
Many organisations now build a Security Operations Centre (SOC) with limited resources (time, staff and budget), setting up an operations centre supported by multiple monitoring technologies and real-time threat updates. It is reasonable to doubt that there will be enough full-time, skilled team members to implement and manage these different tools on an ongoing basis. That is why it is essential to look for ways to simplify and unify security monitoring, so that SOC processes and the team are used as effectively as possible.

A SOC is a centralised unit in an organisation that deals with security issues at both the organisational and the technical level. In physical security, a Security Operations Centre within a building or facility is the central location from which staff supervise the site using data-processing technology; in information security, a SOC is the location from which enterprise information systems are centrally monitored, and it is this meaning that the rest of this guideline uses.

General requirements for the effective working of a SOC

• A defined and documented Security Operations Centre (SOC) guideline that includes all the roles and responsibilities to be undertaken by the SOC.

• Clearly defined escalation paths to investigate, analyse and elevate alerts and events to the appropriate incident response teams.

• Tools to detect and monitor computer security alerts (e.g. alerting, thresholds, aggregation).

• An incident management plan.

• Incident analysis and handling hardware and software in place.

• Incident handling communication facilities in place.

• Regularly reviewed lists:

    - Asset list (new and decommissioned assets)

    - IP details

    - Network diagram

    - Cryptographic hashes (integrity baselines of the files and binaries the SOC monitors)

• Roles and responsibilities of the SOC team defined according to the team's capabilities.

• Regular training sessions for the SOC team, for continuous skill enhancement and to keep up to date with current threats and attacks.

• The enterprise-wide data collection, aggregation, detection, analytics and management solutions required by the SOC are defined.

• A risk assessment to identify high-risk areas for prioritisation.

• Key vulnerabilities identified regularly.

• Special interest groups identified for reporting incidents (in the ISO 27001 sense: e.g. a national CERT or a sector ISAC).

Monitoring

• Monitoring of various sources to facilitate enforcement of the CIS Top 20 Critical Security Controls (now the CIS Critical Security Controls, reduced to 18 controls in version 8).

• Information technology systems, such as applications, servers, routers, switches and workstations, shall be monitored by the SOC.

• Information security systems, such as firewalls, antivirus, intrusion detection and identity management, shall be monitored by the SOC.
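The "thresholds and aggregation" that the monitoring tooling is required to provide, as an added example that is not part of this guideline: a small Python detector that normalises sshd lines from an IT system and a deny line from a firewall (an information security system) into one event schema, raises a medium alert once five failed logins from one source fall within a five-minute window, and raises a high alert marked for escalation when the same source then logs in successfully. The log lines, hostnames, IP addresses, thresholds and rule names are all constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events from an IT system (sshd on srv-web01) and a
# security system (a firewall deny line); none of these are real hosts.
SAMPLE_LOGS = """\
2024-03-04T09:00:01 srv-web01 sshd[1201]: Failed password for root from 203.0.113.7 port 51022 ssh2
2024-03-04T09:00:03 srv-web01 sshd[1203]: Failed password for admin from 203.0.113.7 port 51030 ssh2
2024-03-04T09:00:05 srv-web01 sshd[1205]: Failed password for root from 203.0.113.7 port 51041 ssh2
2024-03-04T09:00:08 srv-web01 sshd[1207]: Failed password for oracle from 203.0.113.7 port 51055 ssh2
2024-03-04T09:00:10 srv-web01 sshd[1209]: Failed password for root from 203.0.113.7 port 51060 ssh2
2024-03-04T09:00:12 srv-web01 sshd[1211]: Accepted password for root from 203.0.113.7 port 51066 ssh2
2024-03-04T09:01:00 srv-web01 sshd[1220]: Failed password for alice from 198.51.100.20 port 40000 ssh2
2024-03-04T09:20:00 srv-web01 sshd[1300]: Failed password for alice from 198.51.100.20 port 40010 ssh2
2024-03-04T09:00:09 fw-edge01 kernel: DENY IN=eth0 SRC=203.0.113.7 DST=10.0.0.5 PROTO=TCP DPT=3389
"""

SSH_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: (?P<outcome>Failed|Accepted) password "
    r"for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)"
)
FW_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) kernel: DENY .*SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*DPT=(?P<dport>\d+)"
)


def parse_events(text):
    """Normalise lines from different sources into one event schema, sorted by time."""
    events = []
    for line in text.splitlines():
        m = SSH_RE.match(line)
        if m:
            events.append({"ts": datetime.fromisoformat(m["ts"]), "host": m["host"],
                           "src": m["src"], "user": m["user"],
                           "kind": "ssh_fail" if m["outcome"] == "Failed" else "ssh_success"})
            continue
        m = FW_RE.match(line)
        if m:
            events.append({"ts": datetime.fromisoformat(m["ts"]), "host": m["host"],
                           "src": m["src"], "dst": m["dst"], "dport": int(m["dport"]),
                           "kind": "fw_deny"})
        # Unparsed lines are dropped here; a production pipeline should count
        # them so that a silently broken parser is itself an alert.
    events.sort(key=lambda e: e["ts"])
    return events


def detect(events, threshold=5, window=timedelta(minutes=5)):
    """Sliding-window threshold rule plus one follow-on correlation.

    ssh_bruteforce (medium): at least `threshold` failed logins from one
    source within `window`, raised once per source per window.
    ssh_bruteforce_success (high): a successful login from a source that
    already tripped ssh_bruteforce inside the window; Tier 1 should
    escalate this rather than close it as noise.
    Firewall denies from the same source in the window are attached as
    context for the analyst.
    """
    failures = defaultdict(list)   # src -> failure timestamps still inside the window
    last_alert = {}                # src -> time of the last ssh_bruteforce alert
    alerts = []
    for ev in events:
        src = ev["src"]
        if ev["kind"] == "ssh_fail":
            recent = [t for t in failures[src] if ev["ts"] - t <= window] + [ev["ts"]]
            failures[src] = recent
            suppressed = src in last_alert and ev["ts"] - last_alert[src] <= window
            if len(recent) >= threshold and not suppressed:
                last_alert[src] = ev["ts"]
                alerts.append({"rule": "ssh_bruteforce", "severity": "medium", "src": src,
                               "ts": ev["ts"], "count": len(recent), "escalate": False})
        elif ev["kind"] == "ssh_success":
            if src in last_alert and ev["ts"] - last_alert[src] <= window:
                alerts.append({"rule": "ssh_bruteforce_success", "severity": "high",
                               "src": src, "ts": ev["ts"], "user": ev["user"],
                               "escalate": True})
    denies = [e for e in events if e["kind"] == "fw_deny"]
    for a in alerts:
        a["related_fw_denies"] = [f"{d['dst']}:{d['dport']}" for d in denies
                                  if d["src"] == a["src"] and abs(d["ts"] - a["ts"]) <= window]
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_events(SAMPLE_LOGS)):
        print(alert)
```

Run stand-alone, the two failed logins from 198.51.100.20 never reach the threshold inside one window and produce nothing, while 203.0.113.7 produces a medium ticket for Tier 1 and then a high alert with `escalate` set, carrying the related RDP deny from the firewall as context. The threshold and window are placeholders; they have to be tuned per environment, and the suppression of repeat alerts per source per window is what keeps an aggregation rule from flooding the Tier 1 queue.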

Functional Components

Monitor

• Regularly monitor all security incidents

• Analyse the alerts

• Regularly monitor network health

• Quickly analyse and triage events

Respond

• Remediate cyber incidents to minimise business impact

• Identify and communicate whether a security event is an incident or a crisis

• Develop improved controls to mitigate future breaches

• Conduct forensics, preserving evidence and maintaining the chain of custody

• Determine the root causes of prior breaches and close the vulnerabilities involved

Assess

• Regularly assess the network

• Conduct periodic vulnerability assessments to identify risks

• Report the issues found so that the company's defences can be strengthened

• Regularly provide a security health report

Report

• Continuously improve security operations and maintain processes

• Measure performance and analyse trends

Log Collection

• Logs are collected from:

    - Information technology sources, such as network devices, systems and servers

    - Information security sources, such as IDS, DLP and email filtering

• Logs shall be kept online on the system for at least three months and then archived for one year.
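The retention rule above, as an added example that is not part of this guideline: a Python routine that classifies each log file as online, to-be-archived or to-be-purged by age, compresses the archived copies and records a SHA-256 digest for each so the archive can be verified before it is relied on in an investigation. The file names, dates and contents are constructed, and two points are assumptions rather than the guideline's: the one-year archive window is counted from the end of the 90-day online period, and the archive is a gzip blob plus a hash manifest.

```python
import gzip
import hashlib
from datetime import date

ONLINE_DAYS = 90     # "at least three months" kept on the system
ARCHIVE_DAYS = 365   # "archived for one year", counted from the end of the online period (assumption)


def classify(log_date, today):
    """Return 'online', 'archive' or 'purge' for a log file written on log_date."""
    age = (today - log_date).days
    if age < 0:
        # A log dated in the future usually means clock drift on the source;
        # fail loudly rather than silently keeping it forever.
        raise ValueError(f"log dated {log_date} is in the future relative to {today}")
    if age <= ONLINE_DAYS:
        return "online"
    if age <= ONLINE_DAYS + ARCHIVE_DAYS:
        return "archive"
    return "purge"


def archive(content):
    """Compress the log and return (blob, sha256) so the archived copy can be verified later."""
    blob = gzip.compress(content)
    return blob, hashlib.sha256(blob).hexdigest()


def verify(blob, expected_sha256):
    """True if the archived blob still matches the digest recorded in the manifest."""
    return hashlib.sha256(blob).hexdigest() == expected_sha256


def apply_retention(logs, today):
    """logs: {filename: (log_date, content_bytes)}.
    Returns (files left online, archive manifest, files purged)."""
    online, manifest, purged = [], {}, []
    for name, (log_date, content) in logs.items():
        action = classify(log_date, today)
        if action == "online":
            online.append(name)
        elif action == "archive":
            blob, digest = archive(content)
            manifest[name] = {"sha256": digest, "size": len(blob), "log_date": log_date.isoformat()}
        else:
            purged.append(name)
    return sorted(online), manifest, sorted(purged)


# Constructed sample inventory of log files (names, dates and contents are made up).
TODAY = date(2024, 3, 4)
SAMPLE_LOGS = {
    "auth-2024-02-20.log": (date(2024, 2, 20), b"Feb 20 sshd: Accepted password for alice\n"),
    "auth-2023-12-05.log": (date(2023, 12, 5), b"Dec 5 sshd: Failed password for root\n"),  # exactly 90 days old
    "auth-2023-12-04.log": (date(2023, 12, 4), b"Dec 4 sshd: Failed password for root\n"),  # 91 days old
    "fw-2023-01-01.log":   (date(2023, 1, 1),  b"Jan 1 kernel: DENY SRC=203.0.113.7\n"),    # 428 days old
    "fw-2022-12-01.log":   (date(2022, 12, 1), b"Dec 1 kernel: DENY SRC=203.0.113.7\n"),    # 459 days, past both windows
}

if __name__ == "__main__":
    online, manifest, purged = apply_retention(SAMPLE_LOGS, TODAY)
    print("online:", online)
    print("archived:", {k: v["sha256"][:16] for k, v in manifest.items()})
    print("purged:", purged)
```

The boundary cases are deliberate: a file exactly 90 days old stays online, one day older goes to the archive, and a file dated in the future is rejected instead of being retained indefinitely. Keeping the digest in the manifest is what lets a Tier 3 responder show that an archived log used as evidence is the same bytes that were written at archive time.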

Roles and Responsibilities of the SOC Team

Tier 1 Monitoring Analyst

• Continuously monitors the alert queue

• Triages security alerts

• Monitors the health of security sensors and endpoints

• Raises tickets in the SOC tool

• Collects the data and context necessary to initiate Tier 2 work

• Tracks alerts in line with change management

Tier 2 Analyst

• Performs deep-dive incident analysis by correlating data from various sources

• Determines whether a critical system or data set has been impacted

• Contains and remediates the event to recover

• Escalates to Tier 3 incident response according to criticality

• Tracks the event in line with change management

Tier 3 Incident Responder

• Analyses the incident and conducts triage

• Contains and remediates the incident to recover

• Conducts the incident investigation

• Identifies the root cause of the incident and advises on its remediation

SOC/Infosec Manager

• Develops a workflow model and implements standardised operating procedures (SOPs) for effective incident management

• Manages resources, including personnel, budget, shift scheduling and technology strategy, to meet the SLA

• Communicates identified weaknesses to management

• Reports incidents to the special interest groups

SOC Architecture

Application & Middleware Architecture

• Security Information and Event Management (SIEM) tools are implemented

• Additional tools are deployed for automation

Data Architecture

• Security control matrix

• Critical security controls:

    - Inventory of authorised and unauthorised devices

    - Inventory of authorised and unauthorised software

    - Secure configurations for hardware and software

    - Backup of configurations

    - Continuous vulnerability assessment and remediation

    - Controlled use of administrative privileges

• Active employees list from the HR department
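How the lists in the data architecture are used together, as an added example that is not part of this guideline: a small Python reconciliation that flags devices seen on the network but absent from the authorised inventory, decommissioned assets that are still live, inventory entries that are never observed, and accounts with no active employee (from the HR list) or documented service owner behind them. All MAC addresses, hostnames, IP addresses and usernames are constructed; the finding categories and severities are assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    category: str
    severity: str
    subject: str
    detail: str


# Constructed data standing in for the SOC's regularly reviewed lists.
ASSET_LIST = {  # MAC -> hostname: the authorised-device inventory
    "aa:bb:cc:00:00:01": "srv-web01",
    "aa:bb:cc:00:00:02": "srv-db01",
    "aa:bb:cc:00:00:03": "ws-alice",
}
DECOMMISSIONED = {"aa:bb:cc:00:00:09": "srv-old01"}  # retired assets from the asset list
OBSERVED = {  # MAC -> IP as seen on the network (DHCP leases, ARP, switch tables)
    "aa:bb:cc:00:00:01": "10.0.0.5",
    "aa:bb:cc:00:00:03": "10.0.0.51",
    "aa:bb:cc:00:00:09": "10.0.0.77",
    "de:ad:be:ef:00:01": "10.0.0.99",
}
ACTIVE_EMPLOYEES = {"alice", "bob"}            # from the HR department
SERVICE_ACCOUNTS = {"svc-backup"}              # non-human accounts with a documented owner
ACCOUNTS = {"alice", "bob", "carol", "svc-backup", "svc-legacy"}  # from the identity system


def reconcile_devices(asset_list, decommissioned, observed):
    """Compare what is on the network with what the inventory says should be there."""
    findings = []
    for mac, ip in sorted(observed.items()):
        if mac in decommissioned:
            # A retired asset answering on the network is a higher-priority finding
            # than an unknown one: it is usually unpatched and no longer monitored.
            findings.append(Finding("decommissioned_device_active", "high", mac,
                                    f"{decommissioned[mac]} still on the network at {ip}"))
        elif mac not in asset_list:
            findings.append(Finding("unauthorised_device", "medium", mac,
                                    f"device not in the asset list, seen at {ip}"))
    for mac, host in sorted(asset_list.items()):
        if mac not in observed:
            # Inventory drift: either the asset is off the network or the list is stale.
            findings.append(Finding("asset_not_seen", "low", mac,
                                    f"{host} is in the asset list but was not observed"))
    return findings


def reconcile_accounts(accounts, active_employees, service_accounts):
    """Every account must map to an active employee or a documented service owner."""
    orphans = sorted(accounts - active_employees - service_accounts)
    return [Finding("orphan_account", "high", user,
                    "no active employee or documented service owner") for user in orphans]


if __name__ == "__main__":
    for f in reconcile_devices(ASSET_LIST, DECOMMISSIONED, OBSERVED) + \
             reconcile_accounts(ACCOUNTS, ACTIVE_EMPLOYEES, SERVICE_ACCOUNTS):
        print(f"[{f.severity}] {f.category}: {f.subject} ({f.detail})")
```

The point of keeping the HR list in the SOC's data architecture is the last function: without it, an account that outlives its owner looks identical to any other account in the SIEM. Running the reconciliation on each review of the lists turns the inventories from static documents into a detection source.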
