An information security operations center (ISOC or SOC) is a facility where enterprise information systems (web sites, applications, databases, data centers and servers, networks, desktops and other endpoints) are monitored, assessed, and defended.
Objective
A SOC is related to the people, processes and technologies that provide situational awareness through the detection, containment, and remediation of IT threats in order to manage and enhance an organization's security posture. A SOC will handle, on behalf of an institution or company, any threatening IT incident, and will ensure that it is properly identified, analyzed, communicated, investigated and reported. The SOC also monitors applications to identify a possible cyber-attack or intrusion (event), and determines if it is a genuine malicious threat (incident), and if it could affect business.
Regulatory requirements
Establishing and operating a SOC is expensive and difficult; organisations should have a good reason to do it. Reasons may include:
* Protecting sensitive data
* Complying with industry rules such as PCI DSS.
* Complying with government rules, such as CESG GPG53.
Alternative names
A security operations center (SOC) can also be called a security defense center (SDC), security analytics center (SAC), network security operations center (NSOC), security intelligence center, cyber security center, threat defense center, or security intelligence and operations center (SIOC). In the Canadian federal government the term infrastructure protection center (IPC) is used to describe a SOC.
Technology
SOCs typically are based around a security information and event management (SIEM) system which aggregates and correlates data from security feeds such as network discovery and vulnerability assessment systems; governance, risk and compliance (GRC) systems; web site assessment and monitoring systems, application and database scanners; penetration testing tools; intrusion detection systems (IDS); intrusion prevention systems (IPS); log management systems; network behavior analysis and cyber threat intelligence; wireless intrusion prevention systems; firewalls, enterprise antivirus and unified threat management (UTM). The SIEM technology creates a "single pane of glass" for the security analysts to monitor the enterprise.
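The following is an added example (not code from the page or from any SIEM product) showing, in miniature, what the SIEM does with the feeds listed above and how an event becomes an incident as described in the Objective section: three constructed feeds (an SSH authentication log, an IDS alert log and a firewall log) are normalized into one schema, aggregated into one timeline, and correlated by source address. The log formats, field names, thresholds and every sample line are constructed for the demonstration.

```python
"""SIEM-style aggregation and correlation over several security feeds.

Added example, not code from the page or from any SIEM product. The three
log formats, the field names and every sample line below are constructed
for this demonstration; a real SIEM has its own parsers and schema.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample feeds (one event per line, ISO 8601 timestamps).
AUTH_LOG = """\
2024-03-01T10:00:01 sshd[1201]: Failed password for admin from 203.0.113.7 port 50122
2024-03-01T10:00:03 sshd[1201]: Failed password for admin from 203.0.113.7 port 50123
2024-03-01T10:00:05 sshd[1201]: Failed password for admin from 203.0.113.7 port 50124
2024-03-01T10:00:09 sshd[1201]: Accepted password for admin from 203.0.113.7 port 50125
2024-03-01T10:05:00 sshd[1310]: Accepted publickey for alice from 198.51.100.20 port 40001
"""
IDS_LOG = """\
2024-03-01T10:00:02 ids: alert "constructed ssh brute-force signature" src=203.0.113.7 dst=10.0.0.5
"""
FIREWALL_LOG = """\
2024-03-01T10:00:00 fw: ACCEPT TCP 203.0.113.7:50122 -> 10.0.0.5:22
2024-03-01T10:04:59 fw: ACCEPT TCP 198.51.100.20:40001 -> 10.0.0.5:22
"""


@dataclass
class Event:
    """Common schema every feed is normalized into before correlation."""
    ts: datetime
    source: str   # feed that produced the event: auth, ids or fw
    kind: str     # normalized type: auth_failure, auth_success, ids_alert, fw_accept, fw_drop
    src_ip: str
    user: str = ""


_AUTH_RE = re.compile(r"^(\S+) sshd\[\d+\]: (Failed|Accepted) \w+ for (\S+) from (\S+)")
_IDS_RE = re.compile(r'^(\S+) ids: alert "[^"]*" src=(\S+) dst=\S+')
_FW_RE = re.compile(r"^(\S+) fw: (ACCEPT|DROP) TCP (\S+):\d+ -> \S+:\d+")


def _events(text, regex, build):
    """Apply one feed's regex line by line; unparseable lines are skipped, not guessed at."""
    out = []
    for line in text.splitlines():
        m = regex.match(line)
        if m:
            out.append(build(*m.groups()))
    return out


def collect_events():
    """Aggregate the three feeds into one time-ordered list of Events."""
    auth = _events(AUTH_LOG, _AUTH_RE, lambda ts, res, user, ip: Event(
        datetime.fromisoformat(ts), "auth",
        "auth_failure" if res == "Failed" else "auth_success", ip, user))
    ids = _events(IDS_LOG, _IDS_RE, lambda ts, ip: Event(
        datetime.fromisoformat(ts), "ids", "ids_alert", ip))
    fw = _events(FIREWALL_LOG, _FW_RE, lambda ts, action, ip: Event(
        datetime.fromisoformat(ts), "fw", "fw_" + action.lower(), ip))
    return sorted(auth + ids + fw, key=lambda e: e.ts)


def correlate(events, window=timedelta(seconds=60), threshold=3):
    """Turn events into incidents: `threshold` auth failures followed by a success
    from the same source IP inside `window`. An IDS alert from that IP in the
    same window raises the severity. Everything else stays an event."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e.src_ip].append(e)
    incidents = []
    for ip, evs in by_ip.items():
        for i, e in enumerate(evs):
            if e.kind != "auth_success":
                continue
            start = e.ts - window
            failures = [x for x in evs[:i] if x.kind == "auth_failure" and x.ts >= start]
            if len(failures) < threshold:
                continue  # ordinary login noise: an event, not an incident
            in_window = [x for x in evs if start <= x.ts <= e.ts]
            ids_hits = [x for x in in_window if x.kind == "ids_alert"]
            incidents.append({
                "src_ip": ip, "user": e.user, "failures": len(failures),
                "severity": "high" if ids_hits else "medium",
                "feeds": sorted({x.source for x in in_window}),  # what the analyst sees on one pane
                "window": (start.isoformat(), e.ts.isoformat()),
            })
    return incidents


if __name__ == "__main__":
    for incident in correlate(collect_events()):
        print(incident)
```

The `feeds` field is the point of the "single pane of glass": the analyst gets the firewall connection, the IDS alert and the authentication failures for one source address in one record instead of three consoles. The second source address in the sample (a single successful key login) produces no incident, which is the event-versus-incident distinction the Objective section draws.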
People
SOC staff includes analysts, security engineers, and SOC managers who should be seasoned IT and networking professionals. They are usually trained in computer engineering, cryptography, network engineering, or computer science and may have credentials such as CISSP or GIAC.
SOC staffing plans range from eight hours a day, five days a week (8x5) to twenty four hours a day, seven days a week (24x7). Shifts should include at least two analysts and the responsibilities should be clearly defined.
Organization
Large organizations and governments may operate more than one SOC to manage different groups of information and communication technology or to provide redundancy in the event one site is unavailable. SOC work can be outsourced, for instance, by using a managed security service. The term SOC was traditionally used by governments and managed computer security providers, although a growing number of large corporations and other organizations also have such centers.
The SOC and the network operations center (NOC) complement each other and work in tandem. The NOC is usually responsible for monitoring and maintaining the overall network infrastructure, and its primary function is to ensure uninterrupted network service. The SOC is responsible for protecting networks, as well as web sites, applications, databases, servers and data centers, and other technologies. Likewise, the SOC and the physical security operations center coordinate and work together. The physical SOC is a facility in large organizations where security staff monitor and control security officers/guards, alarms, CCTV, physical access, lighting, vehicle barriers, etc.
Not every SOC has the same role. There are three focus areas in which a SOC may be active, and they can be combined in any combination:
*Control - focusing on the state of security through compliance testing, penetration testing, vulnerability testing, etc.
*Monitoring - focusing on events and the response to them through log monitoring, SIEM administration, and incident response
*Operational - focusing on operational security administration such as identity & access management, key management, firewall administration, etc.
In some cases the SOC, NOC or physical SOC may be housed in the same facility or organizationally combined, especially if the focus is on ''operational'' tasks. If the SOC originates from a CERT organisation, then the focus is usually more on ''monitoring'' and ''control'', in which case the SOC operates independently from the NOC to maintain separation of duties. Typically, larger organizations maintain a separate SOC to ensure focus and expertise. The SOC then collaborates closely with network operations and physical security operations.
Facilities
SOCs usually are well protected with physical, electronic, computer, and personnel security. Centers are often laid out with desks facing a video wall, which displays significant status, events and alarms; ongoing incidents; a corner of the wall is sometimes used for showing a news or weather TV channel, as this can keep the SOC staff aware of current events which may affect information systems. A security engineer or security analyst may have several computer monitors on their desk.
Process and procedures
Processes and procedures within a SOC will clearly spell out roles and responsibilities as well as monitoring procedures. These processes include business, technology, operational and analytical processes. They lay out what steps are to be taken in the event of an alert or breach including escalation procedures, reporting procedures, and breach response procedures.
CloudSOC
A cloud security operations center (CloudSOC) may be set up to monitor cloud service use within an enterprise (and keep the shadow IT problem under control), or parse and audit IT infrastructure and application logs via SIEM technologies and machine data platforms to provide alerts and details of suspicious activity.
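As an added example (not code from the page), the following shows the first CloudSOC task above in working form: web proxy records are parsed, each destination is checked against an allowlist of vetted cloud services, unsanctioned services are inventoried per department (the shadow IT picture), and large uploads to an unvetted service are raised as alerts. The proxy log format, the sanctioned list, the upload threshold and all sample lines are constructed; the hostnames use reserved example and test domains.

```python
"""Shadow IT inventory and upload alerting from web proxy logs for a CloudSOC.

Added example, not code from the page. The proxy log format, the sanctioned
service list, the threshold and the sample lines are constructed for this
demonstration; hostnames use reserved example/test domains.
"""
import re
from collections import defaultdict

# Cloud services the enterprise has vetted (constructed). Subdomains of an entry count.
SANCTIONED = {"crm.example.com", "storage.example.com", "example.net"}

# Constructed proxy log: one request per line, key=value fields.
PROXY_LOG = """\
2024-03-01T09:01:10 user=alice dept=marketing host=share.shadow-sync.test method=PUT bytes_out=52428800
2024-03-01T09:02:30 user=alice dept=marketing host=crm.example.com method=GET bytes_out=812
2024-03-01T09:03:05 user=bob dept=engineering host=api.example.net method=POST bytes_out=4096
2024-03-01T09:04:00 user=carol dept=finance host=chat.unvetted-app.test method=POST bytes_out=2048
2024-03-01T09:05:20 user=alice dept=marketing host=share.shadow-sync.test method=PUT bytes_out=10485760
2024-03-01T09:06:00 user=dave dept=finance host=example.net.lookalike.test method=GET bytes_out=300
"""
_LINE_RE = re.compile(
    r"^(\S+) user=(\S+) dept=(\S+) host=(\S+) method=(\S+) bytes_out=(\d+)$")


def is_sanctioned(host, allowlist=SANCTIONED):
    """Exact match or a true subdomain of an allowlisted name. A plain substring
    test would let 'example.net.lookalike.test' pass, so the check is anchored."""
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in allowlist)


def parse_proxy_log(text):
    """Parse the constructed key=value proxy format into dicts; malformed lines are dropped."""
    records = []
    for line in text.splitlines():
        m = _LINE_RE.match(line)
        if not m:
            continue
        ts, user, dept, host, method, out = m.groups()
        records.append({"ts": ts, "user": user, "dept": dept, "host": host,
                        "method": method, "bytes_out": int(out)})
    return records


def shadow_it_report(records, allowlist=SANCTIONED, upload_threshold=10 * 1024 * 1024):
    """Inventory unsanctioned cloud hosts per department and flag large uploads to them."""
    usage = defaultdict(lambda: defaultdict(
        lambda: {"users": set(), "requests": 0, "bytes_out": 0}))
    alerts = []
    for r in records:
        if is_sanctioned(r["host"], allowlist):
            continue  # vetted service: nothing to report
        entry = usage[r["dept"]][r["host"]]
        entry["users"].add(r["user"])
        entry["requests"] += 1
        entry["bytes_out"] += r["bytes_out"]
        # Data leaving the enterprise for an unvetted service is the case worth an alert.
        if r["method"] in ("PUT", "POST") and r["bytes_out"] >= upload_threshold:
            alerts.append({"ts": r["ts"], "user": r["user"], "host": r["host"],
                           "bytes_out": r["bytes_out"],
                           "reason": "large upload to unsanctioned service"})
    inventory = {
        dept: {host: {"users": sorted(v["users"]), "requests": v["requests"],
                      "bytes_out": v["bytes_out"]}
               for host, v in hosts.items()}
        for dept, hosts in usage.items()
    }
    return {"unsanctioned": inventory, "alerts": alerts}


if __name__ == "__main__":
    report = shadow_it_report(parse_proxy_log(PROXY_LOG))
    for dept, hosts in report["unsanctioned"].items():
        for host, stats in hosts.items():
            print(dept, host, stats)
    for alert in report["alerts"]:
        print("ALERT", alert)
```

The per-department inventory is what a CloudSOC hands back to the business to bring shadow IT under control (which teams use which unvetted services, and how much data goes there); the alerts are the operational half, fed to analysts in the same way as any other SIEM alert.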
Smart SOC
A Smart SOC (Security Operations Center) is a comprehensive, technology agnostic cybersecurity solution that utilizes leading-edge technology and tools, highly skilled and experienced human talent (composed of cyber intelligence gatherers, analysts, and security experts), and proactive cyberwarfare principles to prevent and neutralize threats against an organization's digital infrastructure, assets, and data.
Other types and references
In addition, there are many other commonly referenced terms related to the original "ISOC" title including the following:
* SNOC, Security Network Operations Center
* ASOC, Advanced Security Operations Center
* GSOC, Global Security Operations Center
* vSOC, Virtual Security Operations Center
See also
* Data center
* Managed security service