SOC: (Security Operation Center)

A security operations center (SOC) is an organization that delivers IT security services. It attempts to prevent unauthorized access and to manage security-related incidents using processes and procedures. The mission is risk management through centralized analysis using combined resources consisting of personnel, dedicated hardware and specialized software. Typically, these systems operate constantly. These resources offer continuous risk analysis and guarantee protection against intrusion. Internet security is a resource-intensive task in time and personnel.

SOC work consists of monitoring and analyzing firewall activity, Intrusion Detection System (IDS) activity, antivirus activity, individual vulnerabilities, etc. These technologies and processes change quickly and require that personnel stay abreast of the latest developments.

Possible SOC services:

• Proactive analysis and system management
• Security device management
• Reporting
• Security alert
• DDoS mitigation
• Security assessment
• Technical assistance

The purpose of a Security Operation Center is to provide detection and reaction services for security incidents. Five operations can be distinguished that a SOC performs: security event generation, collection, storage, analysis and reaction.

- E Boxes: event generators (sensors and pollers)
- C Boxes: event collection and formatting
- D Boxes: databases of formatted events
- A Boxes: event and incident analysis
- K Boxes: knowledge base
- R Boxes: event reaction and reporting

E Boxes are responsible for event generation. Two main families of such boxes can be distinguished:
• event-based data generators (i.e. sensors), which generate events according to a specific operation performed on the OS, on applications or over the network,
• status-based data generators (i.e. pollers), which generate an event according to the reaction to an external stimulus such as a ping, a data integrity check or a daemon status check.
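The five operations and the box model above, as an added Python example that is not part of the original document: a sensor and a poller act as E boxes, a collector (C box) normalises their output into one format, the list of stored events is the D box, the analysis (A box) consults a knowledge base (K box) of thresholds, and the reaction (R box) ranks the findings for reporting. All log lines, addresses, daemon names and thresholds are constructed samples.

```python
"""Minimal E/C/D/A/K/R event pipeline (constructed example, not the page's code)."""
from collections import Counter

# E boxes. A sensor emits one raw line per operation it observed; a poller
# reports the status of each daemon it probed. All values are constructed.
SENSOR_LINES = [
    "2024-01-01T10:00:01 sshd: Failed password for root from 203.0.113.5",
    "2024-01-01T10:00:02 sshd: Failed password for root from 203.0.113.5",
    "2024-01-01T10:00:03 sshd: Failed password for admin from 203.0.113.5",
    "2024-01-01T10:00:04 sshd: Accepted password for root from 203.0.113.5",
    "2024-01-01T10:00:05 sshd: Failed password for root from 198.51.100.7",
]
POLLER_STATUS = {"auditd": "stopped", "sshd": "running"}

# K box: the knowledge base the analysis consults (constructed threshold).
KNOWLEDGE = {"auth_fail_threshold": 3}

def c_box(sensor_lines, poller_status):
    """Collect both E-box families into one format: (ts, source, kind, subject)."""
    events = []
    for line in sensor_lines:
        ts, _, rest = line.partition(" ")
        kind = "auth_fail" if "Failed password" in rest else "auth_ok"
        events.append((ts, "sensor", kind, rest.rsplit(" ", 1)[-1]))  # subject = peer IP
    for daemon, state in poller_status.items():
        if state != "running":
            events.append(("poll", "poller", "daemon_down", daemon))
    return events

def a_box(d_box, knowledge=KNOWLEDGE):
    """Analyse the D box (stored events) against the K box and return findings."""
    fails = Counter(subj for _, _, kind, subj in d_box if kind == "auth_fail")
    findings = []
    for src, n in sorted(fails.items()):
        if n >= knowledge["auth_fail_threshold"]:
            ok = any(k == "auth_ok" and s == src for _, _, k, s in d_box)
            findings.append(("brute_force_then_login" if ok else "brute_force", src))
    findings += [("logging_down", s) for _, _, k, s in d_box if k == "daemon_down"]
    return findings

def r_box(findings):
    """React and report: rank each finding so the right people are alerted first."""
    severity = {"brute_force_then_login": "CRITICAL", "brute_force": "HIGH", "logging_down": "HIGH"}
    return [f"{severity[kind]}: {kind} ({subject})" for kind, subject in findings]

def run_pipeline():
    d_box = c_box(SENSOR_LINES, POLLER_STATUS)  # D box: the stored, formatted events
    return r_box(a_box(d_box))
```

The correlation step is where the A box adds value: three failures followed by a success from the same source outranks the failures alone, and a stopped audit daemon is reported even though no sensor ever emitted an event about it.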

The primary function of the NOC is to establish and maintain the health and wellness of an organization's infrastructure. A NOC concentrates on keeping the network running, while a SOC manages security events to protect the network.

Security events are detected by intrusion detection systems, antivirus systems, firewalls, system logs and access logs. One of the most powerful functions of the SOC is that it offers awareness across multiple security-related systems.

In addition to providing a live, situational picture of the network, the near real-time reporting of a SOC can be used to generate Just-in-Time (JIT) documents on an as-needed basis that show the exact configuration and health state of a network at any given moment. This is a powerful feature for regulatory compliance in cases where regulations, such as SOX and HIPAA, require proof that data has not been compromised and is protected by effective business

The SOC must support the organization by intelligently and proactively alerting the right people at the right time about critical security events. If the risk can be mitigated before the security event begins affecting business-critical systems, then the IT staff will not be forced to shut down critical business systems. When building a SOC, implement tools that will help your organization actively report security incidents in real time using various methods.

The SOC must be able to validate and correlate alerts and information, put these events in context with the organization's network environment, and provide this critical intelligence to key staff in real time or near real time via various alerting mechanisms such as email, pagers, or trouble ticketing.

A SOC that is integrated within the corporate workflow chain and the change management systems is critical. The Security Information Management system should have the ability, based on the criticality of the threat and the user's role, to administer the system from within the security console (for example, restart a system or shut the system down), implement a remediation (for example, push a patch to the asset via a software delivery system), or open a trouble ticket to deploy a technician to address the issue.

24 x 7 uptime: if the network is running 24 x 7, the SOC must be as well. The SOC must be running and reporting around the clock. Security information management tools must provide high-availability support to meet this requirement.

A well-run SOC is an incredible business tool, but it shouldn't work as an island. SOCs often live within, or beside, the NOC, and together these tools provide the organization-wide network and security view that a business needs for maximum efficiency. Security events can be sent to the NOC from the SOC to provide additional intelligence for real-time security event management to improve enterprise management. Additionally, security events can be sent from the SOC to the NOC to communicate the nature of incidents. And finally, the NOC must have the insight and capability to administer security processes and services. This bidirectional communication is necessary for organizations to efficiently respond to events and enable communication between both the network and the security teams.

A key responsibility of the SOC team is to translate the organization's own security incidents, as well as threat information being generated by CERT, SANS and other authoritative sources, into actionable recommendations specific to the organization.

Security analysts are on the "front lines" of security operations. They have responsibility for ensuring that security tools are appropriately deployed and are running optimally. They constantly monitor the environment for signs of trouble and are often the first point of contact when a high-risk alert is issued or a suspected attack begins to affect business operations. Analysts also typically conduct the initial stages of a forensics investigation.

The SOC Manager oversees day-to-day security operations, putting in place the people, tools, processes, and measurement methods needed to achieve SOC objectives for supporting the business. The SOC Manager also serves as the interface between the SOC and the CISO. In this role, he or she translates the CISO's goals and requirements into a set of actions for the SOC team to execute and, conversely, makes the CISO aware of issues requiring executive attention and/or investment.

As the primary interface between the security organization and the business, the CISO is responsible for ensuring that SOC resources and activities are aligned to support the overall business strategy and are helping to create business value. The SOC translates business requirements into security operations objectives, prioritizes where budget is spent, and often serves as an evangelist, educating business executives about how security can enable business innovation and be used to manage information risk.

More advanced security operations centers are turning to tools like SIEM, as well as log management, to automate information gathering, alerting and reporting.

The security analyst's role can be a frustrating one. It is often highly reactive, and if there is no defined structure in place to prioritize and escalate issues, it can easily become a firefighting job where staff are constantly suppressing the most obvious symptoms of security threats without resolving the underlying problems. Furthermore, if your security analysts can't access timely and accurate information about what's going on in your environment, it's impossible for them to know if you're putting in place the right controls.

Over a month-long period, evaluate the activities on which your analysts are spending their time, and prioritize the places where you think additional staff or technology could have the biggest impact in improving their effectiveness. Give people the right information to do their jobs. In all areas of the SOC, doing the job effectively depends on being armed with the right information at the right time. Look at the smart use of technology to put that information into people's hands.

– Analysts: timely alerts, prioritized based on urgency; log and asset data to provide contextual information about security incidents.
– Research specialists: in-depth information on security incidents as they happen, to speed resolution; data on emerging threats so they can recommend protective measures.
– Security managers: up-to-date status on outstanding security issues; data on how staff resources are being utilized.
– CISOs: summary information on the most pressing security issues and incidents; overall risk and security posture of the business.

Abbreviations:
DDoS: Distributed Denial of Service
SIEM: Security Information Event Manager
IDS: Intrusion Detection System

Responsibility:

1. This security system provides proactive analysis of the systems and security devices of a system (intrusion detection systems/IDS, intrusion prevention systems/IPS, firewalls, etc.).

2. The SOC also performs policy management, including remote policy management.

3. Configuration of devices and security policies must be constantly updated as the system grows and evolves.

4. Security device management: the security device management (SDM) service is composed of the following elements:

• Fault management:
The main objective of fault management is to ensure the continuous operation of the security infrastructure. The activity includes:
- Monitoring of client security devices
- Fault detection and signaling
- Fault reporting
- Corrective action determination
- Corrective action implementation
- System recovery (if necessary)

• Configuration management:
The main objective of configuration management is to ensure the continuous enforcement of firewall rules tailored to customer needs. It applies to all equipment managed by the SOC and includes data packet discard/acceptance rules between an external source and an internal destination (or vice versa) based on:
- Source address
- Destination address
- Network protocol
- Service protocol
- Traffic log
Configuration management may be performed remotely (remote configuration management).
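A first-match evaluator for discard/acceptance rules over the five fields just listed, as an added Python example that is not the SOC's own tooling; the addresses, the policy, the audit list used as the traffic log and the default-discard behaviour are constructed assumptions.

```python
"""First-match packet filter over the five rule fields (constructed example)."""
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    src: str            # source address (CIDR)
    dst: str            # destination address (CIDR)
    proto: str          # network protocol: "tcp", "udp", "icmp" or "any"
    service: object     # service protocol as destination port, or "any"
    action: str         # "accept" or "discard"
    log: bool = False   # traffic log: record packets that match this rule

ANY, INTERNAL, DMZ_WEB, ADMIN = "0.0.0.0/0", "10.0.0.0/8", "10.1.1.10/32", "10.9.0.0/24"

# Constructed policy. Order matters: specific accepts first, a logged
# discard for SSH from anywhere else, then the implicit default discard.
POLICY = [
    Rule(ANY, DMZ_WEB, "tcp", 443, "accept"),
    Rule(ADMIN, INTERNAL, "tcp", 22, "accept", log=True),
    Rule(ANY, INTERNAL, "tcp", 22, "discard", log=True),
    Rule(ANY, INTERNAL, "icmp", "any", "accept"),
]

def _in(addr, cidr):
    return ipaddress.ip_address(addr) in ipaddress.ip_network(cidr, strict=False)

def evaluate(policy, src, dst, proto, service, audit):
    """Return "accept" or "discard" for one packet. The first matching rule wins;
    with no match the packet is discarded. Logged matches and every default
    discard are appended to `audit` (the traffic log)."""
    for n, r in enumerate(policy):
        if (_in(src, r.src) and _in(dst, r.dst)
                and r.proto in ("any", proto) and r.service in ("any", service)):
            if r.log:
                audit.append(f"rule#{n} {r.action} {proto} {src}->{dst}:{service}")
            return r.action
    audit.append(f"default discard {proto} {src}->{dst}:{service}")
    return "discard"
```

Because the first match wins, moving the admin accept below the SSH discard would silently lock the admin network out, which is exactly the kind of drift the configuration management service exists to catch.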

• Reporting
Logs generated by various system components are consolidated and reformatted into an easily understandable report for the customer. This reporting is particularly important because, besides providing details of any possible intrusion by unauthorized parties or accidents, it may also allow the customer to take preventative action.

• Security alert
The security alert service is designed to notify customers in a timely fashion of the discovery of new vulnerabilities, so that countermeasures can be put in place in time to mitigate or negate the impact of an attack.

• Distributed denial of service (DDoS) mitigation
DDoS mitigation attempts to mitigate the effects of a denial of service attack directed at a critical function of a client's web infrastructure. It receives notification of an attack on a client service. Countermeasures are activated and evaluated. Traffic is 'cleaned' and re-routed. An 'end-of-attack notification' is reported and logged.

• Security assessment
These functions comprise the security assessment:
- Vulnerability assessment
- Penetration test

o Vulnerability assessment:
The vulnerability assessment searches for known vulnerabilities of the systems and software installed. This is carried out through specific technologies that are configured and customized for each assessment.

o Penetration test:
The penetration test is performed to isolate and exploit known or unknown vulnerabilities of systems, services and installed web applications. It attempts to quantify the threat level represented on each system and the impact. This activity is carried out either through a number of technologies that are configured and customized per assessment, or manually for each service, system, and application.

• Technical assistance
The SOC can provide general technical assistance for any issue regarding system operation, system violations, system updates, security hardware and software updates, and configuration. Technical assistance can be provided remotely or on-site depending on the level of service.
