SOC = Security Operations Center
ok, but what does that mean?
British Defence Doctrine defines security as the following:
Security is the provision and maintenance of an operating environment that affords the necessary freedom of action, when and where required, to achieve objectives. [1]
The US Army Field Manual defines security like this:
Security – Never permit the enemy to acquire unexpected advantage. Security enhances freedom of action by reducing vulnerability to hostile acts, influence, or surprise. Security results from the measures taken by a commander to protect his forces. Knowledge and understanding of enemy strategy, tactics, doctrine, and staff planning improve the detailed planning of adequate security measures. [1]
These are two different things, but the distinction is so subtle that I don’t know if I can put it into words. I will try anyway.
SecOps = Security Operations
OPSEC = Operations Security
OPSEC is more of a military term, regarding the security of a military operation, but it has been heavily borrowed by infosec. The phrase “Loose lips sink ships” is commonly used to explain the concept.
OPSEC is an analytical process used to deny an adversary information (generally unclassified) concerning our intentions and capabilities by identifying, controlling, and protecting indicators associated with our planning processes or operations. -USCG
OPSEC is described as a five-step process:
Analyze Vulnerabilities: Determining vulnerabilities involves conducting a detailed analysis of how an operation is normally conducted. The operation must be viewed from the adversarial perspective. An OPSEC vulnerability exists when the adversary is capable of collecting critical information or indicators, analyzing it, and then acting quickly enough to impact friendly objectives. -USCG
A SOC isn’t a bunch of computers and screens on the wall with dashboards and maps. A SOC is not a SIEM or an EDR. A SOC is not tools. A SOC is people. I think the “Center” part confuses people. We centralize SecOps people because it can be more efficient sometimes. [2] When you centralize SecOps, it lets the people communicate more easily because they are closer together. But again, a SOC is not a room. The SecOps people might even work remote, but they must have established comms, both internally and externally. Customers also benefit because they can go to one place to report things to the SOC. But again, a SOC is not a room. Most likely the SOC is an email address as far as the customer is concerned.
Tools are important, BUT do not let tools drive your workflow. Some people say the first thing to consider when creating a SOC is tools. This is wrong. Tools should be selected to assist existing processes. You need to first determine what capabilities you want the SOC to have, and then select tools to accomplish that.
What capabilities should a SOC have?