What Is A Security Operations Center (SOC)?
You might think of a security operations center as the stereotypical movie war
room: a dark room filled with complex maps, fancy monitors, and analysts on
headsets. In practice, most SOCs are not a physical room at all; more
accurately, a SOC is a formally organized team dedicated to a specific set of
security roles and responsibilities for detecting and validating threats within your
environment.
A typical security operations center tracks the security alerts an organization
encounters, including potential threat notifications from security technologies and
tools as well as reports from employees, partners, and external sources.
The SOC then investigates and validates each reported threat to make sure it is
not a false positive (i.e., a reported threat that is actually harmless).
If the security incident is deemed valid and requires a response, the SOC
hands it over to the appropriate people or teams for response and recovery.
Next is having an incident response plan. Typically, one of the main goals of
introducing a SOC into an incident detection and response (IDR) program is
increasing the effectiveness of threat detection in the organization's environment.
If the incident response processes that follow a breach's discovery are not in place
and tested regularly, you are only addressing some components of an effective IDR
program.
Finally, it is important to have a disaster recovery plan in place. A breach is simply
one specific example of a disaster that organizations need to recover from. Once
the detected breach has been fully scoped and the affected assets, applications,
and users have been contained, there needs to be a plan for restoring normal
business operations. That plan is disaster recovery.
Getting started
Given a security operations center's inherent complexity, there are many things
to consider when setting one up. Regardless of whether it is built in-house or
outsourced, preparing for the following three elements is essential to the SOC's
success:
The points above still apply when working with an outsourced SOC provider. The
SOC will be a trusted organizational partner, so it is essential that the provider
communicates proactively and regularly, operates transparently, and collaborates
with you and seeks your feedback to keep your SOC as successful and effective as
possible.