. Regardless of the size of the entity that falls victim to cybercrime, the overall costs are enormous, hence the need to find suitable ways of detecting, triaging, analyzing, preventing and remediating attacks on systems.
The Security Operations Centre will continue to occupy a central position in modern IT companies, private and public corporations and governments, protecting critical infrastructure exposed to cyberspace. SOCs may also become popular as a service as Internet of Things devices, computing networks, applications and users grow beyond what individual organizations can control. The SOC will remain invaluable for continuous monitoring of cyber threats, forensic investigation, incident handling, and reporting to preserve the Confidentiality, Integrity and Availability of data. The design of the SOC must ensure, among other things, that it remains interoperable with diverse enterprise systems, reduces system downtime, provides 24/7 situational awareness of the network, and reduces human resource demands. The SOC of the future will make ever greater use of machine learning tools and Artificial Intelligence agents to scale its capabilities towards those of the human brain for rapid decisions, detection, reporting and remediation.
4. References
Accenture. (2017). 2017 Cost of Cyber Crime Study: Insights on Security Investments that Make a Difference. (Ponemon Institute LLC) Retrieved May 8, 2020, from Cost of Cyber Crime: https://www.accenture.com/t20171006T095146Z__w__/us-en/_acnmedia/PDF-62/Accenture-2017CostCybercrime-US-FINAL.pdf#zoom=50.
Ashford, K. (2014). Cyberdefense: Is Outsourcing the Answer. InterAgency Journal, 5(2), 51-61. Retrieved May 26, 2020, from Cyberdefense: Is Outsourcing the Answer: http://thesimonscenter.org/wp-content/uploads/2014/07/IAJ-5-2Summer-2014-51-61.pdf.
Backman, S. (2015). Organising National Cybersecurity Centres. Information & Security: An International Journal, 32, 3206-1 – 3206-18. Retrieved May 15, 2020, from http://procon.bg/system/files/3206_ncscs_backman.pdf.
Global Technology Audit Guide. (2016, September). Assessing Cybersecurity Risk: Roles of the Three Lines of Defense. Retrieved May 10, 2020, from Cybersecurity Risk: https://www.aicpa.org/content/dam/aicpa/interestareas/frc/assuranceadvisoryservices/downloadabledocuments/cybersecurity/gtag-assessing-cybersecurity-risk.pdf.
Hewlett Packard. (2015, November). Building a Successful SOC. Retrieved June 19, 2020, from Security Operations Centre: https://community.softwaregrp.com/…/Building%20a%20successful%20SOC.pdf.
Kelley, D., & Moritz, R. (2006, January/February). Best Practices for Building a Security Operations Center. Retrieved May 20, 2020, from Security Operations Center: http://infosectoday.com/Articles/Kelley.pdf.
Marchany, R. (2015). Building a Security Operations Center. Retrieved May 30, 2020, from Virginia Tech: https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1493840439.pdf.
NCTOC. (2018, March). NCTOC Top 5 Security Operations Center (SOC) Principles. Retrieved May 15, 2020, from Cybersecurity Operations: https://www.nsa.gov/Portals/70/documents/resources/cybersecurity-professionals/top-5-soc-principles.pdf.
Schinagl, S., Schoon, K., & Paans, R. (2015, January). A Framework for Designing a Security Operations Centre (SOC). Retrieved June 8, 2020, from Security Operations Centre: https://www.researchgate.net/publication/308837734_A_Framework_for_Designing_a_Security_Operations_Centre_SOC/download.
Symantec. (2018). Internet Security Threat Report. (Symantec) Retrieved May 10, 2020, from Internet Security Threat: http://images.mktgassets.symantec.com/Web/Symantec/%7B3a70beb8-c55d-4516-98ed-1d0818a42661%7D_ISTR23_Main-FINAL-APR10.pdf?aid=elq_.
Tatsuhiko, A., Yuhiko, Y., & Yutaka, T. (2018, January). Security Operations Center (SOC) and Security Monitoring Services to Fight Complexity and Spread of Cyber Threats. NEC Technical Journal, 12(2), 34-37. Retrieved May 15, 2020, from https://www.nec.com/en/global/techrep/journal/g17/n02/pdf/170207.pdf.
Trost, R. (2016). Pull Up Your SOCs: Best Practices for Building and Operating a Security Operations Center (SOC). Retrieved May 29, 2020, from INTEROP: https://www.coursehero.com/file/22530362/Trost-Ryan-PullUpYourSOCs/.
Zimmerman, C. (2014). Ten Strategies of a World-Class Cybersecurity Operations Center. Massachusetts: The MITRE Corporation. Retrieved June 15, 2020, from https://www.mitre.org/sites/default/files/publications/pr-13-1028-mitre-10-strategies-cyber-ops-center.pdf.