Kyser Clark

Security Operations & Control Center Talking Points & Discussion


Role of the Security Operations Center

A Security Operations Center (SOC) is a security team that continuously monitors and analyzes an organization's network. In addition, a SOC is responsible for incident detection, containment, eradication, and recovery. According to Juliana De Groot from Digital Guardian, roles within a SOC include:

  • Manager

  • Analyst

  • Investigator

  • Responder

  • Auditor

Incident Detection & Containment

Incident detection is all about being proactive. Continuous monitoring consists of proactive vulnerability detection and log/configuration tracking, and periodic pentests should also be carried out to check perimeter security (Silent Breach, n.d.). Containment, in turn, refers to the strategies used to stop the spread of a cyberattack. Misnomer from InfoSec Nirvana lays out some of these strategies:

  • Stop outbound communication from infected machines

  • Block inbound traffic

  • IDS/IPS Filters

  • Web Application Firewall policies

  • Null route DNS

  • Switch based VLAN isolation

  • Port blocking

  • IP or MAC Address blocking

  • ACLs
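As an added defender-side illustration (not code from the original post or from any of its sources), the Python below turns three of the strategies above into concrete configuration text: stopping outbound communication from infected machines, blocking inbound traffic to them, and null-routing DNS for a sinkholed domain. The infected hosts, the responder jump box and the domain are constructed sample values, and the nftables rules assume a gateway that filters the forward path between network segments.

```python
import ipaddress
from typing import Iterable, List

# Constructed sample data (not real indicators): two hosts the SOC has confirmed
# as infected, and the jump box responders use to reach them for forensics.
INFECTED_HOSTS = ["10.0.5.23", "10.0.5.24"]
RESPONDER_HOST = "10.0.0.10"
SINKHOLE_DOMAINS = ["c2.example.invalid"]


def containment_nft_rules(infected: Iterable[str], responder: str) -> List[str]:
    """nftables commands for a gateway filtering the FORWARD path: drop all
    traffic an infected host sends (stop outbound communication) and all traffic
    sent to it (block inbound), except SSH from the responder host so that
    eradication and evidence collection can still be done."""
    resp = ipaddress.ip_address(responder)
    rules = [
        "add table inet containment",
        "add chain inet containment forward "
        "{ type filter hook forward priority 0; policy accept; }",
    ]
    for host in infected:
        ip = ipaddress.ip_address(host)  # ValueError on a malformed address
        if ip == resp:
            raise ValueError(f"refusing to isolate the responder host {resp}")
        if ip.version != resp.version:
            raise ValueError(f"{ip} and responder {resp} differ in IP version")
        fam = "ip6" if ip.version == 6 else "ip"
        # Accept rules must precede the drops: nftables evaluates rules in order.
        rules.append(f"add rule inet containment forward {fam} saddr {resp} "
                     f"{fam} daddr {ip} tcp dport 22 accept")
        rules.append(f"add rule inet containment forward {fam} saddr {ip} "
                     f"{fam} daddr {resp} tcp sport 22 accept")
        rules.append(f"add rule inet containment forward {fam} saddr {ip} drop")
        rules.append(f"add rule inet containment forward {fam} daddr {ip} drop")
    return rules


def rpz_null_route(domains: Iterable[str]) -> List[str]:
    """Response Policy Zone records that make the resolver answer NXDOMAIN for
    each domain and its subdomains ('null route DNS'); 'CNAME .' is the RPZ
    NXDOMAIN action."""
    records = []
    for d in domains:
        d = d.strip().lower().rstrip(".")
        if not d or any(c.isspace() for c in d):
            raise ValueError(f"invalid domain: {d!r}")
        records.append(f"{d} CNAME .")
        records.append(f"*.{d} CNAME .")
    return records
```

Load the generated nftables lines with `nft -f` and the RPZ records into the resolver's policy zone; the responder allow rule is what keeps the SOC from locking itself out of the box it still has to investigate.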

Eradication & Recovery

Eradication means removing threats and restoring affected systems to their previous state. Recovery, by contrast, is "Testing, monitoring, and validating systems while putting them back into production in order to verify that they are not re-infected or compromised" (Lord, 2021). Zbigniew Banach from Netsparker lists seven crucial components of cyber incident recovery, including:

  • Define specific recovery goals

  • Determine Vital Assets

  • Have an effective backup policy

  • Determine Personnel

  • Define Communication Channels

Summary

It is important to understand the best practices for each phase of incident response: incident detection, containment, eradication, and recovery. Understanding what a SOC is and what its roles are before, during, and after a cyber incident is essential for success.

References

Banach, Z. (2019, September 17). 7 crucial components of cyber incident recovery. Netsparker. https://www.netsparker.com/blog/web-security/incident-recovery/

Groot, J. (2020, November 25). What is a security operations center (SOC)? Digital Guardian. https://digitalguardian.com/blog/what-security-operations-center-soc

Lord, N. (2021, August 6). What is incident response? Digital Guardian. https://digitalguardian.com/blog/what-incident-response

Misnomer. (2015, March 10). Part 4 – Incident containment. InfoSec Nirvana. https://infosecnirvana.com/part-4-incident-containment/

Silent Breach. (n.d.). Continuous monitoring and incident response. https://silentbreach.com/incident-detection-and-response.php


Image Source: Trustwave