Our journey in creating our SOC as a Service offering

We will take you behind the scenes and unveil the secrets of creating our state-of-the-art Security Operations Centre to provide fanatical cyber defence.

Peter Bassill
August 5, 2023
min read
Our journey in creating our SOC as a Service offering

Welcome to the world of cutting-edge security! In this exciting journey, we will take you behind the scenes and unveil the secrets of creating our state-of-the-art Security Operations Centre (SOC). As technology continues to evolve, so do the threats we face in the digital landscape.

Our SOC is the epitome of innovation and excellence, designed to combat these ever-evolving security challenges head-on. We have assembled a team of brilliant minds who work tirelessly to ensure the safety and security of our organisation and its valuable assets. Join us as we dive deep into the intricate processes, cutting-edge technologies, and strategic methodologies shaping our SOC's success. Get ready to witness the power of innovation and the dedication it takes to stay one step ahead in cybersecurity. Let's embark on this incredible journey together!

Importance Of A State-Of-The-Art SOC

In today's digital landscape, organisations face many security threats that can compromise sensitive data, disrupt operations, and damage reputation. That's where our state-of-the-art SOC comes into play. The SOC is the central nerve centre, continuously monitoring, detecting, and responding to security incidents for clients worldwide. Our SOC acts as a shield, protecting clients from the ever-evolving threats lurking in the digital realm.

The Security Operations Centre goes beyond the traditional reactive approach to security. We embrace proactive strategies, leveraging advanced technologies and skilled professionals to detect and mitigate threats in real-time. By engaging with our SOC as a Service offering, clients gain a modern SOC, staying ahead of attackers, minimising the impact of security incidents, and safeguarding their valuable assets.

The Key Components Of Our SOC

A modern SOC comprises several vital components that harmonise to create a robust security infrastructure. Ours is the same, although how we achieve it is different. Within our SOC, we have all of the typical components you would expect to see; advanced security tools, comprehensive threat intelligence feeds, well-defined processes, and a highly skilled team of cybersecurity experts. Since 2018 we have had an AI entity in training in the background. Hedgey, our AI, is one of the most efficient SOC AI entities available.

Let us look at each of the components:

  1. The first component is advanced security tools. These tools include next-generation firewalls, intrusion detection systems, security information and event management (SIEM) solutions, and endpoint protection platforms. These tools provide the necessary visibility and control to effectively monitor and respond to security incidents. We partner with Wazuh, Fortinet and Ubiquiti to offer an effective solution to clients who do not currently have these devices.
  2. The second component is comprehensive threat intelligence. Threat intelligence involves gathering, analysing, and applying actionable information about potential threats. It helps our SOC teams understand the tactics, techniques, and procedures used by attackers, enabling them to proactively identify and mitigate emerging threats. We take feeds from many of the leading threat intelligence vendors, which we collate within our Wazuh SIEM which we offer to organisations as a fully managed Wazuh / SIEM solution.
  3. The third component is well-defined processes. We have in place and follow a set of well-defined processes and workflows to ensure efficient incident detection, analysis, and response. These processes include incident triage, escalation, investigation, and remediation. By establishing standardised procedures, our SOC teams respond to incidents consistently and effectively.

Planning And Designing Our SOC

Building a state-of-the-art SOC requires careful planning and design. The first step was to define the objectives and goals of the SOC, which involved identifying specific security requirements, such as compliance regulations, CREST requirements, industry standards, and risk tolerance. A wide variety of needs came into play here as our client base is vast and diverse, meaning we had to employ a stacked set of conditions that would fit almost all combinations of requirements.

With the objectives clear, the next step was to determine the scope of the SOC. The scope included defining the assets to be protected, the types of threats we would monitor, and the level of monitoring required for different levels of clients. It was crucial to align the scope with our overall security strategy and risk management approach and with each client.

After defining the objectives and scope, the next step was to design the physical and virtual infrastructure of the SOC. The build included selecting the appropriate hardware, software, and network architecture to support the SOC's operations. It is essential to ensure scalability, reliability, and redundancy to handle the increasing volume and complexity of security events.

