In conversation with Daniël Jansen (Manager Managed Security Services) and Joost Geusebroek (Manager SOC). SOC stands for Security Operations Center, and it protects clients against both internal and external security threats. In this blog post, we will explore what kind of work the SOC actually does: how does the SOC help protect clients, and what are its ambitions for the future?
What exactly does the SOC do?
When I ask them what the SOC does, Daniël and Joost explain: “We monitor our clients’ IT landscapes for potential threats. Our SOC analysts then actively follow up on those threats. We are here to provide our clients with a 24/7 service, so that their systems are secure at all times.”
In my head, I start to picture a large group of analysts sitting in the office in the middle of the night, constantly on the alert just in case they spot something suspicious. “Well, we do monitor our clients’ systems 24/7, but at night, the job is quite different compared to during office hours,” explains Joost. “During the day we mainly work on structured or planned jobs and hold regular progress meetings with our clients, while at night we only intervene in incidents that require our immediate attention. Because after all, cybercriminals work around the clock.”
So basically, the SOC is ultimately there to ensure clients’ security. “That’s the essence of what we do, yes. We are constantly watching our clients’ backs,” says Daniël. “We can identify certain issues using the tooling that we have. Then we contact the client and recommend what steps should be taken, or we can intervene directly if necessary. We are always looking out for suspicious activities, and then we assess the situation and if it is a ‘true positive’, we take immediate action.” So what’s the added value of this service? “Well, in addition to the automated tooling, there are also real people making the decisions,” explains Daniël. “We automate as much as we can, and we let the tooling do as much for us as possible, but our strength lies mainly in the fact that our security specialists can look behind the scenes with you and advise you. We have years of knowledge and experience of analyzing and assessing cyber threats, so we are able to pinpoint exactly when there is a real threat to your organization.”
An example of suspicious activity
Back to those suspicious activities that we were talking about. Daniël gives an example that makes this much clearer. “Suspicious activities can include malware and phishing attacks, but also suspicious traffic that suddenly comes from the network. There are so many possibilities. For example, we might see a phishing email come in. That’s nothing unusual, because it happens from time to time in every organization. But if we then suddenly see that there is a lot of traffic to China from that particular workstation, even though the client has no links with China, then we know we need to raise the alarm straight away. Actually, we’re mainly looking out for unusual behavior. We’re looking for activity on the network that does not normally happen, such as someone logging into the administration system at 3 o’clock in the morning, or a colleague who is suddenly sending much higher volumes of data than usual. Then we’ll advise the client on what to do next and how to find out what is actually going on.”
What methods does the SOC use?
All reports are followed up systematically, of course. Joost describes the SOC’s step-by-step plan for new clients. “Of course, when we onboard a new client, we first look at what that client actually needs. We can’t monitor everything, so we start by eliminating a few things. And we define the parameters right at the start: what information do we need and what will we monitor? Once we have done that, we can end up with various scenarios – or use cases. Let’s take the example we talked about before, with the suspicious traffic to China. First, we would need to look into it more closely, because not every unusual activity is necessarily harmful. It could be that somebody is visiting a Chinese website. So first, you check things like that with the client. Then you need to decide whether the incident is a ‘false positive’ or a ‘true positive’. The latter means that malicious activity is actually happening. There are a number of different paths you can take to investigate the incident further. That will depend mainly on what type of incident it is. Then we follow up using standard operating procedures.”
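The three behaviours Daniël describes (a phishing email followed by traffic to a country the client has no links with, an admin login in the middle of the night, a user sending far more data than usual) and the onboarding parameters Joost mentions can be turned into use cases that a SOC runs over client telemetry. The following is an added illustration, not code from the SOC described in this post; the event records, the expected-country list, office hours, admin systems and per-user baselines are all constructed assumptions. Every alert it produces still needs an analyst to decide whether it is a true or a false positive.

```python
from datetime import datetime, timedelta

# Constructed sample telemetry (not from the original post). Each event:
# (timestamp, kind, user, host, detail). For "flow" events the detail is
# "destination-country:bytes-sent"; kinds are email_phish, flow and login.
EVENTS = [
    ("2021-03-01T09:15:00", "email_phish", "alice", "ws-12", ""),
    ("2021-03-01T09:40:00", "flow", "alice", "ws-12", "CN:48000000"),
    ("2021-03-01T10:05:00", "flow", "bob", "ws-07", "NL:1200000"),
    ("2021-03-01T14:20:00", "flow", "carol", "ws-03", "CN:300000"),
    ("2021-03-02T03:02:00", "login", "admin", "erp-01", ""),
    ("2021-03-02T11:00:00", "login", "admin", "erp-01", ""),
]

# Parameters agreed with the client at onboarding (assumed values).
EXPECTED_COUNTRIES = {"NL", "DE", "US"}      # countries the client deals with
OFFICE_HOURS = range(7, 20)                  # 07:00-19:59 local time
ADMIN_SYSTEMS = {"erp-01"}                   # the "administration system"
BASELINE_BYTES = {"alice": 2_000_000, "bob": 1_500_000, "carol": 500_000}
PHISH_WINDOW = timedelta(hours=24)           # phishing context stays relevant
VOLUME_FACTOR = 10                           # spike = 10x the user's baseline


def detect(events):
    """Return (rule, subject, severity) alerts for analyst triage."""
    alerts = []
    phished = {}  # host -> time of the most recent phishing report
    for ts, kind, user, host, detail in sorted(events):
        t = datetime.fromisoformat(ts)
        if kind == "email_phish":
            phished[host] = t
        elif kind == "flow":
            country, sent = detail.split(":")
            sent = int(sent)
            if country not in EXPECTED_COUNTRIES:
                # A phishing email on the same host shortly before raises the
                # priority; without that context it may just be a website visit.
                recent = host in phished and t - phished[host] <= PHISH_WINDOW
                alerts.append(("unexpected_destination", host,
                               "high" if recent else "low"))
            if sent > VOLUME_FACTOR * BASELINE_BYTES.get(user, sent):
                alerts.append(("volume_spike", user, "medium"))
        elif kind == "login" and host in ADMIN_SYSTEMS and t.hour not in OFFICE_HOURS:
            alerts.append(("off_hours_admin_login", host, "medium"))
    return alerts


if __name__ == "__main__":
    for rule, subject, severity in detect(EVENTS):
        print(f"{severity:6} {rule:24} {subject}  -> analyst triage")
```

The low-severity hit on ws-03 is the case Joost describes: unusual, but possibly just somebody visiting a Chinese website, so it is checked with the client before being classified.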
Current trends: more remote working
There are a number of trends underway, which means that the SOC has needed to adjust its methods. “Because of the pandemic, many people are working from home of course,” says Daniël. “That’s a huge change. Previously, when everybody was using a single office network, it was easy to monitor. Now, you are relying much more on data from the cloud and from endpoints.”
“We used to install a physical device on the client’s premises,” Joost continues. “A sensor that is connected to the network. But now we are seeing this shift to decentralization, so we combine the data from that sensor with data from the cloud. Actually, clients can now choose whether they want a physical device for their office network. The trend now is towards ever more focus on the end user.”
“Another trend that we’re seeing is that encryption is being used more and more,” adds Daniël. “That means that you also have to monitor data in a different way. In the past, you could monitor anything using a standard network port. But that’s becoming less and less relevant. You need a lot more tools and data in order to provide a full service today.”
Hopes for the future
We would like to become an active part of our clients’ business operations. Not just monitoring and giving advice, but also automated intervention, where that is permitted. That will help us to give more comprehensive protection to our clients. The client can simply assign that responsibility to us, so that they can focus on their core activities.
When I ask what Daniël and Joost would like to see in the future, they give a united answer. “We want to see more automation in the way we respond to threats,” says Daniël. “Right now, things are still very reactive, rather than proactive: we respond after something has happened and then discuss how it can be prevented from happening again with the client. But we would like to detect incidents automatically, so that we can intervene even more quickly, and then tell the client: ‘This is what happened, and this is how we solved it.’ That could mean making changes to the firewall or isolating an endpoint. It would save a lot of time and you could reduce the potential threat to the customer immediately. We want to give our clients the most comprehensive service possible – not only in terms of SOC services but across our whole portfolio.”