Opinion: when defence is the best offence

Setting up a robust security operations centre for organisations will not only identify and respond to security threats, but will also predict possible sources of cyberattacks
Protecting data - cybersecurity is becoming a priority for MENA businesses
By Haider Pasha
Sat 24 Aug 2019 12:21 PM

Today, businesses spend heavily on cybersecurity. But to get value for their money, they need an overarching strategy. The state-of-the-art approach is to build an effective security operations centre (SOC).

A SOC is commonly referred to as the central command centre for cybersecurity operations. A team of security analysts uses advanced detection tools to identify, record and repel cyberattacks. The analysts work with a playbook of processes laying out the steps they need to take to keep their organisation secure.

Many large businesses have implemented successful SOCs, especially those dealing with sensitive data such as personally identifiable information (PII). Typically, these include financial and retail companies but also those working with governments and organisations looking to digitise services and use big data.

More mid-sized businesses are following suit, though the majority prefer to outsource their SOC to reduce costs. Companies that offer outsourced cyber protection are known as managed security services providers (MSSP).

Organisations often build a SOC when they have dozens of security tools operating across their network but struggle to make sense of all the data they produce. Large organisations typically have products from 40 to 60 security vendors, from endpoint protection and intrusion detection systems to firewalls and scanning tools. Each security tool can generate large volumes of data about network activity and any suspicious exploits.

For organisations about to embark on the SOC journey, there are five important questions that boards and chief information security officers should ask before they start building a SOC that is both customised and effective.

1. Why build it? Be clear about what you plan to achieve with a SOC. The aim is to reduce cybersecurity threats, defend the organisation’s data, and protect its reputation. What will be the key performance indicators (KPIs)? These could include incident response times. There should also be agreements between the CISO and the board that set out the level of services the SOC will offer. These can be listed in service level agreements (SLAs) which specify areas such as the speed of response and processes for reporting critical threats.

2. When to deliver? With over 30 possible SOC services, a common pressure is to try to launch everything from day one. Instead, the services should be introduced in logical stages. This could follow a capability maturity model, a methodology for laying out the evolution of software processes, typically in five stages. The SOC would complete the first phase, then the CISO and board would check and assess this before moving on to the following stage. This means each stage is fully implemented and functional before going to the next.

3. How do you deliver? Decide on the processes you need to follow to make the SOC efficient. Playbooks and process diagrams are a key discussion point.

4. Who is responsible? Outside of the security division in an organisation, who else has a say to make the SOC effective? Departments such as human resources, compliance and public relations are some common examples.

5. What is the technology setup? A key decision is which SOC tools should be used. This will depend on the objectives, budgets and preferences of the security analysts and the CISO. Tools usually include a security information and event management system (SIEM). This is a dashboard which analyses all security events – possible threats – which affect an organisation’s computer network. It is important to remember that a SIEM is not a replacement for a SOC, but just one tool in the SOC’s armoury. There must also be a ticketing system, so when a threat is identified, a ticket or record is created. There could also be a security orchestration and response tool (SOAR), which automates the collection and analysis of low-level threat intelligence.
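To make the tooling in question 5 and the KPIs and SLAs in question 1 concrete, the following Python sketch is an added example, not code from the article or from Palo Alto Networks. It strings together the three pieces the text names: a SIEM-style correlation rule run over normalised events from two tools, a ticketing queue that opens a record per alert, and a response-time KPI measured against an SLA. The event schema, the rule threshold and window, the tool names (`idp`, `firewall`), the ticket fields and the 15-minute SLA are all assumptions made for the example; the sample events are constructed.

```python
"""Toy SOC pipeline: SIEM correlation -> ticket -> response-time KPI against an SLA.

Added illustration; schema, thresholds and names are assumptions, not any vendor's API.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

# Constructed sample events from two hypothetical tools (an identity provider and a
# firewall), already normalised to one schema as a SIEM would do on ingestion.
SAMPLE_EVENTS = [
    {"ts": "2019-08-24T09:00:01", "source": "idp", "src_ip": "203.0.113.7", "user": "alice", "action": "login_failed"},
    {"ts": "2019-08-24T09:00:05", "source": "idp", "src_ip": "203.0.113.7", "user": "alice", "action": "login_failed"},
    {"ts": "2019-08-24T09:00:09", "source": "idp", "src_ip": "203.0.113.7", "user": "alice", "action": "login_failed"},
    {"ts": "2019-08-24T09:00:12", "source": "idp", "src_ip": "203.0.113.7", "user": "alice", "action": "login_failed"},
    {"ts": "2019-08-24T09:00:20", "source": "idp", "src_ip": "203.0.113.7", "user": "alice", "action": "login_success"},
    {"ts": "2019-08-24T09:01:00", "source": "firewall", "src_ip": "198.51.100.2", "user": "", "action": "deny"},
    {"ts": "2019-08-24T09:02:00", "source": "idp", "src_ip": "192.0.2.10", "user": "bob", "action": "login_failed"},
    {"ts": "2019-08-24T09:02:30", "source": "idp", "src_ip": "192.0.2.10", "user": "bob", "action": "login_success"},
]

FAILURE_THRESHOLD = 3           # assumed rule tuning: failures before a success is suspicious
WINDOW = timedelta(minutes=5)   # assumed correlation window


@dataclass
class Ticket:
    """One record in the ticketing system, opened per alert."""
    ticket_id: int
    rule: str
    src_ip: str
    user: str
    detected_at: datetime
    evidence: list = field(default_factory=list)
    acknowledged_at: Optional[datetime] = None


def correlate_brute_force(events):
    """SIEM-style rule: >= FAILURE_THRESHOLD failed logins for one (src_ip, user)
    inside WINDOW, followed by a successful login, raises one alert."""
    alerts = []
    recent_failures = defaultdict(list)       # (src_ip, user) -> failure timestamps
    for e in sorted(events, key=lambda ev: ev["ts"]):
        if e["source"] != "idp":              # only the identity provider feeds this rule
            continue
        key = (e["src_ip"], e["user"])
        t = datetime.fromisoformat(e["ts"])
        if e["action"] == "login_failed":
            recent_failures[key] = [f for f in recent_failures[key] if t - f <= WINDOW] + [t]
        elif e["action"] == "login_success":
            fails = [f for f in recent_failures[key] if t - f <= WINDOW]
            if len(fails) >= FAILURE_THRESHOLD:
                alerts.append({"rule": "brute_force_then_success", "src_ip": key[0],
                               "user": key[1], "detected_at": t, "evidence": fails + [t]})
            recent_failures[key] = []         # a success resets the counter either way
    return alerts


class TicketQueue:
    """Minimal ticketing system: every alert becomes a numbered record."""
    def __init__(self):
        self._next_id = 1
        self.tickets = []

    def open(self, alert):
        t = Ticket(self._next_id, alert["rule"], alert["src_ip"], alert["user"],
                   alert["detected_at"], alert["evidence"])
        self._next_id += 1
        self.tickets.append(t)
        return t

    def acknowledge(self, ticket_id, when):
        for t in self.tickets:
            if t.ticket_id == ticket_id:
                t.acknowledged_at = when
                return t
        raise KeyError(ticket_id)


def response_time_kpi(tickets, sla):
    """KPI from question 1: mean time to acknowledge, share within SLA, and breaching tickets."""
    acked = [t for t in tickets if t.acknowledged_at is not None]
    if not acked:
        return {"mean_seconds": None, "within_sla": None, "breaches": []}
    durations = [t.acknowledged_at - t.detected_at for t in acked]
    breaches = [t.ticket_id for t, d in zip(acked, durations) if d > sla]
    mean = sum(durations, timedelta()) / len(durations)
    return {"mean_seconds": mean.total_seconds(),
            "within_sla": 1 - len(breaches) / len(acked),
            "breaches": breaches}


def run_pipeline(events=SAMPLE_EVENTS, sla=timedelta(minutes=15)):
    """Ingest -> correlate -> ticket -> measure. Returns (tickets, kpi)."""
    queue = TicketQueue()
    for alert in correlate_brute_force(events):
        queue.open(alert)
    # Constructed analyst action: each ticket acknowledged 10 minutes after detection.
    for t in queue.tickets:
        queue.acknowledge(t.ticket_id, t.detected_at + timedelta(minutes=10))
    return queue.tickets, response_time_kpi(queue.tickets, sla)


if __name__ == "__main__":
    tickets, kpi = run_pipeline()
    for t in tickets:
        print(f"ticket {t.ticket_id}: {t.rule} user={t.user} src={t.src_ip} evidence={len(t.evidence)} events")
    print("KPI:", kpi)
```

On the constructed input only the `alice` sequence trips the rule (four failures then a success inside the window); `bob`'s single failure does not, and the firewall event is ignored by this rule. Changing the `sla` argument to five minutes turns the same ten-minute acknowledgement into an SLA breach, which is the kind of number a CISO would report to the board under the agreements described in question 1.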

What is so powerful about a SOC is that it goes further than simply identifying and dealing with security incidents.

Threat hunting is a vital part of the work of security analysts. They will work with cybersecurity vendors to list possible threats, and they may work with computer emergency response teams (CERTs), which are industry-wide groups that analyse security incidents.

Haider Pasha, Senior Director and Chief Security Officer, Emerging Markets at Palo Alto Networks
