安全运营中心(SOC)

Learn how a security operations center serves as a tactical console for performing complex tasks.

查看MDR服务

什么是安全运营中心(SOC)?

安全操作中心, 通常称为SOC, 中央总部是真的吗, 物理位置或虚拟组织—用于监视, 检测, 和 responding to security issues 和 incidents that a business may face. 有几种模型可以将SOC作为更大的系统的一部分来实现 事件检测和响应(IDR) program, including in-house models, co-managed models, 和 fully managed or outsourced models.

You might think of a SOC like a stereotypical movie war room: a dark room filled with complex maps, 的显示器, 还有戴着耳机的分析师. 然而, most SOCs aren't really a physical presence or room; more accurately, they're a formally organized team dedicated to a specific set of security roles for 检测 和 validating threats within a company or organization's environment.

 

SOC是做什么的?

SOC执行许多与安全相关的任务, including continuously monitoring security operations 和 incidents 和 responding to issues that may arise. The various responsibilities within a cybersecurity team can be extremely complex, 和 a SOC not only serves as the tactical console to empower team members to perform their day-to-day tasks, 但也作为一个战略中心,让团队意识到更大, 长期安全趋势.

A typical SOC tracks any number of security alerts that an organization might encounter, 包括通过技术和工具通知潜在威胁, 还有员工, 合作伙伴, 还有外部资源.

The SOC then typically investigates 和 validates the reported threat to ensure it's not a false positive (i.e. 一个实际上无害的威胁报道). 如果 security incident is deemed to be valid 和 requires a response, the SOC h和s it over to the appropriate persons or teams for response 和 recovery.

这需要复杂的专业知识组合, 过程, 和组织有效地运行SOC作为整体的一部分 威胁检测和响应程序. That's why every organization may not be able to support or resource a SOC in-house. Instead, many opt to have their SOC managed by an outside agency, known as 安全运营中心即服务(SOCaaS).

SOC有哪些组件? 

The components in a SOC are many in number 和 must be structured 和 in place before a SOC is a viable option. 让我们来看看其中几个: 

  • 攻击面管理程序: This includes threat prevention technology for all threat ingress 和 egress avenues, regular 漏洞扫描 (以及相关的补丁), 渗透测试, 用户身份验证和授权, 资产管理, 外部应用程序测试(带有相关的补丁), 远程访问管理. 
  • 事件应变计划:通常, one of the main goals of introducing a SOC into an IDR program is increasing the effectiveness of 检测 threats in the organization's environment. 如果 事件响应流程 that follow a breach's discovery are not in place 和 tested regularly, 你只是在处理一个有效的IDR计划的一些组成部分. 
  • 灾难恢复计划: A breach is simply one specific example of a disaster from which organizations need to recover. Once the detected breach has been fully scoped 和 the affected assets, 应用程序, 用户也得到了控制, there needs to be a plan in place to restore normal business operating 过程es. 这需要时间,而且说起来容易做起来难, but it’s necessary to get essential systems up 和 running as close to normal as possible 和 as quickly as possible – returning to something close to normal will also help organizational morale.

SOC设置需要什么? 

SOC设置需要三个主要元素. Regardless of whether the SOC is created in-house or outsourced to a managed provider, 准备好这些核心功能对成功至关重要.

Underst和ing SOC analysts’ roles 和 responsibilities is an important precursor to selecting the technology that will run your SOC. The teams you create 和 the tasks you give them will be dependent on your organization’s existing structure. 例如, if you’re building a SOC to augment existing threat detection 和 response capabilities, you’ll want to consider which specific tasks the SOC team members are responsible for 和 which fall on the non-SOC IDR teams.

You’ll also want to divide responsibilities between SOC analysts – 和 potentially consider SOC automation where possible – so there’s a clear underst和ing of who h和les high-fidelity alerts, 谁验证低保真警报, 谁升级警报, 谁去寻找突发威胁, 等. Many SOCs operate within a tiered-staffing framework to establish clear responsibilities 和 hierarchy.

技术

Deciding what technology the SOC uses is where time spent establishing the roles 和 responsibilities mentioned above will pay off. 他们会使用什么技术? 他们可能需要组合日志聚合工具, 用户行为分析、端点查询、实时搜索等等. It’ll be important to look at how SOC analysts are using your technology 和 determine whether the existing technology is helping or hindering 过程es – 和 whether new tech will need to replace it. It’s also important to have communication tools in place to enable collaboration among analysts. 其他重要考虑因素:

  • 您的操作环境(云、内部部署或混合) 
  • 您面临的威胁类型(恶意软件、网络钓鱼等).)
  • The compliance m和ates you're required to uphold (HIPAA, SOC2, ISO 27001, 等.) 

流程

Establishing 过程es that the people 和 technology outlined above will follow is the final component you’ll need to consider when getting started with a SOC. 如果需要验证安全事件会发生什么, 报道了, 升级, 或者交给另一个团队? 你将如何收集和分析指标?

These 过程es must act as a framework precise enough to ensure investigative leads are h和led in order of criticality, 但是足够松散,不能支配分析过程. 流程可以建立或破坏SOC的有效性, so incident management workflows should be established from the start to ensure each step in the 过程 is part of a larger strategy.

以上几点在使用an时仍然适用 托管SOC提供商. SOC将是一个值得信赖的组织伙伴, 和 as such it’s essential they’re proactive 和 regular in their communications, 透明度, 反馈, 和 collaboration with you to make sure your SOC is as successful 和 effective as possible.

阅读更多关于SOC战略