A Security Operations Center (SOC) is a centralized unit that deals with security issues on an organizational and technical level.
The SOC consolidates under one organization the functions of incident monitoring, detection, response and coordination, together with the engineering, operation and maintenance of computer network defense tools. A fully functional SOC is the heart of a good Security Incident Management process and the keystone of an organization’s security management program.
The main mission of a SOC is to monitor, recognize and escalate significant information security events in order to protect the Confidentiality, Integrity and Availability (CIA) of the organization’s information. Nowadays the SOC has become the heart of the CISO function in most organizations, and it helps build the framework for your cyber security journey.
Why SOC?
Challenges remain even after rolling out the majority of security solutions in your organization. Some of these challenges are:
- Security data overload
- Lack of event correlation across multi-vendor devices: IDS, firewalls, anti-virus and hosts
- Excessive false positives
- No timely and targeted reporting
- Minimizing risk against key assets
- Too many devices, too much data
- No Incident Response mechanism
- Involvement of various IT teams in monitoring security solutions
- No collaboration among the different IT teams, which work in silos
- No single pane of glass dashboard mapping your security posture
Basic SOC Functions
- Real-time monitoring/management
- Aggregate logs
- Aggregate data
- Coordinate response and remediation
- Reporting, for:
  - Executives
  - Auditors
  - Security staff
- Post-incident analysis:
  - Forensics
  - Investigation
SOC Deployment Planning
- Define the scope of your deployment (which environments to monitor)
- Determine your priority data sources (which assets to collect logs from)
- Identify the high priority events and alarms that you want to focus on
- Note down your key success metrics and milestones
- Know first which use cases you want to monitor
- Map use cases with risks, threats and vulnerabilities
- Roll out use cases in phases
- Regulatory compliance related alerts
- Plan execution: check each log source and its integration with the SIEM, derive the detection logic, assess automation, set the alert threshold, and arrange simultaneous escalation of incidents to multiple people
Best Practices for SOC
- Develop a Standard Operating Procedure (SOP) for all SOC operations
- Monitor the Events per Second (EPS) periodically
- Review rules periodically, involving IT and business users in the process
- Periodically review the roles given to users and administrators and remove any roles they no longer require
- Build custom feeds for threat analysis based on your organization
- Maximize the use of correlation rules
- Document the SOC Play Book/Run Book and update it periodically
- Test the effectiveness of SOC by using Table Top Exercise/Red Teaming
- Integrate applications with the SOC in phases rather than with a big-bang approach
- Hold periodic brainstorming sessions between the SOC team and the Network, Endpoint and IT Operations teams to cultivate cross-domain expertise
- Provide valuable context to SIEM using Threat Intelligence
- Generate different dashlets and reports and send them periodically to top management
The author is ICT Security, Risk & Compliance Manager at CNH Industrial