With Big Data, SOC becomes essential in business, but what does this abbreviation mean? Here is the definition of SOC or Security Operation Center.
The practice of Big Data and data processing requires a high level of security. In this, a SOC is essential. This Security Operation Center, or oversees information systems within companies to protect against cyber-attacks.
The use of the IT computer (not to be confused with that of the plow and the political company) is carried out by a division of the company which will ensure the computer security in all the installed infrastructures. The area of expertise extends from the network layer to the software on the desktop. It can monitor activities from another SOC: The System on Chip. (On-chip systems are notably present in all NDLR smartphones).
The main activity of the SOC Managers is to collect information from security elements, analyze them and detect potential anomalies. Then you have to discover the possible security flaws. The division is also responsible for defining security actions when an incident or breach occurs in order to quickly alert or resolve the problem. For this, two or three teams of IT analysts take turns daily depending on the level of criticality of the sector in which it is established. This is particularly the case in airports whose operation is continuous.
The main role in event tracking and intrusion detection requires the implementation of prediction rules. It is placed above firewalls and VPNs. This supervision system has the reputation of being fast in the event of propagation of malicious software. It identifies threats faster and, in most cases, it can recover from a denial of service (DDoS) attack in a short time.
Within the SOC architecture, the SIM or Security Information Management are the tools that make it possible to carry out the event records and to analyze the data relating to them. These information management and security systems are complemented by an identity management system to monitor potential malicious activity on the IT pool allocated to employees. It should also contain tools for monitoring network flows, connections, employee behavior, and so on.
To help your analysts, additional tools are emerging. The goal of third-party publishers is to integrate their solutions with already installed SOCs.
If the operational security center is the most effective barrier against corporate intrusions, the installation of such a system is expensive and usually takes a little less than half of the year. Your SOC analysts must conduct an audit of the infrastructures in place, the level of security required and the measures already applied. After installation, they must ensure that the system can be regularly updated to contain the latest databases of attack scenarios.
Then you can install a SOC internally, so develop it or integrate an existing solution. Other solutions are said to be outsourced, that is to say, managed by a service provider company. Atos, Symantec, Wipro, Tata, McAfee, Verizon, Dell, Orange, and Verisign are just some of the companies that offer outsourced SOC solutions. In this case, the offers of the professionals can vary.
It is the regulation that generally imposes the use of a SOC. Most companies that need to protect sensitive data and/or comply with the Payment Card Industry Security Standard (PCI DSS). On the Web, the giants of E-Commerce are particularly concerned.
In contrast, SOC is no longer considered the most reliable solution to protect itself from attacks, because it requires a precise configuration and difficult to implement. This requires a constant organization that requires close collaboration between internal security specialists and external service providers.
In addition, the volume of data to protect explodes, while the hackers themselves use masses of data to “drop” the infrastructure of a company. The use of the Cloud also requires the provision of special security cells that are called CloudSOC. An evolution of this architecture is emerging in the age of machine learning and prediction.
Finally, the ANSSI, the National Agency for the security of information systems recalls that the Security Operation Center is not a substitute for precautionary measures to inculcate employees. The head of the security center is, therefore, putting a lot of pressure on his shoulders.
This is all the more so since the application on 25 May 2018 of the General Data Protection Regulation or GDPR will oblige SOC managers to adopt the way of analyzing and archiving information relating to security events. In particular, they will have to agree with the data controller in order to adapt the security levels according to the criticalities of the data. To see if the Security Operation Center will be more widely adopted when adapting the GDPR.
Faced with the increasing exposure to computer threats, and the arrival of new regulatory constraints such as the General Data Protection Regulation (GDPR), which reinforces the protection of personal data, any organization must improve the control of data protection. security of its information systems.
The Security Operation Center (SOC) is made up of a team of experts who play the role of “Control Tower” for monitoring the overall security of information systems, while the supervision teams take care of the monitoring the functioning of the IS.
The services provided by the SOC are organized around four families of activity:
· Collection and analysis of logs
· Correlate information to analyze security events as a whole and not individually
· Triggering and qualification of alert on suspicious elements
· Customer notification and communication
Note: According to the vital importance of the organization’s information system (OIV, SIIV), the ANSSI requires to go through a certified security incident detection provider.
· Reduced reaction time during all phases of an attack (preparation, in progress, and after)
· Immediate processing of documented alerts, and escalation of alerts to analysts for unknown cases
· Handling security incidents with supervisory teams
· Investigations following a security incident
· Security Watch in relation to the Computer Security incident response platform (CSIRT / CERT)
· Maintenance in Operational Condition (MCO) of the SOC tooling
· Keeping in Security Condition (MCS) of the SOC tooling
· Optimization of the detection rules, and taking into account the Indicators of Compromise (IoC) provided by the CSIRT / CERT
· Regular reporting of SOC activity
· Security dashboard through service indicators (Alerts, Incidents, Investigations, …), technical indicators (MCO / MCS), and evolution indicators (extension of the collection perimeter, new detection rules, …)
To be able to provide these services, the SOC relies on three fundamental components:
· Human resources specialized in IT security (operators, analysts, experts)
· Technical tools, including Security Incident & Event Management (SIEM) that allows collection, aggregation, correlation and log analysis
· Clearly documented and documented processes for each major step
The setting up of a SOC is a project of transverse scope to the organization of the Company which will have operational impacts. The explicit support of management is essential to protect the recurring expenses incurred by such an organization.
Taking into account the context specific to the Company (business area, regulatory requirements, size of the teams, maturity in IT security, solutions currently in place, the perimeter of surveillance, …), several issues must be addressed from the earliest stages. of the project:
· What is the technical and business perimeter selected for the implementation of monitoring?
· The internal, external, or mixed team?
· SOC hosting (internal / external)?
· The range of services and expected level of service (working hours, penalty payments, 24/7)?
· Estimated budget (construction & operation)
The project to set up the SOC must be a succession of Construction (BUILD) and then Exploitation (RUN) phases with a gradual widening of the perimeter, starting with a limited and controlled perimeter protection equipment.
The realization of a Proof of Concept (POC) on some simple use cases makes it possible to validate the technical (trace collection, event timestamp) and organizational (incident management process, communication, escalation) requirements, as well as SOC tooling (SIEM, collecting enclaves, transmission channels).
Finally, continuous improvement is a major feature of the SOC, with the permanent evolution of the detection rules to take into account new threats and/or experience feedback after the incident, the reduction of false positives, not to mention the documentation. (reflex cards, incident management process, …)