Four Pillars of Cyber Security; Governance and Assurance, Managed Security Services (highlighted), Security Architecture, Penetration Testing

Managed Detection and Response

Sopra Steria’s SOC services are a proactive and reactive defence mechanism, providing continuous monitoring, incident response, threat intelligence analysis and support for compliance and regulatory requirements. Its critical role is to protect organisations’ digital assets and data to minimise the impact of cyber threats and incidents.

Many organisations rely heavily on cloud security tools to protect their cloud infrastructure and data. However, these tools often fall short when it comes to providing comprehensive threat detection. This limitation leaves organisations vulnerable to sophisticated attacks that can go undetected. Without integrating a SOC, the visibility and context needed to effectively identify and respond to these complex threats across both traditional and cloud environments are lacking. This poses a significant problem as organisations face an increased risk of potential breaches and data loss.

Data breaches carry some of the most costly fines for organisations. Reports have demonstrated that security analytics is a core component to significantly reduce the cost of a data breach, taking the savings into the millions. Implementation of a SOC underpinned with a streamlined and defined security incident response process is reported to reduce the cost of a breach.

By adopting our SOC services, organisations gain swift detection of potential high-impact attacks across their entire landscape, providing reassurance during audits or assessments conducted by prospective clients or stakeholders.

Benefits

  • Comprehensive security assurance: Gain end-to-end business security confidence and meet essential security audit requirements by continuously monitoring and assessing security controls. This ensures adherence to industry standards and regulations, mitigating the risk of penalties and legal consequences.
  • Monitor and analyse security events: continuous monitoring and analysis of security events enables prompt incident response and minimises the impact of potential incidents.
  • Increased Operational Efficiency: By centralising and automating security monitoring and response activities we improve incident coordination and enhance our ability to detect, respond to and mitigate security threats efficiently.
  • Substantiated Threats: Alongside alerts, we provide evidence of threats. This information supports incident investigations, ensuring accurate analysis and facilitating informed decision-making.
  • Cost savings: Reduce the expense of security monitoring by consuming Managed Detection and Response services whilst expanding security coverage.

Our Approach

Our Cyber Security Operations Centre (SOC) comprises various interconnected elements such as monitoring tools, threat intelligence, incident response protocols, and skilled personnel working collaboratively to detect, analyse, and mitigate cyber threats in real time.

Through the collection of security-related data from various sources, such as cloud services, firewalls, servers and endpoints, we provide Threat Detection as a core offering. The objective of threat detection is to identify anomalies that indicate potential threat actors and to respond to incidents before they cause significant harm to client businesses, across blended environments from on-premises to public and private cloud.

We continuously assess an organisation’s security landscape and implement improvements to enhance protection against future threats by alignment against industry best practice such as the MITRE ATT&CK framework (Adversarial Tactics, Techniques, and Common Knowledge) and NIST (National Institute of Standards and Technology) Cyber Security Framework.

We can integrate clients’ hybrid cloud-based solutions into our SOC's Threat Detection and Incident Response capability. Our SOC integrates with clients’ incident processes, playing a key role in the detection, response, containment and recovery of cyber incidents.

SOC Core Services; Cloud Monitoring, Content Development, Threat Intelligence, Incident Response, Use Case and Playbook Development, Monthly Reporting, Threat Detection, Security Advice and Guidance.

Service Elements

Threat Detection is provided as part of our core offering: our SIEM solution provides continuous Threat Detection. Cyber attackers are becoming increasingly sophisticated and constantly develop new tactics, techniques and procedures to compromise systems and networks. To monitor the agreed service scope, we work with clients to design their Threat Detection solution, to identify and integrate security-relevant log sources into the SIEM, and to develop any custom use cases required to meet client requirements. By integrating these into our SIEM tooling, we are able to monitor for and detect client-specific security events and identify potential threats.

The advantage of having Threat Detection in place is that we can stay ahead of the latest threats, ensuring that systems and data are monitored at all times and that log sources and alarms are aligned to defined standards.

Monitoring and detection is provided through the implementation of our SIEM Solution, a market leading cloud-based Software-as-a-Service (SaaS) offering that provides SIEM and Security Orchestration, Automation and Response (SOAR) capabilities.

Alternatively, the SOC can offer an on-premises SIEM solution where a client requires one due to security classification.

Both options are highly scalable and offer a range of features:

  • Industry-leading scalability and key security features, including real-time threat detection.
  • Integrated SOAR capability, improved systems integration with a wider range of data feeds, and integrated playbook automation for faster detection and containment.
  • An improved analyst interface that boosts productivity and eases integration with a variety of supplemental security tools and technologies, resulting in improved operational efficiency, faster incident response times and better security outcomes for clients.

An important component of our core SOC offering is the ability to integrate cloud services. As adoption of cloud services grows and more applications and data are placed in the cloud, the scope and complexity of the threat landscape increase the potential risk of compromise. Many monitoring tools are provided by the various cloud vendors, but they are not integrated to give holistic oversight of potential threats.

We can integrate a customer’s cloud-based solution into our Managed SOC's Threat Detection and incident response capability. The goal of integrating cloud-based solutions into our SOC is to correlate security incidents across a number of applications and cloud-based services, enabling faster and more effective incident response and ultimately providing end-to-end visibility of security threats across an organisation. By integrating cloud-based services into our Managed SOC we are able to collect security-related data from a variety of cloud-based sources, including infrastructure-as-a-service (IaaS), platform-as-a-service (PaaS) and software-as-a-service (SaaS).

Bespoke integration for cloud applications linked via account events to SOC's SIEM platform. Standard Integration for AWS, Azure and O365 Accounts linked via account events to SOC's SIEM Platform.

Ongoing SIEM management requires continual development of rule configuration and tuning to enable visibility of suspicious or potentially malicious actions or events. Rules and tuning form the basis for effectively identifying, detecting, and responding to security incidents. The SOC achieves this by aligning our rule development capability against the industry recognised MITRE ATT&CK framework. MITRE ATT&CK is a globally accessible knowledge base of adversary tactics, techniques and procedures based on real-world observations. The development of our security rules, in line with MITRE ATT&CK, involves mapping the techniques used by attackers to the controls and assets that are critical to our clients. This mapping process allows us to develop detection rules that specifically focus where strong mitigations cannot be applied or where critical assets/data are held and enables the identification of any key sources of event data and informs steps to be taken to address any potential monitoring gaps. Aligning to MITRE ATT&CK is a continuous process, maintaining our awareness and constantly adapting our security playbooks to accommodate the ever-changing Threat Landscape.

Our SOC utilises a variety of open-source threat information, vendor notifications, Indicators of Compromise (IOC), community Threat Intelligence platforms, white papers and news articles. This is used to enhance anomaly detection during the triage process, to identify, document and implement new use cases, to improve our detection coverage within a client’s environment, and to respond rapidly to security events.

SOC services play a key role in the security Incident Management process. The SOC core service encompasses detection, triage, analysis and verification, including escalation through integration with our clients’ Incident Management process. We offer two service tiers for the “Response” component of the core service, to align with the specific needs of our clients.

Our SOC team's expertise and experience in handling Security Incidents is critical to minimising the impact of the incident and ensuring a quick and effective response.

  • Detection; Data ingested from across a client’s estate into our Monitoring Solution is actively correlated against a comprehensive database of rules developed in line with the client’s risk posture and compliant with industry best practice. As alerts are triggered, our monitoring solution prioritises their severity based upon pre-configured, contextualised rules, which are subject to continual improvement and tuning.
  • Reaction; Our analysts analyse and triage alerts to determine their validity and respond accordingly. This may include the collection and analysis of available client data and any other supporting threat intelligence. Our SOC analysts assess the severity and impact of the alert.
  • Response; Depending on the incident severity and the playbook instructions, the SOC determines how best to escalate to our clients, sharing relevant information and evidence with them, including the findings of the SOC’s analysis, and supports them in containing an identified security incident quickly and effectively. Response time is calculated from the time an alert is triggered through to an ITSM ticket being raised or escalated as per defined processes.
  • Lessons Learnt; Following a security incident we work with clients to understand the root cause and to identify improvements and recommendations in security posture or process that mitigate potential future risk and improve the response process. Any findings are fed back into the content development process for enhanced visibility.

A critical component of the service we provide is to offer insights into the state of our clients’ security posture and the effectiveness of our security operations. Our monthly reporting provides information on security incidents that have occurred, including details on the type of incident, how it was detected and resolved.

Our monthly reporting also includes key security metrics, such as the number of incidents detected and the volume of security alerts, to demonstrate the effectiveness and quality of the service through the measurement of key performance indicators and service level agreements.

Reports cover details of proactive tuning activities, false positive reductions in monitoring, trending, alerts, triaged security events and, where necessary, any lessons learnt, as well as detailed assessment recommendations that allow clients to make data-driven decisions.

We develop playbooks which are an essential component within the service. A key component of incident response, playbooks provide analysts with clear instructions on incident response procedures in a way that aligns with clients’ own incident management processes. Playbooks ensure security events are triaged efficiently and effectively. We work closely with clients to ensure that playbooks reflect their individual incident management processes.

A security use case is a documented description of a specific security scenario that a SOC is expected to address. Use cases cover the threat sources, attack vectors, detection and response strategies, and the tools and technologies needed to effectively detect and respond to incidents. Our SOC’s security use cases are aligned to MITRE ATT&CK, and we develop supporting incident management playbooks to ensure we respond to threats effectively and integrate into our clients’ processes.

Threat Intelligence and ATT&CK Tactics, Techniques and Procedures are filtered into Use Cases and Playbooks; Threats, Use Case Scenario, Tactics, Techniques, Log Sources, Detection Rules and Playbooks.

We apply a standardised set of security use cases and playbooks for each client. If there are bespoke monitoring requirements, we also develop client-specific use cases and playbooks, to meet their needs.
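The rule development and use case passages above describe mapping ATT&CK techniques to the log sources and detection rules a client needs, and using that mapping to find monitoring gaps. The following is an added example written for this page to make that concrete; it is not Sopra Steria's code or tooling. The `Event`, `UseCase` and `Alert` structures, the three rules, the thresholds and every log line are constructed for illustration; only the ATT&CK technique IDs (T1110 Brute Force, T1078 Valid Accounts, T1098 Account Manipulation) are real identifiers.

```python
"""Constructed example: ATT&CK-aligned use cases -> required log sources -> detection rules.

A use case is only as good as the telemetry behind it, so before running any rule
the example checks which use cases the client's onboarded log sources can support
and reports the rest as monitoring gaps rather than silently producing nothing.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, Iterable, List


@dataclass(frozen=True)
class Event:
    source: str      # onboarded log source the record came from (constructed names)
    ts: int          # epoch seconds (constructed)
    user: str
    action: str
    result: str      # "success" or "failure"
    src_ip: str
    target: str = "" # e.g. the policy attached; empty where not applicable


@dataclass(frozen=True)
class Alert:
    use_case: str
    technique: str   # ATT&CK technique ID carried through to the analyst/ITSM ticket
    severity: str
    detail: str


@dataclass(frozen=True)
class UseCase:
    name: str
    tactic: str
    technique: str
    log_sources: FrozenSet[str]          # sources the rule must see to be meaningful
    severity: str
    rule: Callable[[List[Event]], List[str]]  # events -> list of finding descriptions


def failed_signin_burst(events: List[Event], threshold: int = 5, window: int = 300) -> List[str]:
    """T1110: one source IP producing >= threshold failed sign-ins inside `window` seconds."""
    by_ip: Dict[str, List[int]] = defaultdict(list)
    for e in events:
        if e.source == "azure_signin" and e.action == "SignIn" and e.result == "failure":
            by_ip[e.src_ip].append(e.ts)
    findings = []
    for ip, stamps in by_ip.items():
        stamps.sort()
        # sliding window: any `threshold` consecutive failures within `window` seconds
        if any(stamps[i + threshold - 1] - stamps[i] <= window
               for i in range(len(stamps) - threshold + 1)):
            findings.append(f"{threshold}+ failed sign-ins from {ip} within {window}s")
    return findings


def success_after_failures(events: List[Event], min_failures: int = 3) -> List[str]:
    """T1078: a user signs in successfully right after a run of failures from the same IP."""
    fails: Dict[tuple, int] = defaultdict(int)
    findings = []
    for e in sorted(events, key=lambda ev: ev.ts):
        if e.source != "azure_signin" or e.action != "SignIn":
            continue
        key = (e.user, e.src_ip)
        if e.result == "failure":
            fails[key] += 1
        elif fails[key] >= min_failures:
            findings.append(f"{e.user} succeeded from {e.src_ip} after {fails[key]} failures")
            fails[key] = 0
    return findings


def admin_policy_attached(events: List[Event]) -> List[str]:
    """T1098: an IAM user policy attachment granting an administrator policy."""
    return [f"{e.user} attached {e.target}" for e in events
            if e.source == "aws_cloudtrail" and e.action == "AttachUserPolicy"
            and e.result == "success" and "Administrator" in e.target]


USE_CASES = [
    UseCase("Password spraying against cloud identities", "Credential Access", "T1110",
            frozenset({"azure_signin"}), "high", failed_signin_burst),
    UseCase("Successful sign-in after failure burst", "Initial Access", "T1078",
            frozenset({"azure_signin"}), "critical", success_after_failures),
    UseCase("Administrator policy attached to IAM user", "Persistence", "T1098",
            frozenset({"aws_cloudtrail"}), "high", admin_policy_attached),
]


def coverage_gaps(use_cases: Iterable[UseCase], onboarded: Iterable[str]) -> Dict[str, List[str]]:
    """Use cases the client cannot be monitored for yet, with the missing log sources."""
    have = set(onboarded)
    return {uc.name: sorted(uc.log_sources - have) for uc in use_cases if not uc.log_sources <= have}


def run_detections(use_cases: Iterable[UseCase], events: List[Event], onboarded: Iterable[str]) -> List[Alert]:
    """Run only the use cases whose telemetry is onboarded; each alert keeps its ATT&CK technique."""
    have = set(onboarded)
    alerts = []
    for uc in use_cases:
        if not uc.log_sources <= have:
            continue  # a gap, reported by coverage_gaps(); running it would give false confidence
        alerts.extend(Alert(uc.name, uc.technique, uc.severity, d) for d in uc.rule(events))
    return alerts


# Constructed sample telemetry (TEST-NET addresses, fictitious users).
SAMPLE_EVENTS = [
    *[Event("azure_signin", 100 + 10 * i, u, "SignIn", "failure", "198.51.100.7")
      for i, u in enumerate(["a.smith", "b.jones", "c.khan", "d.lee", "e.brown"])],
    Event("azure_signin", 200, "j.doe", "SignIn", "failure", "203.0.113.9"),
    Event("azure_signin", 210, "j.doe", "SignIn", "failure", "203.0.113.9"),
    Event("azure_signin", 220, "j.doe", "SignIn", "failure", "203.0.113.9"),
    Event("azure_signin", 230, "j.doe", "SignIn", "success", "203.0.113.9"),
    Event("aws_cloudtrail", 300, "svc-deploy", "AttachUserPolicy", "success", "203.0.113.9",
          target="arn:aws:iam::aws:policy/AdministratorAccess"),
]

if __name__ == "__main__":
    onboarded = {"azure_signin"}          # client has not yet onboarded CloudTrail
    print("Monitoring gaps:", coverage_gaps(USE_CASES, onboarded))
    for a in run_detections(USE_CASES, SAMPLE_EVENTS, onboarded):
        print(f"[{a.severity}] {a.technique} {a.use_case}: {a.detail}")
```

With only the sign-in source onboarded the T1098 use case is reported as a gap and two alerts fire; onboarding CloudTrail closes the gap and the third rule contributes its alert. Carrying the technique ID on each alert is what later lets monthly reporting show coverage per ATT&CK tactic rather than raw alert counts alone.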

We provide critical advice and guidance to our clients once an incident has been identified to help them quickly and effectively respond to the incident. Throughout the incident, our SOC team will provide regular updates and status reports to key stakeholders as agreed to keep them informed of the situation and provide guidance on next steps.

We will work with our client to develop a threat model, working through the assets to be onboarded and identifying business-critical components, which allows us to tailor our service accordingly. Through monthly reporting, we continuously work with clients to help them interpret the data and make ongoing recommendations and improvements.

Certifications and Skills

  • ISO27001
  • NIST CSF
  • Cyber Essentials Plus
  • Incident Response handling
  • CompTIA Security+
  • Blue Team Level 1
  • Blue Team Level 2
  • CISM

Practice Lead