Learn how a security operations center serves as a tactical console for performing complex tasks.
A security operations center, commonly called a SOC, is the central headquarters, whether a physical location or a virtual organization, for monitoring, detecting, and responding to the security issues and incidents a business may face. There are several models for implementing a SOC as part of a larger incident detection and response (IDR) program, including in-house models, co-managed models, and fully managed or outsourced models.
You might think of a SOC as the stereotypical movie war room: a dark room filled with complex maps, monitors, and analysts wearing headsets. However, most SOCs aren't really a physical presence or room; more accurately, they're a formally organized team dedicated to a specific set of security roles for detecting and validating threats within a company or organization's environment.
A SOC performs many security-related tasks, including continuously monitoring security operations and incidents and responding to issues that arise. The responsibilities within a cybersecurity team can be extremely complex, and a SOC serves not only as the tactical console that lets team members perform their day-to-day tasks, but also as a strategic center that keeps the team aware of larger, long-term security trends.
A typical SOC tracks any number of security alerts an organization might encounter, including potential threat notifications from technologies and tools as well as from employees, partners, and external sources.
The SOC then typically investigates and validates the reported threat to ensure it is not a false positive (i.e. a reported threat that is actually benign). If the security incident is deemed valid and requires a response, the SOC hands it over to the appropriate people or teams for response and recovery.
Running a SOC effectively as part of an overall threat detection and response program requires a complex combination of expertise, processes, and organization. That is why not every organization is able to support or resource a SOC in-house. Instead, many opt to have their SOC managed by an outside provider, an arrangement known as security operations center as a service (SOCaaS).
The components of a SOC are many, and they must be structured and in place before a SOC is a viable option. Let's look at a few of them:
Setting up a SOC requires three main elements. Regardless of whether the SOC is built in-house or outsourced to a managed provider, having these core capabilities in place is critical to success.
Understanding SOC analysts' roles and responsibilities is an important precursor to selecting the technology that will run your SOC. The teams you create and the tasks you assign them will depend on your organization's existing structure. For example, if you're building a SOC to augment existing threat detection and response capabilities, you'll want to decide which specific tasks SOC team members are responsible for and which fall to the non-SOC IDR teams.
You'll also want to divide responsibilities among SOC analysts, and potentially consider SOC automation where possible, so there is a clear understanding of who handles high-fidelity alerts, who validates low-fidelity alerts, who escalates alerts, who hunts for emerging threats, and so on. Many SOCs operate within a tiered-staffing framework to establish clear responsibilities and hierarchy.
Deciding what technology the SOC uses is where the time spent establishing the roles and responsibilities above pays off. What technology will analysts use? They may need a combination of log aggregation tools, user behavior analytics, endpoint querying, real-time search, and more. It is important to look at how SOC analysts actually use your technology and determine whether the existing tools are helping or hindering their processes, and whether new technology needs to replace them. It is also important to have communication tools in place to enable collaboration among analysts. Other important considerations:
Establishing the processes that the people and technology outlined above will follow is the final component to consider when getting started with a SOC. What happens when a security event needs to be validated, reported, escalated, or handed to another team? How will you collect and analyze metrics?
These processes must act as a framework precise enough to ensure investigative leads are handled in order of criticality, but loose enough not to dictate the analytical process. Process can make or break the effectiveness of a SOC, so incident management workflows should be established from the start to ensure each step in the process is part of a larger strategy.
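As an added example (not code from the original article or from any SOC vendor), the following Python sketch ties together the workflow the article describes: leads are worked in order of criticality rather than arrival, low-fidelity alerts go to Tier 1 for false-positive validation, confirmed alerts are escalated to Tier 2, severe confirmed incidents are handed to the response team, and metrics are collected at the end. The thresholds, field names, benign-source allowlist, and sample alerts are all assumptions made for the illustration.

```python
"""Alert-triage workflow for a tiered SOC.

Constructed example illustrating validate -> escalate -> hand off -> measure.
Not code from the original article or any vendor; thresholds, field names
and sample alerts are assumptions.
"""
from dataclasses import dataclass
from enum import Enum
import heapq

HIGH_FIDELITY = 0.8      # assumed: alerts at or above this go straight to Tier 2
HANDOFF_SEVERITY = 4     # assumed: confirmed incidents at or above this go to response
# Assumed allowlist of known-benign sources (e.g. the authorized vulnerability scanner).
KNOWN_BENIGN_SOURCES = {"10.0.5.20"}


class Disposition(Enum):
    FALSE_POSITIVE = "closed as false positive"
    RESPONSE_HANDOFF = "handed to response team"
    MONITOR = "confirmed, monitor only"


@dataclass(frozen=True)
class Alert:
    alert_id: str
    reporter: str       # tool, employee, partner or external source
    severity: int       # 1 (low) .. 5 (critical)
    fidelity: float     # 0.0 .. 1.0 detection confidence
    asset_value: int    # 1 (low) .. 3 (crown jewel)
    source_ip: str

    def criticality(self) -> int:
        """Severity weighted by the value of the affected asset."""
        return self.severity * self.asset_value


def order_by_criticality(alerts):
    """Most critical lead first; ties broken by alert_id so the order is stable."""
    heap = [(-a.criticality(), a.alert_id, a) for a in alerts]
    heapq.heapify(heap)
    return [heapq.heappop(heap)[2] for _ in range(len(heap))]


def tier1_validate(alert):
    """Tier 1: is this low-fidelity alert real? Constructed rule: traffic from an
    allowlisted benign source is a false positive."""
    return alert.source_ip not in KNOWN_BENIGN_SOURCES


def tier2_investigate(alert):
    """Tier 2: decide whether a confirmed alert needs the response team."""
    if alert.severity >= HANDOFF_SEVERITY:
        return Disposition.RESPONSE_HANDOFF
    return Disposition.MONITOR


def triage(alert):
    """Route one alert through the tiers; return (path taken, disposition)."""
    path = []
    if alert.fidelity >= HIGH_FIDELITY:
        path.append("tier2")
    else:
        path.append("tier1")
        if not tier1_validate(alert):
            return path, Disposition.FALSE_POSITIVE
        path.append("tier2")          # escalation after validation
    disposition = tier2_investigate(alert)
    if disposition is Disposition.RESPONSE_HANDOFF:
        path.append("response")
    return path, disposition


def run_queue(alerts):
    """Work the queue in criticality order; dict preserves the order handled."""
    return {a.alert_id: triage(a) for a in order_by_criticality(alerts)}


def metrics(results):
    """The numbers a SOC lead would want from the workflow."""
    total = len(results)
    fps = sum(1 for _, d in results.values() if d is Disposition.FALSE_POSITIVE)
    handoffs = sum(1 for _, d in results.values() if d is Disposition.RESPONSE_HANDOFF)
    return {"total": total,
            "false_positive_rate": round(fps / total, 2) if total else 0.0,
            "response_handoffs": handoffs}


SAMPLE_ALERTS = [  # constructed sample data
    Alert("A-1", "edr", 5, 0.95, 3, "203.0.113.7"),       # high-fidelity, crown jewel
    Alert("A-2", "ids", 2, 0.30, 1, "10.0.5.20"),          # low-fidelity, scanner traffic
    Alert("A-3", "employee", 3, 0.50, 2, "198.51.100.4"),  # phishing report from staff
    Alert("A-4", "partner", 4, 0.60, 3, "192.0.2.9"),      # partner notification
]

if __name__ == "__main__":
    results = run_queue(SAMPLE_ALERTS)
    for alert_id, (path, disposition) in results.items():
        print(alert_id, " -> ".join(path), disposition.value)
    print(metrics(results))
```

Note that the queue order (A-1, A-4, A-3, A-2) is driven by criticality, so the partner notification about a crown-jewel asset is worked before the employee report even though it arrived later, and the scanner noise is closed at Tier 1 without consuming Tier 2 time.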
The points above still apply when using an outsourced SOC provider. The SOC will be a trusted partner to the organization, and as such it is essential that the provider is proactive and regular in its communication, transparency, feedback, and collaboration with you, to make sure your SOC is as successful and effective as possible.