Security Operations Center

A security operations center, or SOC, is a team of IT security professionals that protects the organization by monitoring, detecting, analyzing, and investigating cyber threats.

The processes that make up operations security (OPSEC) come down to these five steps:

  • Identify critical information. The first step is to determine what data would be particularly harmful to the organization if an adversary obtained it. ...
  • Analyze threats. ...
  • Analyze vulnerabilities. ...
  • Assess risks. ...
  • Apply appropriate countermeasures.

As you explore the process of how to build a SOC, you'll learn to:

  • Develop your security operations center strategy.
  • Design your SOC solution.
  • Create processes, procedures, and training.
  • Prepare your environment.
  • Implement your solution.
  • Deploy end-to-end use cases.
  • Maintain and evolve your solution.

A security operations center (SOC) is responsible for protecting an organization against cyber threats. SOC analysts perform round-the-clock monitoring of an organization's network and investigate any potential security incidents. If a cyberattack is detected, the SOC analysts are responsible for taking whatever steps are necessary to remediate it. A SOC comprises the three building blocks for managing and enhancing an organization's security posture: people, processes, and technology. Governance and compliance provide the framework that ties these building blocks together.[1] In the physical sense, a SOC within a building or facility is a central location from which staff supervise the site using data processing technology.[2] Such a SOC is typically equipped for access monitoring and for control of lighting, alarms, and vehicle barriers.

A security operations center has three main components:

People, Process and Technology

Building a SOC is not a one-day or even a one-month project; it is one of the hardest projects a company can take on, because by its nature it requires investing money, investing time, and dedicating people.

As I have already said, SOCs are built on three main components, each of which is essential and cannot be separated from the others. A problem in just one of the three components will make the SOC unsuccessful.

Component 1: People

I think one of the most difficult parts of the SOC is finding the right people and making them work in harmony. You can buy the best world-class security solutions to operate the security operations center, but if those solutions are not tuned and used by experienced, skilled people, they become useless. Likewise, creating a sophisticated, high-quality process to manage your SOC will never replace a well-experienced SOC manager or leader.

Therefore, the first component I will talk about here is people.

What kind of people do you need in a SOC?

To run your security operations center you will need different people for different roles, so here is a list of some profiles that are essential for the SOC:

SOC manager

Of course, a leader is always needed; I think the title of the role already explains itself. This is the person who will lead and manage the whole security operations center.

Analyst

This role is the heart of the SOC: the analyst is responsible for performing all the analysis, investigation, and reporting. In addition, this role can be divided into two or more levels depending on the structure and the budget of the SOC.

For example, you can create a SOC with two levels. When an incident occurs, the first-level analysts (in general junior analysts with little SOC experience) perform the first basic analysis and investigation. When a rare or new incident happens and requires deeper analysis and investigation, a level-two analyst is needed (in general a senior analyst, or simply someone with deep knowledge of the supervised network).

SOC engineer

A SOC engineer is responsible for installing the tools used in the SOC, and is always working on new projects to enhance the SOC's capabilities with new technologies and tools.

SOC operator

The SOC operator is a complementary job to the engineer. The SOC operator focuses on maintaining the SOC tools installed by the SOC engineer, and nothing else. The difference between the two roles is that the engineer works on new tools and tries to enhance the capabilities, which is not the case for the operator.

To reduce the cost of the SOC project and the number of employees, SOC engineers and operators are, most of the time, employed by the vendors.

Some of those roles, especially the ones that need a lot of experience, are difficult to find. Therefore, a training plan needs to be put in place to grow your team's capabilities and knowledge. Unfortunately, experience is not the only challenge you may face while building your team. Your team members may have experience working in other companies but never together, so creating harmony between the members of your team will take time and effort.

What skills are needed for a SOC analyst?

To find the right people to work with you, you first need to know what skills you are looking for. In this part of the post, I am going to discuss the skills a SOC analyst needs in order to do the job well.

I will not cover the SOC engineer or the SOC operator here: those are mainly network security engineers who need a deep understanding of the tools they are installing and maintaining, and in general that is all. In addition, those profiles are more product-focused, so depending on the tools you are going to install in your SOC you will need people who are experts in those tools.

A SOC analyst needs to have a good base of knowledge in the following three skills:

  • Ethical hacking
  • Incident response
  • Computer forensics

A more experienced and skilled analyst may also have good knowledge of reverse engineering concepts and tools. To be honest, this skill is very rare and not many people master it. However, in most cases a junior SOC analyst will not need this skill to do a good job.

Component 2: Processes

When talking about processes, that is, what should be done in which situation and how in the SOC environment, there are many things that need a written process. These are some of the most common ones you need to have in your SOC.

Incident triage process

Incident triage is the first step in the incident response plan. In this process, the person responsible (who can be a simple network admin, or anyone with the right privileges to see the incidents on the network) tries to categorize the incident and set a risk level for it. After deciding whether further investigation is needed, the person responsible assigns the incident to the right analyst (level 1 or 2), depending on its criticality, for further analysis.

Incident reporting process

Closing a computer security incident refers to the eradication phase, in which the vulnerabilities that caused the event have been closed and all traces of the incident have been cleaned up.

Incident analysis process

The incident analysis process is the main work of the SOC team. This process defines the way to detect the root cause of the incident and how to contain it at the earliest stages.

Incident closure process

The incident closure process starts once the vulnerability that was the reason behind the incident has been fixed. In addition, this process includes testing and verifying that the vulnerability has been successfully fixed.

Post incident activities process

This process concerns the whole SOC team. It is a sort of lessons-learned process in which you gather as much information as possible to teach the rest of the team about this new case.
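The triage, analysis, closure and post-incident steps above, worked as code. This is an added example and not code from the article: the incident categories, the risk weights, the rule that critical risk or an unfamiliar category goes to a level-two analyst, and the stage names are all assumptions. The point it shows that the prose alone does not is how the process itself enforces that a real incident must be contained, and its fix verified, before it can be closed, while a false positive may be closed straight from triage.

```python
# Added example (not from the article): a minimal incident-handling workflow that
# mirrors the triage, analysis, closure and post-incident steps described above.
# Category names, risk weights, tier rules and stage names are assumptions.
from dataclasses import dataclass, field
from enum import Enum


class Stage(Enum):
    NEW = "new"
    TRIAGED = "triaged"
    ANALYZING = "analyzing"
    CONTAINED = "contained"
    CLOSED = "closed"


# Assumed base risk per category (1 = low ... 4 = critical). An unknown
# category is treated as medium risk but always routed to a senior analyst.
CATEGORY_BASE_RISK = {
    "policy_violation": 1,
    "phishing": 2,
    "brute_force": 2,
    "malware": 3,
    "data_exfiltration": 4,
}

# Allowed stage transitions. A false positive may be closed straight from
# triage; a real incident must be contained before it can be closed.
ALLOWED = {
    Stage.NEW: {Stage.TRIAGED},
    Stage.TRIAGED: {Stage.ANALYZING, Stage.CLOSED},
    Stage.ANALYZING: {Stage.CONTAINED},
    Stage.CONTAINED: {Stage.CLOSED},
    Stage.CLOSED: set(),
}


@dataclass
class Incident:
    ident: str
    category: str
    critical_asset: bool
    stage: Stage = Stage.NEW
    risk: int = 0
    tier: int = 0
    root_cause: str = ""
    fix_verified: bool = False
    lessons_learned: str = ""
    history: list = field(default_factory=list)


def triage(inc: Incident) -> Incident:
    """Triage step: categorize, set a risk level, route to tier 1 or tier 2."""
    known = inc.category in CATEGORY_BASE_RISK
    base = CATEGORY_BASE_RISK.get(inc.category, 2)
    inc.risk = min(4, base + (1 if inc.critical_asset else 0))
    # Critical risk or an unfamiliar category goes to a senior (tier 2) analyst.
    inc.tier = 2 if inc.risk >= 4 or not known else 1
    advance(inc, Stage.TRIAGED)
    return inc


def advance(inc: Incident, new_stage: Stage) -> None:
    """Move an incident along the process, refusing transitions the process forbids."""
    if new_stage not in ALLOWED[inc.stage]:
        raise ValueError(f"{inc.ident}: cannot go from {inc.stage.value} to {new_stage.value}")
    if inc.stage is Stage.CONTAINED and new_stage is Stage.CLOSED and not inc.fix_verified:
        raise ValueError(f"{inc.ident}: closure requires the fix to be tested and verified")
    inc.history.append((inc.stage.value, new_stage.value))
    inc.stage = new_stage


def close_incident(inc: Incident, root_cause: str, fix_verified: bool, lessons: str) -> Incident:
    """Closure and post-incident step: record root cause, verification and lessons learned."""
    inc.root_cause = root_cause
    inc.fix_verified = fix_verified
    inc.lessons_learned = lessons
    advance(inc, Stage.CLOSED)
    return inc


def run_example() -> dict:
    """Walk two constructed incidents through the process and return their end state."""
    exfil = triage(Incident("INC-EX-1", "data_exfiltration", critical_asset=True))
    advance(exfil, Stage.ANALYZING)
    advance(exfil, Stage.CONTAINED)
    close_incident(exfil, "leaked service token", fix_verified=True,
                   lessons="rotate tokens; alert on bulk downloads")

    # A phishing report on a non-critical host that triage shows to be a false positive.
    fp = triage(Incident("INC-EX-2", "phishing", critical_asset=False))
    advance(fp, Stage.CLOSED)
    return {"exfil": exfil, "fp": fp}


if __name__ == "__main__":
    for name, inc in run_example().items():
        print(name, inc.risk, inc.tier, inc.stage.value, inc.history)
```

The `history` list on each incident is the audit trail a post-incident review would read; in a real SOC it would live in the ticketing system rather than in memory.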

Vulnerability discovery process

This process defines the way vulnerabilities are discovered in the IT network and how to evaluate their impact. It may also describe how to consume external vulnerability data sources and how to verify them against the solutions used internally.

Vulnerability remediation and tracking

This process describes the way to communicate vulnerabilities to system owners and how to remediate and track them.
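The two vulnerability processes above (discovery with impact evaluation and external-source verification, then communication to owners with remediation tracking) as one added example. This is not a tool from the article: the scanner findings, the "known exploited" feed, the asset criticality map, the severity bands and the SLA days are all constructed assumptions, and the finding identifiers are placeholders rather than real advisory numbers.

```python
# Added example (not from the article): vulnerability impact evaluation and
# remediation tracking. All data and thresholds below are constructed.
from datetime import date, timedelta

# Constructed scanner output: (finding id, asset, system owner, CVSS base score).
FINDINGS = [
    ("VULN-EX-1", "web-01", "web-team", 9.8),
    ("VULN-EX-2", "db-01", "data-team", 7.5),
    ("VULN-EX-3", "kiosk-07", "facilities", 5.3),
    ("VULN-EX-4", "web-02", "web-team", 4.0),
]

# Constructed external feed: finding ids reported as exploited in the wild.
EXTERNAL_EXPLOITED = {"VULN-EX-2"}

# Assumed asset criticality (business impact if the asset is compromised).
CRITICAL_ASSETS = {"db-01", "web-01"}

# Assumed remediation SLA in days per severity band.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}


def evaluate_impact(score: float, asset: str, ident: str) -> str:
    """Turn a raw CVSS score into a severity band adjusted for the asset and the feed."""
    adjusted = score
    if asset in CRITICAL_ASSETS:
        adjusted += 1.0
    if ident in EXTERNAL_EXPLOITED:
        adjusted += 2.0          # issues verified as exploited jump a band
    adjusted = min(adjusted, 10.0)
    if adjusted >= 9.0:
        return "critical"
    if adjusted >= 7.0:
        return "high"
    if adjusted >= 4.0:
        return "medium"
    return "low"


def build_tracker(findings, discovered_on: date) -> list:
    """One tracking record per finding: severity, owner, SLA due date, status."""
    records = []
    for ident, asset, owner, score in findings:
        sev = evaluate_impact(score, asset, ident)
        records.append({
            "id": ident, "asset": asset, "owner": owner, "severity": sev,
            "due": discovered_on + timedelta(days=SLA_DAYS[sev]),
            "status": "open",
        })
    return records


def overdue(records, today: date) -> list:
    """Open findings past their SLA due date, most severe first, then oldest due date."""
    order = ["critical", "high", "medium", "low"]
    late = [r for r in records if r["status"] == "open" and r["due"] < today]
    return sorted(late, key=lambda r: (order.index(r["severity"]), r["due"]))


def notifications(records) -> dict:
    """Group open findings by system owner so each owner receives one message."""
    by_owner = {}
    for r in records:
        if r["status"] == "open":
            by_owner.setdefault(r["owner"], []).append(r["id"])
    return by_owner


if __name__ == "__main__":
    tracker = build_tracker(FINDINGS, date(2024, 1, 1))
    for r in tracker:
        print(r["id"], r["severity"], r["owner"], r["due"])
    print("overdue:", [r["id"] for r in overdue(tracker, date(2024, 2, 1))])
    print("notify:", notifications(tracker))
```

Note how the external feed changes the outcome: VULN-EX-2 has a lower raw score than VULN-EX-1 but lands in the same band because it is on a critical asset and reported as exploited, so both get the shortest SLA.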

Component 3: Technology

SOCs include a variety of security tools such as firewalls, SIEMs, vulnerability scanners, endpoint protection solutions, intrusion prevention and detection (IPS/IDS) systems, mobile device management (MDM) systems, and cloud security tools. All these make it possible to monitor, control, and secure the IT environment.

To give you an idea of the main tools and technologies you will need in your SOC:

  • SIEM
  • EDR/XDR
  • IPS/IDS
  • Cyber threat intelligence feeds and databases
  • Vulnerability scanners
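To make the SIEM and threat-intelligence entries in the list above concrete, here is an added example (not code from the article or from any product) of the kind of correlation rule a SIEM runs over collected logs, joined with an indicator feed. The sshd-style log lines, the indicator list, the five-failures-in-five-minutes threshold and the rule names are all constructed for this illustration; the addresses come from the documentation ranges reserved for examples.

```python
# Added example (not from the article): a SIEM-style brute-force rule over
# constructed auth log lines, plus enrichment against a constructed
# threat-intelligence feed. Thresholds and rule names are assumptions.
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sshd-style auth log lines (syslog layout; the year is assumed).
SAMPLE_LOG = """\
Mar 10 08:00:01 bastion sshd[1201]: Failed password for invalid user admin from 203.0.113.50 port 51122 ssh2
Mar 10 08:00:03 bastion sshd[1201]: Failed password for invalid user admin from 203.0.113.50 port 51123 ssh2
Mar 10 08:00:04 bastion sshd[1201]: Failed password for root from 203.0.113.50 port 51124 ssh2
Mar 10 08:00:06 bastion sshd[1201]: Failed password for root from 203.0.113.50 port 51125 ssh2
Mar 10 08:00:09 bastion sshd[1201]: Failed password for root from 203.0.113.50 port 51126 ssh2
Mar 10 08:00:40 bastion sshd[1201]: Accepted password for root from 203.0.113.50 port 51130 ssh2
Mar 10 08:05:00 bastion sshd[1300]: Failed password for alice from 198.51.100.7 port 40001 ssh2
Mar 10 08:07:00 bastion sshd[1300]: Accepted publickey for alice from 198.51.100.7 port 40002 ssh2
Mar 10 09:00:00 bastion sshd[1400]: Accepted publickey for bob from 192.0.2.9 port 40010 ssh2
"""

# Constructed threat-intelligence feed: indicator -> source tag.
THREAT_INTEL = {"192.0.2.9": "constructed-feed:scanner-node"}

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>[\d.]+) port \d+"
)


def parse(log_text: str, year: int = 2024) -> list:
    """Parse the lines the rule understands into event dicts; skip the rest."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append({"ts": ts, "host": m["host"], "result": m["result"],
                       "user": m["user"], "src": m["src"]})
    return events


def detect_brute_force(events, threshold=5, window=timedelta(minutes=5)) -> list:
    """Alert when one source reaches `threshold` failures inside `window`;
    escalate if that source then logs in successfully."""
    alerts = []
    failures = defaultdict(list)   # src -> timestamps of recent failures
    flagged = set()
    for ev in sorted(events, key=lambda e: e["ts"]):
        src = ev["src"]
        if ev["result"] == "Failed":
            failures[src].append(ev["ts"])
            failures[src] = [t for t in failures[src] if ev["ts"] - t <= window]
            if len(failures[src]) >= threshold and src not in flagged:
                flagged.add(src)
                alerts.append({"rule": "ssh_brute_force", "src": src,
                               "severity": "medium", "count": len(failures[src])})
        elif src in flagged:
            alerts.append({"rule": "ssh_brute_force_success", "src": src,
                           "severity": "high", "user": ev["user"]})
    return alerts


def enrich_with_intel(events, intel=None) -> list:
    """Flag successful logins whose source address appears in the intel feed."""
    intel = THREAT_INTEL if intel is None else intel
    return [{"rule": "known_bad_source_login", "src": e["src"], "user": e["user"],
             "severity": "high", "source": intel[e["src"]]}
            for e in events if e["result"] == "Accepted" and e["src"] in intel]


def run_detections(log_text: str = SAMPLE_LOG) -> list:
    """Run both rules over the log and return the alerts a SOC analyst would triage."""
    events = parse(log_text)
    return detect_brute_force(events) + enrich_with_intel(events)


if __name__ == "__main__":
    for alert in run_detections():
        print(alert)
```

The escalation step is the part worth copying: a burst of failures is routine noise on an internet-facing host, but a success from the same source right after the burst is what a level-one analyst should see at the top of the queue.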

Hope this is helpful.
