Get Started with a One-to-One Personalized Demo
Dramatically reduce the mean time to detection, response and remediation of all potential security incidents, ensuring no alert goes untouched.
See IncMan SOAR in Action.
Building an effective security strategy in organizations today requires the right combination of experts, processes, tools and technologies. Luckily, there are many different ways in which you can organize them to fit your company’s needs.
The two types of teams most often mentioned today are Security Operations Centers (SOCs) and Computer Security Incident Response Teams (or CSIRTs). SOCs and CSIRTs have distinctive roles and responsibilities, so deciding which one is better for your organization’s security program isn’t always easy. This blog post will focus on explaining their main objectives and how they differ in structure, which may help you to decide which one is more suitable for your organization’s internal infrastructure and strategy, especially if you are looking to set one up in the near future as your business expands.
The term SOC bears the connotation of an environment designed specifically to defend corporate data and networks, and it can be used to describe the facility where carrying out security tasks takes place or the people who are responsible for that.
A SOC is the “brain” of a security organization, as it acts as the center of all roles and responsibilities, with the main goal of protecting information within the organization. Its main tasks are:
Furthermore, the SOC also monitors people, technology and tools, and processes involved in all aspects of cybersecurity. Often companies have a SOC before they decide to establish a separate CSIRT. The end objective of every SOC is to monitor and take care of every cyber activity that takes place and ultimately ensure the organization is protected against any type of attack.
The SOC is also responsible for incident response if there is no formal CSIRT established within the organization. If there is, the SOC helps the CSIRT in responding faster and more efficiently to a cyber threat.
The SOC is responsible for the following:
What makes a SOC unique and different from other units within the organization is its centralized role with a strong focus on combining techniques, skills, and technology, by utilizing tools to increase the protection of the company against threats. It’s also important to underline that even though incident prevention and management is not its specialty, a SOC may still cover these events as well, being a department that covers all things related to cyber security.
CSIRT is a centralized department within an organization whose main responsibilities include receiving, reviewing, and responding to security incidents. CSIRTs may work under SOCs, or function individually, depending on the organization’s needs and structure.
The main goal of a CSIRT is to minimize and control the consequences from an incident. It’s not just addressing the attack itself, their role involves communicating with boards, executives, and clients about the incident.
Some of its main responsibilities include:
The basis of every CSIRT is providing incident management. The CSIRT is the central point of contact in the event of a security incident. Depending on how fast a CSIRT team responds to an incident, it can limit the damage from the incident by providing rapid response and recovery solutions. This ensures the workflow is uninterrupted and lowers the overall costs.
Incident management presupposes three functions: reporting, analysis and response. With this being said, the CSIRT activities usually involve the following:
The CSIRT within an organization may be a formal unit or an ad-hoc team, depending on the company’s needs. If your organization is not facing a cyber threat on a regular basis, the need for a CSIRT might not be as big as for larger organizations, or companies in high-risk industries, such as healthcare, finance or government. In industries such as these, responding to threats happens daily and there’s a need for a formal, full-time CSIRT.
Whatever the needs of your organization, don’t forget that a CSIRT team will evolve with time. What might start as an ad-hoc team may develop into a fully functioning department as the business expands and progresses.
Regardless of the final choice, which will depend on a number of individual requirements and factors, (including but not limited to the size of the organization, the number of threats it faces, the industry and the company’s security program maturity), don’t forget that whatever team is established, it is always important to clearly define roles and responsibilities, have efficient processes in place that can be automated, and implement the right tools and technologies that will help your team do their job more effectively. Set up correctly, SOCs and CSIRTs will facilitate the organization to respond to all security alerts and react faster to the ever-evolving cyber security incidents.
John Moran / 6 Nov 2018
If you’re playing buzzword bingo in 2018, Orchestration and Automation (O&A) are two words you want to see on your card. Learn the difference between Orchestration and Automation and Security Orchestration, Automation and Response (SOAR).
Julie Tillyard / 9 Oct 2018
The terms security automation and security orchestration are often used almost interchangeably. The aim of this blog is to discuss the core differences by explaining what these terms mean exactly, what their functions are and how they can be used within an IT context.
Julie Tillyard / 18 Sep 2018
Planning and implementation is the difference between success and failure when it comes to security and incident response. Here are the top four reasons why organizations fail and what they can do to overcome these challenges.
See IncMan SOAR in Action.