What is SOC?
The Security Operations Center is a dedicated cyber security center that monitors, identifies, and responds to cyber incidents.
The SOC is the first to experience a cyber event in the organization and it’s goal is to identify and monitor the events in real-time, to carry out a deeper preliminary investigation while performing a quick response and at the end, isolating the event until it is contained.
Building a quality SOC requires cooperation on the communication level between multiple functions, security products and changing processes.
The SOC center is a facility where organizational information systems are monitored, tested, and protected. These organizational information systems can be
- Internet sites
- Data centers and servers
- Monitored Endpoints
A SOC acts as a command and control center, taking information from all of the organization’s IT infrastructure, including networks, devices, and other means. The process of collecting the connection from different sources helps defend digital assets in the era of multiple advanced threats.
Every event that occurs in the organization is recorded and monitored in the SOC. In each of these events, the SOC must decide how to manage and act upon.
Roles of the SOC team
Each organization can decide the size of the SOC team depending on the organization and industry, but most have the same roles and responsibilities. The overarching goal driving the SOC team is continuous monitoring and improvement of the organization’s cyber security system while preventing, identifying, analyzing, and responding to incidents by integrating people and technologies.
Inventory – The SOC team is responsible for defending two types of resources-
- Devices, processors and applications it is entrusted to protect
- Defense systems
The SOC can not protect devices and information it does not know about, so its first goal is to gain a broad view of the threat map, which includes not only the vulnerabilities on the endpoints, servers and software, but also third-party interfaces.
Prevention – Prevention is considered more effective than response in the cyber security world. Instead of reacting to threats as they happen, SOC works to monitor the digital components around the clock. By doing this, the SOC team can detect malicious activities and stop them before they can cause any damage. If the SOC analyst detects suspicious activity, the team gathers as much information as possible for further investigation.
Preventive actions can be divided into 2 types:
- Preparation – Team members need to stay up-to-date on advanced security innovations, and the latest trends in cybercrime. This research can help create a road map that will provide direction for a company’s cybersecurity efforts, and a disaster recovery plan that will serve as a preparation guide in the worst-case scenario.
- Preventive maintenance – this phase includes all actions taken to make attacks more difficult, including regular maintenance and updating of existing systems –
- Update firewall policy
- Patching vulnerabilities
- White and black list of permissions
- Application security
Monitoring– Tools used by SOC scan the organizational network 24/7 to flag anomalies or suspicious activities. Around-the-clock network monitoring allows the SOC to be notified immediately of emerging threats, giving the team the best chance of preventing or mitigating damage.
Monitoring tools can include SIEM, EDR, SOAR, or XDR, the most advanced of which can use behavioral analytics to “teach” systems the difference between normal day-to-day operations and actual threat behavior, minimizing the amount of triage and analysis that must be done by humans.
Investigation– During the investigation phase, the suspicious activity is analyzed to determine the nature of the threat and the extent to which it penetrated the infrastructure. The team investigates the suspected operator, and tries to predict the future actions of the malicious software using updated intelligence on the most relevant threats in the current market.
Response- Following a perliminary investigation, the SOC team coordinates a response to repair the vulnerabilities that led to an attack and mitigate the damage. Once an incident is confirmed, the SOC acts as a first responder, performing actions such as isolating endpoints, stopping malicious processes, preventing performance, deleting files, and more.
Recovery – After incidents, the SOC works to restore lost or damaged systems and information. This may include deleting and restarting endpoints and systems. In case of ransomware attacks, it is necessary to deploy backups in order to bypass the ransomware.
Technologies of the SOC
Log management is one of the ongoing functions of the SOC, which is responsible for the collection, maintenance and regular review of logs in all network and communication activity.
This data helps establish a baseline for “normal” network activity, can reveal the existence of threats, and can be used for post-incident remediation and forensics.
The SIEM essentially provides organizations with:
- An internal view of the organization’s network – through the deployment of Agents adapted to each operating system
- External intelligence on the organization’s assets – domains, IP addresses, S3 buckets, email addresses and more
- Managed service – the possibility of a managed service in a SaaS or OnPrem configuration
- Support and service coverage
- Phishing Prevention and Detection – The system uses correlations and behavioral analysis to determine that a user has clicked on a phishing link, distributed by email or other means.
- Internal investigations – the system collects data on every activity at the end stations, so that if suspicious activity related to employee conduct emerges, you can enter the system and get help.
- Mapping unused points – according to a study by Intermedia, the vast majority of employees (89%) who leave their jobs retain access to some organizational systems and use credentials to log into them. The SIEM can map the organization and identify unused credentials.