Sunday, January 27, 2019

All about Security Operation Centre

Security Operation Centre (SOC)

A Security Operation Centre (SOC), also known as a Cyber Security Operation Centre (CSOC), plays a crucial part in preventing, detecting, monitoring, containing, and remediating information security threats and vulnerabilities affecting the critical applications, devices and systems in an organization.

It centralizes these functions by integrating people, process and technology. SOC implementations have been under way since 2015/2016 in various banking and enterprise sectors.

It acts like a central command and control centre connected to all of the organization's IT infrastructure: network devices, applications, servers and so on. Depending on the variety of technology in use, the SOC team can rely on the latest threat intelligence to identify whether a threat is active or not.

A common misconception is: "I have a SIEM (Security Information and Event Management; there is a post on SIEM in this blog), so I am operating a SOC." In practice this is not how a SOC works. Setting up a Security Operations Centre supported by multiple security monitoring technologies and real-time threat updates is not an easy task. That said, the SIEM is one of the prime critical devices used in a SOC. The SIEM is combined with other components such as the Logger, the Connector and UBA (User Behaviour Analysis). The Connector connects the devices. Loggers are deployed at the endpoint network to collect the logs. These logs are then correlated and analyzed by UBA, so that the key indicators of compromise can be found, whether in user activity or in system events.

[Figure: illustrative components of a SOC]

 


To establish a SOC, you need to identify the key processes. These include event classification, event prioritization, event analysis, event remediation, monitoring and reporting.

What makes a SOC unique is the ability to monitor all systems on an ongoing basis, as employees work in rotating shifts and log activity around the clock. In addition to monitoring activity, a SOC should carry out Vulnerability Assessment and Penetration Testing on all the network devices and applications integrated with it. This in turn helps a lot in finding gaps and closing them as a preventive approach. The logs on which a SOC works need to be analyzed, such as:

  • Logs from firewall devices
  • Logs from endpoint devices
  • Logs from proxy servers
  • Service logs
  • Malware

In an earlier post I provided a list of security incidents. Such security incidents can arise at any organization during operation, such as:

  • Targeted Scanning/Reconnaissance of network and IT infrastructure.
  • Large scale defacement and semantic attacks on websites.
  • Large scale spoofing
  • Malicious code attacks (virus/worm/Trojans/Botnets)
  • Large scale spam attacks
  • Ransomware attacks.
  • Identity theft and Phishing attacks
  • Social Engineering
  • Denial of Service attack (DoS) and Distributed Denial of Service attack (DDoS)
  • Application level attack
  • Infrastructure attack
  • Router level attack
  • Attacks on trusted infrastructure
  • Cyber Espionage and Advanced Persistent Threat

Building a SOC involves IT and non-IT device requirements similar to those of Data Centre projects. We also need a large video wall system for centralized monitoring. Multiple design factors must be considered for an effective SOC design.

The key IT components that will be required are listed below. This list is only indicative; the actual set depends on the organization, its network size and its requirements.

  • Web Application Firewall
  • Anti-Phishing Appliance
  • Anti-APT Appliance
  • SIEM
  • DDoS appliance
  • Log Management Appliance
  • Network Flow Analyzer
  • Network Switches/ Access Switches
  • Router
  • KVM devices
  • Storage Devices

Besides the above devices, orchestration can be done using a SOAR (Security Orchestration, Automation and Response) application, a recently introduced technology that allows an organization to define incident analysis and response procedures in an automated or digital way.

There is also a probability of many false positive events arising or being logged automatically through the incident management system. These should be minimized while planning risk mitigation or reporting.

False positive events are generally system information events that have no impact on the system or network. That is, the event incorrectly indicates a vulnerability or malicious activity when there is no legitimate security threat.
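The classification, correlation and prioritization steps described in this post, with informational events filtered out as false positives, can be sketched as follows. This is an added example, not code from any SIEM product; the event type names, severity weights and sample events are all assumptions constructed for illustration.

```python
from collections import defaultdict

# Event types treated as system information only (assumed list for this example).
INFORMATIONAL = {"service_start", "service_stop", "config_reload", "heartbeat"}

# Assumed base severity per event type; a real SOC tunes these to its own estate.
SEVERITY = {"fw_deny": 1, "proxy_block": 2, "auth_failure": 2, "malware_detected": 4}

# Constructed sample events as a connector might normalise them:
# (log source, host, event type)
SAMPLE_EVENTS = [
    ("firewall", "srv-web01", "fw_deny"),
    ("service",  "srv-web01", "service_start"),
    ("endpoint", "pc-114",    "malware_detected"),
    ("proxy",    "pc-114",    "proxy_block"),
    ("endpoint", "pc-114",    "auth_failure"),
    ("service",  "srv-db02",  "heartbeat"),
    ("firewall", "pc-207",    "fw_deny"),
    ("firewall", "pc-207",    "fw_deny"),
]

def triage(events):
    """Classify, correlate per host and prioritise. Returns (alerts, suppressed)."""
    per_host = defaultdict(list)
    suppressed = 0
    for source, host, etype in events:
        if etype in INFORMATIONAL:      # classification: no security impact
            suppressed += 1
            continue
        per_host[host].append((source, etype))
    alerts = []
    for host, hits in per_host.items():
        sources = {s for s, _ in hits}
        score = max(SEVERITY.get(t, 1) for _, t in hits)
        score += len(sources) - 1       # correlation: corroborated by other log sources
        priority = "high" if score >= 5 else "medium" if score >= 3 else "low"
        alerts.append({"host": host, "score": score, "priority": priority,
                       "sources": sorted(sources), "events": len(hits)})
    alerts.sort(key=lambda a: (-a["score"], a["host"]))   # prioritisation
    return alerts, suppressed

if __name__ == "__main__":
    alerts, suppressed = triage(SAMPLE_EVENTS)
    for a in alerts:
        print(a)
    print("informational events suppressed:", suppressed)
```

The host seen by both the endpoint and proxy sources is ranked first, while repeated firewall denies from a single source stay low priority and the service events never reach the analyst queue.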

There is therefore more depth to its operation and resource requirements. Differently skilled cyber security people are required, with segregated duties and defined roles and responsibilities: Security Analyst 1 (L1), L2 Analyst, SOC Engineer, L3 Analyst, Threat Intelligence Expert, Forensic Analyst, SOC Manager and so on. Everyone has a crucial role in the operation of a Security Operation Centre.

So this is just basic information about the SOC and its operational concept.


-DR