We opted for a significant internal computing environment of highly efficient systems to address our ISO27001 and ISO14001 needs and enable our SOC2 compliance.

Building A Robust SOC Infrastructure

Implementing a state-of-the-art SOC requires a robust infrastructure that can handle the demands of real-time monitoring, analysis, and response. Our infrastructure includes the necessary hardware, software, and network components.

The hardware component includes virtualisation servers, network-attached storage devices, layer three network switches, firewalls and access appliances. These components provide the necessary computing power, storage capacity, and network connectivity to support our SOC's operations.

The software component includes security tools like our Wazuh and MiSP clusters. These software solutions provide the visibility, analysis, and automation capabilities required for effective threat detection and response. We also chose to integrate dope.security for their secure web gateway endpoint agent and to partner with Fortinet for network security appliances.

The network component includes firewalls, intrusion prevention systems, and network segmentation. These components ensure the security and integrity of the SOC's network infrastructure. Implementing network security best practices, such as access control, encryption, and regular vulnerability assessments in an easy-to-deploy and scale solution, is crucial, so we chose Ubiquiti to provide our core networking.

Implementing Advanced Threat Detection And Response Capabilities

One of the key strengths of a state-of-the-art SOC is its advanced threat detection and response capabilities. These capabilities enable our SOC teams to identify and respond to real-time security incidents, minimising client impact. Our internal AI system, Hedgey, provides continual high-volume correlation and threat analysis, which feeds into SOC analysts.

Hedgey started training in 2018 in the art of threat detection, and her algorithms allow her to analyse vast amounts of data and identify patterns indicative of malicious activity. These algorithms can detect anomalies, identify known threats, and predict emerging threats based on historical data.

Advanced threat response capabilities include automated and manual incident response playbooks, which provide step-by-step instructions for responding to specific security incidents. These playbooks enable our SOC teams to react quickly and effectively, reducing the time to contain and mitigate security breaches.

Integrating Threat Intelligence Into Your SOC Operations

Threat intelligence plays a crucial role in the success of a state-of-the-art SOC. By integrating threat intelligence data from multiple sources into our SOC operations, we can stay one step ahead of attackers and proactively defend against emerging threats.

Integrating threat intelligence involves gathering data from various sources, such as open-source feeds, commercial threat intelligence providers, honeypots, and internal security logs. This data is then analysed by our senior SOC team and our Threat Hunters in the Offensive Security team and correlated to identify potential threats and vulnerabilities. Threat intelligence is not just about gathering data but about turning it into actionable insights. Applying contextual information and expert analysis prioritises threats, identifies trends, and recommends appropriate response actions.

Training And Hiring Our SOC Team

Our SOC is only as good as the professionals who operate it. Hiring and training skilled cybersecurity professionals is crucial for the success of our SOC.

When hiring, we are looking for individuals with a strong technical background, relevant certifications, and a deep understanding of the threat landscape is essential. Ideally, these professionals have experience in incident response, threat hunting, and security operations.

In addition to hiring the right people in our SOC, continuous training and development are essential to keep up with the evolving threat landscape. Our SOC team members all receive regular training in the form of SOC training from OffSec and from SANS on the latest security technologies, threat detection techniques, and incident response best practices.

Continuous Monitoring And Improvement Of Your SOC

The SOC is a dynamic entity that requires continuous monitoring and improvement—monitoring the SOC's performance, identifying areas for improvement, and implementing changes to enhance its effectiveness.

Continuous monitoring involves tracking key performance indicators (KPIs) such as mean time to detect (MTTD) and mean time to respond (MTTR). These KPIs provide insights into the SOC's efficiency and effectiveness in detecting and responding to security incidents. By monitoring these KPIs, organisations can identify bottlenecks and areas for improvement.

Continuous improvement involves implementing changes based on the insights gained from monitoring. This may include updating security tools, refining processes, or enhancing training programs. It is essential to have a feedback loop that allows SOC teams to provide input and suggestions for improvement.

Share this post