How does a Security Operations Center (SOC) actually work? What are the regulatory requirements, and how do they relate to proven best practices? Answers to these questions were provided by Ramon Weil, Founder & CEO of SECUINFRA GmbH, and David Bischoff, Principal Cyber Defense Consultant at SECUINFRA, at the Security Lab of the Gesellschaft zur Förderung des Forschungstransfers e.V. (GFFT). Last Thursday's "Insights: Security Operation Center (SOC)" event attracted keen interest: registrations came from medium-sized companies as well as from large corporations and universities. Attendees took the opportunity to learn how SOCs are used efficiently and to put their open questions to the security experts present.
In his keynote presentation, Ramon Weil gave an overview of the current state of the art in security operations centers. His company has many years of experience in building and operating SOCs, both for customers and with its own SECUINFRA SOC. Weil showed how decisions made as early as the planning phase determine whether the threat landscape is covered comprehensively and efficiently, and recommended working with standardized methods such as the MITRE ATT&CK framework. He outlined the requirements that must be met under the German BSI Act (BSI-Gesetz), and explained why compliance with the Act alone is not enough: newer technologies such as Endpoint Detection and Response (EDR) and Security Orchestration, Automation and Response (SOAR) are not considered in it at all. At the same time, he stressed the importance of the law: "It's a step in the right direction and will significantly increase cyber resilience in Germany over the next few years."
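What "planning coverage against ATT&CK" means in practice is a gap analysis: for every technique the threat model says must be detected, check whether a detection rule exists, whether it is actually switched on, and whether the telemetry it needs is onboarded. The following Python script is an added example written for this page; it is not SECUINFRA's or GFFT's code. The technique IDs and names are real ATT&CK entries, but the list of required techniques, the rule catalogue, the telemetry source names and the set of onboarded sources are all constructed for illustration.

```python
"""Added example: ATT&CK detection-coverage gap analysis for SOC planning.

Not SECUINFRA code. Technique IDs/names are real ATT&CK entries; the rule set,
source names and "required" list below are constructed for illustration.
"""
from collections import defaultdict

# Constructed: techniques the (hypothetical) threat model requires coverage for,
# each with the telemetry sources a detection for it would need.
REQUIRED_TECHNIQUES = {
    "T1566": ("Phishing", {"email_gateway"}),
    "T1059": ("Command and Scripting Interpreter", {"edr_process"}),
    "T1078": ("Valid Accounts", {"auth_logs"}),
    "T1003": ("OS Credential Dumping", {"edr_process", "edr_memory"}),
    "T1021": ("Remote Services", {"auth_logs", "netflow"}),
    "T1486": ("Data Encrypted for Impact", {"edr_file"}),
}

# Constructed: detection rules as a SIEM/EDR content catalogue might list them.
DETECTION_RULES = [
    {"name": "Suspicious PowerShell encoded command", "techniques": ["T1059"],
     "sources": {"edr_process"}, "enabled": True},
    {"name": "LSASS memory access", "techniques": ["T1003"],
     "sources": {"edr_process", "edr_memory"}, "enabled": False},
    {"name": "Impossible travel login", "techniques": ["T1078"],
     "sources": {"auth_logs"}, "enabled": True},
    {"name": "RDP lateral movement from workstation", "techniques": ["T1021"],
     "sources": {"auth_logs", "netflow"}, "enabled": True},
    {"name": "Mass file rename with ransom note", "techniques": ["T1486"],
     "sources": {"edr_file"}, "enabled": True},
]

# Constructed: telemetry sources actually onboarded into the SIEM today.
ONBOARDED_SOURCES = {"edr_process", "auth_logs", "edr_file"}


def coverage_report(required, rules, onboarded):
    """Map each required technique ID to one of:
    'covered'           - an enabled rule exists and all its sources are onboarded
    'missing_telemetry' - an enabled rule exists but needs a source not onboarded
    'rule_disabled'     - rules exist for the technique but none is enabled
    'no_rule'           - no rule in the catalogue references the technique
    """
    rules_by_technique = defaultdict(list)
    for rule in rules:
        for tid in rule["techniques"]:
            rules_by_technique[tid].append(rule)

    report = {}
    for tid in required:
        candidates = rules_by_technique.get(tid, [])
        if not candidates:
            report[tid] = "no_rule"
            continue
        # A rule only counts as coverage if it is enabled AND every source
        # it depends on is actually being ingested.
        usable = [r for r in candidates if r["enabled"] and r["sources"] <= onboarded]
        if usable:
            report[tid] = "covered"
        elif any(r["enabled"] for r in candidates):
            report[tid] = "missing_telemetry"
        else:
            report[tid] = "rule_disabled"
    return report


def coverage_ratio(report):
    """Fraction of required techniques with status 'covered'."""
    return sum(1 for status in report.values() if status == "covered") / len(report)


def gaps(report):
    """Technique IDs that are not covered, sorted for a stable action list."""
    return sorted(tid for tid, status in report.items() if status != "covered")


if __name__ == "__main__":
    rep = coverage_report(REQUIRED_TECHNIQUES, DETECTION_RULES, ONBOARDED_SOURCES)
    for tid, status in rep.items():
        print(f"{tid} {REQUIRED_TECHNIQUES[tid][0]:<36} {status}")
    print(f"coverage: {coverage_ratio(rep):.0%}, gaps: {gaps(rep)}")
```

The point of distinguishing the three non-covered statuses is that each calls for a different, and differently priced, planning action: `no_rule` needs detection engineering, `missing_telemetry` needs a log source onboarded (often the expensive part), and `rule_disabled` is a one-line change that is easy to miss when coverage is only counted by "rules that exist".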
However, Weil and Bischoff also pointed out the problems associated with implementation: the technical and human resources required to operate a security operations center are often beyond reach, especially for medium-sized companies. A SOC must be available 24 hours a day, because security incidents must not only be detected but also analyzed immediately. Analysis by a SOC analyst is mandatory; a SOAR system is advisable for partial automation of triage and response, but does not replace the analyst. An appropriate response is then required, and that response is almost always time-critical. A cyber detection and response center must therefore be staffed around the clock. "This is a major challenge and not at all easy to implement in view of the shortage of skilled workers," Weil summed up. "For many companies, therefore, outsourcing a SOC is a more viable alternative."
A survey of Security Lab participants also showed how widely the starting conditions differ. The options open to large corporations are quite different from those of smaller companies, not least financially: the major players have around 2,000 euros per employee available for IT security, while at the other end of the scale the universities have only 50 euros. "In view of these very different conditions, it is important to find solutions that best suit the company in question," Weil noted. The next opportunity to learn about Security Operations Centers will be at GFFT's Security Lab in the coming months. More information on this will be announced.