In order to prevent the myriad modern attacks, comply with government and industry regulations, monitor deployed technology solutions, and audit the endless human interactions with technology, organizations turn to industry-leading security technology.
They may go to IBM Internet Security Systems for their network intrusion prevention systems (IPS), Cisco for their firewall solutions, and McAfee for host-based protection.
This heterogeneous approach to selecting security solutions gives organizations best-of-breed technology and reduces dependence on any single vendor or security platform.
The combination of technologies does, however, present a large challenge: there is no inherent way to normalize, aggregate, and correlate security events across technologies, since each product emits its own log format, field names, severity scale, and timestamps.
Further, one team may support the firewalls, another the network IPS devices, and yet another the host-based security tools.
The result is security monitoring performed with different tools by different teams.
Piecing together the details of an attack in real time becomes incredibly difficult, and even forensic analysis after an attack is slowed by the need to combine event streams.
In reality, building and maintaining a strong security posture requires a centralized effort to monitor, analyze, and respond to security events across technologies as quickly as possible.
This is the role of a Security Operations Center (SOC), a generic term for part or all of a platform whose purpose is to provide detection and response services for security incidents.
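The normalization and correlation problem described above, shown as an added example (this is illustrative code written for this page, not code from the original article or any vendor). It takes constructed sample events from three different products, maps each into one common schema (UTC epoch timestamp, source, attacker and target IP, category, severity 1 to 3), then clusters events per target host within a time window and raises an incident only when more than one product has seen the same host. The log formats, the device names, the syslog year, the 120-second window and the severity mapping are all assumptions made for the example; they are not exact vendor formats.

```python
"""Normalize heterogeneous security events into one schema and correlate
them by target host and time window.  Added example; all inputs below are
constructed for illustration and are not real vendor log formats."""
import json
import re
from datetime import datetime, timezone

# Constructed sample events from three products (firewall, network IPS,
# host antivirus).  The same attacker hits 10.0.0.5 and is seen by all three.
FIREWALL_LOGS = [
    "2024-05-01T10:00:05Z fw01 ALLOW tcp 203.0.113.7:51234 -> 10.0.0.5:445",
    "2024-05-01T10:00:09Z fw01 DENY tcp 203.0.113.7:51235 -> 10.0.0.6:445",
]
IPS_LOGS = [
    "May  1 10:00:11 ips01 [1:2034567:3] SMB exploit attempt [Priority: 1] "
    "{TCP} 203.0.113.7:51234 -> 10.0.0.5:445",
]
AV_LOGS = [
    '{"time": 1714557630, "host_ip": "10.0.0.5", "threat": "Trojan.Generic", '
    '"action": "quarantined"}',
]

ASSUMED_SYSLOG_YEAR = 2024  # assumption: BSD-style syslog lines carry no year
IPS_PRIORITY_TO_SEVERITY = {"1": 3, "2": 2, "3": 1}  # assumed mapping to 1..3

_FW_RE = re.compile(r"^(\S+) (\S+) (ALLOW|DENY) (\w+) (\S+):\d+ -> (\S+):(\d+)$")
_IPS_RE = re.compile(
    r"^(\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (\S+) \[[^\]]+\] (.+?) \[Priority: (\d)\] "
    r"\{\w+\} (\S+):\d+ -> (\S+):\d+$"
)


def parse_firewall(line):
    """Firewall connection log -> common schema (informational severity)."""
    m = _FW_RE.match(line)
    if not m:
        return None
    ts_iso, device, action, proto, src, dst, dport = m.groups()
    ts = datetime.fromisoformat(ts_iso.replace("Z", "+00:00")).timestamp()
    return {"ts": ts, "source": "firewall", "device": device, "src_ip": src,
            "dst_ip": dst, "category": f"{action.lower()} {proto}/{dport}",
            "severity": 1, "raw": line}


def parse_ips(line):
    """IPS alert in syslog style -> common schema; year is assumed, clock is UTC."""
    m = _IPS_RE.match(line)
    if not m:
        return None
    ts_txt, device, msg, prio, src, dst = m.groups()
    ts = (datetime.strptime(f"{ASSUMED_SYSLOG_YEAR} {ts_txt}", "%Y %b %d %H:%M:%S")
          .replace(tzinfo=timezone.utc).timestamp())
    return {"ts": ts, "source": "ips", "device": device, "src_ip": src,
            "dst_ip": dst, "category": msg,
            "severity": IPS_PRIORITY_TO_SEVERITY.get(prio, 1), "raw": line}


def parse_av(line):
    """Host AV detection as JSON -> common schema; no attacker IP is available."""
    try:
        rec = json.loads(line)
    except ValueError:
        return None
    return {"ts": float(rec["time"]), "source": "av", "device": rec["host_ip"],
            "src_ip": None, "dst_ip": rec["host_ip"],
            "category": f"{rec['threat']} ({rec['action']})", "severity": 3, "raw": line}


def normalize(firewall_logs, ips_logs, av_logs):
    """Run every line through its parser and return one time-ordered event list."""
    events = []
    for parser, lines in ((parse_firewall, firewall_logs), (parse_ips, ips_logs),
                          (parse_av, av_logs)):
        events.extend(ev for ev in map(parser, lines) if ev is not None)
    return sorted(events, key=lambda e: e["ts"])


def correlate(events, window_seconds=120, min_sources=2):
    """Cluster events per target host (consecutive events closer than
    window_seconds share a cluster) and report clusters that at least
    min_sources distinct products contributed to."""
    by_host = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_host.setdefault(ev["dst_ip"], []).append(ev)
    incidents = []
    for host, evs in by_host.items():
        cluster = [evs[0]]
        for ev in evs[1:] + [None]:  # None flushes the final cluster
            if ev is not None and ev["ts"] - cluster[-1]["ts"] <= window_seconds:
                cluster.append(ev)
                continue
            sources = sorted({e["source"] for e in cluster})
            if len(sources) >= min_sources:
                incidents.append({
                    "host": host, "sources": sources,
                    "attackers": sorted({e["src_ip"] for e in cluster if e["src_ip"]}),
                    "start": cluster[0]["ts"], "end": cluster[-1]["ts"],
                    "event_count": len(cluster),
                    "score": sum(e["severity"] for e in cluster)})
            if ev is not None:
                cluster = [ev]
    return incidents


if __name__ == "__main__":
    for incident in correlate(normalize(FIREWALL_LOGS, IPS_LOGS, AV_LOGS)):
        print(incident)
```

With the sample data only 10.0.0.5 becomes an incident (allowed inbound SMB, then an IPS alert, then an AV quarantine, all within 25 seconds), while the denied connection to 10.0.0.6 stays a single-source event. In practice the timestamp step is the fragile one: devices report in different time zones and with clock skew, so a real pipeline should sync clocks (NTP) and allow a skew tolerance before trusting the window.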
To meet this need, many organizations turn to Managed Security Services Providers (MSSPs) to outsource the bulk of security monitoring and testing.
MSSPs offer a number of benefits because they can:
Monitor security events around the clock and provide in-depth information security expertise.
Spot patterns across a number of customers to provide advanced warning on new threats.
Provide services to customers that do not have dedicated information security staff.
However, MSSPs also present a number of disadvantages. Namely, MSSPs do not:
Have an in-depth knowledge of the customer's policies, procedures, or overall IT environment.
Offer dedicated staff for every customer. Only large organizations that spend the most with the MSSP generally receive dedicated support.
Offer customized services, processes, or procedures for the customer's needs.
MSSPs strive to standardize services in order to gain economies of scale in providing security services to many customers.
There are unique business requirements that require a dedicated SOC, or there may be cost drivers that dictate the need for an in-house SOC.
Building an in-house SOC does, however, present its own set of challenges, and many groups struggle with how best to start. The SOC team is organized around the following main functions:
Customer Support is the vital focus of the staff located on the SOC floor. Calls and ticket queues are constantly monitored to ensure effective and timely resolution of all issues. All escalations are handled with the utmost care to ensure that the appropriate resources are being assigned to address each issue in need of attention.
Platform Management is the ongoing management of the security platforms including platform and policy configuration, routine maintenance and platform availability.
Threat Analysis is the monitoring of security events generated by the managed platforms. The SOC team investigates those events to determine any potential threats to the customer's environment. In the event that a threat is found, they promptly escalate it to the proper channels for resolution.
Roles in the SOC
Security Threat Analyst
A Security Analyst is the MSS's first response to a perceived threat to a customer's managed security. SOC Analysts analyze and respond to security threats from Firewall (FW), Intrusion Detection System (IDS), Intrusion Prevention System (IPS), Antivirus (AV), Network Access Control (NAC) and other security threat data sources. They also configure, manage and upgrade these same security threat data sources, along with encryption and other security products and appliances.
Security Engineer
A Security Engineer is the MSS's second line of defense against a perceived threat to a customer's managed security. SOC Engineer and SOC Analyst duties are similar; however, a Security Engineer's additional responsibilities differentiate the two positions slightly. For example, a SOC Security Engineer has access to back-end systems that the Analyst cannot access, and handles escalations. Depending on experience, a Security Engineer may be designated a "Tier 2" or "Tier 3" Engineer.