Security Operations Center (SOC)
A Security Operations Center (SOC) is a facility that houses an information security team responsible for monitoring and analyzing a company’s security posture on an ongoing basis. The goal of the SOC team is to detect, analyze, and respond to cybersecurity incidents using a combination of technology solutions and a strong set of processes.
Multiple components must come together to reach a high level of cybersecurity maturity. Simply put, the more of these components are executed well, the more mature the company’s cybersecurity will be.
Facility: More than Just a Building
The facility is not a regular building with regular specifications. The SOC facility should serve the SOC functions it is intended to provide in the best possible way. Many considerations have to be taken into account, such as layout, entrance, cooling, access control, video walls, purpose-built desks, a nap room, shift and staff management, surveillance, etc. TSC relies on prequalified partners to provide this service, supervising all operations and ensuring 100% compliance with the SOC requirements for the highest continuity.
People: Who, How, and When?
This is not an easy undertaking, as numerous details come into play. All details must be covered properly, and this is where TSC shines. The first step is to define how many employees the company needs and what skill sets and qualifications are required. Most SOC staffing does not exceed the following roles:
Forensic or Threat Investigator
Managers and Directors
In addition to the above, another important matter is the staffing schedule. Ensuring appropriate coverage is critical: some SOCs operate 24/7, while others run 8/5/NBD (eight hours a day, five days a week, next-business-day response), depending on the services covered and the nature of the business. Based on that, we define the schedule for every single resource to ensure coverage of operations within the available budget. The ‘when, who, and how’ of holiday coverage should also be addressed. TSC can either hire a dedicated team to work for the specific client, or run the service itself, in which case the SOC employees are on TSC’s payroll.
An important aspect to cover in the ‘People’ preparation is implementing shift logs. Shift logs must be maintained for auditing and to ensure continuity of operations at the SOC; they should be kept daily and for every shift. Shift logs can also be maintained in a database or GRC system and reviewed regularly to identify past issues and how they were resolved. Shift logs should use a defined format that includes at least the details of the event, the impact of the threats, a description, and a recommendation.
Moreover, incident logs should be kept and maintained in a ticketing system, and daily log entries should be used to hand incidents over between shifts. This log should follow a defined format: time stamp, staff initials, incident record number, and a brief description of the incident or event.
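As an added illustration (not TSC’s code, and not a layout the page prescribes beyond the fields it lists), the following Python sketches both logs described above: incident log lines in an assumed pipe-separated layout of the four named fields, a shift log record with the required fields, a check that the shift log references every incident worked during the shift, and the handover list of open incidents for the next shift. The sample log lines, record numbers and initials are constructed; which records are closed is assumed to come from the ticketing system.

```python
"""Shift and incident log helpers (added example, not TSC's code)."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
import re

# Assumed layout (the page names the fields, not the separators):
#   <ISO-8601 UTC timestamp> | <staff initials> | <INC-nnnnn> | <brief description>
INCIDENT_LINE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z)\s*\|\s*"
    r"(?P<initials>[A-Z]{2,3})\s*\|\s*"
    r"(?P<record>INC-\d{5})\s*\|\s*"
    r"(?P<desc>\S.*)$"
)

# Constructed sample incident log covering one night shift.
SAMPLE_INCIDENT_LOG = [
    "2024-05-06T22:15:00Z | AK | INC-00142 | Repeated failed VPN logins from one source IP, account locked",
    "2024-05-06T23:40:00Z | AK | INC-00143 | EDR alert: suspicious PowerShell on FIN-WS-07, host isolated",
    "2024-05-07T02:05:00Z | RM | INC-00142 | Source IP blocked at perimeter firewall, user confirmed travelling",
    "2024-05-07T05:30:00Z | RM | INC-00144 | Phishing email reported by 3 users, sender domain blocked",
]


def parse_ts(s: str) -> datetime:
    """Parse the UTC timestamp format used in the incident log."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


@dataclass
class IncidentEntry:
    timestamp: datetime
    initials: str
    record: str
    description: str


def parse_incident_line(line: str) -> IncidentEntry:
    """Reject anything that does not carry all four required fields."""
    m = INCIDENT_LINE.match(line.strip())
    if not m:
        raise ValueError(f"malformed incident log line: {line!r}")
    return IncidentEntry(parse_ts(m["ts"]), m["initials"], m["record"], m["desc"])


@dataclass
class ShiftLog:
    shift: str               # e.g. "2024-05-06 night"
    analyst: str
    event: str               # details of the event
    impact: str              # impact of the threat(s)
    description: str
    recommendation: str
    incidents: list[str] = field(default_factory=list)  # INC records touched this shift


REQUIRED_SHIFT_FIELDS = ("shift", "analyst", "event", "impact", "description", "recommendation")


def validate_shift_log(entry: ShiftLog) -> list[str]:
    """Return the required fields left empty; an empty list means the entry is complete."""
    return [f for f in REQUIRED_SHIFT_FIELDS if not getattr(entry, f).strip()]


def unreferenced_incidents(shift: ShiftLog, lines: list[str], start: str, end: str) -> set[str]:
    """Records with incident log activity in [start, end) that the shift log fails to mention.

    This is the audit check: every incident worked during a shift must appear in that
    shift's log, otherwise the next shift inherits it blind.
    """
    lo, hi = parse_ts(start), parse_ts(end)
    active = {e.record for e in map(parse_incident_line, lines) if lo <= e.timestamp < hi}
    return active - set(shift.incidents)


def handover_report(lines: list[str], closed: set[str]) -> dict[str, IncidentEntry]:
    """Open incidents to transfer to the next shift: latest entry per record, minus closed ones."""
    latest: dict[str, IncidentEntry] = {}
    for e in map(parse_incident_line, lines):
        if e.record not in latest or e.timestamp > latest[e.record].timestamp:
            latest[e.record] = e
    return {rec: e for rec, e in latest.items() if rec not in closed}


if __name__ == "__main__":
    night = ShiftLog("2024-05-06 night", "AK/RM", "VPN brute force and EDR alert", "medium",
                     "Two incidents opened, one contained", "Review VPN lockout threshold",
                     incidents=["INC-00142", "INC-00143"])
    print("missing fields:", validate_shift_log(night))
    print("not in shift log:", unreferenced_incidents(night, SAMPLE_INCIDENT_LOG,
                                                       "2024-05-06T22:00:00Z", "2024-05-07T06:00:00Z"))
    for rec, e in handover_report(SAMPLE_INCIDENT_LOG, closed={"INC-00142"}).items():
        print(f"handover {rec} (last touched by {e.initials} at {e.timestamp:%H:%M}): {e.description}")
```

Run as a script it flags INC-00144 as worked during the shift but absent from the shift log, and lists INC-00143 and INC-00144 for handover once INC-00142 is marked closed in the ticketing system.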
Processes: Determine SOC Processes
The number of processes and procedures for an SOC is determined by its scope, the number of services offered, the number of customers supported, and the number of different technologies in use. An established global SOC environment may have tens or even hundreds of procedures.
At a minimum, the basic procedures required for maintaining an SOC are:
In addition to building the processes of an SOC, we help develop the required templates. Even when technical solutions are in use, several reporting and data entry documents need to be developed, based on both the solutions and the processes. For proper data input into the ticketing and GRC systems, the entry forms need to be designed so that the appropriate technical information is gathered.
Optimize your SOC with well-structured, well-designed processes and complete it with the required templates to ensure the highest utilization and ROI.
Solutions: Selective SOC Solutions
The core component of any SOC is the “solutions” that deliver the SOC functionality. All other components complement the “solutions”, so it is very important to know what to select and what exactly suits the company, not only now but also for potential future expansion.
Once the products are selected against a detailed compliance matrix, we move on to selecting the proper sizing and license scheme for each product, keeping in mind the potential expansion of the company, the renewal of these licenses, the license type, etc.
Summarized dashboards can make the life of SOC operators much easier. Tuning and configuring the interfaces of these dashboards is an art, and TSC is an artist.
An SOC can have a high number of solutions. We select the SOC solutions depending on the company’s structure and responsibilities, the infrastructure environment and products, and other considerations. However, most SOCs should contain the following solutions:
Security Information and Event Management
User and Entity Behavior Analytics
Network Detection and Response
Security Orchestration, Automation, and Response
In order to have 360-degree SOC capabilities, the following solutions complement the above:
Antimalware Monitoring and Logging
IPS Monitoring and Logging
DLP Monitoring and Logging
Email Gateway Monitoring and Logging
Web Gateway Monitoring and Logging
Firewall Monitoring and Management
Vulnerability Monitoring and Management
© All rights reserved to Teach Stations Company.