Security operations (SecOps) functions
The main objective of a cloud security operations (SecOps) function is to detect, respond to, and recover from active attacks on enterprise assets.
As SecOps matures, security operations should:
- Reactively respond to attacks detected by tools
- Proactively hunt for attacks that slipped past reactive detections
Modernization
Detecting and responding to threats is currently undergoing significant modernization at all levels.
- Elevation to business risk management: SOC is growing into a key component of managing business risk for the organization
- Metrics and goals: Tracking SOC effectiveness is evolving from "time to detect" to these key indicators:
- Responsiveness via mean time to acknowledge (MTTA).
- Remediation speed via mean time to remediate (MTTR).
- Technology evolution: SOC technology is evolving from exclusive use of static analysis of logs in a SIEM to add the use of specialized tooling and sophisticated analysis techniques. This provides deep insights into assets that provide high quality alerts and investigation experience that complement the breadth view of the SIEM. Both types of tooling are increasingly using AI and machine learning, behavior analytics, and integrated threat intelligence to help spot and prioritize anomalous actions that could be a malicious attacker.
- Threat hunting: SOCs are adding hypothesis driven threat hunting to proactively identify advanced attackers and shift noisy alerts out of frontline analyst queues.
- Incident management: Discipline is becoming formalized to coordinate nontechnical elements of incidents with legal, communications, and other teams. Integration of internal context: To help prioritize SOC activities such as the relative risk scores of user accounts and devices, sensitivity of data and applications, and key security isolation boundaries to closely defend.
For more information, see:
- Security operations discipline
- Security operations best practices videos and slides
- CISO workshop module 4b: threat protection strategy
- Cyber Defense Operations Center (CDOC) blog series part 1, part 2a, part 2b, part 3a, part 3b, part 3c, part 3d
- NIST computer security incident handling guide
- NIST guide for cybersecurity event recovery
Team composition and key relationships
The cloud security operations center is commonly made up of the following types of roles.
- IT operations (close regular contact)
- Threat intelligence
- Security architecture
- Insider risk program
- Legal and human resources
- Communications teams
- Risk organization (if present)
- Industry specific associations, communities, and vendors (before incident occurs)
Next steps
Review the function of security architecture.
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for