A Security Operations Center (SOC) is a dedicated security team responsible for monitoring, detecting, preventing and analysing cyber threats, and for meeting regulatory compliance requirements. Team members work together, using process and technology, to provide effective security for the organisation's systems, information, networks, databases and so on.
The SOC team always works with the CIA triad. The CIA model is used to design an organisation's information security policies and has three components: C stands for Confidentiality, I for Integrity and A for Availability. If any one of the three is missing, security is compromised.
The SOC team works 24/7/365, and its members continually upgrade their skills with knowledge of the latest threats and vulnerabilities, and build prevention plans accordingly.
Main key functions of a Security Operations Center –
- Continuous monitoring of network security devices and of security and audit logs (24*7*365)
- Incident Response
- Threat Detection and Response
- Deploy and monitor data protection solutions.
- Correlation of logs
- Patch Management
- Adhere to CIA (Confidentiality, Integrity and Availability)
- Anomaly Detection.
- Vulnerability assessment and management.
- Monitor the privileges of accounts (Privilege Management)
- Find risks and implement a mitigation plan
- Root Cause Analysis
- Make a service improvement plan for security.
- Security checks before application launch, and protection of post-production deployments.
- Implement compliance and adhere to it, e.g. GDPR, HIPAA, ISO, PCI compliance
- Protecting IoT devices.
Why do we need a SOC, and the benefits of a SOC
- Centralised approach
- Correlate activity
- Maintain trust among clients and customers
- Protection from the latest threats and cyber attacks
- Maximum awareness
- Always ready with a recovery and remediation plan
- Keep securing data and infrastructure
- Proactive threat hunting
- Reduced cost by preventing security breaches
How a SOC works –
A SOC team is a combination of people, process and technology. Let's understand each component –
People – Hiring the right team lets a SOC run smoothly. Always pick members with the right skill set and train them in the process. Before building the team, define the scope of the SOC and each member's roles and responsibilities. People play an important role in a SOC, as they correlate the activity and look at alerts intelligently. A SOC team consists of three key designations (CISO, SOC Manager and Security Analyst); the headcount varies with requirements.
Technology – Deep analysis of logs supports the SOC and provides better security. Picking the right tools protects against threats. A SOC's main function is to correlate activity, and for correlation across devices we should consider a SIEM (Security Information and Event Management). Implement defence in depth.
Each member should know the assets of the organisation.
Application security – WAF (Web Application Firewall), DDoS protection, IPS (Intrusion Prevention System)
Network and perimeter security – firewall, intrusion detection system (IDS), DDoS protection, VPN, DLP, URL filtering, content filtering, APT (advanced persistent threat) protection, etc.
Endpoint security – EDR (Endpoint Detection and Response), endpoint protection tools against malware, DLP, content security, and tools to monitor unwanted services such as Sysmon and Process Explorer.
Governance, Risk and Compliance (GRC) systems.
Log management and correlation – SIEM (Security Information and Event Management)
Physical security – CCTV, access cards, fences, etc.
Cyber threat intelligence feeds
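As an added example (not code from the original post), here is a minimal correlation rule of the kind a SIEM runs over authentication logs: it flags a successful login that was preceded by repeated failures from the same source for the same user inside a short sliding window. The sshd-style log lines, the threshold of 3 and the 5-minute window are constructed assumptions for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sshd log lines (syslog-like); not taken from any real system.
SAMPLE_LOGS = """\
2024-05-01T10:00:01 sshd[1201]: Failed password for admin from 203.0.113.7 port 5011
2024-05-01T10:00:03 sshd[1202]: Failed password for admin from 203.0.113.7 port 5012
2024-05-01T10:00:05 sshd[1203]: Failed password for admin from 203.0.113.7 port 5013
2024-05-01T10:00:09 sshd[1204]: Accepted password for admin from 203.0.113.7 port 5014
2024-05-01T10:02:00 sshd[1205]: Failed password for bob from 198.51.100.4 port 6001
2024-05-01T10:30:00 sshd[1206]: Accepted password for bob from 198.51.100.4 port 6002
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password "
                     r"for (?P<user>\S+) from (?P<src>\S+) port \d+$")

def parse(text):
    """Normalise raw lines into events; lines that do not match the format are ignored."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append({"ts": datetime.fromisoformat(m["ts"]), "user": m["user"],
                           "src": m["src"], "ok": m["result"] == "Accepted"})
    return events

def correlate(events, threshold=3, window=timedelta(minutes=5)):
    """Alert when a successful login follows at least `threshold` failures for the
    same (source, user) within a sliding window: the brute-force-then-compromise pattern."""
    failures = defaultdict(list)   # (src, user) -> timestamps of recent failures
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["src"], ev["user"])
        # Expire failures that are older than the window relative to this event.
        failures[key] = [t for t in failures[key] if ev["ts"] - t <= window]
        if ev["ok"]:
            if len(failures[key]) >= threshold:
                alerts.append({"src": ev["src"], "user": ev["user"],
                               "failures": len(failures[key]), "at": ev["ts"].isoformat()})
            failures[key].clear()   # a success ends the attempt sequence either way
        else:
            failures[key].append(ev["ts"])
    return alerts

def run_sample():
    """Run the rule over the constructed sample; expected: one alert for user admin."""
    return correlate(parse(SAMPLE_LOGS))
```

The user bob produces no alert: a single failure 28 minutes before the success falls outside the window, so the rule separates a typo from a credential-guessing sequence.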
Process – Process is the set of best practices that lets a Security Operations Center run effectively. Process means making a plan and workflow to run the business: a mitigation plan, a runbook, and an incident response plan with six steps (Preparation, Identification, Containment, Eradication, Recovery and Lessons Learned). Process can also define the team hierarchy, for example how a security analyst communicates with developers, or how the DevOps team works with the SOC team when its deep knowledge is needed.
Types of Security Operations Center
- Internal SOC
- External SOC
How to build an effective Security Operations Center
To build an effective SOC, keep your eyes on people, process and technology. Hire analysts with the right skill set and concentrate on training them on the tools and the process. Keep updating the process and runbook (we will discuss this in another post). Select the best tools for the infrastructure and for data protection, such as firewall, IPS, proxy, endpoint security, etc.
Here are some more ideas for building an effective SOC –
- Automation – Consider automation, and implement automated processes with the help of AI and ML.
- Effective technology – Select the best tools and technology to keep monitoring and detecting threats. You can select your tools as mentioned above.
- Responsibilities – Each member should be clear about their roles and responsibilities, and should know whom to escalate to.
- Team members should know the assets (software and hardware) in the environment; classifying assets helps protect against breaches.
- Prioritise the alerts and logs.
- Each team member must know the service flow and network flow.
- A data recovery process plan helps retrieve data in the minimum time.
- A change management policy and process should be in place to monitor changes.
- Audit – Keep auditing the systems and make sure they adhere to compliance requirements.
- Stay current with threats – Make sure team members are aware of the latest threats in the wild and of the corresponding mitigation plans.
- Escalation matrix – Set an escalation matrix so the team knows whom to escalate to and whom to respond to.