SOC = Security Operations Center
ok, but what does that mean?
British Defence Doctrine defines security as the following:
Security is the provision and maintenance of an operating environment that affords the necessary freedom of action, when and where required, to achieve objectives. 1
The US Army Field Manual defines security like this:
Security – Never permit the enemy to acquire unexpected advantage. Security enhances freedom of action by reducing vulnerability to hostile acts, influence, or surprise. Security results from the measures taken by a commander to protect his forces. Knowledge and understanding of enemy strategy, tactics, doctrine, and staff planning improve the detailed planning of adequate security measures. 1
A SOC isn't a bunch of computers and screens on the wall with dashboards and maps. A SOC is people.
Tools are important, BUT do not let tools drive your workflow. Some people say the first thing to consider when creating a SOC is tools. This is wrong. Tools should be selected to assist existing processes. You need to first determine what capabilities you want the SOC to have, and then select tools to accomplish that.
What capabilities should a SOC have?
If you don't know it exists, you can't defend it.
Most of what a SOC does is maintain an inventory.
If you're going too fast to take notes, you're going too fast.