What Are the Components of a Security Operations Center?
SOCs are made up of both people and technology designed to monitor for and block security threats to a government agency or a statewide enterprise.
“Depending on the enterprise, SOCs may also include team members with specific skills in forensic analysis, cryptanalysis, malware reverse engineering, and more,” a blog post from BMC notes.
“The team then has actual tasks, like monitoring and analyzing activity across servers and networks, endpoints, databases, applications, websites, and more — always looking to identify anomalies in activity which may indicate a security event occurred or may soon occur,” the post adds. “These tasks can be automated to certain degrees, too.”
A major and common component of a SOC is a security information and event management (SIEM) system, which helps analysts identify security threats and gives them broader visibility across the environment. SIEM platforms collect log and event data from multiple sources, correlate it against detection rules and threat intelligence to find matches, raise alerts on specific areas of concern and can then trigger specific response actions.
As BMC notes, a SIEM system “can include dozens of tools and processes to track and maintain security,” including data correlation from network discovery, firewalls and anti-virus detection, threat intelligence, intrusion detection and prevention systems, log management and more.
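To make the correlation role concrete, here is an added example (not code from the StateTech or BMC posts) of the kind of logic a SIEM runs: it parses constructed log lines from three sources (firewall, IDS, authentication), enriches them against a constructed threat-intelligence indicator list, and correlates events by source address inside a time window to raise alerts. The log format, field names, indicator feed and thresholds are all assumptions for illustration.

```python
"""Minimal SIEM-style correlation over constructed log lines (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample logs from three sources; the syslog-like format is an assumption.
SAMPLE_LOGS = [
    "2024-03-01T10:00:01 firewall DENY src=203.0.113.7 dst=10.0.0.5 dport=22",
    "2024-03-01T10:00:03 firewall DENY src=203.0.113.7 dst=10.0.0.5 dport=23",
    "2024-03-01T10:00:04 ids ALERT sig=ET_SCAN_NMAP src=203.0.113.7 dst=10.0.0.5",
    "2024-03-01T10:00:09 auth FAILED user=admin src=203.0.113.7 host=10.0.0.5",
    "2024-03-01T10:00:10 auth FAILED user=admin src=203.0.113.7 host=10.0.0.5",
    "2024-03-01T10:00:11 auth FAILED user=admin src=203.0.113.7 host=10.0.0.5",
    "2024-03-01T10:00:12 auth FAILED user=admin src=203.0.113.7 host=10.0.0.5",
    "2024-03-01T10:00:13 auth FAILED user=admin src=203.0.113.7 host=10.0.0.5",
    "2024-03-01T10:00:14 auth SUCCESS user=admin src=203.0.113.7 host=10.0.0.5",
    "2024-03-01T10:05:00 auth FAILED user=bob src=198.51.100.4 host=10.0.0.9",
    "2024-03-01T11:00:00 firewall DENY src=192.0.2.9 dst=10.0.0.5 dport=445",
]

# Constructed threat-intelligence indicators (assumption; not a real feed).
THREAT_INTEL = {"192.0.2.9": "known scanner (constructed indicator)"}

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<source>\w+) (?P<action>\w+) (?P<rest>.*)$")


def parse_line(line):
    """Normalise one raw line into an event dict (ts, source, action, key=value fields)."""
    m = LINE_RE.match(line)
    if not m:
        return None  # unparseable lines are dropped rather than crashing the pipeline
    ev = {"ts": datetime.fromisoformat(m["ts"]), "source": m["source"], "action": m["action"]}
    ev.update(dict(re.findall(r"(\w+)=(\S+)", m["rest"])))
    return ev


def correlate(events, window=timedelta(minutes=5), fail_threshold=5):
    """Apply three SIEM-style rules to normalised events and return the alerts raised."""
    alerts = []
    by_src = defaultdict(list)
    for ev in events:
        if ev.get("src"):
            by_src[ev["src"]].append(ev)

    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])

        # Rule 1: enrichment against the threat-intel feed (one alert per indicator hit).
        if src in THREAT_INTEL:
            alerts.append({"rule": "threat_intel_match", "src": src,
                           "severity": "medium", "detail": THREAT_INTEL[src]})

        # Rule 2: >= fail_threshold failed logins followed by a success for the
        # same user from the same source inside the window (password guessing that worked).
        fails = [e for e in evs if e["source"] == "auth" and e["action"] == "FAILED"]
        for ok in (e for e in evs if e["source"] == "auth" and e["action"] == "SUCCESS"):
            recent = [f for f in fails if f.get("user") == ok.get("user")
                      and ok["ts"] - window <= f["ts"] <= ok["ts"]]
            if len(recent) >= fail_threshold:
                alerts.append({"rule": "brute_force_then_success", "src": src,
                               "severity": "high", "user": ok.get("user"),
                               "failures": len(recent)})

        # Rule 3: the same source observed by all three sensors inside one window,
        # which no single sensor's own alerting would surface.
        sensors = {e["source"] for e in evs if evs[-1]["ts"] - e["ts"] <= window}
        if {"firewall", "ids", "auth"} <= sensors:
            alerts.append({"rule": "multi_sensor_activity", "src": src,
                           "severity": "medium", "sensors": sorted(sensors)})
    return alerts


def run(lines=SAMPLE_LOGS):
    """Full pipeline: parse, discard unparseable lines, correlate."""
    events = [ev for ev in map(parse_line, lines) if ev]
    return correlate(events)


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

The design point is the one the text makes: each sensor sees only its own slice (a firewall deny, an IDS signature, a failed login), and it is the correlation step, keyed on a shared field such as the source address and bounded by a time window, that turns those slices into an alert an analyst can act on. On the constructed input above, the single source 203.0.113.7 produces both the brute-force and multi-sensor alerts, while 192.0.2.9 is flagged only because it matches the indicator list.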
There are different ways to structure a SOC, depending on the agency’s objectives, according to the BMC post:
- Control: This involves testing for weaknesses and ensuring compliance
- Monitoring: This focuses on events and responding to them with log monitoring, SIEM administration and incident response
- Operational: This approach focuses on identity and access management and security operations such as firewall administration
What Is the Difference Between a NOC and a SOC?
A SOC and a Network Operations Center (NOC) are related entities for government agencies but are distinct.
According to a blog post from Check Point, the NOC team is responsible for ensuring that the enterprise network infrastructure is capable of meeting the needs of the organization.
“Every organization uses the corporate network for certain purposes, and the NOC optimizes and troubleshoots the corporate network to ensure that it is capable of meeting the needs” of the organization, the post notes.
There are some key differences between a NOC and a SOC, the post notes. Those include a difference in objectives. While the SOC is focused purely on protecting the network and assets from threats, the NOC’s objective is to ensure “that the network is capable of meeting [service level agreements] during normal operations and addressing natural disruptions, such as service outages, natural disasters, etc.”
The NOC and the SOC are also monitoring against different adversaries, according to Check Point. “The NOC is primarily focused on preventing network interference by natural or not human-driven events,” according to the post. “This includes power outages, Internet outages, natural disasters, etc. SOC analysts, on the other hand, protect against human-driven disruptions. Their role is to identify, triage, and respond to cyberattacks that can disrupt operations or otherwise cause harm to the business.”
NOC and SOC analysts require similar skill sets, according to the post, including the ability to monitor the network and identify issues.
However, while NOC analysts focus on diagnosing and correcting “natural” issues within their infrastructure and optimizing network infrastructure, according to the post, SOC analysts are “tasked with protecting the organization against human actors and human-driven threats.” SOC analysts need to know how cyberattacks work and how to remediate infections.
How Are States Evolving Their Use of SOCs?
Recently, some states have taken steps to evolve their approach to SOCs. In October, Arizona Gov. Doug Ducey announced a new Cyber Command Center, which will serve as the state’s main hub for coordinating statewide cybersecurity operations, according to a press release.
“The center will be a central location for cybersecurity professionals and local, state and federal agencies to prevent and respond to cyberattacks,” the release states. “It will provide an ideal location to enhance public-private partnerships to protect Arizonans against cyberthreats.”
The changes in Arizona reflect a desire to better coordinate cybersecurity responses across the state. As StateScoop reports:
The new command center, officials said Monday, is meant to increase threat information sharing between state agencies, as well as their federal and local counterparts. Ducey’s announcement also rebranded a service known as the Arizona Cyber Information Program as the Arizona Information Sharing and Analysis Center, or AZ-ISAC.
Meanwhile, in neighboring California, the state earlier this year abandoned a model that previously required state agencies, departments and other government entities to “absorb the cost of mandated security services,” a state blog post notes. As of July 1, the state stopped billing for SOC services.
And in Texas, a new law earlier this year created a pilot program to test a regional security operations center on the campus of a state university, StateScoop reports. That law also created a new entity to verify the security of cloud services, dubbed TexRAMP.
“Cybersecurity has long been a priority here in Texas,” Texas CIO Amanda Crawford tells StateScoop. “This demonstrates a commitment the legislature and Gov. Abbott have that it remains a priority and becomes a reality. It’s a big bill and we’re excited to get it in action.”