What is a SOC?

SOC = Security Operations Center

ok, but what does that mean?

  1. What is Security?
  2. What is Operations?
  3. …..

Security

British Defence Doctrine defines security as the following:

Security is the provision and maintenance of an operating environment that affords the necessary freedom of action, when and where required, to achieve objectives. 1

The US Army Field Manual defines security like this:

Security – Never permit the enemy to acquire unexpected advantage. Security enhances freedom of action by reducing vulnerability to hostile acts, influence, or surprise. Security results from the measures taken by a commander to protect his forces. Knowledge and understanding of enemy strategy, tactics, doctrine, and staff planning improve the detailed planning of adequate security measures. 1

What is Security Operations?

A SOC is not a room.

A SOC isn't a bunch of computers and screens on the wall with dashboards and maps. A SOC is people.

Tools

Tools are important, BUT do not let tools drive your workflow. Some people say the first thing to consider when creating a SOC is tools. This is wrong. Tools should be selected to support existing processes. You need to first determine what capabilities you want the SOC to have, and then select tools to accomplish that.

What capabilities should a SOC have?

  1. detection
  2. analysis
  3. response

Inventory

If you don’t know it exists, you can’t defend it.

Most of what a SOC does is maintain an inventory.
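As an added example (not part of the original post), the three capabilities above applied to the inventory point: constructed sshd log lines are parsed, each event is enriched with inventory context so an analyst knows which asset and owner it concerns, and sources that are absent from the inventory are flagged. The inventory entries, hostnames and addresses are hypothetical.

```python
import re
from dataclasses import dataclass

# Constructed asset inventory keyed by IP; hosts, owners and addresses are hypothetical.
INVENTORY = {
    "10.0.1.10": {"host": "web-01", "owner": "platform", "criticality": "high"},
    "10.0.2.20": {"host": "db-01", "owner": "data", "criticality": "critical"},
}

# Constructed sshd-style sample log lines (not real traffic).
SAMPLE_LOGS = """\
2024-05-01T10:00:01Z host-a sshd[1203]: Accepted publickey for deploy from 10.0.1.10 port 51022
2024-05-01T10:00:05Z host-a sshd[1207]: Accepted password for svc from 10.0.9.77 port 40112
2024-05-01T10:01:12Z host-a sshd[1211]: Failed password for admin from 10.0.9.77 port 40113
2024-05-01T10:02:40Z host-b sshd[1215]: Accepted publickey for backup from 10.0.2.20 port 50010
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) \S+ sshd\[\d+\]: (?P<event>Accepted|Failed) \S+ "
                     r"for (?P<user>\S+) from (?P<src>\d+\.\d+\.\d+\.\d+)")

@dataclass
class Finding:
    ts: str
    src: str
    user: str
    event: str
    asset: str   # inventory hostname, or "UNKNOWN" if the source is not inventoried
    owner: str   # who to ask during analysis; "n/a" for unknown assets

def parse_line(line):
    """Return the fields of one sshd auth line, or None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def triage(logs, inventory):
    """Detection plus analysis: enrich every auth event with inventory context."""
    findings = []
    for line in logs.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # not an auth event; a real pipeline would at least count these
        asset = inventory.get(rec["src"])
        findings.append(Finding(rec["ts"], rec["src"], rec["user"], rec["event"],
                                asset["host"] if asset else "UNKNOWN",
                                asset["owner"] if asset else "n/a"))
    return findings

def unknown_sources(findings):
    """Sources that authenticated (or tried to) but are absent from the inventory."""
    return sorted({f.src for f in findings if f.asset == "UNKNOWN"})
```

An unknown source is the response trigger: either the inventory is incomplete and needs updating, or something is on the network that should not be.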

Notes

If you’re going too fast to take notes, you’re going too fast.