Your guide to detecting and responding to threats fast
— Even if you don’t have a 24×7 SOC
Some organisations have formal 24×7 security operations centres (SOCs): tightly secured areas where teams of dedicated analysts carefully monitor for threats around the clock. For almost every organisation, the cost of having well-trained analysts onsite at all times outweighs the benefit. Instead, most organisations make do with an informal SOC made up of a small number of analysts who have many other duties to perform. Others have no SOC at all.
For organisations caught between the prohibitive cost of a formal SOC and the wholly inadequate protection of an informal SOC, there is a solution: building a SOC that automates as much of the work as possible. Automation can help teams perform constant security event monitoring and analysis to detect possible intrusions and expedite incident response handling.
This white paper shows you how to successfully build a SOC. It explains the basics of SOCs, including what they mean in terms of people, processes, and technology, and the methodology and tactics of building and rolling out a SOC with limited resources.
People, page 5
No matter how well automated a SOC is, people are an absolute necessity. The two most fundamental roles in a SOC are the security analyst and the incident responder. Security analysts work primarily in the monitoring and detection phases of a SOC. Typical tasks include monitoring alarms from an all-in-one platform and performing triage to determine which alarms require intervention from the incident responders. Incident responder tasks may include:
• Conducting deeper analysis of suspicious security events using:
    • Search analytics capabilities
    • Threat intelligence sources
    • Basic forensics techniques
    • Malware analysis tools
• Performing response activities whenever an incident necessitates
• Keeping management apprised of the status of incident response efforts.
Other possible SOC roles include forensic analysts and malware reverse engineers.
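The analyst task described above, triaging alarms from a monitoring platform so that only the cases needing a responder are escalated, is the part of SOC work most amenable to automation. The script below is an added illustration of a first-pass triage step, not code from this white paper or from any SOC product. It enriches each alarm against a small indicator list, collapses repeated alarms from the same host and rule into one case, scores the case, and decides whether to escalate it. The host names, rule names, IP addresses, indicator list and scoring weights are all constructed for the example.

```python
"""Automated first-pass alarm triage (added example, constructed data)."""
from collections import defaultdict
from dataclasses import dataclass

# Constructed: indicators an analyst would normally pull from a threat-intel feed.
KNOWN_BAD_IPS = {"203.0.113.45", "198.51.100.7"}

# Constructed: how many identical alarms from one host count as a burst.
BURST_THRESHOLD = 3

# Hypothetical weights; a real SOC tunes these against its own alarm volume.
SEVERITY_SCORE = {"low": 1, "medium": 3, "high": 6}
INTEL_BONUS = 4
BURST_BONUS = 2


@dataclass
class Alarm:
    alarm_id: str
    host: str
    rule: str
    severity: str          # "low" | "medium" | "high"
    remote_ip: str
    intel_hit: bool = False


def enrich(alarms):
    """Tag each alarm with whether its remote IP matches a known indicator."""
    for a in alarms:
        a.intel_hit = a.remote_ip in KNOWN_BAD_IPS
    return alarms


def group_alarms(alarms):
    """Collapse repeated (host, rule) pairs so a responder sees one case, not a flood."""
    groups = defaultdict(list)
    for a in alarms:
        groups[(a.host, a.rule)].append(a)
    return groups


def score_group(group):
    """Highest severity in the case, plus bonuses for intel matches and bursts."""
    score = max(SEVERITY_SCORE[a.severity] for a in group)
    if any(a.intel_hit for a in group):
        score += INTEL_BONUS
    if len(group) >= BURST_THRESHOLD:
        score += BURST_BONUS
    return score


def triage(alarms, escalate_at=6):
    """Return {(host, rule): (score, decision, [alarm ids])} for every case."""
    decisions = {}
    for key, group in group_alarms(enrich(alarms)).items():
        score = score_group(group)
        decision = "escalate" if score >= escalate_at else "queue"
        decisions[key] = (score, decision, [a.alarm_id for a in group])
    return decisions


# Constructed sample alarms, as a monitoring platform might emit them.
SAMPLE_ALARMS = [
    Alarm("a1", "ws-017", "outbound-smb", "medium", "203.0.113.45"),
    Alarm("a2", "ws-017", "outbound-smb", "medium", "203.0.113.45"),
    Alarm("a3", "ws-017", "outbound-smb", "medium", "203.0.113.45"),
    Alarm("a4", "srv-db-02", "failed-logon", "low", "10.0.0.14"),
    Alarm("a5", "srv-db-02", "failed-logon", "low", "10.0.0.14"),
    Alarm("a6", "ws-031", "av-detection", "high", "192.0.2.88"),
]

if __name__ == "__main__":
    for (host, rule), (score, decision, ids) in triage(SAMPLE_ALARMS).items():
        print(f"{host:10} {rule:15} score={score:2d} -> {decision} ({len(ids)} alarms)")
```

Running it escalates the burst of SMB alarms to a known-bad address and the high-severity AV detection, while the two failed logons stay queued for an analyst to review in normal working hours. The point is not the specific weights but the shape of the pipeline: enrich, deduplicate, score, route, so that a part-time analyst reads cases rather than raw alarms.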