Information security operations center
An information security operations center (or "SOC") is a location where enterprise information systems (web sites, applications, databases, data centers and servers, networks, desktops and other endpoints) are monitored, assessed, and defended.
A SOC is the people, processes and technologies involved in providing situational awareness through the detection, containment, and remediation of IT threats. A SOC manages incidents for the enterprise, ensuring they are properly identified, analyzed, communicated, actioned/defended, investigated and reported. The SOC also monitors applications to identify a possible cyber-attack or intrusion (event) and determine if it is a real, malicious threat (incident), and if it could have a business impact.
A security operations center (SOC) can also be called a security defense center (SDC), security intelligence center, cyber security center, threat defense center, or security intelligence and operations center (SIOC). In the Canadian federal government the term Infrastructure Protection Centre (IPC) is used to describe a SOC.
SOCs are typically built around a security information and event management (SIEM) system, which aggregates and correlates data from security feeds such as network discovery and vulnerability assessment systems; governance, risk and compliance (GRC) systems; web site assessment and monitoring systems; application and database scanners; penetration testing tools; intrusion detection systems (IDS); intrusion prevention systems (IPS); log management systems; network behavior analysis and denial-of-service monitoring; wireless intrusion prevention systems; and firewalls, enterprise antivirus and unified threat management (UTM) appliances. The SIEM technology creates a "single pane of glass" through which security analysts monitor the enterprise.
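The aggregation and correlation a SIEM performs, shown as an added example (not code from any SIEM product): heterogeneous feed lines are normalized into one schema, grouped by source address inside a time window, and classified as an event (needs analyst triage) or an incident (likely compromise, escalate to incident response). The raw line formats, feed names and sample records are all constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records from three hypothetical feeds (fw, ids, auth).
RAW_EVENTS = [
    "2024-05-01T10:00:05Z fw action=deny src=198.51.100.7 dst=10.0.0.5 dport=22",
    "2024-05-01T10:00:09Z ids sig=ssh_bruteforce src=198.51.100.7",
    "2024-05-01T10:00:20Z auth user=admin result=FAIL src=198.51.100.7",
    "2024-05-01T10:00:31Z auth user=admin result=FAIL src=198.51.100.7",
    "2024-05-01T10:01:02Z auth user=admin result=SUCCESS src=198.51.100.7",
    "2024-05-01T10:02:00Z fw action=deny src=192.0.2.44 dst=10.0.0.5 dport=3389",
    "2024-05-01T10:02:10Z ids sig=rdp_scan src=192.0.2.44",
    "2024-05-01T10:03:00Z fw action=deny src=203.0.113.9 dst=10.0.0.8 dport=445",
]

LINE_RE = re.compile(r"^(\S+) (\w+) (.*)$")   # timestamp, feed name, key=value body
KV_RE = re.compile(r"(\w+)=(\S+)")
WINDOW = timedelta(minutes=5)                   # correlation window per source IP

def normalize(line):
    """Parse one raw feed line into the common schema every rule reads."""
    m = LINE_RE.match(line)
    fields = dict(KV_RE.findall(m.group(3)))
    ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
    return {"ts": ts, "source": m.group(2), "src": fields.get("src"), **fields}

def correlate(lines):
    """Group normalized records by source IP inside WINDOW and classify each group."""
    records = sorted((normalize(l) for l in lines), key=lambda r: r["ts"])
    by_src = defaultdict(list)
    for r in records:
        if r["src"]:
            by_src[r["src"]].append(r)
    findings = {}
    for src, recs in by_src.items():
        start = recs[0]["ts"]
        recs = [r for r in recs if r["ts"] - start <= WINDOW]
        feeds = {r["source"] for r in recs}
        fails = [r for r in recs if r["source"] == "auth" and r.get("result") == "FAIL"]
        # A successful login after failures from the same source suggests compromise.
        compromise = bool(fails) and any(
            r["source"] == "auth" and r.get("result") == "SUCCESS" and r["ts"] > fails[0]["ts"]
            for r in recs)
        if compromise:
            severity = "incident"       # escalate to incident response
        elif len(feeds) >= 2:
            severity = "event"          # corroborated by several feeds: analyst triage
        else:
            severity = "informational"  # single uncorroborated signal
        findings[src] = {"severity": severity, "feeds": sorted(feeds), "count": len(recs)}
    return findings
```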
SOC staff includes analysts, security engineers and SOC managers who are seasoned information and communication systems professionals. They are usually trained in computer engineering, cryptography, network engineering, or computer science and are credentialed (e.g. Certified Information Systems Security Professional (CISSP) from (ISC)², GIAC from SANS, or Certified Information Security Manager (CISM) from ISACA).
SOC staffing plans range from eight hours a day, five days a week (8x5) to twenty-four hours a day, seven days a week (24x7). Shifts should include at least two analysts, and responsibilities should be clearly defined.
Large organizations and governments may operate more than one SOC to manage different groups of information and communication technology or to provide redundancy in the event one site is unavailable. SOC work can be outsourced, for instance by using a managed security service. The term SOC was traditionally used by governments and managed computer security providers, although a growing number of large corporations and other organizations also have such centers.
The SOC and the network operations center (NOC) complement each other and work in tandem. The NOC is usually responsible for monitoring and maintaining the overall network infrastructure; its primary function is to ensure uninterrupted network service. The SOC is responsible for protecting networks, as well as web sites, applications, databases, servers, data centers and other technologies. Likewise, the SOC and the physical security operations center coordinate and work together. The physical SOC is a facility in large organizations where security staff monitor and control security officers/guards, alarms, CCTV, physical access, lighting, vehicle barriers, etc.
In some cases the SOC, NOC or physical SOC may be housed in the same facility or organizationally combined. Typically, larger organizations maintain a separate SOC to ensure focus and expertise. The SOC then collaborates closely with network operations and physical security operations.
SOCs are usually well protected with physical, electronic, computer, and personnel security. Centers are often laid out with desks facing a video wall that displays significant status, events and alarms, and ongoing incidents; a corner of the wall is sometimes used to show a news or weather TV channel, as this can keep SOC staff aware of current events that may have an impact on information systems. The back wall of the SOC is often transparent, with a room attached to it that team members use to meet while still able to watch events unfolding in the SOC. Individual desks are generally assigned to a specific group of systems, technology or geographic area. A security engineer or security analyst may have several computer monitors on their desk, with the extra monitors used for monitoring the systems covered from that desk.
Process and Procedures
Processes and procedures within a SOC clearly spell out roles and responsibilities as well as monitoring procedures. These include business, technology, operational and analytical processes. They lay out what steps are to be taken in the event of an alert or breach, including escalation procedures, reporting procedures, and breach response procedures.