Building a SOC

Whether you’re protecting a bank, highway users, or the local grocery store, certain common sense security rules apply. At the very least, you need locks on entrances and exits, cash registers and vaults, as well as cameras pointed at these places and at others throughout the facility or along the roads. The same goes for your network. Controlling access with tools like passwords, ACLs and firewall rules isn’t quite good enough on its own. You still have to constantly monitor that these security controls continue to work across all of your devices so that you can spot strange activity that may indicate a possible exposure. In this blog post, we’ll give an overview of the Security Operations Center (SOC).

The tools you use to do security monitoring and analysis may be a bit more varied than just a CCTV monitor, but the concept is the same.

Unfortunately, unlike with CCTV cameras, you can’t just look at a monitor and immediately see an active threat unfold, or use a video recording to prosecute a criminal after catching them in the act on tape. The “bread crumbs” of cyber security incidents and exposures are far more varied, distributed, and hidden than what can be captured in a single camera feed. That’s why it takes more than a single tool to effectively monitor your environment, just as monitoring a highway takes more than cameras alone: cameras, AI, sensors, a call center, highway patrol, and so on.

Example with Vinci Highway in France:

The parallel between a motorway network like Vinci’s and a SOC is an interesting one: compare how a highway operator manages security events with how a SOC does.

Building a SOC:

SOC teams are responsible for monitoring, detecting, containing, and remediating IT threats across applications, devices, systems, networks, and locations.

Using a variety of technologies and processes, SOC teams rely on the latest threat intelligence (for example indicators, artifacts, persistence mechanisms, the latest methods used by criminal groups, and other evidence) to determine whether an active threat is occurring, the scope of its impact, and the appropriate remediation.
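As an added illustration (not code from the original post), the following Python script shows the kind of correlation a SOC performs on top of its sensors: indicators from a threat-intel feed are matched against logs from several sources, and a host that two or more independent sensors flag is treated as a corroborated, higher-priority case. The indicator values, log format and log lines are all constructed for the example.

```python
"""Toy SOC detection pass: match threat-intel indicators against multi-sensor
logs and summarise whether a threat is active and how far it reaches."""
import re
from collections import defaultdict

# Constructed threat-intel feed (documentation-range IP, hash of an empty file,
# made-up registry key); these are not real indicators of compromise.
INDICATORS = {
    "dst": {"203.0.113.45"},
    "sha256": {"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"},
    "regkey": {r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\updater"},
}

# Constructed log lines from three sensors: firewall (fw), EDR and registry audit.
SAMPLE_LOGS = [
    "2024-03-01T10:00:01Z fw host=ws-17 dst=203.0.113.45 dport=443 action=allow",
    "2024-03-01T10:00:05Z edr host=ws-17 event=file_create sha256=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
    "2024-03-01T10:00:09Z reg host=ws-17 event=set regkey=HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\updater",
    "2024-03-01T10:01:00Z fw host=ws-22 dst=203.0.113.45 dport=443 action=deny",
    "2024-03-01T10:02:00Z fw host=ws-30 dst=198.51.100.7 dport=80 action=allow",
]

FIELD = re.compile(r"(\w+)=(\S+)")

def parse(line):
    """Split 'timestamp source k=v k=v ...' into a dict; unknown layouts give None."""
    parts = line.split(maxsplit=2)
    if len(parts) < 3:
        return None
    rec = {"ts": parts[0], "source": parts[1]}
    rec.update(FIELD.findall(parts[2]))
    return rec

def match_indicators(lines, indicators=INDICATORS):
    """Return one (host, source, indicator type, value) tuple per feed match."""
    hits = []
    for rec in filter(None, map(parse, lines)):
        for field, values in indicators.items():
            if rec.get(field) in values:
                hits.append((rec.get("host", "unknown"), rec["source"], field, rec[field]))
    return hits

def assess(hits):
    """Summarise status and scope; a host seen by >= 2 sensors is corroborated."""
    by_host = defaultdict(set)
    for host, source, _, _ in hits:
        by_host[host].add(source)
    corroborated = sorted(h for h, s in by_host.items() if len(s) >= 2)
    priority = "high" if corroborated else ("medium" if hits else "none")
    return {"active": bool(hits), "hosts": sorted(by_host),
            "corroborated": corroborated, "priority": priority}

if __name__ == "__main__":
    print(assess(match_indicators(SAMPLE_LOGS)))
```

Here ws-17 is flagged by all three sensors while ws-22 only appears in a denied firewall connection, which is the difference between a confirmed compromise to contain and a lead to investigate.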

Security operations center roles & responsibilities have continued to evolve as the frequency and severity of incidents continue to increase.

Building a SOC with limited resources in a race against time:

For many organizations (unless you work for a large bank), building a SOC may seem like an impossible task. With limited resources (time, staff, and budget), setting up an operations center supported by multiple monitoring technologies and real-time threat updates doesn’t seem all that DIY. In fact, you may doubt that you’ll have enough full-time and skilled team members to implement and manage these different tools on an ongoing basis. That’s why it’s essential to look for ways to simplify and unify security monitoring to optimize your SOC processes and team.

Like most companies, you may not feel you’re in a position to build a SOC and manage it on your own. Based on your company’s line of business and the size and skill set of the IT department, you may decide that outsourcing to an MSSP (managed security service provider) is a viable option. Many global and regional MSSPs are set up to provide 24x7x365 SOC support, which includes vulnerability assessment, compliance reporting, alert response services, and more. And many of them rely on several technologies (SIEM, XDR, SOAR, EDR, UEBA, etc.) as the foundational elements in building their SOCs.

The traditional SOC has morphed into a modern SOC concept with a lot more focus on building capabilities for early threat detection (of both known and unknown threats), minimizing dwell time, and using automation to improve efficiency. It is also difficult to understand the offerings of cybersecurity technology companies and their actual scope; I’m talking about marketing. For example, every vendor uses the word “XDR”, but not everyone really offers one… In a separate blog post, you will discover the difference between a Traditional SOC, Managed EDR, SOC NextGen, etc.
