Building a Security Operations Center (SOC): Sharing Experiences from the Front Lines Link
The link above will take you to a very informative blog article on the process of building a Security Operation Center (SOC) and things you must consider, information you should gather while working on this project. The blog is from a website that has since disappeared, but luckily we can read it from the Wayback Machine. Anyway, here are my notes from following this informative peace:
SOC's normally have teams for:
- Incident Response
- Vulnerability Management
- Engineering
- Threat Intelligence
- Threat Hunting
The start-up process
- Find what's plugged into your network (asset management)
- Reduce Noise (find out the "Normal Behavior", which will prevent false positives). Thus anything outside Policy is now an incident
- Develop "right" policies, make all employees aware
SOC Infrastructure
The SOC has it's own applications and infrastructure.
- Security Information and Event Management (SIEM) platform. Needs to meet your needs, good integration with your IT Service Management platform, liked and experienced by your Incident Response team, be scalable, costs inside your budget.
- Incident Management platform. Needs to have good integration with your SIEM, EDR.
- Sysmon or Endpoint Detection and Response (EDR)
- Vulnerability scanner
Communication with other departments
Start with IT Services teams such as System/Service admins, Network team, IAM/Active Directory team, Antivirus team if there is one. Then as the SOC matures, Legal and Privacy departments will need communication and collaboration policies with the SOC.
Collaboration within the SOC
"Threat Intelligence (TI) feeds information to Vulnerability Management (VM), Threat Hunting (TH) and Incident Response (IR). VM takes this information to find out how many systems are vulnerable to the potential threat. IR adds the shared Indicators of Compromise (IOCs) to its detections rules. Threat Hunting (TH) proactively searches in the network for Techniques, Tactics and Procedures (TTPs) based on those IOCs. If Threat Hunting finds activity following those TTPs, if the SIEM triggers an alert based on a IOC hit, or if there is evidence supporting that a vulnerability has been exploited, an incident is raised for the IR team to handle"
Read more details in this fantastic blog post:
Building a Security Operations Center (SOC): Sharing Experiences from the Front LinesReference Books for this topic:
- The Tao of Network Security Monitoring
- Incident Response & Computer Forensics
