Security Operations Center

from Wikipedia, the free encyclopedia

A Security Operations Center (SOC) is a central facility that provides IT security services: it defines the procedures for preventing and handling security incidents. Its purpose is to reduce the risk inherent in all IT security activities by centralizing and analyzing all the human resources, hardware and software used to manage the security system. A facility of this type is staffed 24 hours a day, 365 days a year by personnel who keep the platforms running and analyze and summarize the information they produce. The operational and administrative processes that govern the SOC are designed to continuously analyze the residual risk and to protect against intrusion through periodic security assessments. Because managing network security is time- and labor-intensive, organizations often outsource the service to companies that specialize in information security. Entrusting such a partner with the administration of the company network's security considerably reduces costs and lets the organization concentrate on its core business. The security partner must, however, deliver the service with highly qualified security personnel. The service consists of continuously monitoring the activity of firewalls, IDS and antivirus software, identifying critical vulnerabilities, and so on. These are highly specialized tasks, so employees must keep their knowledge of the technologies up to date and continually maintain and deepen the methods used.

Possible services offered by the SOC

  • Proactive analysis and management of IT security systems and techniques
  • Security device management
  • Reporting
  • Security alert
  • DDoS damage control
  • Security assessment
  • Technical help

Proactive analysis and management of IT security systems and techniques

The aim of this service is the proactive, round-the-clock analysis of IT security systems and techniques (IDS, IPS, firewalls, etc.). The intrusion detection and prevention systems allow information security practices to be administered centrally so that potential attacks from the Internet and the intranet can be identified. The personnel assigned to this are usually highly specialized and qualified; for example, security analysts often know only the functions of the monitoring tools rather than the complete set of security equipment. The scalability of the SOC's tools is another critical factor; for example, it is relatively easy to add a new IDS (Intrusion Detection System) alongside the existing ones. The SOC often also handles part of policy management, e.g. the reconfiguration of the security equipment. The initial configuration of the devices and the security policy must be kept up to date by following the evolution of the customer's network.

Security device management

Security Device Management (SDM) is built around two main processes:

  • Fault management
  • Configuration management

Fault management

The main goal of fault management is to guarantee the optimal and continuous operation of the security infrastructure. The activities include:

  • Constant monitoring of the customer's security equipment by the SOC
  • Detection and alerting in the event of faults (opening a trouble ticket)
  • Determination of the appropriate remedial action
  • Implementation of the remedial measures
  • Restoration of configurations lost as a result of a fault

Configuration management

The main goal of configuration management is to ensure that the firewall configurations are continuously adapted to the customer's needs. It covers all devices managed by the SOC. Configuration management encompasses the configuration activities and adapts policy filters or authorizations to the flow of traffic from an external to an internal source (or vice versa), based on:

  • Source address
  • Destination address
  • Network protocol
  • Service protocol
  • Logging of traffic data
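As an added illustration (not part of the article), a minimal first-match policy filter that evaluates a traffic flow against the five criteria listed above; the rules and addresses are constructed for the example and the default action is an explicit deny.

```python
# Added example (constructed rules and addresses, not from any real deployment):
# a minimal first-match policy filter over the criteria listed above.
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional

@dataclass
class Rule:
    action: str             # "allow" or "deny"
    src: str                # source network, CIDR notation
    dst: str                # destination network, CIDR notation
    proto: str              # "tcp", "udp", "icmp" or "any"
    service: Optional[int]  # destination port; None matches any service
    log: bool = False       # write an audit line when this rule fires

@dataclass
class Flow:
    src: str
    dst: str
    proto: str
    port: Optional[int]

@dataclass
class PolicyFilter:
    rules: List[Rule]
    default_action: str = "deny"  # implicit final rule
    audit: List[str] = field(default_factory=list)

    def _matches(self, r: Rule, f: Flow) -> bool:
        return (ip_address(f.src) in ip_network(r.src)
                and ip_address(f.dst) in ip_network(r.dst)
                and r.proto in ("any", f.proto)
                and r.service in (None, f.port))

    def evaluate(self, f: Flow) -> str:
        # Return the action of the first matching rule, else the default.
        desc = f"{f.src}->{f.dst} {f.proto}/{f.port}"
        for i, r in enumerate(self.rules):
            if self._matches(r, f):
                if r.log:
                    self.audit.append(f"rule{i} {r.action} {desc}")
                return r.action
        self.audit.append(f"default {self.default_action} {desc}")
        return self.default_action

# Constructed policy: public HTTPS to a DMZ web server, logged admin SSH from
# the internal range, and a logged block of everything else inbound to the LAN.
POLICY = PolicyFilter([
    Rule("allow", "0.0.0.0/0", "192.0.2.10/32", "tcp", 443),
    Rule("allow", "10.0.0.0/8", "192.0.2.10/32", "tcp", 22, log=True),
    Rule("deny", "0.0.0.0/0", "10.0.0.0/8", "any", None, log=True),
])
```

Rule order matters: a flow is judged by the first rule it matches, and anything that reaches the end of the list is denied and written to the audit trail.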

Reporting

The logs from the consoles and the deployed instruments are carefully analyzed and reprocessed so that the customer can understand them easily. This reporting is particularly important because, in addition to details of possible intrusion attempts by unauthorized parties and of incidents that came to light in the reporting period, it allows the customer to take precautionary measures.

Security alert

The security alert service was created to notify customers as quickly as possible of newly discovered vulnerabilities, so that the necessary countermeasures can be prepared promptly to mitigate or neutralize their effects.

DDoS damage control

The aim of DDoS damage control is to reduce the consequences of a Distributed Denial of Service attack. When a customer has received an alarm, this service ensures that the necessary measures to close the exposure are correctly initiated. The countermeasures to be applied are evaluated, a "scrubbing" process is started and, where appropriate, the traffic is redirected. A message is issued when the attack has ended.

Security assessment

Two elements that are normally part of security management activities are the vulnerability assessment and the penetration test.

The vulnerability assessment is designed to identify known weaknesses in the systems and the services installed on them. It is carried out with the help of specific tools that are individually configured, refined and customized for each assessment.

The penetration test is carried out to identify known and as yet unknown weak points in the system, its services and the web applications running on it. The penetration testing process very effectively highlights the severity of a particular security threat and the assessment of its impact. It is carried out with a large number of tools that are configured, refined and customized for each assessment, and also manually for each service, system and application.

Technical help

In general, the SOC can also offer the customer dedicated technical support for functional problems and security breaches, as well as for new deployments and configurations of security hardware and software. This technical assistance can be provided remotely or on site, depending on the problem and the terms of the contract between the parties.
