What is a SOC?
SOC = Security Operations Center
OK, but what does that mean?
- What is Security?
- What is Operations?
- …
Security
British Defence Doctrine defines security as the following:
Security is the provision and maintenance of an operating environment that affords the necessary freedom of action, when and where required, to achieve objectives. 1
The US Army Field Manual defines security like this:
Security – Never permit the enemy to acquire unexpected advantage. Security enhances freedom of action by reducing vulnerability to hostile acts, influence, or surprise. Security results from the measures taken by a commander to protect his forces. Knowledge and understanding of enemy strategy, tactics, doctrine, and staff planning improve the detailed planning of adequate security measures. 1
What is Security Operations?
SecOps vs OPSEC
These are two different things but the distinction is so subtle that I don’t know if I can put it into words. I will try anyway.
SecOps = Security Operations
OPSEC = Operations Security
OPSEC is more of a military term, concerning the security of a military operation, but it has been heavily borrowed by infosec. The phrase “Loose lips sink ships” is commonly used to explain the concept.
OPSEC is an analytical process used to deny an adversary information (generally unclassified) concerning our intentions and capabilities by identifying, controlling, and protecting indicators associated with our planning processes or operations. -USCG
OPSEC is described as a five step process:
- Identify Critical Information
- Analyze the Threat
- Analyze Vulnerabilities
- Assess Risk
- Apply Countermeasures
Analyze Vulnerabilities: Determining vulnerabilities involves conducting a detailed analysis of how an operation is normally conducted. The operation must be viewed from the adversarial perspective. An OPSEC vulnerability exists when the adversary is capable of collecting critical information or indicators, analyzing it, and then acting quickly enough to impact friendly objectives. -USCG
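The five steps above read as a process, so here is an added example (not from these notes or from the USCG material) that runs them as a small risk model: each piece of critical information carries threat and vulnerability scores, risk is assessed from them, and a limited countermeasure budget is spent on the highest-risk items first. Every item name, score, indicator and countermeasure is constructed for illustration.

```python
"""Added example, not from the original notes: the five-step OPSEC process
as a small risk-scoring model. Every item, score and countermeasure below
is constructed for illustration."""
import copy
from dataclasses import dataclass, field


@dataclass
class CriticalItem:
    """Step 1 (Identify Critical Information): one thing to keep from the adversary."""
    name: str
    impact: int          # 1-5: harm if the adversary learns it
    threat: int          # Step 2 (Analyze the Threat): 1-5, adversary intent and capability to collect it
    vulnerability: int   # Step 3 (Analyze Vulnerabilities): 1-5, how exposed the indicators are today
    indicators: list = field(default_factory=list)   # observable signs that leak the item

    def risk(self) -> int:
        """Step 4 (Assess Risk): impact weighted by how likely collection is."""
        return self.impact * self.threat * self.vulnerability


# Constructed inventory of critical information for a SOC.
CRITICAL_INFO = [
    CriticalItem("incident response playbook", impact=4, threat=3, vulnerability=2,
                 indicators=["runbook repo world-readable"]),
    CriticalItem("SOC shift schedule", impact=3, threat=4, vulnerability=5,
                 indicators=["shift calendar shared publicly",
                             "out-of-office replies name analysts"]),
    CriticalItem("detection coverage gaps", impact=5, threat=4, vulnerability=4,
                 indicators=["rule names visible in ticket titles"]),
]

# Step 5 (Apply Countermeasures): indicator -> (action, vulnerability reduction). Constructed.
COUNTERMEASURES = {
    "runbook repo world-readable": ("restrict runbook repo ACL", 1),
    "shift calendar shared publicly": ("restrict calendar to SOC staff", 2),
    "out-of-office replies name analysts": ("route contact through a shared SOC mailbox", 1),
    "rule names visible in ticket titles": ("use generic ticket titles", 2),
}


def assess_risk(items):
    """Step 4: rank critical information by risk, highest first."""
    return sorted(((i.name, i.risk()) for i in items), key=lambda t: -t[1])


def apply_countermeasures(items, max_actions):
    """Step 5: spend a limited action budget on the highest-risk items first.
    Returns (actions_taken, residual_risk_by_item). The input list is not modified."""
    items = copy.deepcopy(items)
    actions = []
    for item in sorted(items, key=lambda i: -i.risk()):
        for indicator in item.indicators:
            if len(actions) >= max_actions:
                break
            if indicator in COUNTERMEASURES:
                action, reduction = COUNTERMEASURES[indicator]
                item.vulnerability = max(1, item.vulnerability - reduction)
                actions.append((item.name, action))
    return actions, dict(assess_risk(items))


if __name__ == "__main__":
    print("before:", assess_risk(CRITICAL_INFO))
    taken, residual = apply_countermeasures(CRITICAL_INFO, max_actions=2)
    print("actions:", taken)
    print("after:", residual)
```

The scoring is deliberately simple (impact times threat times vulnerability); the point is the loop: the adversary's view drives the vulnerability score, and countermeasures are chosen against measured risk rather than against whatever indicator was noticed first.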
A SOC is not a room.
A SOC isn't a bunch of computers and screens on the wall with dashboards and maps. A SOC is not a SIEM or an EDR. A SOC is not tools. A SOC is people. I think the “Center” part confuses people. We centralize SecOps people because it can be more efficient sometimes 2. When you centralize SecOps, it lets the people communicate more easily because they are closer together. But again, a SOC is not a room. The SecOps people might even work remotely, but they must have established comms, internally and externally. Customers also benefit because they can go to one place to report things to the SOC. But again, a SOC is not a room. Most likely the SOC is an email address as far as the customer is concerned.
A SOC is capabilities
Tools
Tools are important, BUT do not let tools drive your workflow. Some people say the first thing to consider when creating a SOC is tools. This is wrong. Tools should be selected to support existing processes. You need to first determine what capabilities you want the SOC to have, and then select tools to accomplish that.
What capabilities should a SOC have?
- Maintaining an inventory of systems, processes and people
- Consuming and generating intelligence
- Conducting security investigations
- Responding to security incidents
  - Detection
  - Analysis
  - Response
Notes
Do we want Assessment inside or outside of the SOC?
Tiered vs tierless
Tiered
- repeatable process
- clear separation of duty
- defined escalation path
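As an added example that is not from these notes, here is the detection/analysis/response flow from the capabilities list run through tiers, showing the three properties just listed: tier 1 applies a repeatable checklist, each tier may only close alerts within its own authority (separation of duty), and anything outside that authority follows a defined escalation path. The alert fields, rule names, asset names and the authority table are all constructed for illustration.

```python
"""Added example, not from the original notes: tiered alert handling with a
repeatable tier-1 process, separation of duty on who may close what, and a
defined escalation path. All alerts and tables below are constructed."""
from dataclasses import dataclass, field


@dataclass
class Alert:
    id: str
    rule: str
    severity: str                                  # low | medium | high
    asset: str
    history: list = field(default_factory=list)    # audit trail of each tier's decision


# Repeatable process: (rule, asset) pairs documented as expected, so tier 1 closes them the same way every time.
KNOWN_BENIGN = {("vuln-scan-detected", "scanner01")}

# Assets whose involvement raises severity during tier-2 analysis (constructed).
CROWN_JEWELS = {"dc01", "payroll-db"}

# Separation of duty: the severities each tier is allowed to close.
CLOSE_AUTHORITY = {1: {"low"}, 2: {"low", "medium"}, 3: {"low", "medium", "high"}}


def can_close(severity, tier):
    return severity in CLOSE_AUTHORITY[tier]


def close(alert, tier):
    """Closing outside a tier's authority is refused, not silently allowed."""
    if not can_close(alert.severity, tier):
        raise PermissionError(f"tier {tier} may not close {alert.severity} alert {alert.id}")
    alert.history.append(f"T{tier}: closed")
    return {"id": alert.id, "outcome": "closed", "tier": tier, "severity": alert.severity}


def escalate(alert, tier, reason):
    """Defined escalation path: always one level up, with the reason recorded."""
    alert.history.append(f"T{tier}: escalated to T{tier + 1} ({reason})")


def triage(alert):
    # Tier 1 (detection): checklist only, no judgment calls.
    if (alert.rule, alert.asset) in KNOWN_BENIGN and can_close(alert.severity, 1):
        return close(alert, 1)
    escalate(alert, 1, "not on the documented benign list")

    # Tier 2 (analysis): add context; crown-jewel assets raise severity.
    if alert.asset in CROWN_JEWELS and alert.severity != "high":
        alert.history.append("T2: crown-jewel asset, severity raised to high")
        alert.severity = "high"
    if can_close(alert.severity, 2):
        return close(alert, 2)
    escalate(alert, 2, "high severity requires incident response")

    # Tier 3 (response): owns everything high.
    alert.history.append("T3: incident declared")
    return {"id": alert.id, "outcome": "incident", "tier": 3, "severity": alert.severity}


def run_sample():
    """Constructed alerts run through the tiers; returns one outcome per alert."""
    alerts = [
        Alert("A1", "vuln-scan-detected", "low", "scanner01"),
        Alert("A2", "vuln-scan-detected", "low", "workstation22"),
        Alert("A3", "new-admin-account", "medium", "payroll-db"),
        Alert("A4", "malware-execution", "high", "laptop07"),
    ]
    results = [triage(a) for a in alerts]
    for a, r in zip(alerts, results):
        print(a.id, r["outcome"], "at tier", r["tier"], "|", "; ".join(a.history))
    return results
```

The `history` list is the part worth keeping in a real ticketing system: when every tier records why it closed or escalated, the escalation path can be audited and the tier-1 checklist can be tuned from what tier 2 keeps sending back.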
How important is retention? With students, what is the expected min/max retention?
Scheduling
What coverage do we need? 24/7? Probably not…
M-F 8am - 5pm??? We may be able to condense coverage.
Extended shifts can cause extra stress and increase turnover.
MSSP
“expect 30-60 days minimum for onboarding”
###################
# Single-line progress bar: $progress green cells, the remaining (100 - $progress) red cells.
$progress = 14
Write-Host ('|'*$progress) -ForegroundColor DarkGreen -BackgroundColor DarkGreen -NoNewline
Write-Host ('-'*(100-$progress)) -ForegroundColor DarkRed -BackgroundColor DarkRed -NoNewline
Hiring and selecting
Some things we cannot teach. If those are important, filter for them in the selection process.
Interviews are a good tool if you ask the right questions.
- Logic
- Curiosity
- Willingness to learn
- Troubleshooting
- Work ethic
- Have you ever taken anything apart?
- Tell me about a time you repaired something.
- When is the last time you changed your mind about something?
What are the basics?