Security Operations Center (SOC)


A security operations center (SOC) is a centralized facility (or team) that continuously monitors an organization's systems and security controls, analyzes the resulting alerts, and coordinates the response to what it finds.

  • physical access is limited to security personnel and administrators
  • security tools present logs and reports to the SOC for analysis and real-time response
    • data loss prevention (DLP)
    • SIEM
    • firewalls
    • IDS/IPS
    • etc.
  • don’t have to be physically located inside the datacenter or at the same location
    • may be remote
  • organizations often contract a third-party managed security service provider (MSSP) to run the SOC
    • an MSSP has the knowledge and staffing to provide security as a core competency, which many organizations cannot sustain in-house
  • in a cloud-managed services arrangement,
    • provider has a SOC overseeing the various cloud datacenters, underlying infrastructure, platforms, and applications
    • cloud customer may also perform its own security operations monitoring
      • monitor its users, cloud accounts, configurations, etc.
    • monitoring is a shared responsibility between the two
      • the split is established in the contract

Continuous Monitoring

  • managing security operations involves monitoring security devices, systems, and tools
  • controls must be continually monitored to ensure effectiveness
  • Controls to monitor:
    • Firewalls and network security groups
      • log blocked connections and potential attacks (e.g., one source denied on many different ports is a reconnaissance signature)
    • IDS/IPS
      • IDS/IPS logs are commonly used to identify attacks and to alert on whether an attack was blocked (IPS) or appears to have succeeded
    • Honeypots
      • may be used to capture attacker techniques and tools
    • Artificial Intelligence (AI)
      • commonly built into security tools and into central security monitoring and log analysis (e.g., SIEM)
      • applies AI/ML detection techniques to traffic patterns to identify anomalies
      • caveat: an anomaly is a deviation from a learned baseline, not proof of an attack; detections still need a tuned baseline and analyst triage
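The following is an added example, not part of the original notes, of the kind of detection logic a SOC runs over the control logs listed above: it parses constructed firewall/NSG log lines in an assumed simplified format (timestamp, action, protocol, source, destination, destination port; real products use their own formats), flags sources whose denied connections touch many distinct ports, and applies a simple leave-one-out z-score over per-minute connection counts as a minimal stand-in for the anomaly detection that SIEM tools build in. All sample data is constructed; the z-score threshold and port threshold are assumptions to tune per environment.

```python
"""Toy continuous-monitoring pipeline over constructed firewall/NSG log lines.

Added example (not from the original notes). Log format is ASSUMED:
  <timestamp> <ALLOW|DENY> <TCP|UDP> <src ip> <dst ip> <dst port>
"""
import re
from collections import Counter, defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev

# Constructed sample data (not real traffic). Minutes 10:00-10:04 are a quiet
# baseline; at 10:05 one source (203.0.113.5) probes many ports and is denied.
SAMPLE_LOGS = """\
2024-05-01T10:00:10Z ALLOW TCP 198.51.100.7 10.0.0.4 443
2024-05-01T10:00:40Z DENY UDP 198.51.100.9 10.0.0.4 161
2024-05-01T10:01:05Z ALLOW TCP 198.51.100.7 10.0.0.4 443
2024-05-01T10:01:20Z ALLOW TCP 198.51.100.8 10.0.0.4 443
2024-05-01T10:01:50Z DENY TCP 198.51.100.9 10.0.0.4 23
2024-05-01T10:02:11Z ALLOW TCP 198.51.100.7 10.0.0.4 443
2024-05-01T10:02:45Z ALLOW TCP 198.51.100.8 10.0.0.4 80
2024-05-01T10:03:02Z ALLOW TCP 198.51.100.7 10.0.0.4 443
2024-05-01T10:03:30Z ALLOW TCP 198.51.100.8 10.0.0.4 443
2024-05-01T10:03:55Z DENY TCP 198.51.100.9 10.0.0.4 22
2024-05-01T10:04:15Z ALLOW TCP 198.51.100.7 10.0.0.4 443
2024-05-01T10:04:48Z ALLOW TCP 198.51.100.8 10.0.0.4 80
2024-05-01T10:05:01Z DENY TCP 203.0.113.5 10.0.0.4 21
2024-05-01T10:05:01Z DENY TCP 203.0.113.5 10.0.0.4 22
2024-05-01T10:05:02Z DENY TCP 203.0.113.5 10.0.0.4 23
2024-05-01T10:05:02Z DENY TCP 203.0.113.5 10.0.0.4 25
2024-05-01T10:05:03Z DENY TCP 203.0.113.5 10.0.0.4 80
2024-05-01T10:05:03Z DENY TCP 203.0.113.5 10.0.0.4 445
2024-05-01T10:05:04Z DENY TCP 203.0.113.5 10.0.0.4 3389
2024-05-01T10:05:04Z DENY TCP 203.0.113.5 10.0.0.4 8080
2024-05-01T10:05:30Z ALLOW TCP 198.51.100.7 10.0.0.4 443
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ALLOW|DENY) (?P<proto>TCP|UDP) "
    r"(?P<src>\S+) (?P<dst>\S+) (?P<dport>\d+)$"
)


@dataclass(frozen=True)
class FlowEvent:
    minute: str  # timestamp truncated to the minute, e.g. "2024-05-01T10:05"
    action: str
    proto: str
    src: str
    dst: str
    dport: int


def parse_line(line: str) -> FlowEvent:
    """Parse one log line; raise ValueError on anything that does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    return FlowEvent(minute=m["ts"][:16], action=m["action"], proto=m["proto"],
                     src=m["src"], dst=m["dst"], dport=int(m["dport"]))


def parse_logs(text: str) -> list:
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def find_port_scanners(events, min_ports: int = 5) -> dict:
    """Sources whose DENIED connections hit >= min_ports distinct dst ports.

    Many distinct blocked ports from one source is the classic firewall-log
    signature of port-scan reconnaissance. min_ports is an assumed threshold.
    """
    ports_by_src = defaultdict(set)
    for e in events:
        if e.action == "DENY":
            ports_by_src[e.src].add(e.dport)
    return {s: len(p) for s, p in ports_by_src.items() if len(p) >= min_ports}


def connections_per_minute(events) -> dict:
    return dict(sorted(Counter(e.minute for e in events).items()))


def anomalous_minutes(per_minute: dict, z_threshold: float = 3.0) -> dict:
    """Flag minutes whose connection count is a statistical outlier.

    Leave-one-out z-score against the other minutes. A flat baseline (zero
    variance) is handled explicitly so a first burst still alerts instead of
    raising ZeroDivisionError. Returns {minute: z_score}.
    """
    flagged = {}
    minutes = list(per_minute)
    for mnt in minutes:
        baseline = [per_minute[o] for o in minutes if o != mnt]
        if not baseline:
            continue
        mu, sd = mean(baseline), pstdev(baseline)
        count = per_minute[mnt]
        if sd == 0:
            z = float("inf") if count > mu else 0.0
        else:
            z = (count - mu) / sd
        if z >= z_threshold:
            flagged[mnt] = round(z, 2)
    return flagged


if __name__ == "__main__":
    evs = parse_logs(SAMPLE_LOGS)
    print("port scanners:", find_port_scanners(evs))
    print("anomalous minutes:", anomalous_minutes(connections_per_minute(evs)))
```

Run as a script it reports 203.0.113.5 as a scanner (8 distinct denied ports) and flags the 10:05 minute as a traffic outlier. In a real SOC both signals would be enriched (asset owner, threat intel on the source) before an analyst decides whether to open an incident.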

Incident Management

  • When the SOC detects anomalous activity, it may declare an incident and initiate incident response
  • purpose:
    • minimize loss of value/assets
    • continuing service provision (availability)
    • halting increase of damage
  • the intended outcome directs the course of action taken in response
    • different organizations have different goals (e.g., preserving evidence for prosecution versus restoring service as fast as possible)
  • IR policy and plan guide actions
  • In the cloud,
    • provider and customer each have their own approaches, goals, and methods
    • responsibilities should be coordinated between them and set out in the contract
  • In a managed service arrangement, consider:
    • which party can declare an incident unilaterally
    • whether SLAs still apply during an incident
    • which party absorbs the costs of an incident
      • e.g., downtime, personnel tasking, regulatory or customer reporting actions