FireEye Stories

Security Operations Center vs. Security Team

Prepare for the Inevitable

Phishing, ransomware, and nation-state attacks are among the many cyber threats that impact us daily, and they are not likely to stop in the near future. Although organizations appear to be discovering threats faster internally, the frequency and impact of the attacks are keeping security teams busy. As a result, security teams need to ensure they remain organized by advancing people and tools into an operational model. This will help guarantee they are prepared for the inevitable breach, and can limit the impact when it happens.

Security Operations 101

Once tools and staff (the security team) are in play, the next step is to advance into a security operations mode with key tasks to detect, investigate and respond to threats. If security personnel are assigned to a permanent location, then a Security Operations Center (SOC) is born. To execute these tasks, specific functions inside the SOC need to be formed. These functions typically include:

  • Alert generation via detection and analysis: One item security teams definitely have enough of is alerts. Too often, teams are overwhelmed with these alerts to the point that they suffer alert fatigue, and possibly ignore higher-priority alerts. Ensuring that security teams are receiving quality alerts is a key foundational step, and the starting point for the SOC workflow.
  • Threat intelligence: Knowing the adversary, their tactics and their ongoing campaigns will provide security teams with insights into who or what is behind an alert. Analysts need to apply threat intelligence to make effective early decisions, and search through past evidence and threat activity for more information.
  • Investigative workflow: Alerts often provide a single dimension of an ongoing attack. For example, an email alert may indicate that a user has clicked on a suspicious URL, and an endpoint alert may flag a file thought to be malicious. The impact on the user’s environment and the steps the adversary has taken are often not captured in a single alert. This is where investigative workflow comes into play – combining various alerts, context and threat intelligence into a case, and elevating multiple small pockets of evidence to scope an incident and guide the decision-making towards a full remediation.
  • Response: Once the decision around a case has been reached, communication on the containment and eradication can start. This transition from investigation to response is where collaboration and coordination between team members come into play. A complete picture of the facts (artifacts, context and threat intelligence) and speed in sharing all security intelligence will drive the effectiveness of the response, and help eradicate threats and adversaries.
  • Tuning: Not every alert will be useful. In a study, 40 percent of organizations reported that 11 percent or more of discovered threats turned out to be false positives. Tuning discovery and detection and helping the tools learn the right behavior patterns may alleviate the false-positive alert issue for security teams. Additionally, if certain incidents repeat often, or if alerts are missing, then tuning the controls may help reduce workload and optimize security posture.

These five functions represent the core foundation of a Security Operations Center. They can evolve over time, moving from fairly basic to more advanced depending on SOC maturity and strategy. To learn more about SOC functions, see MITRE’s Ten Strategies of a World-Class Cybersecurity Operations Center.

Enablers and Accelerators

When setting up the aforementioned functions, security teams will likely be unable to start from scratch. Existing tools, controls, resource availability and a unique enterprise environment will dictate some starting points. To establish and grow the efficiency of the SOC within enterprise constraints, additional capabilities need to be overlaid. These capabilities include:

  • Integration: This means integrating existing detection mechanisms with the SOC workflow to, for instance, preload alerts and other clues for consumption by the security team.
  • Automation: Whatever the situation, a Security Operations team will be overloaded with data generated by different tools or manual tasks. Automation – such as moving alerts into cases and validating missing evidence – can reduce time spent on manual tasks and help the team focus on better decision-making.
  • Orchestration of response tasks: This is used to help analysts autonomously contain and eradicate discovered threats. Orchestration enables security tools such as endpoint detection and response to run independently, and to execute a triage or preset containment for a host set.
  • Training and response simulation: These types of exercises will ensure the team is aware of real-life threats, and that they are prepared for when they have to take action.
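
The case-building step described under Investigative workflow and Automation, as an added example that is not from the original post and is not FireEye Helix code: alerts from separate tools are grouped per user within a time window and enriched from a threat-intelligence table. The alert fields, the one-hour window, the priority rule and all sample data are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

WINDOW = timedelta(hours=1)  # assumed correlation window
# Constructed threat-intelligence table: indicator -> campaign label.
INTEL = {"login-update.example": "constructed-campaign-A"}
# Constructed alerts from two tools, deliberately out of order.
ALERTS = [
    {"time": "2024-05-01T09:10:00", "source": "endpoint", "user": "alice", "indicator": "invoice.exe"},
    {"time": "2024-05-01T09:02:00", "source": "email", "user": "alice", "indicator": "login-update.example"},
    {"time": "2024-05-01T15:30:00", "source": "endpoint", "user": "bob", "indicator": "setup.tmp"},
    {"time": "2024-05-01T13:00:00", "source": "email", "user": "alice", "indicator": "newsletter.example"},
]

@dataclass
class Case:
    user: str
    alerts: list = field(default_factory=list)
    intel: set = field(default_factory=set)

    @property
    def priority(self):
        sources = {a["source"] for a in self.alerts}
        # Assumed rule: two tools agreeing, or any intel match, raises priority.
        return "high" if len(sources) > 1 or self.intel else "low"

def build_cases(alerts, window=WINDOW):
    """Group alerts into per-user cases; a gap longer than `window` opens a new case."""
    cases, open_case = [], {}  # open_case: user -> (case, time of last alert)
    for alert in sorted(alerts, key=lambda a: a["time"]):
        ts = datetime.fromisoformat(alert["time"])
        case, last = open_case.get(alert["user"], (None, None))
        if case is None or ts - last > window:
            case = Case(alert["user"])
            cases.append(case)
        case.alerts.append(alert)
        # Enrichment: attach the campaign label when the indicator is known.
        if alert["indicator"] in INTEL:
            case.intel.add(INTEL[alert["indicator"]])
        open_case[alert["user"]] = (case, ts)
    return cases

if __name__ == "__main__":
    for c in build_cases(ALERTS):
        print(c.user, c.priority, len(c.alerts), sorted(c.intel))
```

The email click and the endpoint detection for the same user land in one high-priority case, while the isolated alerts stay as separate low-priority cases for triage or tuning.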

A security operations platform such as FireEye Helix can help organizations introduce these capabilities in an integrated solution. FireEye Helix empowers security teams to efficiently conduct primary functions, including alert management, search, analysis, investigations, and reporting. The platform integrates disparate security solutions, applies advanced expertise – for instance, via threat intelligence – and automates critical investigative tasks such as endpoint triage.


Increased efficiency (cost versus results) and optimized controls (getting more out of existing tools) are the most noticeable benefits when tracking the progress of a Security Operations Center. Yet, perhaps the biggest business benefits of a SOC include adaptation and resiliency to existing or new threats. Regardless of the detection or protection technologies that are in place, the adversary’s goal is to get through – so if one attack method fails, they will simply leverage another.

The Security Operations Center can help IT organizations consolidate technologies, tools and processes to improve security posture and adapt defense and response. As an end result of properly functioning SOC operations, organizations can become resilient and agile to detect and stop security incidents before damage is done.

Visit our website to learn more about FireEye Helix and how it can help advance your security teams into security operations.