Security Operations Centre
A security operations center (SOC) is a centralized unit that deals with security issues on an organizational and technical level. A SOC within a building or facility is a central location from which staff supervise the site using data processing technology.
A Security Operations Center (SOC) helps improve security and compliance by consolidating key security personnel and event data in a centralized location. Incident detection and response can be greatly accelerated and enhanced as a result.
Building a SOC requires substantial upfront and ongoing investment in three areas: people, process and technology.
Building an effective SOC requires many roles to be filled, such as the SOC head, subject matter experts, analysts at various levels, forensic specialists, an incident response team and so on. As technology and skills mature, organizations may choose between building a SOC in-house with all of these experts or outsourcing it, fully or in part, to a managed security provider.
A high-level organization structure of a SOC team can be as shown below.
The process of designing the SOC starts with threat modeling, where the stakeholders identify the key issues in terms of threats and monitoring requirements, prioritize them and define the actions for remediation.
Incident response is an important part of any SOC design: you have to define the process for responding to the various alerts and incidents. Most SOCs define a multi-tier architecture. Alerts are generated through a variety of sources, including SIEM and similar solutions, and are addressed by the stakeholders at each tier, with escalation from one tier to the next.
The technology platform is an integral part of the SOC architecture. The security intelligence solution must be able to index all the data from the various sources in real time. The platform should be capable of collecting data from external sources such as Active Directory, email servers, databases, firewalls, third-party tools and so on. The tool correlates this data in real time, which in turn lets you take actions to protect your data and assets.
The indexed and correlated output from the technology tool helps organizations address the key SOC needs, including but not limited to real-time investigations, alerting, advanced threat analysis and business intelligence. The tool also helps you examine various business challenges using the collected and correlated data, and to build custom reports and dashboards based on the defined use cases.