The Security Operations Center or SOC is a place for 24-hour security monitoring and control of the entry and exit of information in the territory of the information exchange space with the attitude of identifying security threats. The SecOps team is the lifeblood of a security operations center.
Due to the increasing number and complexity of cyber-attacks as well as the consequences of information leakage, it is necessary for organizations to take preventive measures and develop intelligent and integrated monitoring systems in the form of incident response programs. The development of the SOC center is a response to this need.
One of SecOps’s duties is to collect reports of systems and security services of communication networks, operating systems, various software as well as various network security equipment by relying on a set of hardware and software equipment, and by harmonizing and combining various reports and using software Advanced hardware and specialists analyze them.
The Security Operations Center has mechanisms for automatic monitoring of network equipment, hardware and software to identify and report incidents and is able to prevent the intrusion of hackers, malware and security threats through internal and external sources.
SOC Structure
SOC people or SecOps teams
SOC centers need technical teams with the ability and expertise in the field of cyber security.
Forensic Specialist
An expert who conducts a deep and thorough analysis of the attacks on the organization in order to determine the main cause of cybercrimes and collect the evidence needed to present to the court.
Threat Intelligence Researcher
An expert who is in charge of searching and identifying and collecting Threat Feeds and then transfers the identified items to the SIEM Engineer expert for application in the SIEM product.
Incident Handler
An expert who is responsible for resolving security incidents either on-site or remotely.
SIEM Engineer
An expert who is responsible for installing, configuring, updating, maintaining and improving the SIEM system.
Threat Hunter
A senior expert who is in charge of identifying undetected and unpublished suspicious behaviors.
Red Team Specialist
Experts who proactively try to identify holes and penetration points in the network, systems and configurations.
Senior Security Analyst
Senior security incident analysis specialist who investigates and analyzes security incidents in depth.
Security Analyst
The expert who is at the forefront of the SecOps team and constantly monitors alerts in the SIEM system and performs basic analysis of security events.
Security Architecture
Specialists who are responsible for reviewing the network security plan and infrastructure.
SecOps Leader
A senior expert who interacts with all team members and is responsible for designing, implementing, optimizing and documenting Security Operations Center processes.
Process
To ensure that the SecOps has optimal behavior and detects cyber threats in real time, it needs to use a series of processes. These processes include:
- Healthy Check
- Technical Check
- Security Training
- Trouble ticketing
- Incident Handling
- Update of Threat Feeds
- Update of Threat Detection
- Threat Hunting and Investigation
Threat Detection
SecOps experts, using various tools and techniques available in SIEM, by receiving production events from the previous department, continuously perform activities to identify cyber threats against the organization. The output of this set is Alerts.
Technology
The SecOps team uses a variety of advanced tools such as those mentioned in the Threat Detection and Investigation section. Considering that this system is responsible for storing all the events generated in the network environment of the organization, it provides the possibility for SecOps experts to identify and analyze any threat against the organization.
Types of Security Operations Center models
Dedicated SOC
A dedicated SOC is a centralized SecOps with a dedicated infrastructure, team and processes that is completely focused on security. The size of a dedicated SOC depends on the organization’s size, risks, and security needs
Co-managed SOC
In a co-managed SOC, on-site monitoring solutions are enhanced by SecOps, while some responsibilities may be outsourced.
Virtual SOC
A virtual SOC or VSOC is not located in a dedicated location, nor does it have a dedicated infrastructure. This model of SOC is a web-based portal built on decentralized security technologies that allows off-site teams to monitor events and respond to threats.
Multipurpose SOC/NOC
This model combines a SOC with a network operations center, or NOC, with a dedicated team, center, and infrastructure. A multifunctional SOC/NOC goes beyond security functions to include IT operations, resilience and risk management.
Licensed solutions for SecOps
VMware vRealize Suite
VMware vRealize Suite is an enterprise-grade, licensed cloud management platform that provides the industry’s most complete solution for managing heterogeneous hybrid clouds.
Cisco Secure Network Analytics
By analyzing existing network data, Cisco Secure Network Analytics helps identify threats that have found ways to bypass existing controls before they cause significant damage.