Role of the Security Operations Center
A Security Operations Center (SOC) is a security team that continuously monitors and analyzes an organization's network. In addition, a SOC is responsible for incident detection, containment, eradication, and recovery. According to Juliana De Groot from Digital Guardian, roles within a SOC include:
Manager
Analyst
Investigator
Responder
Auditor
Incident Detection & Containment
Incident Detection is all about being proactive. Continuous monitoring consists of proactive vulnerability detection and log/configuration tracking. Periodic pentests should also be performed to check the perimeter security (Silent Breach, n.d.). Finally, containment refers to the strategies used to stop the spread of a cyberattack. Misnomer from InfoSec Nirvana lays out some of these strategies:
Stop outbound communication from infected machines
Block inbound traffic
IDS/IPS Filters
Web Application Firewall policies
Null route DNS
Switch based VLAN isolation
Port blocking
IP or MAC Address blocking
ACLs
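The following is an added example, not code from the essay or any of its sources. It ties the detection step (log tracking) to the containment strategies listed above: it scans constructed firewall/proxy log lines for traffic to a known command-and-control indicator, identifies the internal hosts that contacted it, and emits the corresponding containment actions (outbound and inbound blocks, VLAN quarantine, MAC blocking, an ACL entry and a DNS null route). Every IP, hostname, MAC, switch name, VLAN id and the C2 indicator are constructed placeholders, and the rule syntaxes (iptables-style, Cisco-style ACL, an RPZ record) are illustrative assumptions.

```python
"""Added example (not from the original essay): detection over sample log lines
followed by a containment plan built from the strategies listed in the essay.
All indicators, hosts and inventory data below are constructed placeholders."""
import re
from collections import defaultdict

# Constructed indicator of compromise (placeholder, not a real C2 address/name).
C2_INDICATORS = {"198.51.100.7", "c2.example.invalid"}

# Constructed log lines in a simplified "timestamp key=value ..." format.
SAMPLE_LOGS = [
    "2024-05-01T10:00:01Z action=allow src=10.0.5.23 dst=198.51.100.7 dport=443 host=c2.example.invalid",
    "2024-05-01T10:00:07Z action=allow src=10.0.5.23 dst=198.51.100.7 dport=443 host=c2.example.invalid",
    "2024-05-01T10:00:09Z action=allow src=10.0.5.41 dst=93.184.216.34 dport=443 host=example.com",
    "2024-05-01T10:00:12Z action=allow src=10.0.5.23 dst=198.51.100.7 dport=443 host=c2.example.invalid",
    "2024-05-01T10:01:03Z action=allow src=10.0.7.8 dst=198.51.100.7 dport=8080 host=c2.example.invalid",
]

KV_RE = re.compile(r"(\w+)=(\S+)")

# Constructed asset inventory (placeholders): where each host sits on the network.
ASSET_INVENTORY = {
    "10.0.5.23": {"mac": "00:11:22:33:44:55", "switch": "sw-floor2", "port": "Gi1/0/12"},
    "10.0.7.8": {"mac": "00:11:22:33:44:aa", "switch": "sw-floor3", "port": "Gi1/0/3"},
}
QUARANTINE_VLAN = 999  # assumed id of the isolation VLAN


def parse_line(line: str) -> dict:
    """Turn one key=value log line into a dict; the leading token is the timestamp."""
    fields = dict(KV_RE.findall(line))
    fields["ts"] = line.split(" ", 1)[0]
    return fields


def detect_infected_hosts(lines, indicators=C2_INDICATORS, min_hits=1):
    """Return {src_ip: hit_count} for hosts that reached an indicator at least min_hits times."""
    hits = defaultdict(int)
    for line in lines:
        f = parse_line(line)
        if f.get("dst") in indicators or f.get("host") in indicators:
            hits[f["src"]] += 1
    return {ip: n for ip, n in hits.items() if n >= min_hits}


def containment_plan(infected, indicators=C2_INDICATORS, inventory=ASSET_INVENTORY):
    """Build the containment actions for each infected host as structured records."""
    actions = []
    for ip in sorted(infected):
        # Stop outbound communication from the infected machine.
        actions.append({"type": "egress_block", "host": ip,
                        "rule": f"iptables -I FORWARD -s {ip} -j DROP"})
        # Block inbound traffic so the host cannot be used as a pivot.
        actions.append({"type": "ingress_block", "host": ip,
                        "rule": f"iptables -I FORWARD -d {ip} -j DROP"})
        # Switch-based VLAN isolation and MAC blocking when the host is in inventory.
        asset = inventory.get(ip)
        if asset:
            actions.append({"type": "vlan_quarantine", "host": ip, "switch": asset["switch"],
                            "port": asset["port"], "vlan": QUARANTINE_VLAN})
            actions.append({"type": "mac_block", "host": ip, "mac": asset["mac"]})
    # Deny the indicators network-wide, not only for the hosts already seen.
    for ind in sorted(indicators):
        if re.fullmatch(r"\d+\.\d+\.\d+\.\d+", ind):
            actions.append({"type": "acl_deny", "indicator": ind,
                            "rule": f"deny ip any host {ind}"})
        else:
            # RPZ record that null-routes the name (returns NXDOMAIN to clients).
            actions.append({"type": "dns_null_route", "indicator": ind,
                            "rule": f"{ind} CNAME ."})
    return actions


if __name__ == "__main__":
    infected = detect_infected_hosts(SAMPLE_LOGS)
    for action in containment_plan(infected):
        print(action)
```

The `min_hits` threshold is what a SOC analyst would tune: a single hit may be a false positive (for example a security scanner resolving the name), whereas repeated beaconing from one source is a strong signal. The plan is returned as data rather than executed so it can be reviewed by a responder before any rule is pushed.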
Eradication & Recovery
Eradication means removing threats and restoring affected systems to their previous state. At the same time, recovery is "Testing, monitoring, and validating systems while putting them back into production in order to verify that they are not re-infected or compromised" (Lord, 2021). Zbigniew Banach from Netsparker lists seven crucial components of cyber incident recovery.
Define specific recovery goals
Determine Vital Assets
Have an effective backup policy
Determine Personnel
Define Communication Channels
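As an added example that is not part of the essay or its sources, the check below implements the "validating systems while putting them back into production" part of recovery: a restored host's configuration files are hashed and compared with a known-good baseline taken before the incident, and the host is searched for the indicators found during the investigation. The baseline contents, file paths and indicators are constructed placeholders.

```python
"""Added example (not from the original essay): validating a restored system
against a known-good baseline and the incident's indicators before it goes
back into production. All file contents and indicators are constructed."""
import hashlib


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed known-good file contents captured before the incident (placeholders).
GOLDEN_FILES = {
    "/etc/ssh/sshd_config": b"PermitRootLogin no\nPasswordAuthentication no\n",
    "/etc/crontab": b"0 3 * * * root /usr/local/bin/backup.sh\n",
    "/usr/local/bin/backup.sh": b"#!/bin/sh\nrsync -a /srv /backup\n",
}
# The baseline stores only hashes, which is what a SOC would keep in its config-tracking system.
BASELINE = {path: sha256(content) for path, content in GOLDEN_FILES.items()}

# Constructed indicators from the incident: a persistence path and a C2 name (placeholders).
INCIDENT_IOCS = {
    "paths": {"/tmp/.x/persist.sh"},
    "strings": {b"c2.example.invalid"},
}


def validate_recovery(restored: dict, baseline=BASELINE, iocs=INCIDENT_IOCS) -> list:
    """Compare a restored host (path -> bytes) with the baseline and IOC list.

    Returns a list of findings; an empty list means the host passed validation
    and can be returned to production."""
    findings = []
    # 1. Every baseline file must exist and match its known-good hash.
    for path, expected in baseline.items():
        if path not in restored:
            findings.append(f"missing baseline file: {path}")
        elif sha256(restored[path]) != expected:
            findings.append(f"hash mismatch: {path}")
    # 2. Files outside the baseline are suspicious; known IOC paths are a hard failure.
    for path in restored:
        if path not in baseline:
            findings.append(f"unexpected file: {path}")
        if path in iocs["paths"]:
            findings.append(f"IOC path present: {path}")
    # 3. No file may contain an indicator string (for example the C2 hostname).
    for path, content in restored.items():
        for marker in iocs["strings"]:
            if marker in content:
                findings.append(f"IOC string in {path}")
    return findings


if __name__ == "__main__":
    # Constructed "still compromised" host: modified crontab plus a persistence script.
    reinfected = dict(GOLDEN_FILES)
    reinfected["/etc/crontab"] = b"* * * * * root /tmp/.x/persist.sh\n"
    reinfected["/tmp/.x/persist.sh"] = b"#!/bin/sh\ncurl c2.example.invalid\n"
    for finding in validate_recovery(reinfected):
        print(finding)
```

In practice the baseline would cover far more than three files and would be generated by the same log/configuration tracking used for continuous monitoring, which is why keeping that tracking in place before an incident directly shortens recovery afterwards.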
Summary
It is important to understand the best practices for each phase of incident response: incident detection, containment, eradication, and recovery. Understanding what a SOC is and what its roles are before, during, and after a cyber incident is essential for success.
References
Banach, Z. (2019, September 17). 7 crucial components of cyber incident recovery. Netsparker. https://www.netsparker.com/blog/web-security/incident-recovery/
Groot, J. (2020, November 25). What is a security operations center (SOC)? Digital Guardian. https://digitalguardian.com/blog/what-security-operations-center-soc
Lord, N. (2021, August 6). What is incident response? Digital Guardian. https://digitalguardian.com/blog/what-incident-response
Misnomer. (2015, March 10). Part 4 – Incident containment. InfoSec Nirvana. https://infosecnirvana.com/part-4-incident-containment/
Silent Breach. (n.d.). Continuous monitoring and incident response. https://silentbreach.com/incident-detection-and-response.php