“Hacking” started out as something we heard about in geek circles, but it didn’t impact our daily lives that much. Then, it featured in Hollywood movie plots, and today it’s a word everyone is familiar with, especially those who work in IT. While many would like the “white hat” style of hacking to be the default type, the reality is that it’s a constant battle raging between the good and the bad guys — the security researchers trying to prevent malware and viruses from infecting systems throughout the web, and the criminal organizations trying to make money by causing all of this chaos.

With the increase in profit, we’ve seen an increase in sophistication as well. We’re no longer talking about kids scripting from their basements, although that certainly still occurs, but now the focus is on large foreign crime syndicates, using complex means of breaking into systems and stealing sensitive data. In a word, the good guys aren’t always on the winning side, and of course, all of this rages on in innocent businesses and homes. So if you do run a business, or if you are responsible for the security of a corporate network, should you start thinking about moving your ad hoc security measures into a full-fledged Security Operations Center (SOC)? We’ll see what this means, when you should consider doing the switch, and how to do it.

What is a Security Operations Center?

The concept of a SOC is not new, but typically these used to be implemented in large sensitive organizations only, such as government buildings, financial institutions, or large backbone providers. But two things changed this in recent years. First, it has become a lot more affordable to set up an SOC up in your own organization. What used to cost millions of dollars can now be done for just a few thousand. Also, the technical and space requirements are lower than before. Simply said, a Security Operations Center is a centralized facility responsible for every aspect of security in an organization. Think of what a typical business has to deal with. First, you have the physical security layer, from cameras monitoring the working areas, to door locks, alarms, and so on. Then you have data security, things like physical servers, network cables that could be tapped into, network connections which allow people to plug their devices, and so on. There are a lot of different ways your sensitive data can be accessed, and as such there are many aspects of security you need to keep an eye on. Finally, you have virtual security, such as firewalls and intrusion prevention systems, methods that can prevent people on the Internet from breaching your security and getting into your network.

As a typical corporation grows, these security measures are typically implemented one at a time, in a fairly ad hoc way. There is no real centralization, and often a couple of savvy IT people become responsible for one or more security procedures. Cameras may be recording in a basement room, but you may not have the means to pay someone to actively keep a watch on them at all times. Your IDS, or intrusion detection system, may be running and protecting your network from some attacks, but you probably don’t have someone spending their time watching logs for any anomaly, or any malware making it through. Your network ports may be configured not to allow unauthorized devices to connect to your network, but you may not have anybody who periodically checks routers and switches to make sure everything is running correctly. All of these tasks fall into the domain of an SOC. If this describes your current situation, with all sorts of security measures implemented but in a very decentralized way, then now may be the time to consider implementing a SOC.

Implementing an SOC

It used to be that in order to implement a SOC, you would need some serious equipment. In order to provide a central location that can keep an eye on all security for the whole organization, you need to make sure all relevant data is fed into a single room. Thankfully, modern devices and software all allow this type of capability. Windows Servers allow you to set up remote log monitoring using Performance Monitor, your routers can send SNMP messages to a central server, and the use of IP cameras instead of traditional analog ones means you can connect to them and view those feeds remotely. All of this fulfils the first of the two main roles of a SOC: vulnerability assessment.

The staff working in a SOC, which usually includes one or more persons working full time, will use all of that data in order to keep the organization safe from any intrusion. In a well designed SOC, several computers should gather and process logs in order to make it as easy as possible for the IT staff to monitor those systems. This starts by using good tools. One of the most useful tools for an SOC is Cacti, an open source network-graphing solution. Another popular tool is Nagios, also open source, and used to monitor an entire infrastructure. Finally, Zabbix is a great tool to monitor remote servers.

While the technical side of an SOC is fairly straightforward to understand, this facility should also play an organizational role as well. As security becomes a bigger and bigger concern, having good policies is a very important part of any security procedure. If your organization has several hundred employees, it’s not realistic to expect all of them to practice good security on their own. An uninformed employee can compromise your security without even realizing it. And as you start adding policies, they can quickly become complex and hard to maintain if they are simply created by random management people, without being centralized. This is why a SOC should work with every other department to ensure these policies are well made and consistent. This includes everything from the type of passwords people should be using, to what devices they are allowed to bring to work, which documents or servers are sensitive, what happens if there are visitors in the office, etc.

By working with management teams, HR, possibly even unions, you can make sure your SOC will be making effective policies that everyone understands and can agree with. Remember that making a security policy that is too harsh will simply mean people will ignore it. This is why a centralized location that keeps in touch with every facet of the organization is so crucial.