As IT threats continue to evolve and become more advanced and persistent, attackers are using increasingly sophisticated ways to avoid detection and breach security defenses. Many organizations are building Security Operations Centers (SOCs) to provide a central place for detecting, diagnosing, and remediating a high volume of malware and cyber-attacks.

The fast pace of the cybersecurity industry forces security operations center (SOC) units to evolve so that they can defend their organizations against current and upcoming threats. Reactive defense is no longer sufficient on its own, as the cyber threat landscape has become increasingly diverse and complicated. Most SOCs are understaffed, insufficiently skilled, and overworked, which reduces the ability of SOC analysts to keep up with their tasks. In addition, no single technology or tool can defend and monitor the network on its own, and the lack of full integration between the different tools makes maintaining a situational picture a complicated process. [1]

Currently, the business landscape is redefining itself with many new and evolving technologies, such as mobile computing, big data, digital transformation, social media, IoT, and cloud computing. Combined with the new normal of working from home caused by Covid-19, traditional SOCs can no longer provide adequate protection, as most operations now take place outside the organization's network boundaries. Hence the need for the Next Generation SOC (Next-Gen SecOps), whose monitoring extends beyond the organization into cloud services, mobile devices, and more. [2]

Ashraf Karaymeh

Manager Cyber Response, SOC & Incident Response Services

KPMG in Saudi Arabia

Why Next-Gen SecOps

1.    The main idea of Next-Gen SecOps is to adopt automated solutions that can analyze large data sets and effectively identify threats and attacks using machine learning (ML). This allows analysts to focus more on the human aspect of attacks and on threat hunting. The most sophisticated threats come from targeted attacks by criminal groups or even state-sponsored groups that are technologically prepared to carry out attacks patiently over weeks and months; SOC analysts therefore need to understand topics such as counterintelligence, surveillance, and criminal psychology. [3]

2.    Next-Gen SecOps fosters the transition from reactive response to proactive incident prevention. New processes for continuous threat analysis must therefore be developed to maintain situational awareness. Vulnerability scanning and patch management tools should be integrated so that the necessary patches, or other precautions where patching is not possible, are deployed before an attacker can exploit the vulnerabilities. [4]

3.    Cyber Threat Intelligence (CTI) obtained from external sources is useful and contains information about current threat trends and indicators of compromise (IoCs). Data acquired from CTI is analyzed using automated tools and correlation engines before being forwarded to its destinations. However, a feed may also contain a lot of data that is not relevant to the organization; for this reason, Next-Gen SecOps relies on Artificial Intelligence (AI) and ML to identify useful and relevant information and automate the filtering of CTI before correlation. Such filtering needs to know what the organization actually runs, so it depends on an accurate asset inventory.

4.    Another feature of Next-Gen SecOps is the automation of incident response processes: scripts collect and organize evidence from different sources, which improves SOC workflow throughput compared with analysts spending their time on the same collection tasks manually.

5.    Next-Gen SecOps uses ML-powered security tools to spot malicious activity by finding behavioral deviations in networks and applications. In addition, the roles of Red and Blue teams gain importance for maintaining readiness, and hunt teams are freed from day-to-day processes. [5]

6.    Cloud computing has added a real challenge for traditional SOCs, as more businesses move the bulk of their workloads and applications to the cloud. Traditional Security Information & Event Management (SIEM) and other analytical tools are not sufficient on their own to monitor and analyze cloud workloads. Modern SIEM solutions can be integrated with cloud resources in the following three ways. [6]

  • Deploying log-collection software in the cloud; the collector forwards the logs to the SIEM over an authenticated, encrypted channel.
  • Deploying the log collector on the organization's premises and configuring the cloud services to send their log data to it, again over an authenticated, encrypted channel.
  • Deploying the SIEM itself in the cloud if the organization uses the cloud extensively.
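One way to put the CTI filtering step of point 3 into practice, as an added example that is not part of the original article or of any vendor's product: indicators are dropped when they are stale, low-confidence, or tied to software the organization does not run, and only the survivors are handed to correlation. The feed, the asset inventory, the events, and the confidence and age thresholds are all constructed for the example.

```python
"""Added example (not from the article): filtering an external CTI feed down to
indicators that matter to this organization before they reach the correlation
engine. Every indicator, asset and event below is constructed sample data."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Fixed "current time" so the example is deterministic (constructed).
NOW = datetime(2020, 6, 1, 12, 0)
MIN_CONFIDENCE = 60           # feed confidence below this is treated as noise (assumption)
MAX_AGE = timedelta(days=30)  # indicators older than this are expired (assumption)


@dataclass(frozen=True)
class Indicator:
    ioc_type: str                  # "ip", "domain" or "sha256"
    value: str
    confidence: int                # 0-100, as reported by the feed
    first_seen: datetime
    products: frozenset = field(default_factory=frozenset)  # software the IoC targets; empty = generic


# Constructed asset inventory: hostname -> address and the products that actually run there.
ASSET_INVENTORY = {
    "web-01": {"ip": "10.1.1.10", "products": {"apache-httpd", "ubuntu"}},
    "dc-01": {"ip": "10.1.2.5", "products": {"windows-server", "active-directory"}},
    "mail-01": {"ip": "10.1.1.20", "products": {"exchange-server", "windows-server"}},
}

# Constructed feed: mixes relevant, stale, low-confidence and off-target entries.
FEED = [
    Indicator("ip", "203.0.113.5", 90, NOW - timedelta(days=2)),
    Indicator("domain", "evil.example", 40, NOW - timedelta(days=1)),
    Indicator("sha256", "0" * 64, 95, NOW - timedelta(days=60)),
    Indicator("ip", "198.51.100.7", 80, NOW - timedelta(days=3), frozenset({"drupal"})),
    Indicator("domain", "update.example", 85, NOW - timedelta(days=5), frozenset({"exchange-server"})),
]

# Constructed, already-normalised events as they would leave the SIEM's parsing stage.
EVENTS = [
    {"host": "web-01", "dst_ip": "203.0.113.5"},
    {"host": "mail-01", "domain": "update.example"},
    {"host": "dc-01", "dst_ip": "198.51.100.7"},
]


def organization_products() -> set:
    """Union of every product in the inventory; the relevance test keys off this."""
    return set().union(*(a["products"] for a in ASSET_INVENTORY.values()))


def is_relevant(ioc: Indicator, now: datetime = NOW) -> bool:
    """Keep an indicator only if it is credible, fresh and (when product-specific)
    tied to software the organization actually runs."""
    if ioc.confidence < MIN_CONFIDENCE:
        return False
    if now - ioc.first_seen > MAX_AGE:
        return False
    if ioc.products and not (ioc.products & organization_products()):
        return False
    return True


def filter_feed(feed, now: datetime = NOW):
    return [ioc for ioc in feed if is_relevant(ioc, now)]


def correlate(indicators, events):
    """Match indicators against events; returns (host, matched value) pairs."""
    lookup = {(ioc.ioc_type, ioc.value): ioc for ioc in indicators}
    hits = []
    for ev in events:
        for key in (("ip", ev.get("dst_ip")), ("domain", ev.get("domain")), ("sha256", ev.get("sha256"))):
            if key in lookup:
                hits.append((ev["host"], key[1]))
    return hits


if __name__ == "__main__":
    print("unfiltered hits:", correlate(FEED, EVENTS))
    print("filtered hits:  ", correlate(filter_feed(FEED), EVENTS))
```

Run unfiltered, the feed produces three hits, one of them for a Drupal indicator on a domain controller that runs no Drupal; after filtering, only the two indicators that are fresh, credible and applicable survive, and the correlation stage sees two hits instead of three.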

How to build Next-Gen SecOps

Building a scalable and adaptive SOC unit is a complicated process unless certain aspects are planned in advance. The organization must assess its existing security program, consisting of tools and processes. It should have thorough log collection and management in place, because the amount and quality of available data largely determine the SOC unit's performance. A SOC is not a magical unit that can protect an entire organization on its own. The main steps to consider before building Next-Gen SecOps are:

1.  Network Assessment

When building an MSSP SOC, it is important to assess how much visibility into the customer's network is appropriate. A SOC's effectiveness in detecting threats depends directly on the visibility it has into the network. More visibility, however, leads to alert exhaustion if the SIEM rules are not configured properly. The number of devices feeding alerts into the SIEM plays an important role in how extensive the SOC's visibility is. Critical alerts from firewalls, NIDS, and HIPS alone are not enough for a SOC to perform correlation and proactive defense. In addition to the volume of events received, SOC units benefit from access to network topology maps that describe how the different devices are connected. [1]
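The alert-exhaustion point above, shown as an added example rather than anything from the article: the same constructed sshd log is run through a naive rule that alerts on every failed login, and through a correlation rule that requires a threshold of failures inside a sliding window, suppresses repeats from the same source, and escalates when a successful login follows. The log lines, the threshold, the window, and the year supplied to the syslog timestamps are assumptions made for the example.

```python
"""Added example (not from the article): the same auth log run through a naive
per-event rule and through a correlation rule with a threshold, a sliding
window and suppression, to show where alert exhaustion comes from.
The log lines are constructed sample data."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

SAMPLE_LOG = """\
Jun  1 10:00:01 web-01 sshd[1212]: Failed password for root from 203.0.113.9 port 5001 ssh2
Jun  1 10:00:18 web-01 sshd[1213]: Failed password for root from 203.0.113.9 port 5002 ssh2
Jun  1 10:00:35 web-01 sshd[1214]: Failed password for invalid user admin from 203.0.113.9 port 5003 ssh2
Jun  1 10:00:52 web-01 sshd[1215]: Failed password for admin from 203.0.113.9 port 5004 ssh2
Jun  1 10:01:10 web-01 sshd[1216]: Failed password for deploy from 203.0.113.9 port 5005 ssh2
Jun  1 10:01:28 web-01 sshd[1217]: Failed password for deploy from 203.0.113.9 port 5006 ssh2
Jun  1 10:01:40 web-01 sshd[1219]: Accepted password for deploy from 203.0.113.9 port 5007 ssh2
Jun  1 10:30:00 web-01 sshd[1300]: Failed password for alice from 10.1.5.22 port 40002 ssh2
Jun  1 10:30:09 web-01 sshd[1301]: Accepted password for alice from 10.1.5.22 port 40003 ssh2
Jun  1 10:31:00 web-01 sshd[1302]: Disconnected from 10.1.5.22 port 40003
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)"
)


def parse_log(text: str, year: int = 2020):
    """Parse sshd auth outcomes; syslog carries no year, so one is supplied (assumption)."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an auth outcome we model (e.g. "Disconnected from ...")
        ts = datetime.strptime(f"{year} {' '.join(m['ts'].split())}", "%Y %b %d %H:%M:%S")
        events.append({"ts": ts, "host": m["host"], "outcome": m["outcome"],
                       "user": m["user"], "src": m["src"]})
    return events


def naive_rule(events):
    """One alert per failed login: a single mistyped password pages the analyst."""
    return [f"failed login for {e['user']} from {e['src']}" for e in events if e["outcome"] == "Failed"]


def correlated_rule(events, threshold=5, window=timedelta(minutes=5)):
    """Alert once per source when >= threshold failures land inside the window;
    escalate if the same source then logs in successfully within the window."""
    recent = defaultdict(deque)   # src -> timestamps of failures still inside the window
    last_alert = {}               # src -> time of the last threshold alert (for suppression)
    alerts = []
    for e in sorted(events, key=lambda e: e["ts"]):
        src, q = e["src"], recent[e["src"]]
        if e["outcome"] == "Failed":
            q.append(e["ts"])
            while q and e["ts"] - q[0] > window:
                q.popleft()
            already = src in last_alert and e["ts"] - last_alert[src] <= window
            if len(q) >= threshold and not already:
                last_alert[src] = e["ts"]
                alerts.append({"severity": "medium", "src": src, "host": e["host"], "failures": len(q)})
        elif src in last_alert and e["ts"] - last_alert[src] <= window:
            alerts.append({"severity": "high", "src": src, "host": e["host"], "user": e["user"]})
    return alerts


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print(f"naive rule: {len(naive_rule(evs))} alerts")
    for a in correlated_rule(evs):
        print("correlated:", a)
```

On this log the naive rule raises seven alerts, including one for a user who mistyped a password once; the correlated rule raises two: a medium-severity alert when the fifth failure from 203.0.113.9 lands inside the window, and a high-severity alert when that source then authenticates successfully. The sixth failure is suppressed rather than producing a duplicate.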

When building a security operations center, the organization should already have a mature security policy that it is executing. A SOC can only complement the security program, not replace it. If the overall security posture is insufficient, a SOC may not be able to improve it significantly. SOC units depend on the existing technologies to block routine threats and to provide the data for further analysis. The organization should have both network and host security systems in place: the network defense typically consists of firewalls and NIPS/NIDS devices deployed on all network segments, and the endpoints should be protected with AV and HIDS/HIPS software. The logs should be collected from all of these devices and forwarded to the SIEM. In addition, the host operating systems' security and audit logs should be collected and analyzed, as they contain important data. However, this is only the bare minimum that a SOC unit needs to perform its operations.

2.  Asset and Vulnerability Management

To act proactively, a SOC should be aware of the organization's assets. Beyond the inventory itself, a SOC should track asset attributes such as the software versions used on a web server. Having this information helps to identify threats proactively as new vulnerabilities are disclosed. A great part of information security is keeping devices and software up to date. Updates are extremely important because adversaries exploit known vulnerabilities to achieve their goal, whether that is access to sensitive information or access to the target organization's internal systems.

However, installing an update on a business-critical service can be a complicated process, and sometimes new updates are incompatible with other components. When SOC analysts know which vulnerabilities are present and still unpatched, they can look for the IoCs linked to those vulnerabilities in the meantime. [7]

Assets have multiple properties in information security. An asset has technical properties such as a software version, an IP address and a MAC address. However, an asset also has a certain value for the organization. This value can be the financial benefit created by the asset. On the other hand, the asset's value might not be financially significant, yet the asset is necessary for the organization's day-to-day operations. Both properties should be assessed in asset and vulnerability management. Severe vulnerabilities that are easy to exploit in critical assets must be fixed immediately, whereas minor vulnerabilities in internal systems may not need as fast attention. [8]
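An added example (not from the article) of combining the two asset properties above with the scanner's vulnerability data to decide remediation order. The weights for exploitability and exposure and the SLA bands are assumptions chosen for illustration; the asset names and finding labels are constructed, not real advisory identifiers.

```python
"""Added example (not from the article): ranking findings by combining the
technical severity of a vulnerability with the business value and exposure of
the asset it sits on. Assets, findings, weights and SLA bands are constructed
illustrations, not a standard."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    business_value: int      # 1 (nice to have) .. 5 (critical to operations), set by the owner
    internet_facing: bool


@dataclass(frozen=True)
class Finding:
    finding_id: str          # constructed label, not a real advisory id
    asset: Asset
    cvss: float              # CVSS base score 0.0-10.0 as reported by the scanner
    exploit_available: bool  # public exploit code or known in-the-wild exploitation


def risk_score(f: Finding) -> float:
    """severity x ease of exploitation x exposure x business value (assumed weights)."""
    exploitability = 1.0 if f.exploit_available else 0.5
    exposure = 1.0 if f.asset.internet_facing else 0.6
    return round(f.cvss * exploitability * exposure * f.asset.business_value, 1)


def remediation_sla(score: float) -> str:
    """Assumed SLA bands; a real program ties these to its own risk appetite."""
    if score >= 25:
        return "immediate"
    if score >= 10:
        return "7 days"
    if score >= 4:
        return "30 days"
    return "next maintenance window"


def triage(findings):
    """Return (score, sla, finding_id) tuples, highest risk first."""
    ranked = [(risk_score(f), remediation_sla(risk_score(f)), f.finding_id) for f in findings]
    return sorted(ranked, key=lambda t: -t[0])


# Constructed inventory and scanner output.
WEB = Asset("web-01", business_value=5, internet_facing=True)
DC = Asset("dc-01", business_value=5, internet_facing=False)
LAB = Asset("lab-vm-03", business_value=2, internet_facing=True)
KIOSK = Asset("kiosk-07", business_value=1, internet_facing=False)

FINDINGS = [
    Finding("F-001", WEB, cvss=9.8, exploit_available=True),    # critical, exposed, public exploit
    Finding("F-002", DC, cvss=9.8, exploit_available=False),   # same CVSS, internal, no exploit yet
    Finding("F-003", LAB, cvss=7.5, exploit_available=True),
    Finding("F-004", KIOSK, cvss=5.3, exploit_available=False),
]

if __name__ == "__main__":
    for score, sla, fid in triage(FINDINGS):
        print(f"{fid}: score={score:5.1f} sla={sla}")
```

The point of the ranking is that two findings with an identical CVSS score end up in different SLA bands: the exposed, exploitable one on the critical web server is immediate, while the same vulnerability on the internal domain controller, with no public exploit yet, still matters but gets a seven-day window, and the kiosk's medium-severity issue waits for the next maintenance window.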

3.  Utilizing Technologies and Tools

The amount of available data is forcing SOC units to make use of computer-based analysis tools. User and Entity Behavior Analytics (UEBA) systems use machine learning algorithms and statistical analysis to find abnormalities in actions performed by humans. UEBA systems can detect, for example, insider threats and user accounts controlled by attackers. [9] Whereas a SIEM system looks for anomalies in the network, a UEBA system analyzes human behavior to detect deviations from a baseline. Products that combine the two exist: Rapid7's InsightIDR is a SIEM that is also capable of analyzing user and entity behavior. Combining SIEM and UEBA systems can be helpful because it centralizes management. [10]
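An added example (not from the article, and not Rapid7's product) of the per-user baselining a UEBA engine performs, using a robust median/MAD statistic rather than a trained model so that it runs stand-alone. The session history, the new sessions, the one-hour tolerance around usual login hours, and the z-score threshold are all constructed or assumed for the example.

```python
"""Added example (not from the article): a small UEBA-style baseline for one
user built from historical file-server sessions, then scored against new
sessions with a robust (median/MAD) statistic. All history and events are
constructed sample data; the thresholds are assumptions."""
import statistics
from datetime import datetime, timedelta

_MB = 1_000_000
# Constructed history: 15 weekday sessions for "alice", always 08:xx, 50-58 MB out, one host.
_HISTORY_MB = [50, 51, 52, 53, 54, 57, 58, 50, 51, 52, 55, 56, 57, 58, 50]


def build_history():
    sessions, day = [], datetime(2020, 6, 1, 8, 0)   # 1 June 2020 is a Monday
    for i, mb in enumerate(_HISTORY_MB):
        while day.weekday() >= 5:                     # skip weekends
            day += timedelta(days=1)
        sessions.append({"user": "alice", "ts": day + timedelta(minutes=(i * 7) % 50),
                         "bytes_out": mb * _MB, "host": "fs-01"})
        day += timedelta(days=1)
    return sessions


def build_baseline(sessions):
    """Per-user profile: usual login hours, usual hosts, median and MAD of bytes_out."""
    volumes = [s["bytes_out"] for s in sessions]
    med = statistics.median(volumes)
    mad = statistics.median(abs(v - med) for v in volumes)
    return {"hours": {s["ts"].hour for s in sessions},
            "hosts": {s["host"] for s in sessions},
            "median": med, "mad": mad}


def robust_z(x, med, mad):
    """Modified z-score: a few outliers in the history barely move it, unlike mean/stdev."""
    if mad == 0:
        return 0.0 if x == med else float("inf")
    return 0.6745 * (x - med) / mad


def score_session(session, baseline, z_threshold=3.5):
    """Return the reasons a session deviates from the user's baseline ([] means normal).
    Only excess volume is flagged, since the concern here is bulk data leaving."""
    reasons = []
    usual_hours = {h for base in baseline["hours"] for h in (base - 1, base, base + 1)}
    if session["ts"].hour not in usual_hours:
        reasons.append("unusual hour")
    if robust_z(session["bytes_out"], baseline["median"], baseline["mad"]) > z_threshold:
        reasons.append("unusual volume")
    if session["host"] not in baseline["hosts"]:
        reasons.append("new host")
    return reasons


BASELINE = build_baseline(build_history())

# Constructed new sessions: a normal morning, and a night-time bulk pull from a server never used before.
NORMAL = {"user": "alice", "ts": datetime(2020, 6, 22, 8, 30), "bytes_out": 52 * _MB, "host": "fs-01"}
SUSPECT = {"user": "alice", "ts": datetime(2020, 6, 23, 2, 15), "bytes_out": 800 * _MB, "host": "hr-db-01"}

if __name__ == "__main__":
    print("normal :", score_session(NORMAL, BASELINE))
    print("suspect:", score_session(SUSPECT, BASELINE))
```

The median of the history is 53 MB with a MAD of 3 MB, so an ordinary 52 MB morning session scores close to zero while an 800 MB transfer at 02:15 from a host the user has never touched is flagged on all three dimensions. The MAD guard matters in practice: a user whose history is perfectly uniform would otherwise divide by zero.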

As the volume of data increases, the SIEM systems must be able to ingest and process large amounts of it. Such volumes are usually called big data. Many big data analytics implementations use distributed computing frameworks such as Apache Hadoop. Hadoop distributes the computing tasks across multiple machines simultaneously, making the calculations notably faster than on a single machine. While the amount of data keeps increasing, searching the security events must still be fast. [8]

4.  Processes

SOC processes should be agile and constantly evolve with the current threats. Processes should be streamlined so that the SOC can handle incidents within a short amount of time. AlienVault suggests dividing the processes into four stages – event classification & triage, prioritization & analysis, remediation & recovery, and assessment & audit.

Self-assessment is not enough on its own. To truly test a SOC unit's capabilities, the organization should consider hiring a red team. A red team is a group of people authorized to simulate a full-fledged cyberattack. A red team assessment is like a penetration test but more extensive, and it is not limited to a predefined set of attack vectors. Thorough testing helps to mature a SOC unit. For example, defending an organization from an APT can be extremely difficult if the organization has never been targeted by an APT before.

A SOC should build playbooks, as they guide the SOC analysts to perform the right actions from the moment of detection. A playbook consists of the steps and resolutions for a certain kind of alert. Playbooks reduce the SOC unit's response time, as analysts use them as a guide.

A SOC unit should have clear processes for escalation as well as for disaster-like situations, where, for example, a zero-day malware spreads widely inside the organization's network.

5.  People

While many tools help SOC units react more quickly and achieve better visibility, people are still the most important part of a SOC. Automating repetitive tasks does not reduce the importance of human analysts; AI and human analysts support and complement each other. However, finding talented employees for a SOC can be difficult. Lower-tier analysts' tasks can be quite repetitive, which may lead to a high turnover rate among them if they feel that they cannot advance in their careers.

A skilled SOC analyst must have broad theoretical and practical knowledge of general IT infrastructure, including networking and security devices and protocols, servers, and common operating systems such as Microsoft Windows and Linux. The analysts should also have knowledge of SIEM and log management systems, but this can be trained. It is an advantage if a SOC analyst knows the adversaries' Tactics, Techniques and Procedures (TTPs); these skills can be learned from penetration testing and red teaming.


Reactive cyber defense is not sufficient anymore because the threats have become more sophisticated and can escalate into large-scale breaches in a short amount of time. This has forced SOC units to become more agile and proactive. At the same time, the SOC units are struggling with overwhelming amounts of data and unmanageable workloads. The transition from reactive to proactive defense requires changes in a SOC unit's technologies and processes.

SOC units must utilize new technologies such as machine learning and artificial intelligence to minimize the number of recurring events that must be analyzed manually. Some reactive defenses can be automated, but the organization should be aware of the risks, such as an automated block triggered by a false positive disrupting legitimate operations. To become more proactive, SOC units collect and analyze cyber threat intelligence to be aware of the current threat landscape. The intelligence is analyzed using computer-aided analytics engines that distribute the analyzed information to different destinations. A Next-Gen SecOps is agile and can adapt quickly to changes.


[1] C. Zimmerman, "Ten Strategies of a World-Class Cybersecurity Operations Center," MITRE Corporation, 2014.

[2] M. Bromiley, "The Show Must Go On! The 2017 SANS Incident Response Survey," SANS, 17 July 2018. [Online]. Available: https://www.sans.org/reading-room/whitepapers/incident/show-on-2017-incident-response-survey-37815. [Accessed 24 June 2020].

[3] D. Bonilla, "Implementing ArcSight Common Event Format," in Micro Focus Security ArcSight Common Event Format, Rome, 2017.

[4] Micro Focus, "ArcSight Enterprise Security Manager," 18 April 2018. [Online]. Available: https://www.microfocus.com/media/flyer/arcsight_enterprise_security_manager_ds.pdf. [Accessed 21 June 2020].

[5] P. Pathak, "5 Reasons AI is the Pillar of the Next-Gen SOC," 20 September 2018. [Online]. Available: https://securityintelligence.com/events/5-reasons-ai-is-the-pillar-of-the-next-gen-soc/. [Accessed 27 June 2020].

[6] IBM, "IBM X-Force Exchange," 1 November 2018. [Online]. Available: https://exchange.xforce.ibmcloud.com/faq#what_is_xfe. [Accessed 21 June 2020].

[7] C. Kim, "How SIEM Correlation Rules Work," AlienVault, 20 February 2018. [Online]. Available: https://www.alienvault.com/blogs/security-essentials/how-siem-correlation-rules-work. [Accessed 21 June 2020].

[8] Rapid7 LLC, "SOC Series: How to Make a Security Operations Center More Efficient," 25 July 2018. [Online]. Available: https://blog.rapid7.com/2016/12/06/how-to-make-your-security-operations-center-more-efficient/. [Accessed 21 July 2020].

[9] T. Bussa, "Market Guide for User and Entity Behavior Analytics," Gartner, 8 December 2016. [Online]. Available: https://www.gartner.com/doc/reprints?id=1-3NLF0R6&ct=161209&st=sb. [Accessed 21 June 2020].

[10] Rapid7 LLC, "InsightIDR – Detect stealthy behavior behind breaches. Get up and running in no time," 3 November 2018. [Online]. Available: https://www.rapid7.com/products/insightidr/. [Accessed 21 June 2020].