Security Operations Centre guide for an organization | Akash Jain
Nowadays, organisations are building Security Operations Centres with limited resources (time, staff and budget), setting up an operations centre supported by multiple monitoring technologies and real-time threat updates. You may doubt that you will have enough full-time, skilled team members to implement and manage these different tools on an ongoing basis. That is why it is essential to look for ways to simplify and unify security monitoring, so that your SOC processes and team are used as effectively as possible.
A SOC is a centralised unit in an organisation that deals with security issues at both the organisational and the technical level. Physically, a Security Operations Centre within a building or facility is the central location from which staff supervise the site using data processing technology. An information security operations centre (or "SOC") is the location where enterprise information systems are centrally monitored.
General requirements for the effective working of a SOC
- A defined and documented Security Operations Centre (SOC) guideline that includes all the roles and responsibilities to be undertaken by the SOC.
- Clearly defined escalation paths to investigate, analyse and elevate alerts and events to the appropriate incident response teams.
- Tools to detect and monitor computer security alerts (e.g., alerting, thresholds, aggregation).
- An incident management plan.
- Incident analysis and handling hardware and software are in place.
- Incident handling communication facilities are in place.
- Regularly reviewed lists:
  - Asset list (new and decommissioned)
  - IP details
  - Network diagram
  - Cryptographic hashes
- Roles and responsibilities of the SOC team are defined based on its capabilities.
- Regular training sessions for the SOC team, for continuous skill enhancement and to keep up to date with threats and attacks.
- The enterprise-wide data collection, aggregation, detection, analytics and management solutions required by the SOC are defined.
- Risk assessment to identify high-risk areas for prioritisation.
- Key vulnerabilities should be identified regularly.
- Identify special interest groups for reporting incidents.
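The "thresholds" and "aggregation" requirement above is the part of a SOC tool that turns raw log lines into a manageable alert queue. The following is an added example, not code from the article: it parses constructed sshd-style authentication lines (the hosts, users and addresses are made up), counts failed logins per source address inside a sliding five-minute window, and raises one aggregated alert per address once a threshold is crossed, rather than one alert per line. A successful login that follows the burst of failures upgrades the alert's severity, which is the piece of context a Tier 1 analyst needs before handing the case to Tier 2. The field names, threshold and window are assumptions, not a real product's schema.

```python
"""Threshold-based alerting with aggregation over constructed sshd-style
authentication log lines (added example; not the article's own code)."""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed sample log; hosts, users and addresses are made up (documentation ranges).
SAMPLE_LOG = """\
2024-03-01T10:00:01 host1 sshd[101]: Failed password for invalid user admin from 203.0.113.5 port 50001 ssh2
2024-03-01T10:00:04 host1 sshd[102]: Failed password for root from 203.0.113.5 port 50002 ssh2
2024-03-01T10:00:07 host1 sshd[103]: Failed password for root from 203.0.113.5 port 50003 ssh2
2024-03-01T10:00:09 host1 sshd[104]: Failed password for root from 203.0.113.5 port 50004 ssh2
2024-03-01T10:00:12 host1 sshd[105]: Failed password for root from 203.0.113.5 port 50005 ssh2
2024-03-01T10:00:15 host1 sshd[106]: Accepted password for root from 203.0.113.5 port 50006 ssh2
2024-03-01T10:02:00 host2 sshd[201]: Failed password for alice from 198.51.100.7 port 40001 ssh2
2024-03-01T10:30:00 host2 sshd[202]: Failed password for alice from 198.51.100.7 port 40002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+"
)


def parse_line(line):
    """Parse one line into a dict, or return None for lines we do not understand."""
    m = LINE_RE.match(line)
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.fromisoformat(event["ts"])
    return event


def detect_bruteforce(log_text, threshold=5, window=timedelta(minutes=5)):
    """Aggregate failed logins per source IP inside a sliding time window and
    emit a single alert per IP once the threshold is reached, instead of one
    alert per line. A later successful login from the same IP raises severity."""
    recent = defaultdict(list)  # ip -> [(timestamp, user), ...] within the window
    alerts = {}
    for event in filter(None, map(parse_line, log_text.splitlines())):
        ip = event["ip"]
        if event["outcome"] == "Failed":
            q = recent[ip]
            q.append((event["ts"], event["user"]))
            while event["ts"] - q[0][0] > window:  # expire failures outside the window
                q.pop(0)
            if ip in alerts:
                alerts[ip]["failures"] += 1
                alerts[ip]["last_seen"] = event["ts"]
                alerts[ip]["users"].add(event["user"])
            elif len(q) >= threshold:
                alerts[ip] = {
                    "ip": ip, "host": event["host"],
                    "first_seen": q[0][0], "last_seen": event["ts"],
                    "failures": len(q), "users": {u for _, u in q},
                    "success_after": False,
                }
        elif ip in alerts:
            # Success after a burst of failures is the case that needs escalation.
            alerts[ip]["success_after"] = True
    result = sorted(alerts.values(), key=lambda a: a["first_seen"])
    for a in result:
        a["severity"] = "high" if a["success_after"] else "medium"
    return result


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG):
        print(f"{alert['severity'].upper()}: {alert['failures']} failed logins from "
              f"{alert['ip']} on {alert['host']} (users: {sorted(alert['users'])})")
```

On the constructed sample the second address produces only two failures 28 minutes apart, so the window logic discards the first before the second arrives and no alert is raised; the first address produces one alert rather than five, and the following success marks it high severity. Tuning the threshold and window per log source is what keeps the alert queue at a volume a Tier 1 team can actually work.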
Monitoring
- Monitoring of various sources to facilitate enforcement of the CIS top 20 critical security controls
- Information Technology systems, such as applications, servers, routers, switches, workstations, etc. shall be monitored by the SOC
- Information Security systems, such as firewalls, antivirus, intrusion detection, identity management, etc. shall be monitored by the SOC
Functional Components
Monitor
- Regularly monitor all the security incidents
- Analyse the alerts
- Regularly monitor the network strength
- Quickly analyse and conduct triage on events
Respond
- Remediate cyber incidents to minimise business impact
- Identify and communicate whether a security event is an incident or a crisis
- Develop improved controls to mitigate future breaches
- Conduct forensics to maintain evidence and chain of custody
- Determine root causes for prior breaches and close vulnerabilities
Assess
- Regularly assess the network
- Conduct periodic vulnerability assessments to identify risks
- Report issues that put stress on the company's defences
- Regularly provide the security health report
Report
- Continuously improve security ops and maintain processes
- Measure performance and analyse trends
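"Measure performance and analyse trends" needs concrete numbers, and the ones most SOCs report are mean time to detect (occurrence to detection), mean time to respond or contain (detection to containment) and the count of SLA breaches. The block below is an added example rather than anything from the article: it takes a constructed ticket export (the `occurred`, `detected` and `contained` field names and the four-hour containment SLA are assumptions, not a real tool's schema), groups incidents by the month of detection, and reports the metrics per month together with a simple trend verdict. Open incidents count towards volume and time to detect but are left out of the containment average, and a record whose detection precedes its occurrence is rejected rather than silently skewing the figures.

```python
"""SOC performance metrics (MTTD, MTTR, SLA breaches) computed per month from
constructed incident ticket records (added example; not the article's own code)."""
from collections import defaultdict
from datetime import datetime
from statistics import mean

# Constructed ticket export; field names are assumptions, not a real tool's schema.
SAMPLE_INCIDENTS = [
    {"id": "INC-1", "occurred": "2024-01-02T08:00", "detected": "2024-01-02T20:00", "contained": "2024-01-03T02:00"},
    {"id": "INC-2", "occurred": "2024-01-10T00:00", "detected": "2024-01-10T04:00", "contained": "2024-01-10T06:00"},
    {"id": "INC-3", "occurred": "2024-02-05T10:00", "detected": "2024-02-05T12:00", "contained": "2024-02-05T13:30"},
    {"id": "INC-4", "occurred": "2024-02-20T09:00", "detected": "2024-02-20T11:00", "contained": "2024-02-20T11:30"},
    {"id": "INC-5", "occurred": "2024-02-25T00:00", "detected": "2024-02-25T05:00", "contained": None},
]

CONTAINMENT_SLA_HOURS = 4.0  # assumed SLA: contain within four hours of detection


def _hours(later, earlier):
    """Elapsed hours between two ISO-8601 timestamps."""
    return (datetime.fromisoformat(later) - datetime.fromisoformat(earlier)).total_seconds() / 3600


def compute_metrics(incidents, sla_hours=CONTAINMENT_SLA_HOURS):
    """Group incidents by detection month and return, per month: incident count,
    still-open incidents, mean time to detect, mean time to contain and the
    number of incidents whose containment exceeded the SLA."""
    by_month = defaultdict(list)
    for inc in incidents:
        if datetime.fromisoformat(inc["detected"]) < datetime.fromisoformat(inc["occurred"]):
            raise ValueError(f"{inc['id']}: detected before it occurred; check the ticket")
        by_month[inc["detected"][:7]].append(inc)   # "YYYY-MM" of the detection time
    report = {}
    for month in sorted(by_month):
        incs = by_month[month]
        ttd = [_hours(i["detected"], i["occurred"]) for i in incs]
        ttc = [_hours(i["contained"], i["detected"]) for i in incs if i["contained"]]
        report[month] = {
            "count": len(incs),
            "open": sum(1 for i in incs if not i["contained"]),
            "mttd_hours": round(mean(ttd), 2),
            "mttr_hours": round(mean(ttc), 2) if ttc else None,  # None when nothing was contained yet
            "sla_breaches": sum(1 for h in ttc if h > sla_hours),
        }
    return report


def trend(report, metric="mttr_hours"):
    """Compare the earliest and latest month that have the metric and say
    whether the SOC is improving (lower is better for time-based metrics)."""
    values = [m[metric] for m in report.values() if m[metric] is not None]
    if len(values) < 2:
        return "insufficient data"
    if values[-1] < values[0]:
        return "improving"
    return "worsening" if values[-1] > values[0] else "flat"


if __name__ == "__main__":
    metrics = compute_metrics(SAMPLE_INCIDENTS)
    for month, m in metrics.items():
        print(month, m)
    print("MTTR trend:", trend(metrics))
```

Grouping by detection month rather than occurrence month is a deliberate choice: the SOC can only be measured from the point at which it had a chance to act, and it keeps long-undetected incidents from being back-dated into months that were already reported.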
Log Collection
- Logs are collected for:
  - Information Technology devices such as networks, network devices and systems, servers, etc.
  - Information Security sources such as IDS, DLP, email filtering, etc.
- Logs for at least three months shall be kept on the system, and older logs are archived for one year.
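The retention rule above (three months online, then a one-year archive) is easy to state and easy to get subtly wrong, for instance when an archived copy gets a fresh timestamp and therefore never expires. The following added example (not the article's or any product's code; the directory layout, file names, ages and manifest format are constructed for the demo) implements the two tiers: live files older than 90 days are compressed into an archive directory while keeping the original modification time so they continue to age correctly, archived files older than 365 days are deleted, and a SHA-256 manifest is appended for each archived file so the archive can be integrity-checked later, which also supports the chain-of-custody requirement from the Respond section.

```python
"""Two-tier log retention: at least 90 days online, then a compressed archive up
to one year, then deletion (added example; not the article's own code; paths,
dates and the manifest format are constructed for the demo)."""
import gzip
import hashlib
import os
import shutil
import tempfile
from datetime import datetime, timedelta, timezone
from pathlib import Path

ONLINE_DAYS = 90     # "at least three months on the system"
ARCHIVE_DAYS = 365   # "archived for one year"


def classify(age_days, online_days=ONLINE_DAYS, archive_days=ARCHIVE_DAYS):
    """Map a file's age in days to a retention tier."""
    if age_days <= online_days:
        return "online"
    if age_days <= archive_days:
        return "archive"
    return "expired"


def _age_days(path, now):
    mtime = datetime.fromtimestamp(path.stat().st_mtime, tz=timezone.utc)
    return (now - mtime).days


def plan_retention(log_dir, archive_dir, now):
    """Return {path: tier} for live logs and for files already in the archive."""
    plan = {}
    for p in Path(log_dir).iterdir():
        if p.is_file():
            plan[p] = classify(_age_days(p, now))
    for p in Path(archive_dir).glob("*.gz"):
        plan[p] = "expired" if _age_days(p, now) > ARCHIVE_DAYS else "archived"
    return plan


def apply_retention(log_dir, archive_dir, now=None):
    """Archive and purge according to the plan and return action counts.
    Archived copies keep the original mtime so they keep ageing correctly, and
    a SHA-256 manifest is appended so the archive can be integrity-checked later."""
    now = now or datetime.now(timezone.utc)
    archive_dir = Path(archive_dir)
    archive_dir.mkdir(parents=True, exist_ok=True)
    manifest = archive_dir / "MANIFEST.sha256"
    counts = {"kept": 0, "archived": 0, "deleted": 0}
    for path, tier in plan_retention(log_dir, archive_dir, now).items():
        if tier == "archive":
            target = archive_dir / (path.name + ".gz")
            st = path.stat()
            with open(path, "rb") as src, gzip.open(target, "wb") as dst:
                shutil.copyfileobj(src, dst)
            os.utime(target, (st.st_atime, st.st_mtime))  # preserve the age of the data
            digest = hashlib.sha256(target.read_bytes()).hexdigest()
            with open(manifest, "a") as m:
                m.write(f"{digest}  {target.name}\n")
            path.unlink()
            counts["archived"] += 1
        elif tier == "expired":
            path.unlink()
            counts["deleted"] += 1
        else:
            counts["kept"] += 1
    return counts


def run_demo():
    """Build a throwaway log directory with files of different ages and run two
    retention passes 300 days apart; returns what happened for inspection."""
    base = Path(tempfile.mkdtemp())
    logs, archive = base / "logs", base / "archive"
    logs.mkdir()
    now = datetime(2024, 6, 1, tzinfo=timezone.utc)
    for name, age in [("fresh.log", 10), ("old.log", 120), ("ancient.log", 400)]:
        p = logs / name
        p.write_text("constructed log content\n")
        ts = (now - timedelta(days=age)).timestamp()
        os.utime(p, (ts, ts))  # back-date the constructed file to the wanted age
    first = apply_retention(logs, archive, now)
    second = apply_retention(logs, archive, now + timedelta(days=300))
    outcome = {
        "first": first, "second": second,
        "old_archived_then_purged": not (archive / "old.log.gz").exists(),
        "fresh_archived_on_second_run": (archive / "fresh.log.gz").exists(),
        "manifest_lines": len((archive / "MANIFEST.sha256").read_text().splitlines()),
    }
    shutil.rmtree(base)
    return outcome


if __name__ == "__main__":
    print(run_demo())
```

A live file that is already older than a year when the job first runs is deleted without ever being archived; if the organisation's policy is that every log must spend its year in the archive regardless, route the "expired" tier for live files through the archive step instead. Either way, the manifest gives the investigator a hash to compare against before relying on an archived log as evidence.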
Roles and Responsibility of SOC Team
Tier 1 Monitoring Analyst
- Continuously monitors the alert queue
- Triages security alerts
- Monitors health of security sensors and endpoints
- Raises tickets in the SOC tool
- Collects the data and context necessary to initiate Tier 2 work
- Tracks alerts as per change management
Tier 2 Analyst
- Performs deep-dive incident analysis by correlating data from various sources
- Determines if a critical system or data set has been impacted
- Contains and remediates the event to recover
- Escalates to Tier 3 incident response according to criticality
- Tracks the event as per change management
Tier 3 Incident Responder
- Analyses the incident and conducts triage
- Contains and remediates the incident to recover
- Conducts the incident investigation
- Identifies the root cause of the incident and advises on its remediation
SOC/Infosec Manager
- Develop a workflow model and implement standardised operating procedures (SOPs) for effective incident management
- Manage resources, including personnel, budget, shift scheduling and technology strategy, to meet the SLA
- Communicate identified weaknesses to management
- Report incidents to the special interest group
SOC Architecture
Application & Middleware Architecture
- Security Information and Event Management (SIEM) tools are implemented
- Deploy additional tools for automation
Data Architecture
- Security control matrix
- Critical security controls:
  - Inventory of authorised and unauthorised devices
  - Inventory of authorised and unauthorised software
  - Secure configurations for hardware and software
  - Backup of configurations
  - Continuous vulnerability assessment and remediation
  - Controlled use of administrative privileges
- Active employees list from the HR department