Security Operations Center

Monitoring and responding to threats

Security Operations Center (SOC) is a comprehensive service that responds to attacks on IT resources. The service combines highly specialized IT tools, professional knowledge and experience in the field of ICT security, and procedures for responding to detected threats. Constant monitoring of networks, systems and ICT security controls enables cyber threats and attacks to be identified. An experienced team, acting efficiently on defined response procedures, prevents the takeover of the client's infrastructure. Continuous analysis and ongoing risk assessment improve security over time.

The SOC's priority is to protect the organization's data and counteract threats coming from the network. The service is tailored to the customer's needs so that the reaction to an incident is as quick as possible and provides an effective defense against the attack.

The service consists of a set of processes carried out by designated support lines of BLUEsec engineers and specialists. The Security Operations Center provides both basic security monitoring with an appropriate response, and more advanced processes such as vulnerability management, risk analysis, configuration and maintenance of security tools, forensic analysis and training.

Three pillars of an effective SOC

Security threats change constantly and the techniques used to attack ICT systems keep evolving. The SOC service is delivered by a multidisciplinary team of engineers and specialists. The basic service is organized around four response levels, connected through the incident response process.
  • Level 1 - Alert Analyst - monitors the security alert queue and the status of sensors and endpoints; performs preliminary intrusion detection through alert analysis and collects and forwards the relevant data to Level 2.
  • Level 2 - Incident Responder - responsible for threat hunting; correlates data from different sources and determines the criticality of the exposed systems or data sets; develops remediation actions and new analytical methods for threat detection.
  • Level 3 - Subject Matter Expert/Hunter - has in-depth knowledge of the network, endpoint devices, threats, forensics and malware, as well as of the operation of individual applications; closely involved in the development, configuration and deployment of threat detection tools.
  • Level 4 - SOC Manager - responsible for resource management (people, technology) and process improvement; acts as the organizational point of contact for critical incidents and ensures continuous improvement of the security strategy.
In military terms, a Security Operations Center is comparable to a rapid reaction force. To address data security risks quickly, SOC operators need to know which actions to take and in what order. In the event of an attack on an IT system, each step is carried out according to a predetermined incident management procedure and response plan. The incident management procedure is agreed with the Customer at the service implementation stage and ensures that regulatory requirements such as the GDPR or the Directive on security of network and information systems (NIS Directive) are met. The procedure is also aligned with the most important standards in the field, in particular ISO/IEC 27001, NIST, PCI DSS and HIPAA. The quality of SOC processes depends on an efficient flow of information. Processes require a high degree of standardization so that nothing is omitted or improvised. Regular testing of the incident management procedures ensures that SOC operators act effectively as a cohesive unit during incident escalation.
SOC technology makes it possible to identify an attack on an IT system in near real time. The core toolset used in the SOC includes specialized software for the identification and classification of ICT systems, log analysis and correlation (SIEM), network monitoring, security auditing, analysis of network threats and threat hunting. In addition, the SOC provided by BLUE energy operates dedicated tools for knowledge management and for tracking the course of the incident handling process. It is important that the technologies used can be integrated with processes already functioning in the organization, such as risk analysis or vulnerability management.

Processes functioning in SOC

  • IT environment analysis
  • Log archiving
  • Constant monitoring
  • Malware analysis and IT forensics
  • Building knowledge and awareness
  • Penetration testing and vulnerability management

What does a scalable SOC provide?

  • Use of the Customer's existing SIEM or delivery of a SIEM system
  • Identification of potential attacks and of the data sources that reveal them
  • A precise, previously agreed response to each incident (e.g. contacting the CSO, reconfiguring the firewall)
  • Supplementing only those security areas that require it: we don't fix things that work
  • Up-to-date information on the level of data security: you will always be informed about threats
  • An individual approach and ongoing support in the area of ICT security