The guidelines for the design of a Security Operation Center
The approach to be followed in the design of a thoughtful SOC as a hub of technological governance
A Security Operations Center (SOC) is the heart of security management. It is conceived and designed with the aim of collecting data and information useful for protecting the business, and also for company management, to guide choices and decisions.
An expanding perimeter does not always come with a corresponding increase in the resources available to manage it; the technology must therefore be oriented towards the future and towards possible changes in the scenario.
Alessio Cino, security project & design account within Secursat's Business Development team, shares the approach to be followed in the design of a SOC conceived as a technological governance hub.
The structure, the shell, the protection systems, the integration and management platform(s), resources and workstations are, broadly, the choices that companies face when designing a Security Operation Center (SOC) or, as defined by the UNI CEI EN 50518:2020 standard, an Alarm Receiving Center (ARC). In particular, the reference legislation regulates and guides companies in the choice of infrastructural and technical characteristics, alarm systems and power supply, as well as in the operating methods through which alarms and signals must be managed, in order to create a suitable, certifiable place for the management and monitoring of safety and security systems. According to Secursat, compliance with these guidelines should be driven by an integrated approach whose objectives are not only security but management in general, following the path of digitalization and innovation in process management that is already widespread in organizations.
The response to the pandemic has, in fact, made ever more evident the need to accelerate the adoption of streamlined and effective process management methods, and of systems capable of collecting data and timely information to overcome uncertainty and stabilize the business through a "smarter" company and, in our case, also through "smarter" security.
Intelligent security, according to Secursat, in this phase implies more than the adoption of new technologies, the revamping of systems in the field or the search for new products: it implies a radical change of direction in the management of security processes, rethinking the Security Operation Center as the key place in systems management. The SOC must therefore be designed to be agile, resilient and capable of changing continually: not a rigid structure based on control, but a place for the dynamic management of security and safety events, together with technical and operational reports.
The aim is therefore to design an ARC that can be certified in compliance with the legislation where necessary, moving away from the traditional concept of generic alarm management carried out by dedicated security guards and instead designing a strategic SOC where, through technical, security and analysis skills, it is possible to monitor and manage, on the one hand, technological and operational reports and activities related to the IT infrastructure (network, systems and applications) and, on the other hand, security and safety events and information, to guarantee the protection of the sites, assets and people of the company or its customers.
In this approach, the SOC becomes not only the place to monitor events and situations in real time, but also a data and information collection center useful for anticipating how risk scenarios evolve, studying systems automation models, and providing answers that optimize resources and improve the effectiveness of activities. Adopting a different model of security management through the SOC can help small and large organizations to mitigate risks, automate routine activities through human + machine models and also reduce the costs traditionally associated with extra activities, redefining the role of security in the business organization.
To implement this model, used both in the design of our certified Security Operation Centers and in projects supporting the design of a SOC or the choice of platforms by our customers, it is first necessary to start from a capacity analysis.
Our team's work is based on the analysis of data related to the reports generated by the systems present in the field, classifying them and studying their behavior, as well as analyzing and understanding the types of sites to be connected, in order to dispel the misunderstanding that a greater number of sites and links must necessarily lead to increased investment in resources.
Thanks to a mix of analysis skills, traditional systems techniques and IT, the Secursat team enables customers to make the best technological choices and defines the roadmap to remodel the characteristics of the integration platforms.
The goal is to allow advanced monitoring of systems and reports, with a direct impact on the reduction of costs associated with extra activities, as well as standardizing the event management model and classifying event types, so that data is provided to management to monitor KPIs and processes. Another, no less important, aspect concerns the SOC's ability to guarantee business continuity in the management of activities, as well as backup and disaster recovery: all activities that proved to be strategic especially during the pandemic, during which the SOC, in our case, became the place from which to ensure operational continuity for our customers remotely.
Our team, in parallel with the infrastructural and platform choices, contributes to rethinking the network infrastructure and connection models, based on cloud-based solutions and looking at international security standards, and also includes evaluations relating to the protection of the servers and hardware devices necessary to ensure the proper functioning of the SOC and the security of the information it processes.
Finally, when thinking about the creation of a SOC, it is necessary to analyze the resources and skills needed, and to define procedures and rules of behavior for people as well as for systems, in order, on the one hand, to guarantee compliance with company procedures and, on the other hand, to reduce operators.
Following the path traced in the design of a SOC, according to Secursat, thinking about resources in an innovative way means abandoning traditional top-down decision-making processes and forming teams with a mix of technological skills: familiarity with the most widespread security and safety systems on the market, both for monitoring events and for managing operational reports, together with security and analysis skills for the use of platforms that monitor international scenarios, such as company travelers or customers.
The SOC should therefore be populated by empowered teams with clear targets and rules in the management of systems, guided and supported by data and technology according to an end-to-end logic, for greater speed and quality of response and management. In this sense, the Secursat team helps to define how systems management, travel security, localization platforms and so on are implemented, and how operators use them. The goal is to ensure that event management in turn guarantees rapid responses, providing for the training of resources, identifying new talents and skills capable of responding to the needs of event management, and supporting them in the start-up of the project.
In conclusion, the guidelines briefly outlined here represent a model in which investments in technology, and in the methods of its application, guarantee a real reduction in fixed costs and extra activities, favoring the quality of human resources over quantity. According to this approach, the SOC becomes a place to monitor risks related to business continuity, manage sudden changes in needs, make real-time decisions by predicting and mitigating security risks, and provide useful data and information to the entire organization, thanks to a set of technologies and skills that guarantee a good reaction to crises today and that will also be useful in the near future for a real resilience capacity on the part of security.
It is a design that follows the needs and regulations currently in place, while at the same time trying to foresee a definitive breaking point at which the dividing line between physical and virtual security will become completely intangible, laying the foundations for the future evolution of our "traditional" monitoring centers into a Network Operation Center (NOC) or Global Security Control Room (GSCR) capable of overcoming territorial boundaries, synchronizing physical-security needs with IT ones and adopting machine-learning logic.