Streamlining defenses: The new SOC

Countless organizations have built their own situation rooms to protect data and respond to threats. Angela Moscaritolo reports.

From personnel files and student grades to accounts receivable data and cutting-edge research, Virginia Tech University maintains enormous amounts of sensitive information. So it is no wonder that its networks are probed hundreds of thousands of times every day.

Adequately protecting such a complex campus network infrastructure, made up of more than 30,000 computing and communication systems across 125 buildings, requires a host of layered defenses, says Randy Marchany, the university's information security officer, who leads a team of four full-time security analysts in addition to several graduate students.

Marchany and his group have been collecting security-related information from various sources – such as operating system logs, intrusion detection and prevention systems, firewalls and vulnerability scanners – for a number of years. But with such vast amounts of security data being regularly generated and stored on separate, distributed servers, it became difficult to see the big picture, he says.

So, about two years ago, the team embarked on a project to build a cybersecurity operations center (SOC) to collect, correlate and analyze the data and leverage it to more quickly respond to threats.

Countless organizations have built SOCs for similar reasons. These centers pull together threat and log data from disparate sources and centralize security monitoring, analysis and response functions within a single unit. In addition, they usually provide around-the-clock monitoring and risk management to detect and protect against attacks.

These days, the most state-of-the-art SOCs look like something right out of the movies, says Chris Triolo, vice president of enterprise solutions at HP ArcSight, which offers SOC consulting services.

Picture a hardened facility, he says, where an overhead grid of large, flat-screen displays depicts real-time attack traffic. Rows of security analysts, each sitting behind multiple computer monitors, watch for trends and anomalies. Other, less elaborate SOCs, meanwhile, may be housed inside a small 10-by-10 room and staffed by just two employees.

While each SOC is unique, its main functions often include security event generation, collection, storage, analysis and reaction, according to “Security Operation Center Concepts and Implementation,” a paper written by French computer and network security expert Renaud Bidou, which the Virginia Tech team used as a blueprint.
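To make the collect, store, correlate and react functions concrete, here is an added example (not code from Virginia Tech's SOC or from Bidou's paper) that pulls events from three of the source types named above, a firewall, an IDS and a vulnerability scanner, normalizes them into one schema and runs two correlation rules over the combined stream. The log formats, addresses, signature names, scanner findings and the port-scan threshold are all constructed for the example and are assumptions, not data from any real network.

```python
"""
Minimal SOC-style pipeline: collect from heterogeneous sources, normalize,
store in one place, correlate. All sample input is constructed for this
example; formats and values are assumptions, not real logs.
"""
from __future__ import annotations
from collections import defaultdict
from dataclasses import dataclass
import re

# --- constructed sample input (not real logs) ---
FIREWALL_LOG = """\
2012-03-01T10:00:01 fw1 DENY TCP 198.51.100.7:51000 -> 192.0.2.10:22
2012-03-01T10:00:02 fw1 DENY TCP 198.51.100.7:51001 -> 192.0.2.10:23
2012-03-01T10:00:03 fw1 DENY TCP 198.51.100.7:51002 -> 192.0.2.10:80
2012-03-01T10:00:04 fw1 DENY TCP 198.51.100.7:51003 -> 192.0.2.10:443
2012-03-01T10:00:05 fw1 DENY TCP 198.51.100.7:51004 -> 192.0.2.10:3306
2012-03-01T10:00:06 fw1 DENY TCP 198.51.100.7:51005 -> 192.0.2.10:8080
2012-03-01T10:05:00 fw1 DENY TCP 203.0.113.9:40000 -> 192.0.2.10:25
"""
IDS_ALERTS = """\
2012-03-01T10:07:12 ids1 ALERT "SSH brute force attempt" 198.51.100.7 -> 192.0.2.10:22
2012-03-01T10:09:30 ids1 ALERT "HTTP directory traversal" 203.0.113.9 -> 192.0.2.20:80
"""
VULN_SCAN = """\
192.0.2.10,22,outdated SSH server accepts password authentication
192.0.2.30,80,web server allows directory listing
"""

@dataclass(frozen=True)
class Event:
    """One normalized record, whatever the originating source."""
    ts: str        # ISO timestamp; empty for scanner findings (not time-stamped here)
    source: str    # firewall / ids / vulnscan
    src_ip: str    # empty for scanner findings
    dst_ip: str
    dst_port: int
    kind: str      # deny / alert / finding
    detail: str

# Assumed line layouts for the constructed logs above.
FW_RE = re.compile(r'^(\S+) \S+ DENY \S+ (\S+):\d+ -> (\S+):(\d+)$')
IDS_RE = re.compile(r'^(\S+) \S+ ALERT "([^"]+)" (\S+) -> (\S+):(\d+)$')

def collect(firewall: str, ids: str, vulnscan: str) -> list[Event]:
    """Collection + normalization: three formats become one list of Events."""
    events: list[Event] = []
    for line in firewall.splitlines():
        m = FW_RE.match(line)
        if m:
            ts, src, dst, port = m.groups()
            events.append(Event(ts, "firewall", src, dst, int(port), "deny", "denied connection"))
    for line in ids.splitlines():
        m = IDS_RE.match(line)
        if m:
            ts, sig, src, dst, port = m.groups()
            events.append(Event(ts, "ids", src, dst, int(port), "alert", sig))
    for line in vulnscan.splitlines():
        if line.strip():
            host, port, desc = line.split(",", 2)
            events.append(Event("", "vulnscan", "", host, int(port), "finding", desc))
    return events

SCAN_THRESHOLD = 5  # distinct ports denied from one source to one host (assumed tuning value)
PRIORITY_ORDER = {"high": 0, "medium": 1, "low": 2}

def correlate(events: list[Event]) -> list[dict]:
    """Analysis: cross-source rules over the stored events, highest priority first."""
    incidents: list[dict] = []
    # Rule 2 bookkeeping first, so rule 1 can use it as context.
    ports_per_pair: dict[tuple[str, str], set[int]] = defaultdict(set)
    for e in events:
        if e.kind == "deny":
            ports_per_pair[(e.src_ip, e.dst_ip)].add(e.dst_port)
    scanners = {pair for pair, ps in ports_per_pair.items() if len(ps) >= SCAN_THRESHOLD}
    # Rule 1: an IDS alert against a host:port the scanner flagged outranks one that is not.
    findings = {(e.dst_ip, e.dst_port): e.detail for e in events if e.kind == "finding"}
    for e in events:
        if e.kind != "alert":
            continue
        weakness = findings.get((e.dst_ip, e.dst_port))
        evidence = [e.detail] + ([weakness] if weakness else [])
        if (e.src_ip, e.dst_ip) in scanners:
            evidence.append("preceded by port scan from same source")
        incidents.append({"priority": "high" if weakness else "medium",
                          "rule": "ids_alert_vs_vuln" if weakness else "ids_alert",
                          "src_ip": e.src_ip, "dst_ip": e.dst_ip, "dst_port": e.dst_port,
                          "evidence": evidence})
    # Rule 2: one source denied on many distinct ports of one host looks like a port scan.
    for src, dst in sorted(scanners):
        incidents.append({"priority": "low", "rule": "port_scan", "src_ip": src, "dst_ip": dst,
                          "dst_port": None,
                          "evidence": [f"{len(ports_per_pair[(src, dst)])} distinct ports denied"]})
    return sorted(incidents, key=lambda i: PRIORITY_ORDER[i["priority"]])

if __name__ == "__main__":
    for inc in correlate(collect(FIREWALL_LOG, IDS_ALERTS, VULN_SCAN)):
        print(inc["priority"], inc["rule"], inc["src_ip"], "->", inc["dst_ip"], inc["evidence"])
```

The point of the example is the join across sources: the same IDS signature yields a high-priority incident when the scanner has already reported a weakness on the targeted host and port, and only a medium one otherwise, while the firewall denies alone surface the reconnaissance that preceded the attack. A production SOC would persist the normalized events in a store rather than a list and would tune the threshold per network, but the shape of the pipeline is the same.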

Virginia Tech's IT security department did not have a large budget with which to work – about $10,000. Any commercial solution for an environment of their size would have cost roughly 10 times that amount, says Marchany.