A Security Operations Center (SOC) is an important facility for any organization that wants to address security threats, vulnerability, assessment and management. There are baselines in existence that addresses few of the security aspects, but a complete framework combining people, process and technology currently is not up to the high standards (Jacobs, Arnab & Irwin 2013). A well-functioning SOC can provide efficient and effective detection and management of threat (Ernst & Young 2013). Therefore, this paper addresses the best practices for building a SOC by outlining its mission and combining people, processes and technology involved. II. Introduction
With the rise in information security breaches and sophistication of attacks on ever changing information systems, there's an increasing need for comprehensive analysis and monitoring tools, processes and management of information security; all of these can be achieved from a Security Operations Center (SOC). A SOC is a center where enterprise information systems are monitored, assessed, protected and managed. It combines people, processes and technologies to provide situational alertness through the detection, containment, and remediation of IT threats (HP 2013).A SOC manages all incidents in an enterprise, i.e. including identifying and analyzing possible cyber-attacks or intrusion and carry out appropriate communications, actions and reporting to reduce negative impacts on business (Ernst & Young 2013).Security threats are becoming increasingly complex, harder to detect and can cause damage to an organization which can stretch across all business process and aspects including clients. Thus, an organization just having a firewall, anti-virus and intrusion detection system (IDS) is not enough (DEFCON n.d.) and therefore they need to implement a SOC. A SOC not only looks over preventing threats, but provides continuous prevention, protection, and detection, fast response capabilities against threats, vulnerabilities and real-time incidents (Rotkhe 2012).Moreover, most of our modern organization have different policies under their Information Security Strategy. These policies include security, intrusion prevention, monitoring, incidence response, configuration management and disaster recovery. In order to handle each of them, there are several technologies available to make informed decisions, such as Firewall and Router Logs, Application Level Logs, Application Security Testing Automation, Access Control Management etc. These solutions remain a key control for battling today’s known attacks.Nevertheless, they become less effective over time as attackers find new and complex ways to bypass controls (Ernst & Young 2013); thus, failing to provide a single holistic approach towards overall security (Robert L Behm 2003). Eventually, advanced persistent attacks go undetected for as long as months or years before a breach gets noticed. The main problem is the existence of distributed silo, lack of skilled professionals, the tools to provide them with accurate information and processes to enable them to fulfill their responsibilities effectively (Network Computing 2012).Combating these complex threats and issues requires to enable ease of collaboration among security personnel, streamline the incident-handling process and manage overall security tools/ technologies. Such a comprehensive system with different tools, process and people is carried by a SOC making it a backbone of any organization’s Information Security Strategy (Network Computing 2012).To achieve an effectively operating a SOC, the associated processes, people and technologies must not only exist but also be mature (HP 2013). A well-operating SOC is the backbone of the most efficient and effective detection and prevention of threats and vulnerabilities. It can allow information security processes to respond much faster, carry out more collaborative work and share knowledge more effectively (Ernst & Young 2013).
Co-authored by Abhishek Joshi and Randeep Singh ChhabraBest Practices for Security Operations Center
- link to the pdf of the paper.