A Security Operations Center (SOC) is an organized and highly skilled team of people and infrastructure whose mission is to continuously monitor and improve an organization’s security posture while preventing, detecting, analyzing, and responding to cyber security incidents with the aid of both technology and well-defined processes and procedures.
The establishment of a SOC requires careful planning: its physical security must be taken into consideration, and the layout of the operations center has to be designed to be both comfortable and functional; lighting and acoustics must not be overlooked. A SOC is expected to contain several areas, including an operational room, a “war room” and the supervisors’ offices. Comfort, visibility, efficiency and control are the key terms here, and every single area must be designed accordingly.
The Technology in a SOC
Once the mission and the scope of the SOC have been defined, its underpinning infrastructure must be designed. Many components are needed to build a complete technological environment: firewalls, IDSs/IPSs, breach detection solutions, probes and, obviously, a SIEM, just to name a few. Effective and efficient data collection is fundamental for a successful SOC: data flows, telemetry, packet captures, syslog and several other types of events must be collected, correlated and analyzed from a security perspective. Data enrichment, and information about the vulnerabilities affecting the entire ecosystem being monitored, are of great importance as well.
Security information and event management (SIEM) in a SOC
In the field of computer security, security information and event management (SIEM) software products and services combine security information management (SIM) and security event management (SEM) functions into one security management system. They provide real-time analysis of security alerts generated by network hardware and applications. The underlying principle of a SIEM is that relevant data about an enterprise’s security is produced in multiple locations, and being able to look at all of that data from a single point of view makes it easier to spot trends and patterns that are out of the ordinary.
Intrusion detection system (IDS) in a SOC
An Intrusion Detection System (IDS) is a network security technology for detecting vulnerability exploits against a target application or computer. Intrusion Prevention Systems (IPS) extend IDS solutions by adding the ability to block threats in addition to detecting them, and have become the dominant deployment option for IDS/IPS technologies. An IDS only needs to detect threats and is therefore placed out-of-band on the network infrastructure, meaning that it is not in the real-time communication path between the sender and the receiver of the information. Instead, IDS solutions usually take advantage of a TAP or SPAN port to analyze a copy of the inline traffic stream, thus ensuring that the IDS does not impact inline network performance.
IDS was originally developed this way because, at the time, the depth of analysis required for intrusion detection could not be performed at a speed that kept pace with the components on the direct communication path of the network infrastructure. As explained, the IDS is also a listen-only device: it monitors traffic and reports its results to an administrator, but cannot automatically take action to prevent a detected exploit from compromising the system. Attackers can exploit vulnerabilities very quickly once they are inside the network, which makes the IDS inadequate as a prevention device.
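The two paragraphs above contrast an out-of-band IDS, which inspects a mirrored copy of the traffic and can only alert, with an inline IPS, which sits on the forwarding path and can drop what it detects. The following Python program is an added example of that difference; it is not code from the article or from any IDS/IPS product. The `Packet` type, the two signatures, the "constructed-scanner/1.0" user-agent string and the three sample requests are all constructed for the example, and the signatures are deliberately simple stand-ins for real rule sets.

```python
import re
from dataclasses import dataclass


@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    payload: str


# Constructed detection signatures (hypothetical, loosely in the style of IDS rules):
# a human-readable name and a pattern matched against the packet payload.
SIGNATURES = [
    ("HTTP directory traversal attempt", re.compile(r"\.\./\.\./")),
    ("Known scanner user-agent", re.compile(r"User-Agent: constructed-scanner/1\.0")),
]


def sample_traffic():
    """Constructed traffic stream: one benign request and two that match a signature."""
    return [
        Packet("192.0.2.10", "10.0.0.5", 80, "GET /index.html HTTP/1.1\r\nHost: www\r\n\r\n"),
        Packet("203.0.113.7", "10.0.0.5", 80, "GET /../../etc/passwd HTTP/1.1\r\nHost: www\r\n\r\n"),
        Packet("203.0.113.7", "10.0.0.5", 80, "GET / HTTP/1.1\r\nUser-Agent: constructed-scanner/1.0\r\n\r\n"),
    ]


def inspect(pkt):
    """Return the names of all signatures that match this packet's payload."""
    return [name for name, pattern in SIGNATURES if pattern.search(pkt.payload)]


def ids_out_of_band(packets):
    """Out-of-band IDS fed from a TAP/SPAN port: it sees a copy of every packet and produces
    alerts, but has no handle on the real traffic, so every packet is delivered regardless
    of what the IDS finds. Only the alert list comes back."""
    alerts = []
    for pkt in packets:   # `packets` stands for the mirrored copy of the stream
        for name in inspect(pkt):
            alerts.append((pkt.src, name))
    return alerts


def ips_inline(packets):
    """Inline IPS on the real forwarding path: a packet that matches a signature is dropped
    before it reaches the destination, everything else is forwarded. The cost is that every
    packet now waits for inspection, which is the performance trade-off the text describes."""
    delivered, alerts = [], []
    for pkt in packets:
        matches = inspect(pkt)
        if matches:
            alerts.extend((pkt.src, name) for name in matches)
            continue   # dropped, never forwarded
        delivered.append(pkt)
    return delivered, alerts


if __name__ == "__main__":
    stream = sample_traffic()
    print("IDS alerts:", ids_out_of_band(stream), "- delivered:", len(stream))
    delivered, alerts = ips_inline(stream)
    print("IPS alerts:", alerts, "- delivered:", len(delivered))
```

Both functions raise the same two alerts on the same stream; the difference is entirely in what reaches the destination. With the IDS all three packets are delivered and the SOC has to respond after the fact, which is the "listen-only" limitation the text describes; with the IPS the two matching packets never arrive, at the price of inspection sitting in the packet's path.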