Information security operations center
An information security operations center (or "SOC") is a location where enterprise information systems (web sites, applications, databases, data centers and servers, networks, desktops and other endpoints) are monitored, assessed, and defended.
An SOC is related with the people, processes and technologies involved in providing situational awareness through the detection, containment, and remediation of IT threats. An SOC manages incidents for the enterprise, ensuring they are properly identified, analyzed, communicated, actioned/defended, investigated and reported. The SOC also monitors applications to identify a possible cyber-attack or intrusion (event) and determine if it is a real, malicious threat (incident), and if it could have a business impact.
Establishing and operating a SOC is expensive and difficult; organisations should need a good reason to do it. This may include:
- Protecting sensitive data
- Complying with industry rules such as PCI DSS.
- Complying with government rules, such as CESG GPG53.
A security operations center (SOC) can also be called security defense center (SDC), security intelligence center, cyber security center, threat defense center, security intelligence and operations center (SIOC). In the Canadian Federal Government the term infrastructure protection centre (IPC) is used to describe a SOC.
SOCs typically are based around a security information and event management (SIEM) system which aggregates and correlates data from security feeds such as network discovery and vulnerability assessment systems; governance, risk and compliance (GRC) systems; web site assessment and monitoring systems, application and database scanners; penetration testing tools; intrusion detection systems (IDS); intrusion prevention system (IPS); log management systems; network behavior analysis and denial of service monitoring; wireless intrusion prevention system; firewalls, enterprise antivirus and unified threat management (UTM). The SIEM technology creates a "single pane of glass" for the security analysts to monitor the enterprise.
SOC staff includes analysts, security engineers, and SOC managers who should be seasoned IT and networking professionals. They are usually trained in computer engineering, cryptography, network engineering, or computer science and may have credentials such as CISSP or GIAC.
SOC staffing plans range from eight hours a day, five days a week (8x5) to twenty four hours a day, seven days a week (24x7). Shifts should include at least two analysts and the responsibilities should be clearly defined.
Large organizations and governments may operate more than one SOC to manage different groups of information and communication technology or to provide redundancy in the event one site is unavailable. SOC work can be outsourced, for instance by using a managed security service. The term SOC was traditionally used by governments and managed computer security providers, although a growing number of large corporations and other organizations also have such centers.
The SOC and the network operations center (NOC) complement each other and work in tandem. The NOC is usually responsible for monitoring and maintaining the overall network infrastructure—its primary function is to ensure uninterrupted network service. The SOC is responsible for protecting networks, as well as web sites, applications, databases, servers and data centers, and other technologies. Likewise, the SOC and the physical security operations center coordinate and work together. The physical SOC is a facility in large organizations where security staff monitor and control security officers/guards, alarms, CCTV, physical access, lighting, vehicle barriers, etc.
Not every SOC has the same role. There are three different focus areas in which a SOC may be active, which can be combined in any combination:
- Control - focusing on the state of the security with compliancy testing, penetration testing, vulnerability testing, etc.
- Monitoring - focusing on events and the response with log monitoring, SIEM administration, and incident response
- Operational - focusing on the operational security administration such as identity & access management, key management, firewall administration, etc.
In some cases the SOC, NOC or physical SOC may be housed in the same facility or organizationally combined, especially if the focus is on operational tasks. If the SOC originates from a CERT organisation, however, the focus is often much more on monitoring and control, in which case the SOC operates independent from the NOC to maintain separation of duties. Typically, larger organizations maintain a separate SOC to ensure focus and expertise. The SOC then collaborates closely with network operations and physical security operations.
SOCs usually are well protected with physical, electronic, computer, and personnel security. Centers are often laid out with desks facing a video wall, which displays significant status, events and alarms; ongoing incidents; a corner of the wall is sometimes used for showing a news or weather TV channel, as this can keep the SOC staff aware of current events which may have an impact on information systems. The back wall of the SOC is often transparent, with a room attached to this wall which is used by team members to meet while able to watch events unfolding in the SOC. Individual desks are generally assigned to a specific group of systems, technology or geographic area. A security engineer or security analyst may have several computer monitors on their desk, with the extra monitors used for monitoring the systems covered from that desk.
Process and procedures
Processes and procedures within a SOC should clearly spell out roles and responsibilities as well as monitoring procedures. These processes include business, technology, operational and analytical processes. They lay out what steps are to be taken in the event of an alert or breach including escalation procedures, reporting procedures, and breach response procedures.
- "PCI DSS 3.0: The Impact on Your Security Operations". Security Week. 31 December 2013. Retrieved 22 June 2014.
- "Transaction Monitoring for HMG Online Service Providers". CESG. Retrieved 22 June 2014.