What is SOC?
❑ Security Operations Center (SOC). SOC can be simply defined as a centralized unit that deals with security on an organizational level. In these centers, the enterprise’s information and other sensitive areas like websites, databases, servers, networks, etc. are monitored, assessed and defended.
❑ Many organizations believe that they are not susceptible to cyber-attacks because they haven’t experienced one yet. The reality is that they don’t know whether they are compromised or not. SOC is a team primarily composed of security analysts organized to detect, analyze, respond to, report on, and prevent cyber security incidents.
❑ To determine the nature of the attack, the SOC incident response team often must perform advanced forensic analysis on artifacts such as hard drive images or full-session packet capture (PCAP), or malware reverse engineering on malware samples collected in support of an incident. When the signs of an attack are understood well enough to encode a computer-readable IDS signature, the attack may be prevented in-line, as with a host intrusion prevention system (HIPS) or network intrusion prevention system (NIPS).
❑ SIEM tools collect, store, correlate, and display myriad security-relevant data feeds, supporting triage, analysis, escalation, and response activities. Almost all devices can be integrated into SIEM to fetch logs. Most of the well-known devices have been identified by the SIEM vendor and specialized connectors have been developed to fetch logs. SIEM also has the capability to integrate with applications that are developed in house by using a customized collector.
❑ The SOC does not just consume data from its constituency; it also folds in information from a variety of external sources that provides insight into threats, vulnerabilities, and adversary TTP. This information is called cyber intelligence (intel), and it includes cyber news feeds, signature updates, incident reports, threat briefs, and vulnerability alerts. As the defender, the SOC is in a constant arms race to maintain parity with the changing environment and threat landscape. Continually feeding cyber intel into SOC monitoring tools is key to keeping up with the threat.
How to design an effective SOC?
The following are the steps for building up an efficient Security Operations Center:
• Risk Assessment:
The first step is to perform an assessment. This helps to identify clear priorities related to one’s company. Risk assessment begins by compiling critical assets, information to protect, and other business processes. Next, we should identify the threats that may affect our system. Once the threats are identified, based on the severity and impact, they should be prioritized. The output of conducted risk assessment helps to design the SOC accordingly.
• Business Case:
After the completion of risk assessment, the SOC objectives must be defined. The priorities may vary for different organizations. Some of the objectives could be to detect attacks from the Internet, maintain a vulnerability review, monitor the network, etc.
• Staff Skill & Training Requirement:
Skilled technicians, correct methodology and the right technology are the keys to success for an efficient SOC. Among these, skilled staff play the most important role in protecting the organization from cyber-attacks. Without properly skilled personnel, any number of processes or technologies won’t help in building a proper structure.
• Technology Requirement:
The toolset should be selected according to the skills of the people working with it. The staff survey conducted in the previous step would help in selecting it. Some of the tools can be basic tools like antivirus, firewall and intrusion detection systems like Snort. Advanced tools like DLP (data loss prevention), application security testing, database activity monitoring (DAM) or an automated vulnerability assessment tool could be used to ensure proper results.
• Incident Management:
It is very important to have an Incident Response (IR) team to manage a situation. The incident management could be planned according to the capability of the team members and the SOC configuration. First, we have to define the response procedures for certain situations. These response procedures are also known as standard operating procedures, which should be followed once an alert is triggered.
The following are the phases in incident management:
Identification → Response → Recovery → Post Incident Review
Regular exercises on such situations would help the team to speed up their process under pressured conditions and attain maximum efficiency.
There are various advantages of having a SOC. A managed SOC provides a complete solution to security issues related to one’s company by monitoring and governing its activities.
A proper SOC should have the following:
• Security Incident and Event Management (SIEM)
• Threat Intelligence
• 24/7 security monitoring
• Incident response
Crafting a SOC with the features mentioned above could bring complete protection for an organization. Business performance can improve considerably when the organization does not have to worry about security. This kind of implementation provides immunity from advanced threats and risks.
These days we can see that the line between SOC and NOC is starting to blur. Most companies are planning to combine these two centers, which would give much more efficiency. Professionals should be trained in both fields before the combined center is implemented in a live environment. Many security tools and network management tools can be combined for a better result. Analysts say that both systems should not be combined entirely, but should share some fields, especially where security policy implementation and auditing
Threat intelligence is a comprehensive, real-time, cloud-based threat intelligence service that enables customers to protect against cyber threats across all vectors: file, web, message, and network. Threat intelligence can protect organizations from emerging cyber threats by considering their propagation methods and source. It strengthens our security infrastructure with shared threat intelligence, enabling security products to act proactively. The use of threat intelligence is necessary for a SOC to prevent the latest attacks. Certain threat intelligence providers have the capability to predict threats before they appear in the market by using data analytics. These services are in high demand as companies don’t want to risk their reputation. Certain threat feeds are automatically integrated into the SIEM system so that feed updates are applied instantaneously.
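As an added illustration of the two SIEM capabilities described on this page (correlating collected log events into alerts, and enriching those events with a threat intelligence feed), the following Python example is not part of the original text or any vendor's product. The log lines, the indicator feed and the field format are all constructed for the demo; the "brute force followed by success" rule and the confidence threshold are assumptions chosen here for illustration.

```python
import re
from collections import defaultdict

# Constructed sample events in a SIEM-style normalized "key=value" format (not real logs).
SAMPLE_LOGS = [
    "2024-03-01T10:00:01Z host=web01 src=203.0.113.7 user=alice event=login_failed",
    "2024-03-01T10:00:03Z host=web01 src=203.0.113.7 user=alice event=login_failed",
    "2024-03-01T10:00:05Z host=web01 src=203.0.113.7 user=alice event=login_failed",
    "2024-03-01T10:00:09Z host=web01 src=203.0.113.7 user=alice event=login_success",
    "2024-03-01T10:01:00Z host=db01 src=198.51.100.9 user=svc event=login_success",
    "2024-03-01T10:02:00Z host=web02 src=192.0.2.44 user=bob event=login_success",
]

# Constructed threat-intel feed (hypothetical): indicator -> provider and confidence score.
INTEL_FEED = {"198.51.100.9": {"source": "feed-A", "confidence": 90}}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) src=(?P<src>\S+) user=(?P<user>\S+) event=(?P<event>\S+)$"
)

def parse(lines):
    """Normalize raw lines into dict events; lines that do not match the format are dropped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events

def correlate(events, intel, fail_threshold=3):
    """Return alerts: a success after >= fail_threshold failures per (src, user), plus intel hits."""
    alerts = []
    failures = defaultdict(int)  # running failure count keyed by (src, user)
    for ev in events:
        key = (ev["src"], ev["user"])
        if ev["event"] == "login_failed":
            failures[key] += 1
        elif ev["event"] == "login_success":
            if failures[key] >= fail_threshold:
                alerts.append({"rule": "bruteforce_success", "src": ev["src"], "user": ev["user"],
                               "host": ev["host"], "severity": "high"})
            failures[key] = 0  # a success resets the window for that pair
        if ev["src"] in intel:  # enrichment: any event from a feed-listed source is escalated
            hit = intel[ev["src"]]
            alerts.append({"rule": "intel_match", "src": ev["src"], "user": ev["user"], "host": ev["host"],
                           "severity": "high" if hit["confidence"] >= 80 else "medium", "source": hit["source"]})
    return alerts

def run():
    return correlate(parse(SAMPLE_LOGS), INTEL_FEED)
```

Running `run()` on the constructed input yields two alerts: one for alice's three failures followed by a success, and one for the successful login from the feed-listed source 198.51.100.9.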