Security Operations Center (SOC)


Time: 12 hours 57 minutes
Difficulty: Intermediate
CEU/CPE: 13
Video Transcription
>> In this lesson, we're going to talk about the security operations center, referred to as the SOC. In this lesson, we want to explain the role of a security operations center in Cloud security, describe how a security operations center strengthens both monitoring and incident response, and then get into some of the common pitfalls of having an effective security operations center.

What is the SOC? Well, as you may have guessed, the security operations center is really the heart of security operations monitoring and activity within a Cloud environment. Now, where the SOC is located really depends on the Cloud environment. Some organizations outsource their SOC operations to a managed service provider. One of the advantages of that is in terms of costs, because the managed service provider provides people whose job, day in, day out, is to look at logs, monitor network traffic and investigate suspicious activity. Some organizations have their own SOC within their organization, where they have security professionals on staff who focus on just doing that work.

Overall, the SOC is responsible for looking at and monitoring network security and performance of Cloud environments. Now, in terms of the activity that they're monitoring, they are looking at all those operating system logs, potentially hardware logs, and all the network traffic that's going through your Cloud environment.

To have an effective SOC operations center, people need extensive training on the technology, as well as on the indicators that something malicious or unusual is happening. In order for those analysts within the SOC to function properly, you need broad and effective monitoring configured on all of your Cloud infrastructure to ensure that it's going back to the SOC, so they can really see what's going on and catch anything early on as an incident unfolds.

One of the very important things is, wherever your SOC is located, physical access should be locked down. Only people who need to be in there should have access to the room itself. It's very common for SOCs to have badge readers to let the information security team in and out.

Another very important thing when it comes to monitoring and log analysis is that we talked about a number of different security solutions in the past. Now, the SOC may be one of those places where those things come into play, whether it's data loss prevention, where members of the SOC team will be monitoring those tools for any alerts or flags related to data egress that shouldn't be happening. The system information and events management tool, or the SIEM, is also usually located in the SOC operations center. The different analysts may be on that, investigating anomalous logins from unusual locations or strange deviations from the network baseline. Firewall logs may also be examined in the SOC to look at whether or not there's any unusual activity, whether in terms of location or volume; maybe there's a denial of service attack, and log volumes or the access denies from the firewall are increasing substantially. Then also the IDS and IPS, the intrusion detection system and the intrusion prevention system, are also managed through the security operations center. Overall, this really is the nexus of anything security related within your Cloud environment.

>> Ensuring that the SOC is really functioning well requires continuous monitoring and continual confirmation that the controls are effective. If the logs aren't coming in properly, or there are misconfigurations, or there are blind spots in the organization from a monitoring perspective, that drastically undermines the security team's ability to catch incidents and begin the incident response process to investigate unusual behavior in the Cloud environment. Now, it really is important to continually test and make sure that the alerting mechanisms are functioning properly, and to re-evaluate the system baseline within the Cloud on a regular basis to ensure that anything that really deviates from the norm is caught and addressed quickly. But it can be difficult to implement continuous improvement. However, it really is essential for the SOC to operate effectively and efficiently.

All right, quiz question. Which of the following is a best practice for an effective security operations center? Number 1, continual monitoring and testing of control effectiveness; 2, managerial review of logical access checks to ensure thoroughness; 3, simulated incident response sessions. All of these things are good ideas, but the main principle that I want to stress is that continual monitoring and testing of control effectiveness is essential to ensure that SOC operations are carried out effectively within an organization. Oftentimes, we can get complacent and just assume things are working. Organizations need to proactively make sure to continually test and confirm that their SOC is working correctly.

In this lesson, we talked about the importance of a security operations center, and we talked about the benefits. They really are the eyes and ears of the organization, to ensure that nothing is going on that shouldn't be from a security perspective. Then we talked about the challenges of implementing and maintaining an effective SOC. We've talked about all the different components, from the high-end infrastructure to virtual operations and different Cloud applications, and how monitoring and baselining needs to be done at all levels of your Cloud infrastructure. Many of those logs need to flow back to the technology that's being leveraged by your security operations center to do effective monitoring. If that baselining is not done properly, then the security operations center really won't necessarily catch any of those incidents or threats that we're going to talk about later in this module. All right, I'll see you in the next lesson.