What’s a Pop-Up SOC, and Who Needs One?

High-profile events across the globe are prime targets for hackers, which puts a huge security burden on an event’s host. Even if the host has secured the infrastructure for day-to-day operations, a large-scale attack needs to be locked down immediately, which requires a wide range of resources. It’s often the case, though,  that event hosts do not have the additional physical and cybersecurity resources needed to adequately respond to and protect against disruption.

Enter the security operations center (SOC). Industry leaders understand that visibility is compromised without a SOC; however, not every organization has the ability or need for a full-time SOC. On top of the reality of restrained resources, SOCs aren’t exactly easy to build.

Digital Guardian recently asked 18 industry experts how to build a security operations center. Jose Hernandez, SVP technology and engineer at Zenedge Inc., responded: “There are many moving parts to building a Security Operations Center, but thinking of them in sections and tackling each through a threat model exercise makes the challenge achievable.”

It’s the moving parts that make building a SOC so challenging. “Much benchmarking, planning, and negotiating with stakeholders and vendors go into the whole SOC undertaking. There is definitely not a one size fits all approach when it comes to establishing, equipping, and staffing a SOC,” said Greg Schneider, owner of Battle Tested Solutions LLC, in the article.

Given the challenges of building a SOC combined with the need for security operations in myriad situations, the mobile SOC is growing more trendy, with good reason. In addition to IBM’s recent introduction of the IBM’s X-Force command cyber-tactical operations center (C-TOC), a first-of-its-kind mobile security operations center, ProtectWise has been working closely with organizations to build pop-up SOCs.

What’s a Pop-Up SOC?

Intended to help traditional defenders during times of abnormal traffic and network distress at large events. Security Boulevard has reported on the cyber risks that loomed over both the  Super Bowl and World Cup in 2018. Pop-up SOCs can be used at different sporting events, election polls, top secret federal events, even at a Beyoncé concert.

“A pop-up SOC is essentially a temporary time- or event-based security operations center. Circumstances that may justify a need for one have traditionally been mobile/offsite networks which require robust security operations and execution,” Tom Hegel, director of threat research and analysis at ProtectWise.  

Why Would an Organization Need a Pop-Up SOC?

Most of these high-profile events happen only annual or biannually, which gives them a small window in which to generate revenue. If a business’s point-of-sale (POS) machine or two gets infected or a web server goes down during a game, your bottom line is impacted and so is your ability to conduct the event again. As the host of this event, the urgent question you face is: How do you create a physical and cybersecurity environment with the ability to detect and respond quickly?

The pop-up SOC is what Hegel said is the answer to that question. Because of the many unknowns in cybersecurity, particularly at any sort of event that may require unexpected and fast response or events where SOC staff are temporarily relocated to a new location, having the ability to detect and respond to security incidents is critical to minimizing disruption and damage.

Mobile SOCs are also useful for training cybersecurity teams, which is one of the goals of the IBM C-TOC. “Experiencing a major cyberattack is one of the worst crisis a company can face, and the leadership, skills and coordination required is not something you want to test out for the first time when you’re facing a real attack,” said Caleb Barlow, vice president of threat intelligence at IBM Security, in a press release. “Having a mobile facility that allows us to bring realistic cyberattack preparation and rehearsal to a larger, global audience will be a game changer in our mission to improve incident response efforts for organizations around the world.”

Are Pop-Up SOCs Effective?

The mobile SOC should be accomplishing the same objectives as a traditional SOC, said Hegel, but, “the pop-up SOC is simply focused on a particular event through thorough monitoring capability, with planned response actions. A pop-up SOC would likely be used with a prebuilt network with many pieces of added tech and operation coordination.”

Attackers will continue to target organizations that could provide such services to events of interest, as has been observed over the past several years. Yet, organizations continue to struggle with the right combination of people, processes and technologies needed to effectively run a SOC. Still, larger temporary events will continue to be targeted by malicious actors.

As more third parties recognize the value that pop-up SOCs can provide, they will likely include these services in their offering, which means that pop-up SOCs are likely to grow in sophistication as time continues.

Kacy Zurkus

Avatar photo

Kacy Zurkus

Prior to joining RSA Conference as a Content Strategist, Kacy Zurkus was a cybersecurity and InfoSec freelance writer as well as a content producer for Reed Exhibition's security portfolio. Zurkus was a regular contributor to Dark Reading, Infosecurity Magazine, Security Boulevard and IBM's Security Intelligence. She has also contributed to several industry publications, including CSO Online, The Parallax, and K12 Tech Decisions. During her time as a journalist, she covered a variety of security and risk topics and also spoke on a range of cybersecurity topics at conferences and universities, including Secure World and NICE K12 Cybersecurity in Education. Zurkus has nearly 20 years experience as a high school teacher on English and holds an MFA in Creative Writing from Lesley University (2011). She earned a Master's in Education from University of Massachusetts (1999) and a BA in English from Regis College (1996). In addition, she's also spoken on a range of cybersecurity topics at conferences and universities, including SecureWorld Denver and the University of Southern California.

kacy-zurkus has 62 posts and counting.See all posts by kacy-zurkus