Taking stock of available resources
The SOC is responsible for two types of assets: the devices, processes and applications it is charged with protecting, and the defensive tools at its disposal to ensure that protection.
What the SOC protects
The SOC cannot protect devices and data that it cannot see. Without visibility into and control over devices in the cloud, there will likely be blind spots in the network security posture that can be found and exploited. The SOC's goal is therefore to have a complete picture of the business threat landscape, including not only the different types of endpoints, servers and software on site, but also third-party services and the traffic that flows between these assets.
How SOC is protected
The SOC must also have a complete understanding of all the cybersecurity tools at hand and all workflows used within the SOC. This increases agility and allows the SOC to operate at peak efficiency.
Preventive preparation and maintenance
Even the best-equipped team with the fastest response processes cannot avoid problems entirely. To help keep attackers at bay, the SOC implements preventive measures, which fall into two main categories.
Preparation
Team members must stay informed about the latest security innovations, the latest cybercrime trends and new threats developing on the horizon. This research helps create a security roadmap that guides the company's future cybersecurity efforts, and a disaster recovery plan that serves as a quick guide in the worst-case scenario.
Preventive maintenance
This step includes all measures taken to hinder successful attacks, including regular maintenance and updating of existing systems, updating firewall policies, patching vulnerabilities, and application whitelisting, blacklisting and hardening.
Continuous proactive monitoring
The tools used by the SOC scan the network 24/7 to flag any anomalies or suspicious activity. Round-the-clock network monitoring lets the SOC learn of emerging threats immediately, giving it the best opportunity to prevent or mitigate damage. Monitoring tools can include a SIEM or EDR; the more advanced of these use behavioral analysis to "teach" systems the difference between routine operations and actual threat behavior, minimizing the amount of triage and analysis that humans must perform.
Classification and management of alerts
When the monitoring tools issue alerts, it is the SOC's responsibility to examine each one closely, eliminate false positives, and determine how aggressive the real threats are and what they could be targeting. This lets the SOC properly triage emerging threats, addressing the most pressing issues first.
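The triage step above, as an added example that is not part of the original post: raw alerts are run through a tuning allowlist to drop a known false positive, duplicates of the same rule/host/indicator are collapsed, and what remains is ranked by severity multiplied by the criticality of the targeted asset so the most pressing item is at the top of the queue. The alert fields, the allowlist entry, the asset criticality table and the scoring weights are all assumptions constructed for the illustration.

```python
"""Alert triage queue: suppress known false positives, de-duplicate, and rank.

Added example, not from the original post. Alert fields, the allowlist and
the scoring weights are assumptions chosen for illustration.
"""
from collections import OrderedDict

# Constructed sample alerts as a SIEM/EDR might emit them (hypothetical fields).
SAMPLE_ALERTS = [
    {"id": 1, "rule": "psexec_lateral_movement", "host": "DC01",
     "severity": "high", "indicator": "10.0.0.9"},
    {"id": 2, "rule": "port_scan", "host": "web01",
     "severity": "medium", "indicator": "10.0.0.50"},
    {"id": 3, "rule": "psexec_lateral_movement", "host": "DC01",
     "severity": "high", "indicator": "10.0.0.9"},      # duplicate of alert 1
    {"id": 4, "rule": "psexec_lateral_movement", "host": "kiosk07",
     "severity": "high", "indicator": "10.0.0.9"},
    {"id": 5, "rule": "failed_login_burst", "host": "laptop-3",
     "severity": "low", "indicator": "bob"},
]

# Asset criticality as the SOC's inventory might supply it (assumed values).
ASSET_CRITICALITY = {"DC01": 5, "web01": 3, "kiosk07": 1}
DEFAULT_CRITICALITY = 2

SEVERITY_WEIGHT = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Known benign source: the internal vulnerability scanner at 10.0.0.50 trips
# the port_scan rule on every sweep. A tuning list like this is how recurring
# false positives are eliminated before an analyst sees them.
FALSE_POSITIVE_ALLOWLIST = {("port_scan", "10.0.0.50")}


def is_false_positive(alert):
    """True when the (rule, indicator) pair is a documented benign combination."""
    return (alert["rule"], alert["indicator"]) in FALSE_POSITIVE_ALLOWLIST


def priority(alert):
    """Priority grows with both threat severity and the value of the target."""
    weight = SEVERITY_WEIGHT[alert["severity"]]
    return weight * ASSET_CRITICALITY.get(alert["host"], DEFAULT_CRITICALITY)


def triage(alerts):
    """Return the analyst work queue: false positives dropped, duplicates
    collapsed into one entry with a count, highest priority first."""
    merged = OrderedDict()
    for alert in alerts:
        if is_false_positive(alert):
            continue
        key = (alert["rule"], alert["host"], alert["indicator"])
        if key in merged:
            merged[key]["count"] += 1
        else:
            merged[key] = {**alert, "count": 1, "priority": priority(alert)}
    return sorted(merged.values(), key=lambda e: e["priority"], reverse=True)


if __name__ == "__main__":
    for entry in triage(SAMPLE_ALERTS):
        print(f"P{entry['priority']:<3} x{entry['count']} {entry['rule']} "
              f"on {entry['host']} ({entry['indicator']})")
```

Running it yields a three-entry queue: the domain controller alert (two raw alerts merged) at priority 15, the same rule on a low-value kiosk at 3, and the failed-login burst at 2. The same indicator ranks very differently depending on where it was seen, which is the point of weighting by asset criticality rather than by rule severity alone.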
Responding to threats
These are the actions most people think of when they think of a SOC. As soon as an incident is confirmed, the SOC acts as first responder, taking actions such as shutting down or isolating endpoints, terminating malicious processes (or preventing their execution), deleting files, and so on. The objective is to respond as needed while having the least possible impact on business continuity.
Recovery and remediation
After an incident, the SOC works to restore systems and recover lost or compromised data. This may include wiping and restarting endpoints, reconfiguring systems, or, in the case of ransomware attacks, restoring from viable backups to circumvent the ransomware. If successful, this step returns the network to the state it was in before the incident.
Log management
The SOC is responsible for collecting, maintaining and periodically reviewing logs of all network activity and communications across the entire organization. This data helps define a baseline for "normal" network activity, can reveal threats, and can be used for remediation and forensic analysis after an incident. Many SOCs use a SIEM to aggregate and correlate data feeds from applications, firewalls, operating systems and endpoints, each of which produces its own internal logs.
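The behavioral baselining mentioned under continuous monitoring and the "normal" activity baseline described here are the same idea, so one added example (not code from the original post) covers both: historical login logs are parsed to learn, per host, the usual daily login volume and the set of accounts that normally appear, and a new day's logs are then scored against that baseline. The log line format, the host and account names, and the volume threshold are constructed assumptions.

```python
"""Log baselining: learn what 'normal' looks like from historical logs, then
flag deviations in a new window.

Added example, not from the original post; the log format, sample hosts,
accounts and thresholds are assumptions.
"""
import re
import statistics
from collections import defaultdict

# Assumed key=value log format, e.g.
# 2024-05-01T09:00:00 host=files01 user=alice event=login
LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) event=(?P<event>\S+)"
)


def _synth_history():
    """Constructed seven-day history: a quiet file server and a busier web host."""
    lines = []
    for day in range(1, 8):
        for _ in range(2):   # files01: two admin logins per day
            lines.append(f"2024-05-0{day}T09:00:00 host=files01 user=alice event=login")
        for n in range(10):  # web01: ten logins per day from the deploy account
            lines.append(f"2024-05-0{day}T{10 + n:02d}:00:00 host=web01 user=deploy event=login")
    return lines


HISTORY = _synth_history()

# Constructed current-day lines: web01 slightly above its usual count, files01
# with an early-morning burst from an account never seen on that host before.
TODAY = (
    [f"2024-05-08T{10 + n:02d}:00:00 host=web01 user=deploy event=login" for n in range(11)]
    + [f"2024-05-08T03:{m:02d}:00 host=files01 user=svc_backup event=login" for m in range(0, 40, 2)]
)


def parse(lines):
    """Yield (date, host, user) for each login line; lines that do not parse are skipped."""
    for line in lines:
        m = LINE_RE.match(line)
        if m and m.group("event") == "login":
            yield m.group("ts")[:10], m.group("host"), m.group("user")


def build_baseline(lines):
    """Per host: mean and standard deviation of daily login counts, and the users seen."""
    per_day = defaultdict(lambda: defaultdict(int))
    users = defaultdict(set)
    for date, host, user in parse(lines):
        per_day[host][date] += 1
        users[host].add(user)
    baseline = {}
    for host, counts in per_day.items():
        vals = list(counts.values())
        baseline[host] = {
            "mean": statistics.mean(vals),
            "stdev": statistics.pstdev(vals),
            "users": users[host],
        }
    return baseline


def detect(baseline, lines, z=3.0):
    """Return (host, finding, detail) tuples for the new window.

    A host is flagged for volume when its count exceeds mean + z*stdev; a floor
    of half the mean is applied so a perfectly flat history (stdev 0) does not
    alert on a single extra login. Any user not in the host's history is flagged,
    and a host with no history at all is reported as unknown.
    """
    today = defaultdict(int)
    new_users = defaultdict(set)
    for _, host, user in parse(lines):
        today[host] += 1
        if host in baseline and user not in baseline[host]["users"]:
            new_users[host].add(user)
    findings = []
    for host, count in today.items():
        if host not in baseline:
            findings.append((host, "unknown_host", count))
            continue
        b = baseline[host]
        threshold = b["mean"] + max(z * b["stdev"], 0.5 * b["mean"])
        if count > threshold:
            findings.append((host, "volume_spike", count))
        for user in sorted(new_users[host]):
            findings.append((host, "new_user", user))
    return findings


if __name__ == "__main__":
    for finding in detect(build_baseline(HISTORY), TODAY):
        print(finding)
```

With the constructed data, web01's eleven logins stay inside its learned band and produce nothing, while files01 is reported twice: a volume spike (twenty logins against a baseline of two) and a never-before-seen account. In a real SOC the history would come from the SIEM rather than a synthetic list, and the two findings would be correlated into a single alert for the triage queue.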
Root cause investigation
After an incident, the SOC is responsible for determining exactly what happened, when, how and why. During this investigation, the SOC uses log data and other information to trace the problem back to its source, which helps prevent similar problems in the future.
Refine and improve security
Cybercriminals are constantly improving their tools and tactics, and to stay one step ahead of them the SOC must constantly improve as well. During this stage the plans laid out in the security roadmap come to life, but this refinement can also include hands-on practices such as red-team and purple-team exercises.
Compliance management
Many SOC processes are guided by established best practices, but some are governed by compliance requirements. The SOC is responsible for regularly auditing its systems to ensure compliance with these regulations, which may be issued by the organization itself, its industry or government agencies. Examples of such regulations include GDPR, HIPAA and PCI DSS. Acting in accordance with these regulations not only protects the confidential data entrusted to the company, but also protects the organization against the reputational damage and legal challenges that follow a violation.