Security Operations Centre – part 3
A SOC needs to be able to see what is going on in the information system it is intending to protect. Beyond that visibility, the functions a SOC performs depend on the scope you give it. For this article, we will present a SOC with a very wide scope of operational functions.
1. Monitoring & analysis
The origin of SOC processes lies in the constant monitoring of the environment through the collection and analysis of data: user activity, firewall behaviour, system events, and so on. Enriched with the latest threat intelligence, the SOC team continuously looks for patterns and anomalies in that data which require closer attention. Each such event is scrutinised to see whether it correlates with known patterns of attack or with a known vulnerability. If an event scores high enough on the criticality scale, it is passed on for further investigation. A golden rule is to document every step of the investigation process, since the record provides evidence for future reference, including for audit purposes.
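The collect, enrich, correlate, score, escalate and document loop described above, as an added Python example (it is not code from the original article or from SEQRED). Every event, threat-intelligence indicator, rule weight and the escalation threshold are constructed assumptions for illustration; the IP addresses come from the documentation ranges and the hash is a placeholder, not a real indicator.

```python
"""Added example (not from the original article): a miniature SOC
monitoring and triage pipeline.

Raw events are collected, enriched with threat intelligence, scored
against known attack patterns, escalated above a criticality threshold,
and every step is written to an audit trail.  All events, indicators
and rule weights below are constructed assumptions for illustration.
"""
from collections import Counter
from dataclasses import dataclass

# Constructed threat-intelligence feed (assumption: documentation-range
# IP and a placeholder hash, not real indicators).
THREAT_INTEL = {
    "ips": {"203.0.113.45"},
    "hashes": {"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"},
}
ESCALATION_THRESHOLD = 70   # assumed criticality cut-off for hand-over to IR

# Constructed events, in the order the collectors delivered them.
EVENTS = (
    [{"ts": "2024-05-01T08:00:00Z", "type": "auth", "user": "bob",
      "src": "10.0.0.7", "outcome": "success"}]
    + [{"ts": f"2024-05-01T08:01:0{i}Z", "type": "auth", "user": "alice",
        "src": "198.51.100.9", "outcome": "fail"} for i in range(5)]
    + [{"ts": "2024-05-01T08:01:09Z", "type": "auth", "user": "alice",
        "src": "198.51.100.9", "outcome": "success"},
       {"ts": "2024-05-01T08:02:00Z", "type": "netflow", "src": "10.0.0.5",
        "dst": "203.0.113.45", "bytes": 120000},
       {"ts": "2024-05-01T08:03:00Z", "type": "process", "host": "ws-05",
        "name": "svchost.exe",
        "sha256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"},
       {"ts": "2024-05-01T08:04:00Z", "type": "netflow", "src": "10.0.0.7",
        "dst": "192.0.2.10", "bytes": 800}]
)


@dataclass
class Finding:
    event: dict
    score: int
    reasons: list
    escalated: bool


def enrich(event):
    """Return a copy of the event annotated with threat-intel matches."""
    e = dict(event)
    e["ti_ip_hit"] = bool({e.get("src"), e.get("dst")} & THREAT_INTEL["ips"])
    e["ti_hash_hit"] = e.get("sha256") in THREAT_INTEL["hashes"]
    return e


def score_event(event, failed_logins):
    """Score an enriched event against known attack patterns.

    `failed_logins` counts failed logins seen so far per user; the
    weights are assumptions chosen for this example."""
    score, reasons = 0, []
    if event["ti_ip_hit"]:
        score += 70
        reasons.append("peer address on threat-intel list")
    if event["ti_hash_hit"]:
        score += 90
        reasons.append("executable hash on threat-intel list")
    if event["type"] == "auth" and failed_logins[event["user"]] >= 5:
        if event["outcome"] == "fail":
            score += 40
            reasons.append("failed-login burst (possible brute force)")
        else:
            score += 80
            reasons.append("successful login after failed-login burst")
    return min(score, 100), reasons


def triage(events, threshold=ESCALATION_THRESHOLD):
    """Run collection -> enrichment -> scoring -> escalation in event order.

    Returns the findings and the audit trail documenting every step."""
    audit, findings = [], []
    failed_logins = Counter()
    for raw in events:
        audit.append(f"{raw['ts']} collected {raw['type']} event")
        event = enrich(raw)
        if event["type"] == "auth" and event["outcome"] == "fail":
            failed_logins[event["user"]] += 1
        score, reasons = score_event(event, failed_logins)
        escalated = score >= threshold
        audit.append(f"{raw['ts']} scored {score}: {'; '.join(reasons) or 'no match'}")
        if escalated:
            audit.append(f"{raw['ts']} ESCALATED to incident response")
        findings.append(Finding(event, score, reasons, escalated))
    return findings, audit


if __name__ == "__main__":
    findings, audit = triage(EVENTS)
    for line in audit:
        print(line)
    print(f"{sum(f.escalated for f in findings)} of {len(findings)} events escalated")
```

Running the script escalates three of the ten constructed events: the successful login that follows alice's burst of failures, the flow to the listed address, and the process whose hash is on the list. The brute-force burst alone stays below the threshold, which is the kind of tuning decision the criticality scale exists for, and the audit trail records the collection, score and escalation of every event whether or not it was escalated.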
2. Incident response, containment & recovery
The faster you detect and respond to an incident, the less damage you are likely to suffer and the greater the likelihood of preventing a similar attack in the future.
The SOC team will focus on the threats that have already broken through the primary security defences. In the case of a mass attack, the security team will have to prioritise protecting the business's most critical assets.
The type, scope and severity of the incident determine how it is handled. Responses range from isolating affected systems and applications, through fixing the immediate problems (re-imaging, patching or updating systems, reconfiguring system and/or network access, running vulnerability scans), to malware analysis and forensics.
3. After the incident – Assessment & Audit
Establish and understand the baseline of your system and network behaviour: what does the system look like in its normal state of operation? With such a picture of normal behaviour you can more readily identify exceptions to it, such as unexpected reboots, unusual spikes in outbound network activity or bursts of errors, which can be early indicators of malicious activity in the enterprise's environment.
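Baselining in practice, as an added Python example (not code from the original article or from SEQRED): a per-host baseline is built from a constructed 14-day history of outbound traffic and reboot counts, and today's observations are flagged when they depart from it. The hosts, figures and the three-standard-deviation rule are all assumptions chosen for illustration; the example also handles the flat-history edge case (a host that has never rebooted), where a naive z-score would divide by zero.

```python
"""Added example (not from the original article): building a behavioural
baseline and flagging departures from it.

A per-host baseline (mean and standard deviation) is built from a
constructed 14-day history of outbound traffic and reboot counts; new
observations that lie more than `sigma` standard deviations above the
mean are flagged.  All figures and the 3-sigma rule are assumptions
chosen for illustration.
"""
from statistics import mean, pstdev

# Constructed history: outbound megabytes per day for two hosts.
OUTBOUND_HISTORY = {
    "ws-05": [210, 198, 225, 190, 240, 205, 215, 230, 200, 220, 195, 210, 218, 207],
    "db-01": [30, 28, 35, 31, 29, 33, 30, 32, 27, 34, 29, 31, 30, 28],
}
# Constructed history: reboots per day.  The workstation reboots for
# patching now and then; the database server never reboots outside a
# maintenance window, and none fell in these 14 days.
REBOOT_HISTORY = {
    "ws-05": [0, 1, 0, 0, 0, 1, 0, 0, 0, 0, 1, 0, 0, 0],
    "db-01": [0] * 14,
}


def build_baseline(history):
    """Map host -> (mean, population stdev) of its historical values."""
    return {host: (mean(values), pstdev(values)) for host, values in history.items()}


def deviations(observation, baseline, sigma=3.0):
    """Return [(host, value, z)] for observed values that exceed the host's
    baseline by more than `sigma` standard deviations.

    Edge cases: a host with no baseline at all is always flagged, and a
    perfectly flat history (stdev 0) would divide by zero, so any increase
    over a flat baseline is treated as an infinite deviation.  A first-ever
    reboot of a host that never reboots is exactly the exception the
    baseline exists to expose."""
    flagged = []
    for host, value in observation.items():
        if host not in baseline:
            flagged.append((host, value, float("inf")))
            continue
        mu, sd = baseline[host]
        if sd == 0:
            z = float("inf") if value > mu else 0.0
        else:
            z = (value - mu) / sd
        if z > sigma:
            flagged.append((host, value, round(z, 2)))
    return flagged


if __name__ == "__main__":
    today_outbound = {"ws-05": 900, "db-01": 33}   # constructed: ws-05 spikes
    today_reboots = {"ws-05": 1, "db-01": 1}       # constructed: db-01 reboots
    for name, history, today in (("outbound MB", OUTBOUND_HISTORY, today_outbound),
                                 ("reboots", REBOOT_HISTORY, today_reboots)):
        for host, value, z in deviations(today, build_baseline(history)):
            print(f"{name}: {host} = {value} (z = {z}) deviates from baseline")
```

On the constructed data the workstation's 900 MB day is flagged while its single reboot is not (it reboots for patching often enough for one reboot to sit inside its baseline), whereas a single reboot of the database server is flagged because that host's history is flat. A real deployment would build the baseline from the SIEM's own history and periodically re-baseline, but the logic of comparing each observation with an established picture of normal is the same.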
4. Staff training and cybersecurity awareness-raising
The cybersecurity of an enterprise can no longer be solely the domain of a few people dedicated to monitoring network traffic and recognising cyber threats. According to widely cited statistics, around 95% of IT security breaches are related to human error, whether accidental or intentional. The human factor is the weakest link in cybersecurity. Hence it is crucial not only to raise awareness of cyber threats among personnel but to bring about a paradigm shift in which cybersecurity becomes part of everyday IT and OT culture. Responsibility for the organisation's cybersecurity then rests not only with the SOC staff but with every one of its employees.
Next week we will continue with the people and roles of a Security Operations Centre.
Do you require help with Managed Security for your solution on Amazon Web Services?
SEQRED offers AWS level 1 Managed Security Services.
To discuss your requirements, contact SEQRED at [email protected]
About this guide
The idea for this article was inspired by an in-house presentation by Józef Sulwiński which you can watch here.