Security Operation Center (computing)
A Security Operation Center (SOC) is an organization that delivers IT security services. It attempts to prevent unauthorized access and to manage security-related incidents using defined processes and procedures. Its mission is risk management through centralized analysis, drawing on the combined resources of personnel, dedicated hardware and specialized software. Typically, these systems operate around the clock. These resources offer continuous risk analysis and guarantee protection against intrusion. Internet security is a resource-intensive task in both time and personnel. Many organizations prefer to outsource this task to specialists in the field.
Outsourcing to a Security Partner allows an organization to lower its IT management costs and focus on its core business. The Security Partner delivers high-quality service by hiring only the most qualified professionals. The SOC's work consists of monitoring and analyzing firewall activity, Intrusion Detection System (IDS) activity, antivirus activity, individual vulnerabilities, etc. These technologies and processes change rapidly and require that personnel stay abreast of the latest developments.
Possible SOC Services
* Proactive Analysis & System Management
* Security Device Management
* Reporting
* Security Alert
* DDoS Mitigation
* Security Assessment
* Technical Assistance
Proactive Analysis and System Management
This service provides proactive analysis of the systems and security devices of an installation (Intrusion Detection Systems, Intrusion Prevention Systems, firewalls, etc.). This anti-intrusion service offers centralized management of security.
Personnel need only concern themselves with the functions of the monitoring tools, rather than the complexity of any device under scrutiny.
Tools used by the SOC must be scalable, for example to allow adding a new IDS (Intrusion Detection System) alongside those already in place.
The SOC also performs Policy Management, including Remote Policy Management. Configuration of devices and security policies must be constantly updated as the system grows and evolves.
Security Device Management
The Security Device Management (SDM) service is composed of the following elements:
- Fault Management
- Configuration Management
Fault Management
The main objective of Fault Management is to ensure the continuous operation of the security infrastructure. The activity includes:
- Monitoring of client security devices
- Fault Detection and Signaling
- Fault Reporting
- Corrective Action Determination
- Corrective Action Implementation
- System Recovery (if necessary)
Configuration Management
The main objective of Configuration Management is to ensure the continuous enforcement of firewall rules tailored to customer needs. It applies to all equipment managed by the SOC and includes data packet discard / acceptance rules between an external source and an internal destination (or vice versa) based on:
- Source address.
- Destination address.
- Network protocol.
- Service protocol.
- Traffic log.
Configuration Management may be performed remotely (Remote Configuration Management).
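As an added illustration (not code from the page or from any SOC product), the following first-match rule evaluator is built around exactly the five fields the list above names. It assumes a constructed rule format in which "network protocol" is the IP protocol (tcp/udp/icmp) and "service protocol" is the destination port; the sample policy and flows are constructed.

```python
"""First-match firewall rule evaluation over source address, destination
address, network protocol, service protocol (port) and a traffic-log flag.
Constructed example for illustration; rule format and policy are invented."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    src: str                # CIDR, e.g. "10.0.0.0/8"; "0.0.0.0/0" = any
    dst: str                # CIDR
    proto: str              # network protocol: "tcp", "udp", "icmp" or "any"
    service: Optional[int]  # service protocol as destination port; None = any
    action: str             # "accept" or "discard"
    log: bool = False       # write a traffic-log entry when this rule matches

def matches(rule: Rule, src: str, dst: str, proto: str, dport: Optional[int]) -> bool:
    """A flow matches when every populated field of the rule matches it."""
    if ipaddress.ip_address(src) not in ipaddress.ip_network(rule.src):
        return False
    if ipaddress.ip_address(dst) not in ipaddress.ip_network(rule.dst):
        return False
    if rule.proto != "any" and rule.proto != proto:
        return False
    if rule.service is not None and rule.service != dport:
        return False
    return True

def evaluate(rules, src, dst, proto, dport=None, log=None):
    """Return the action of the first matching rule. An implicit final rule
    discards and logs, so a flow no rule covers is never silently accepted."""
    log = log if log is not None else []
    for rule in rules:
        if matches(rule, src, dst, proto, dport):
            if rule.log:
                log.append(f"{rule.action} {proto} {src}->{dst}:{dport}")
            return rule.action
    log.append(f"discard {proto} {src}->{dst}:{dport} (implicit)")
    return "discard"

# Constructed policy: internal clients may reach the DMZ web server on 443,
# the management subnet may SSH into the DMZ, everything else is discarded
# and logged so the SOC sees the rejected traffic in its reports.
POLICY = [
    Rule("10.0.0.0/8", "192.0.2.10/32", "tcp", 443, "accept"),
    Rule("10.1.1.0/24", "192.0.2.0/24", "tcp", 22, "accept", log=True),
    Rule("0.0.0.0/0", "0.0.0.0/0", "any", None, "discard", log=True),
]
```

Passing a list as `log` collects the traffic-log entries, which is the raw material the Reporting service later consolidates.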
Reporting
Logs generated by the various system components are consolidated and reformatted into an easily understandable report for the customer. This reporting is particularly important because, besides providing details of any possible intrusion by unauthorized parties or of accidents, it may also allow the customer to take preventive action.
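As an added example of the consolidation step (not code from the page), the script below normalizes constructed firewall, IDS and antivirus log lines, the three sources the introduction names, onto one common schema and renders a short summary report. All line formats, hostnames and signature ids are invented for the example.

```python
"""Consolidate firewall, IDS and antivirus log lines into one normalized
event list plus a summary report. Constructed illustration; formats invented."""
import re
from collections import Counter

# Constructed sample lines, one format per source (not real product output).
RAW_LOGS = [
    ("firewall", "2010-03-01T10:00:01 DROP src=203.0.113.5 dst=192.0.2.10 proto=tcp dport=22"),
    ("firewall", "2010-03-01T10:00:02 DROP src=203.0.113.5 dst=192.0.2.10 proto=tcp dport=23"),
    ("ids", "2010-03-01T10:00:03 [1:1000001] Possible SSH scan 203.0.113.5 -> 192.0.2.10"),
    ("antivirus", "2010-03-01T10:05:00 host=ws-17 threat=Test.Signature.Sample action=quarantined"),
]

PARSERS = {
    "firewall": re.compile(r"^(?P<ts>\S+) (?P<action>\w+) src=(?P<src>\S+) dst=(?P<dst>\S+) proto=\w+ dport=(?P<dport>\d+)$"),
    "ids": re.compile(r"^(?P<ts>\S+) \[(?P<sid>[\d:]+)\] (?P<msg>.+?) (?P<src>\S+) -> (?P<dst>\S+)$"),
    "antivirus": re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) threat=(?P<threat>\S+) action=(?P<action>\w+)$"),
}

def normalize(source, line):
    """Map one raw line onto the common schema: ts, source, src, summary.
    Unparsable lines are kept (flagged) rather than dropped, so gaps in the
    report are visible to the analyst."""
    m = PARSERS[source].match(line)
    if not m:
        return {"ts": None, "source": source, "src": None, "summary": f"unparsed: {line}"}
    f = m.groupdict()
    if source == "firewall":
        summary = f"{f['action']} {f['src']}->{f['dst']}:{f['dport']}"
    elif source == "ids":
        summary = f"{f['msg']} ({f['sid']})"
    else:
        summary = f"{f['threat']} on {f['host']} {f['action']}"
    return {"ts": f["ts"], "source": source, "src": f.get("src"), "summary": summary}

def build_report(raw):
    """Return (events sorted by time, report text) for the customer."""
    events = sorted((normalize(s, l) for s, l in raw), key=lambda e: e["ts"] or "")
    by_source = Counter(e["source"] for e in events)
    top_src = Counter(e["src"] for e in events if e["src"]).most_common(1)
    lines = [f"Events: {len(events)} " + ", ".join(f"{k}={v}" for k, v in sorted(by_source.items()))]
    if top_src:
        lines.append(f"Most active source address: {top_src[0][0]} ({top_src[0][1]} events)")
    lines += [f"{e['ts']} {e['source']:<9} {e['summary']}" for e in events]
    return events, "\n".join(lines)

if __name__ == "__main__":
    print(build_report(RAW_LOGS)[1])
```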
Security Alert
The security alert service is designed to notify customers in a timely fashion of the discovery of new vulnerabilities, so that countermeasures can be put in effect in time to mitigate or negate the impact of an attack.
Distributed Denial of Service (DDoS) Mitigation
The DDoS Mitigation service attempts to mitigate the effects of a Denial of Service attack directed at a critical function of a client's web infrastructure. It receives notification of an attack on a client service. Countermeasures are activated and evaluated. Traffic is 'cleaned' and re-routed. An 'End-of-attack Notification' is reported and logged.
Security Assessment
These functions comprise the Security Assessment:
- Vulnerability Assessment
- Penetration Test
Vulnerability Assessment
The Vulnerability Assessment searches for known vulnerabilities in the installed systems and software. It is carried out with specific technologies that are configured and customized for each assessment.
Penetration Test
The Penetration Test is performed to isolate and exploit known or unknown vulnerabilities of systems, services and installed web applications. It attempts to quantify the threat level each system represents and the impact. This activity is carried out either through a number of technologies that are configured and customized per assessment, or manually for each service, system and application.
Technical Assistance
The SOC can provide general technical assistance for any issue regarding system operation, system violations, system updates, and security hardware and software updates and configuration. Technical assistance can be provided remotely or on-site depending on the level of service.
Wikimedia Foundation. 2010.