Accelerate your SOC’s ability to respond to threats



Evaluate the core challenges SOCs face

Frameworks in strategy, governance, operations and technology need updating.

As adversaries evolve to strike targets more creatively, your Security Operations Center (SOC) needs to be structured differently than in the past. Today’s SOC must be aligned to the business so that it specifically mitigates and reduces cyber risk. Your SOC team also needs to become more agile and operationally efficient in detecting and responding to threats.

Powering the new ways of working with SOCs are the basic concepts of Fusion, Agile, DevOps, artificial intelligence, machine learning and automation. These advanced tools can empower your Cyber Rapid Reaction Teams to reach much better outcomes faster.

At the same time, if you haven’t captured meaningful metrics and indicators of efficiency and effectiveness to measure these outcomes, your SOC’s successes and failures can’t be measured properly, and you lack the data needed to improve whatever was inefficient, ineffective or suboptimal.

Your SOC needs to be flexible, adaptable and optimized to detect new and emerging threat vectors. If not, the consequences can be costly. At the same time, your SOC can’t just react to threats. Consider this situation:

In 2020 at least four major security firms were breached by attackers.1 One of those intrusions, delivered through a compromised SolarWinds software update (a software supply chain attack), was particularly damaging. The data within the affected networks, user IDs, passwords, financial records, source code, you name it, can now be presumed to be in the hands of Russian intelligence agents.

In most of these breaches, the response took a long time. The risk exposure was therefore sustained and caused more damage than it would have if analysis and response had been faster and more agile.


Number of government and private networks infiltrated by the SolarWinds hack2

Given these circumstances, SOCs need to make a paradigm shift guided by a focus on efficiency, specifically speed and agility, and effectiveness, with a particular concentration on risk reduction.

Your SOC needs to be aligned with your business across the supply chain. To achieve this goal, your strategy and governance need to be risk-focused and aligned to your enterprise risk. Risk quantification should drive your planning and investments.


Likewise, multidimensional risk and efficiency indicators should drive continuous improvement efforts and showcase risk reduction and operational performance.

SOCs also need more collaboration, built on the basic concepts of the adaptive integrated operations strategy: Fusion and Agile. A Fusion-enabled SOC has the following characteristics:

  • A fusion center should include dedicated specialists, rotational involvement and capacity management as part of its governance.
  • Core Fusion elements for effective cyberdetection, response and recovery involve your IT, network and DevOps specialists.
  • Fusion provides risk management within industry-specific operations that are susceptible to various threats.
  • Business risk functions such as consumer fraud and anti-money laundering are integrated within the fusion center.
  • Fused competencies within the SOC with fully integrated command chains ensure unified vision, mission and resource dedication to your risk reduction efforts.

An Agile SOC has the following characteristics:

  • Promotes adaptive planning, evolutionary development of operational run books, on-demand formation of analysis and response teams and a relentless focus on rapidly removing obstacles to agility.
  • Leverages Agile principles and methodologies, speeding up analysis and response time, thereby substantially reducing duration of risk exposure, such as dwell time, compared to traditional “process-based” siloed methods which take much longer.

Evolve your SOC’s threat intelligence function from just collecting or disseminating feeds and threat bulletins. You want a cross-functional operation performing collection, enrichment, threat hunting and dissemination of threat and business risk intelligence activities across your enterprise’s IT, security and business risk functions.

Use omni source threat intelligence to infuse and inform detection, protection and recovery processes with full lifecycle intelligence capability encompassing cyber and business threat intelligence.

Omni source threat intelligence provides cybersecurity defenders with up-to-date and accurate threat intelligence. It’s more thorough than traditional threat intelligence, which doesn’t drive strategies for detection, protection or both.

Omni source threat intelligence is comprised of numerous sources including human, cyber, social, geographic, business, threat actors, threat vectors, deep web, dark web and Open Source Intelligence (OSINT).

SOC staff can only protect an environment against what they recognize. An omni source intelligence gathering strategy should be supplemented by appropriate technologies that can perform the following tasks:

  • Centralize the raw intelligence
  • Provide a work bench for intelligence analysts to enrich the intelligence, remove redundancies and add context
  • Disseminate enriched intelligence, marked with the appropriate Traffic Light Protocol (TLP) designators, to the critical functions in the organization to inform protection, detection, response and recovery measures
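As an added illustration (not code from the original page), the following Python shows the three tasks above in miniature: it centralizes indicator records from several constructed feeds, deduplicates and enriches them (normalizing values, merging sightings, keeping the most restrictive TLP marking and combining independent confidence estimates), and then routes each record only to the internal functions permitted to receive it at its TLP level. Feed names, consumer functions, the routing policy and every indicator value are hypothetical.

```python
"""Minimal omni-source threat intelligence workbench (added example, not from
the original page). Feeds, consumers and indicator values are constructed."""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed raw feed output: (type, value, TLP marking, confidence, sighting date).
# Real feeds would be parsed from STIX bundles, CSV drops, e-mail bulletins, etc.
RAW_FEEDS = {
    "isac_share":   [("ip", "203.0.113.7", "TLP:AMBER", 0.7, "2024-03-01"),
                     ("domain", "login-update.example", "TLP:GREEN", 0.6, "2024-03-02")],
    "vendor_feed":  [("ip", "203.0.113.7", "TLP:GREEN", 0.8, "2024-02-20"),
                     ("sha256", "E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855",
                      "TLP:CLEAR", 0.9, "2024-03-03")],
    "dark_web_mon": [("domain", "LOGIN-UPDATE.EXAMPLE.", "TLP:RED", 0.5, "2024-03-04")],
}

TLP_RANK = {"TLP:CLEAR": 0, "TLP:GREEN": 1, "TLP:AMBER": 2, "TLP:AMBER+STRICT": 3, "TLP:RED": 4}

# Hypothetical dissemination policy: which internal functions may receive each TLP level.
CONSUMERS = {
    "TLP:CLEAR": {"soc_detection", "vuln_mgmt", "fraud_team", "partner_portal"},
    "TLP:GREEN": {"soc_detection", "vuln_mgmt", "fraud_team"},
    "TLP:AMBER": {"soc_detection", "vuln_mgmt"},
    "TLP:AMBER+STRICT": {"soc_detection"},
    "TLP:RED": {"fusion_lead"},
}

@dataclass
class Indicator:
    ioc_type: str
    value: str
    tlp: str
    confidence: float
    first_seen: str
    last_seen: str
    sources: set = field(default_factory=set)

def normalize(ioc_type, value):
    """Canonical form so the same IOC reported by two feeds collapses into one record."""
    value = value.strip()
    if ioc_type == "domain":
        value = value.lower().rstrip(".")
    elif ioc_type == "sha256":
        value = value.lower()
    return (ioc_type, value)

def centralize_and_enrich(feeds):
    """Merge all feeds into one record per IOC: the most restrictive TLP marking is
    kept (an analyst may downgrade later, the pipeline never does), confidence rises
    with independent corroboration, and the sighting window is widened."""
    merged = {}
    for feed, rows in feeds.items():
        for ioc_type, value, tlp, conf, seen in rows:
            key = normalize(ioc_type, value)
            rec = merged.get(key)
            if rec is None:
                merged[key] = Indicator(key[0], key[1], tlp, conf, seen, seen, {feed})
                continue
            rec.sources.add(feed)
            if TLP_RANK[tlp] > TLP_RANK[rec.tlp]:
                rec.tlp = tlp
            rec.first_seen = min(rec.first_seen, seen)   # ISO dates sort lexicographically
            rec.last_seen = max(rec.last_seen, seen)
            # Treat sources as independent: P(bad) = 1 - prod(1 - c_i)
            rec.confidence = 1 - (1 - rec.confidence) * (1 - conf)
    return merged

def disseminate(merged):
    """Route each enriched record to every consumer allowed at its TLP level."""
    outbox = defaultdict(list)
    for rec in merged.values():
        for consumer in CONSUMERS[rec.tlp]:
            outbox[consumer].append(rec)
    return outbox

if __name__ == "__main__":
    for consumer, recs in disseminate(centralize_and_enrich(RAW_FEEDS)).items():
        print(consumer, [(r.ioc_type, r.value, r.tlp, round(r.confidence, 2)) for r in recs])
```

The enrichment step is where a human workbench adds the most value: the code only merges what feeds assert, while an analyst decides whether a TLP:RED sighting from dark web monitoring should really keep the TLP:GREEN ISAC record away from the fraud team or whether that marking can be relaxed.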


Adaptive SOCs have agility, which means the ability to rapidly perform security activities as one of its cornerstones. Integrated SOCs fuse critical IT, business and risk teams and processes for maximum collaboration and sharing. An Adaptive Integrated SOC combines these principles to gain razor sharp focus on achieving quick results by proactively collaborating across critical constituencies without being slowed down by inefficient process-based approaches.

The new operating model redefines the following elements:

  • How your talent is assigned
  • How those team members converge and work a problem
  • What resources are available
  • What authority the team members have to act in an adverse event

This new model promotes empowered actions, organic skill development, motivation, cross training and Agile operational enhancements. These changes can result in improved outcomes, retention and surge capability leveraging cross-trained resources.

The Fusion service catalog offers more open communication and collaboration for your team members as well, with such features as catalog management, service requests and service fulfillment. There are mission-enabling services available to Fusion Center constituents from every operations function, such as watchlist addition and custom and compliance reports. Its adaptive integrated model makes it possible to overcome gaps in contextual data sources faster than traditional techniques.

DevOps, the process that expedites application development efficiencies and software release management, and DevSecOps, the process of integrating security practices within the DevOps process, may already be used in your organization.

The principles of Continuous Integration and Continuous Delivery (CI/CD) in DevOps tool chains, and the security testing tools integrated into DevSecOps models, deliver quicker, more reliable and more secure code to production environments. They have inspired SOCs to move cyber response integrations deeper into the IT tool chains. Technologies such as Security Orchestration, Automation and Response (SOAR) have been at the forefront of driving these efficiencies in cyber operations.


Operations teams often redundantly deploy and underutilize existing enterprise IT and corporate security technologies. As a result, core technology is straining to handle data ingestion and correlation. To address this situation, take the following steps:

  • Develop a security technology roadmap linked to maturity that aligns with enterprise strategy to leverage advanced technology
  • Leverage existing initiatives for enterprise data aggregation to serve cross-functional needs

The adaptive integration operations concept discussed previously requires SOCs to consider evolving technologies based on open platforms. These technologies can connect across an ecosystem of security and IT technologies to provide single pane of glass visibility and use federated searches to discover and hunt for threats in a multicloud hybrid IT environment. Concurrently, existing tools may need to be configured differently to allow the on-demand, collaborative approach required for adaptive integration to work.

By extending or reconfiguring existing ticketing tools, you can have one parent security ticket with response sub-tasks for cross-functional fusion team members. This change removes the practice of working tickets against the separate Service Level Agreements (SLAs) defined for each corporate function.

Also, use an emerging class of technologies and tools, such as data security platforms, that combine and analyze data from sources spread across technologies in place. That way analysis can run across those sources without copying everything into a single repository and multiplying redundant data.

These recommendations share a common goal of improving efficiency and effectiveness of your SOC in the evolving world of security.

2 Steven J. Vaughan-Nichols, SolarWinds: The more we learn, the worse it looks, ZDNet, 4 January 2021.



Learn other emerging considerations for SOCs

Keep these elements in mind when modernizing your SOC to optimize performance.

These additional factors associated with strategy and governance, operations and technology complicate and limit what benefits earlier SOCs can provide for users.

As organizations continue to expand into these areas, an increasing number of threats are appearing. Operational Technology (OT) infrastructure includes systems that focus on physical devices related to Industrial Control Systems (ICS), the technologies that drive equipment in manufacturing processes such as automobile production. Manufacturing and oil and gas firms, among others, deal heavily with OT environments, where safety and reliability are paramount. OT systems include industrial components and critical infrastructure such as equipment at refineries and power plants.

OT is widespread but faces a number of security challenges. While some perceive it as safe, many traditional security tools don’t work in a traditional OT environment. Visibility into OT networks can be limited, and OT can run on antiquated protocols and software. These conditions all encourage attackers to target OT environments and exploit their vulnerabilities.

SOC teams who account for these systems and add them to enterprise monitoring programs ensure better protection for these unique components. The same applies to Internet of Things (IoT) devices such as wireless inventory trackers, streetlights, civil sirens and biometric security scanners.

41 billion

Estimated number of IoT devices in operation by 20273

These systems and more create new opportunities for attackers to leapfrog from these components to more critical systems in the environment. Defenders who inventory, track, monitor and update these devices just as if they were standard corporate endpoints stay ahead of the attackers.

Infusion of artificial intelligence (AI) and machine learning (ML) can increase the efficiency and effectiveness initiatives for SOCs. The following activities are examples of this process:

  • Auto closing noise tickets
  • Auto escalating of alerts to relevant teams
  • Prioritizing analyst workload

Using statistical techniques, algorithms, AI and ML, teams can take advantage of security analytics to identify and remediate threats. Security analytics components are applied with real-time or historical data or both to detect anomalous behavior, discover novel insights and automate threat detection.

These capabilities, brought forth through analysis, optimize productivity while reducing costs. Analytics are mostly applied to big data: high-volume, high-velocity data of varying veracity, where traditional correlation methods are inadequate. Adopting these processes frees L1 analysts to do more “knowledge work” instead.
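The three automation activities listed above (auto-closing noise, auto-escalating, prioritizing the queue) and the statistical anomaly detection described in this passage fit together in one small triage loop. The following Python is an added example, not code from the original page: it auto-closes alerts matching confirmed-benign patterns, scores the rest by severity, asset tier and how far today’s count deviates from a per-rule historical baseline (a z-score), escalates high scores to the owning team, and returns the ordered queue for the L1 analysts. Alerts, baselines, asset tiers, noise rules and team names are all constructed, hypothetical data.

```python
"""Rule-plus-statistics alert triage (added example, not from the original page).
All alerts, baselines, asset tiers, noise rules and team names are constructed."""
import statistics

# Constructed sample: last seven days of daily counts per alert rule (the baseline).
BASELINE = {
    "failed_logon": [12, 15, 11, 14, 13, 12, 16],
    "outbound_dns": [300, 320, 310, 290, 305, 315, 298],
}

# Hypothetical asset criticality and alert routing tables.
ASSET_TIER = {"dc01": "crown_jewel", "fin-db02": "crown_jewel", "wks-0417": "standard", "lab-vm9": "lab"}
TIER_WEIGHT = {"crown_jewel": 3.0, "standard": 1.0, "lab": 0.3}
ROUTE = {"failed_logon": "identity_team", "outbound_dns": "network_team", "edr_detection": "soc_l2"}

# Known-benign patterns confirmed by past investigations (hypothetical). Keep these
# narrow: an over-broad noise rule silently blinds the SOC.
NOISE_RULES = [
    lambda a: a["rule"] == "failed_logon" and a.get("user", "").startswith("svc_scan"),
    lambda a: a["host"].startswith("lab-") and a["rule"] == "outbound_dns",
]

# Constructed alerts for one shift.
SAMPLE_ALERTS = [
    {"id": "A1", "rule": "failed_logon", "host": "dc01", "user": "svc_scan01", "count": 14, "severity": 3},
    {"id": "A2", "rule": "failed_logon", "host": "dc01", "user": "jdoe", "count": 40, "severity": 3},
    {"id": "A3", "rule": "outbound_dns", "host": "lab-vm9", "count": 5000, "severity": 2},
    {"id": "A4", "rule": "outbound_dns", "host": "wks-0417", "count": 305, "severity": 2},
    {"id": "A5", "rule": "edr_detection", "host": "fin-db02", "count": 1, "severity": 5},
    {"id": "A6", "rule": "edr_detection", "host": "wks-0417", "count": 1, "severity": 4},
]

def zscore(rule, count):
    """Standard deviations between today's count and the rule's historical baseline.
    Rules without enough history get 0 so they are ranked on severity and asset alone."""
    hist = BASELINE.get(rule)
    if not hist or len(hist) < 2:
        return 0.0
    sd = statistics.pstdev(hist) or 1.0   # flat baseline: avoid division by zero
    return (count - statistics.mean(hist)) / sd

def triage(alert):
    """Return (disposition, score, owner); disposition is auto_closed, escalated or queued."""
    if any(rule(alert) for rule in NOISE_RULES):
        return ("auto_closed", 0.0, None)
    weight = TIER_WEIGHT[ASSET_TIER.get(alert["host"], "standard")]
    anomaly = max(zscore(alert["rule"], alert["count"]), 0.0)   # only excess volume is suspicious
    score = alert["severity"] * weight * (1 + anomaly)
    owner = ROUTE.get(alert["rule"], "soc_l1")
    if score >= 20 or (weight == TIER_WEIGHT["crown_jewel"] and anomaly >= 3):
        return ("escalated", score, owner)
    return ("queued", score, owner)

def prioritize(alerts):
    """Triage every alert; return all dispositions plus the analyst queue ordered by score."""
    results = [(a["id"], *triage(a)) for a in alerts]
    queue = sorted((r for r in results if r[1] == "queued"), key=lambda r: -r[2])
    return results, [r[0] for r in queue]

if __name__ == "__main__":
    results, queue = prioritize(SAMPLE_ALERTS)
    for alert_id, disposition, score, owner in results:
        print(f"{alert_id}: {disposition:<11} score={score:6.1f} owner={owner}")
    print("analyst queue:", queue)
```

With the constructed data, the service-account failures on dc01 and the lab host’s DNS burst close automatically, the 40 failed logons for a real user on a domain controller are roughly sixteen standard deviations above baseline and escalate straight to the identity team, and the remaining alerts are queued with the crown-jewel database first. The baseline should be per host or per user in production, not just per rule, or a single noisy host will inflate the deviation for everyone.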

The presence of data lakes virtually everywhere, both on premises and in the cloud, has led some SOC leaders to think Security Information and Event Management (SIEM) solutions are unnecessary; they rely on data lakes and their own architecture for security use as well. This approach can adversely affect their technical plumbing and their ability to write use cases. Generally, it’s recommended to have a SIEM plus a threat hunting capability that works over the data lake.


A variety of strategies exists among established SOCs as their teams try to scale with these environments. There’s a lack of investment in technologies to secure these strategies even as more organizations implement multicloud, hybrid cloud and container usage.


Regulatory requirements are increasing through new rules and modifications to existing regulations worldwide. Two major privacy regulations are the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA).

The GDPR lays down rules relating to the protection of natural persons with regard to the processing of personal data and rules relating to the free movement of personal data in the European Union. The CCPA gives California consumers rights over the personal information that businesses collect about them, including the right to have it deleted, and requires a company that does business in California and collects such information to disclose those rights.

The GDPR and CCPA have major impacts on data security and privacy, two areas that SOCs have requirements to monitor. SOC teams who understand how to comply with the terms of the GDPR and CCPA can help their enterprises avoid costly fines for violating these regulations.

By addressing all these elements, you can tie them together into a more strategic elevation of the SOC mission, including:

  • Visibility
  • Connection with all parts of the business
  • Expected outcomes



Know essential elements of a next-generation SOC

Several upgrades should occur for a SOC to adapt to the evolving security landscape.

To optimize the capabilities of your SOC and handle emerging security concerns, you need to have the following features in place.

Risk aligned
By shifting the focus of your SOC from threats to risks, you provide your stakeholders with visibility into the effectiveness and efficiency of operations. The benefit is an approach that is more strategic rather than tactical and provides visibility to management in terms they can understand — specifically risk — and support.
Fusion integration
Fused competencies within the SOC with fully integrated command chains ensure unified vision, mission and resource dedication. The benefit is faster risk reduction due to improved collaboration.
Intelligence driven
Proactively collect, enrich and disseminate intelligence from cyber, technology and business domains to reduce risk and drive risk response tactics. The benefit is alignment of cyberefforts to risk and threat landscape.
External facing services
Improve cross functional partnerships, provide services to the extended enterprise and consume services from the enterprise to build capabilities. The benefit is improved cross-functional adoption of enterprise and security technologies and services.
Advanced enabling technologies
Leveraging advanced technologies such as Security Orchestration, Automation and Response (SOAR) can improve the efficiency and effectiveness of your SOC. The benefit is proactive, improved maturity and faster risk reduction.
Intelligence driven
Prevent blind spots in visibility by aggregating data from across the enterprise through technologies such as data lakes and use data science to derive insights that reduce risk. The benefit is enhanced insights.
KPI program
Improve risk visibility through multidimensional Key Performance Indicators (KPIs) and Key Risk Indicators (KRIs) that drive improved governance. A KRI reports, for example, how many vulnerabilities exist on your high-risk servers and qualifies their potential impact on your enterprise. These metrics can resonate with your executive board members. The benefit is continuous improvement of cyber risk reduction efforts.

Combining these approaches with a Cyber Rapid Reaction Team can amplify the performance of your SOC drastically.



Form a Cyber Rapid Reaction Team for adverse events

Setting up SOCs for quick collaboration to handle risk intelligence is a key differentiator.

A Cyber Rapid Reaction Team is an interdisciplinary force of key fusion members from core enterprise operations teams that is constituted on demand to converge on high-impact cyberevents. Led by your cyber responder, your Cyber Rapid Reaction Team members should include individuals from business, corporate, IT and security areas with the knowledge base and authority or empowerment in their respective areas to jump-start investigations and speed up response, including:

  • Legal
  • Human resources
  • Marketing
  • Executive suite

This cross-functional approach has defenders from across the enterprise gather on short notice and work in tandem to respond to and recover from an attack. Because Cyber Rapid Reaction Team members agree in advance on who triages and how, they can address incidents faster than the average solo cybersecurity professional. The process can reduce and contain risks faster and produce better tracking of incidents as well.

The concept emerged through the use of DevOps and Agile. Instead of passing issues from Level 1 analysts up to Level 2 and Level 3 analysts, all three levels come together for a rapid and more effective response to more serious issues.

Bringing the Cyber Rapid Reaction Team members together in critical situations promotes cohesiveness among your enterprise workers. The participants have the satisfaction of knowing they efficiently and effectively addressed a risk and their collaboration increased your enterprise’s security.

A typical day in the life of a Cyber Rapid Reaction Team

9:00 AM
An incident breaks

The SOC triages and investigates alerts that indicate a potential incursion that may have evaded primary detection and protection toolsets. The threat appears to be a bespoke attack with unique aspects that don’t match standard signatures or Indicators of Compromise (IOCs). However, there are some similarities to, and an apparent correlation with, an open insider threat case. Some media and online sources report the incursion, and there may be some data available on the dark net. Further analysis is required to identify the extent of the IT exposure and the business impact and to recommend the technical and business response.
9:45 AM
The Cyber Rapid Reaction Team forms

The SOC gives the case to the fusion lead. The fusion lead activates the Cyber Rapid Reaction Team protocol and assembles a team composed of a network team member, insider threat analyst, incident response (IR) retainer, business data owner and HR representative. Initiating a Cyber Rapid Reaction Team case, the team gets a virtual workspace to collaborate and share case information.
10:00 AM
Team does rapid investigation and analysis

The fusion lead oversees an evaluation of the initial information compiled by the SOC analyst. Additionally, the fusion lead discusses next steps to advance the impact analysis of the event and develop actions for individual team members to create response strategies.
11:15 AM
Technical response actions initiated and tracked over the next 72 hours

As team members proceed with analysis and investigation, the Cyber Rapid Reaction Team receives insights and recommendations. Response tickets or requests are opened or channeled to the appropriate functional teams and escalated to completion by the owning Cyber Rapid Reaction Team members. These activities can involve quarantining a server, putting in a firewall block, running an IOC sweep and so on. If forensic analysis and evidence collection is required, the IR retainer can bring in contracted third parties to perform that function.

The fusion lead provides dedicated updates to senior leadership during the entire process.
1:00 PM
Business and corporate response initiated and tracked over the next 72 hours

The HR representative spearheads activity if corporate response from HR is needed. If there’s a brand or reputational impact assessed during the process, additional members from HR or marketing can join the Cyber Rapid Reaction Team to provide perspective and take ownership of resulting response actions. Corporate security and legal team members from the fusion center join the Cyber Rapid Reaction Team where law enforcement liaison is needed.
4 days later
Team holds debrief and after-action reporting

The fusion lead ensures that the case is appropriately documented with a clear chain of activities and archived artifacts. A formal debrief on the incident and the Cyber Rapid Reaction Team’s performance occurs. The fusion center governance team receives any identified improvements for tracking and actioning before the Cyber Rapid Reaction Team is disbanded.
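Two technical pieces of the scenario above, the IOC sweep run during the technical response and the earlier section’s model of one parent security ticket with response sub-tasks for the owning functional teams, can be shown together. The following Python is an added example, not code from the original page or from any IBM product: it sweeps constructed endpoint and DNS log lines against a small IOC set (exact IPs, CIDR ranges, domains and file hashes), then groups the hits into one parent case with one sub-task per owning team, action and host. The IOC values, log lines, hosts, case identifier and team routing are all hypothetical.

```python
"""IOC sweep feeding a parent case with per-team sub-tasks (added example, not
from the original page). IOCs, log lines, hosts and team names are constructed."""
import ipaddress

# Constructed IOC set, as it might arrive from the enriched intelligence workbench.
IOCS = {
    "ip": {"203.0.113.7"},
    "cidr": {"198.51.100.0/24"},
    "domain": {"login-update.example"},
    "sha256": {"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"},
}

# Constructed log sample in a simple "<ts> <host> <kind> key=value ..." form.
LOG_LINES = """\
2024-03-05T09:02:11Z wks-0417 dns query=login-update.example rcode=NOERROR
2024-03-05T09:02:12Z wks-0417 netconn dst=203.0.113.7:443 proto=tcp
2024-03-05T09:03:40Z fin-db02 process sha256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855 image=C:\\Temp\\upd.exe
2024-03-05T09:05:02Z dc01 netconn dst=198.51.100.77:8443 proto=tcp
2024-03-05T09:06:00Z wks-0222 dns query=www.example.com rcode=NOERROR
"""

# Hypothetical routing: which team owns the response action for each event kind.
ACTION_OWNER = {
    "dns": ("network_team", "sinkhole domain"),
    "netconn": ("network_team", "firewall block"),
    "process": ("endpoint_team", "quarantine host"),
}

def parse(line):
    """Split one log line into a dict of its fixed columns plus key=value fields."""
    ts, host, kind, rest = line.split(" ", 3)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return {"ts": ts, "host": host, "kind": kind, **fields}

def matches(ev):
    """Return the (ioc_type, value) this event hits, or None. Values are normalized
    the same way the intelligence side normalizes them, or sweeps silently miss."""
    if ev["kind"] == "dns":
        d = ev["query"].lower().rstrip(".")
        if d in IOCS["domain"]:
            return ("domain", d)
    elif ev["kind"] == "netconn":
        ip = ev["dst"].rsplit(":", 1)[0]
        if ip in IOCS["ip"]:
            return ("ip", ip)
        addr = ipaddress.ip_address(ip)
        for cidr in IOCS["cidr"]:
            if addr in ipaddress.ip_network(cidr):
                return ("cidr", cidr)
    elif ev["kind"] == "process":
        h = ev.get("sha256", "").lower()
        if h in IOCS["sha256"]:
            return ("sha256", h)
    return None

def sweep(log_text):
    """Every event that matches an IOC, with the matching IOC attached as evidence."""
    hits = []
    for line in log_text.splitlines():
        ev = parse(line)
        m = matches(ev)
        if m:
            hits.append({**ev, "ioc": m})
    return hits

def open_case(hits, case_id="CASE-0001"):
    """One parent case; one sub-task per (team, action, host) so each owner can track
    and close its own work while the fusion lead watches the parent."""
    subtasks = {}
    for h in hits:
        team, action = ACTION_OWNER[h["kind"]]
        subtasks.setdefault((team, action, h["host"]), []).append(h["ioc"])
    return {
        "id": case_id,
        "hosts": sorted({h["host"] for h in hits}),
        "subtasks": [{"owner": t, "action": a, "host": hst, "evidence": ev}
                     for (t, a, hst), ev in subtasks.items()],
    }

if __name__ == "__main__":
    case = open_case(sweep(LOG_LINES))
    print(case["id"], "affected hosts:", case["hosts"])
    for s in case["subtasks"]:
        print(f"  [{s['owner']}] {s['action']} on {s['host']} <- {s['evidence']}")
```

Note that the hash and domain comparisons only succeed because both sides lower-case and strip trailing dots; a sweep that takes feed values verbatim will miss a large share of true hits, which is one concrete reason the enrichment step in the intelligence workbench matters to detection.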



Expect these outcomes with innovation

Implementing threat intelligence and risk management approaches can really elevate an enterprise.

Investing in these suggested changes for your SOC is worth the effort because of these advantages:

  • Faster response times and time to recover
  • More engaged SOC personnel: As Level 1 and Level 2 analysts are much closer to other teams, they see the impact of the efforts clearly, and one of the jobs with the highest burnout rates now becomes a stepping stone for rich career growth in security operations
  • Increased ability to detect more sophisticated advanced persistent threats (APTs) and low and slow attacks
  • Your SOC is upward and outward focused, which leads to better visibility, garnering more investment and better tooling
  • Your organization can move to the cloud with confidence about security concerns
  • Cyber risk is demonstrably reduced

When implementation ends, the overall transformation in your security posture should be notable to you and others leading security efforts in your enterprise.



Discover how to best upgrade your SOC and take the next step

Follow these steps to have a more efficient and effective security posture.

Achieving a next-generation SOC relies chiefly on the right combination of people, processes and technology.

  • Skilled human resources who analyze threats and monitor a heterogeneous infrastructure around the clock while using high-end, up-to-date tools
  • Efficient operational processes to help enterprises more rapidly respond to threats and remediate risks while facilitating compliance management
  • Advanced SIEM and ticket management technologies that provide security intelligence to better target response and manage security devices

IBM Security Intelligence Operations and Consulting (SIOC) Services offers project-based engagements to help you determine the people, processes and technology you need for a next-generation SOC.

You can use targeted capabilities or bundled offerings, or any combination, to help achieve your maturity vision. IBM customizes what you want rather than use a one-size-fits-all approach.

The emphasis is on collaboratively co-creating with you the right SOC additions that align with your needs. This ongoing partnership includes the following opportunities:

SOC workshop
A one-day management workshop to establish goals and objectives for developing the SOC, including identifying stakeholders, the types of threats you monitor and the management model
SOC assessment
Consulting assessment for customers that have an existing SOC but are looking for IBM experts to review their capabilities and maturity and make recommendations for improvements
Consulting strategy engagement
For customers who want to develop an internal SOC and are seeking a strategy and roadmap for development
SOC design and build projects
Professional services for customers who already have a SOC strategy and want assistance to design and build one or multiple SOCs
SIEM assessments
For customers that want to assess their existing SIEM deployments and need guidance to upgrade their capabilities
QRadar® security intelligence platform
Security intelligence products that help integrate SIEM, log management, anomaly detection, and configuration and vulnerability management to deliver improved threat detection

Through the use of such tools as SIEM and infrastructure-independent operating environments that integrate with your security solutions, IBM SIOC can help make the vision of a next-generation SOC and increased security a reality for your enterprise.