Learn how a security operations center serves as a tactical console for performing complex tasks.
A security operations center, often referred to as a SOC, is a centralized headquarters—either a real, physical place or a virtual organization—for monitoring, detecting, and responding to security issues and incidents that a business may face. There are several models for implementing a SOC as part of a larger incident detection and response (IDR) program, including in-house models, co-managed models, and fully managed or outsourced models.
You might think of a SOC like a stereotypical movie war room: a dark room filled with complex maps, monitors, and analysts on headsets. However, most SOCs aren't really a physical presence or room; more accurately, they're a formally organized team dedicated to a specific set of security roles for detecting and validating threats within a company or organization's environment.
A SOC performs many security-related tasks, including continuously monitoring security operations and incidents and responding to issues that may arise. The various responsibilities within a cybersecurity team can be extremely complex, and a SOC serves not only as the tactical console that empowers team members to perform their day-to-day tasks, but also as a strategic center that keeps the team aware of bigger, longer-term security trends.
A typical SOC tracks any number of security alerts that an organization might encounter, including potential threat notifications from technologies and tools, as well as from employees, partners, and external sources.
The SOC then typically investigates and validates the reported threat to ensure it's not a false positive (i.e. a reported threat that's actually harmless). If a security incident is deemed valid and requires a response, the SOC hands it over to the appropriate persons or teams for response and recovery.
It takes a sophisticated combination of expertise, process, and organization to run a SOC effectively as part of an overall threat detection and response program. That's why not every organization is able to support or resource a SOC in-house. Instead, many opt to have their SOC managed by an outside agency, a model known as Security Operations Center as a Service (SOCaaS).
A SOC has many components, and they must be structured and in place before a SOC is a viable option. Let's take a look at a few:
Three main elements are needed to set up a SOC: people, technology, and process. Regardless of whether the SOC is created in-house or outsourced to a managed provider, preparing these core functions is essential to success.
Understanding SOC analysts’ roles and responsibilities is an important precursor to selecting the technology that will run your SOC. The teams you create and the tasks you give them will depend on your organization’s existing structure. For example, if you’re building a SOC to augment existing threat detection and response capabilities, you’ll want to consider which specific tasks the SOC team members are responsible for and which fall on the non-SOC IDR teams.
You’ll also want to divide responsibilities between SOC analysts – and potentially consider SOC automation where possible – so there’s a clear understanding of who handles high-fidelity alerts, who validates low-fidelity alerts, who escalates alerts, who hunts for emergent threats, and so on. Many SOCs operate within a tiered-staffing framework to establish clear responsibilities and hierarchy.
Deciding what technology the SOC uses is where the time spent establishing the roles and responsibilities mentioned above will pay off. What technology will the analysts use? Likely, they’ll need to combine tools for log aggregation, user behavior analytics (UBA), endpoint interrogation, real-time search, and more. It’s important to look at how SOC analysts are using your technology and determine whether the existing technology is helping or hindering processes – and whether new tech will need to replace it. It’s also important to have communication tools in place to enable collaboration among analysts. Other important considerations:
Establishing the processes that the people and technology outlined above will follow is the final component you’ll need to consider when getting started with a SOC. What happens if a security incident needs to be validated, reported, escalated, or handed off to another team? How will you collect and analyze metrics?
These processes must act as a framework precise enough to ensure investigative leads are handled in order of criticality, but loose enough not to dictate the analysis itself. Process can make or break the effectiveness of a SOC, so incident management workflows should be established from the start to ensure each step in the process is part of a larger strategy.
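The tiered triage and escalation workflow described above, as an added illustration that is not code from the original article: alerts are ordered by criticality, routed to a staffing tier by detection fidelity, and then moved to validation, false-positive closure, or hand-off to incident response. The tier names, the 0.8 fidelity cutoff, the action labels and the sample alerts are assumptions constructed for this example.

```python
"""Tiered SOC alert triage queue (constructed illustration, not a product API)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Lower rank = more critical; this is the "order of criticality" for leads.
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}


@dataclass
class Alert:
    alert_id: str
    severity: str            # one of SEVERITY_RANK keys
    fidelity: float          # 0.0-1.0 confidence reported by the detection source
    source: str              # e.g. "edr", "siem", "employee-report" (constructed)
    validated: Optional[bool] = None  # None until an analyst has ruled on it


def assign_tier(alert: Alert, high_fidelity_cutoff: float = 0.8) -> str:
    """Route by fidelity (assumed cutoff): high-fidelity alerts go straight to
    tier2 for response preparation; low-fidelity alerts go to tier1 for validation."""
    return "tier2" if alert.fidelity >= high_fidelity_cutoff else "tier1"


def prioritize(alerts: List[Alert]) -> List[Alert]:
    """Order investigative leads by severity first, then by fidelity (higher first),
    so analysts always pick up the most consequential lead next."""
    return sorted(alerts, key=lambda a: (SEVERITY_RANK[a.severity], -a.fidelity))


def next_action(alert: Alert) -> str:
    """Process step for an alert: validate it, close it as a false positive,
    hand it off to incident response, or remediate within the SOC."""
    if alert.validated is None:
        return "validate"
    if alert.validated is False:
        return "close-false-positive"
    if alert.severity in ("critical", "high"):
        return "escalate-to-ir"
    return "remediate-in-soc"


def triage(alerts: List[Alert]) -> List[Tuple[str, str, str]]:
    """Return the analyst worklist as (tier, alert_id, next_action) in priority order."""
    return [(assign_tier(a), a.alert_id, next_action(a)) for a in prioritize(alerts)]


SAMPLE_ALERTS = [  # constructed sample input, not real telemetry
    Alert("A-1", "medium", 0.4, "siem"),
    Alert("A-2", "critical", 0.95, "edr"),
    Alert("A-3", "low", 0.2, "employee-report"),
    Alert("A-4", "high", 0.6, "uba"),
    Alert("A-5", "critical", 0.5, "siem"),
]

if __name__ == "__main__":
    for row in triage(SAMPLE_ALERTS):
        print(row)
```

Running the module prints the worklist with A-2 first (critical, high fidelity, routed to tier2) and the low-severity employee report last; once an analyst sets `validated`, `next_action` moves the alert to closure or hand-off.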
The points above still apply when working with a managed SOC provider. A managed SOC will be a trusted organizational partner, and as such it’s essential that they’re proactive and regular in their communication, transparency, feedback, and collaboration with you to make sure your SOC is as successful and effective as possible.