Ownership in Operational Control & Support
The main objective of SOC is to provide a centralized command for a given set of purposes. Over the years, SOCs have transitioned from being a setup for communication centres to a dedicated function to safeguard the assets of enterprises and assess threat preparedness.
In this article series on SOC, we have covered the Introduction of SOC & Enemies of SOC practices. In this article, we get an introduction to how SOC has transitioned over the years in the risk management domain.
A brief history of the origins of the command centre:
While the SOC forms have transitioned over many decades, in this article, our focus will be to elaborate on the period from the 90s onwards.
Until 1995, SOC’s initially was termed Network Operations Centers (NOCs) were primarily used by military organizations to control and secure information from conflict areas. Information such as intelligence, enemy formations, resource supply chains, evacuations, drills, emergency preparedness, logistical supply network & casualties/injuries were controlled from the NOC. This was usually set up across military bases which were connected with NOCs established on the frontlines. The main functions of these NOCs were to gather as much data and communicate actions or activities over the communication channels. Collecting alerts and communicating with operational units was one of the key day-to-day tasks undertaken at these NOCs. Some large-scale government organizations ( railways, public banks ) established similar NOCs to control their daily activities and collect data or information on their various activities. The key activity, therefore, was to collect information through communication channels, share with key stakeholders and share the next steps periodically.
By the year 2000, the NOC was transitioned to end-to-end SOC setup was adopted at large-scale government organizations, large private enterprises & military departments. The activities undertaken here were scaled to the identification of intrusions, alerts on any breaches in captive processes & response workflows.
In Mid 2000’s the SOCs activities scaled to vulnerability assessments, anti-theft activities. Security Management Standard was adopted post-2005 and compliance monitoring was also added into SOC’s objectives. From the technology front for monitoring and response actions, SOCs proceeded to monitor end to end compliance of business practices
From the year 2007 to 2013 SOCs evolved considerably with newly available technology platforms, bandwidth speed, and network connections. Many important solutions that are key for security monitoring such as live monitoring, information management, and incident management entered into the security surveillance ecosystem. Similar activities were adopted at a large scale across the cybersecurity industry as well. The main objectives of SOCs during this time wherein detecting and preventing thefts, log incidents monitoring or compliance with physical security, analyzing and communicating the findings with all the stakeholders. Physical Security Information Management ( PSIM’s ) software made information collection possible during this phase.
From 2013 to 2018, SOCs have transitioned to managed service providers of security. Here the SOC’s activities are designed as per a shared model and not exclusively dedicated to single organizations or entities. Here a common infrastructure is established and multiple organizations hire the services offered by this SOC. Each organization frames critical key performance indicators which have to be met and adhered to by the SOC service organizations. Here SOCs provide services known as SOCAAS ( SOC as a service ). Various large-scale private banks, telecom organizations, retail and warehouse companies have adopted this form of SOC model to reduce their infrastructure costs. In this phase, SOCs agree to identify, communicate, mitigate and respond to physical threats and communicate with remote SOCs that are captive to the customers. The onus of manpower supply, training, communication & MIS as well as accurate identification lies with the service provider. In this method, SOCs integrate their software with the existing infrastructure or partner with Surveillance companies or System Integrators ( security hardware suppliers ). A lot of focus has been laid on threat intelligence by collecting risk alerts, establishing clear communications protocols, data analysis layer for deriving risk intelligence, gathering additional data points through additional data generation points. IoT devises integrations, computer vision analytics, sensors ( motions, acoustics, water, fire etc ) have been utilized extensively to manage the operations at a large scale and has provided scalability to SOCs.
From 2018, SOCs have evolved as an integral function of enterprises. The capabilities of SOCs have increased to business process monitoring, quality control, data validation, quality controls, security automation and automated response ( SOAR ), security playbooks for simulation, training monitoring, live security coverage, threat hunting, virtual security monitoring and risk assessments, investigations etc. SOCs have integrated cybersecurity systems, SCADA systems, CRM and ERP systems to manage and control business operations at large scales and in the ‘API ecosystem’ creation of data lakes to analyze security data with business data has increased substantially. SOC Analysts draw comparisons with business events that correlate to risks to businesses.
Presently few of the activities that are undertaken at SOCs are as follows:
Security Event Monitoring
Detection & Risk Management
Forensics of events
Threat Intelligence & Analysis
Governance of security operations
Training and supervision
In our future series, we will cover the future of SOC in enterprises.