08 - Art - Security Operation Center SOC
Security Operations Center (SOC)

with each other. In general, SOC activities can be classified as reactive and proactive, although the two cannot always be clearly separated. In the following, the three main building blocks of an SOC are described briefly:

People: Since people play an essential role in a company's security, they are also an important part of an SOC. From the SOC manager to the analyst, a variety of roles can be defined within an SOC. The analyst roles are commonly classified according to their expertise into tier 1 to tier 3. Tier 1 analysts, often referred to as triage specialists, are mainly responsible for raw data collection and forward most problems or incidents to higher-tier analysts. In contrast, tier 3 analysts are the most experienced staff in an SOC and handle the most complex incidents. Usually, only the SOC manager ranks above them. Furthermore, raising the security awareness of employees can also be counted among the responsibilities of an SOC.

Processes: Processes in an SOC are usually aligned with the incident lifecycle, consisting of incident detection, incident analytics, and response. In this context, forensics and threat intelligence are often mentioned as particularly important and are therefore highlighted as stand-alone process steps.

Technologies: The central technology utilized within an SOC is usually a Security Information and Event Management (SIEM) tool. It supports analysts by centrally collecting all security-relevant information needed to detect incidents; it also offers visualization options and the ability to detect incidents automatically.

SOCs are quite common in today's IT security landscape, especially in medium to large companies. An SOC usually comprises about 2–25 analysts, and most SOCs use SIEM technology to correlate and analyze event data for threat detection (Crowley and Pescatore 2019).

Open Problems and Future Directions

An upcoming challenge is the future shortage of well-trained IT security staff: on the one hand, the need for staff is rising, and on the other hand, the training of new staff cannot keep up with that need. Therefore, it is necessary to make the work within an SOC more efficient and less demanding in terms of security expert knowledge. This can be achieved by providing employees with advanced tools, such as visualization software or simulation techniques as in Dietz et al. (2020). Additionally, more effort should be put into the effective training of SOC analysts. Another solution to this problem can be offered by security orchestration, automation, and response (SOAR), which currently receives much attention in the research community; here, research is still necessary in order to lower the dependence on human analysts.

As mentioned before, the area of processes within an SOC is largely neglected in academic research. This leads to a lack of general guidelines on establishing an SOC within an organization. Future research should develop frameworks or guidelines that facilitate an SOC setup, in close cooperation with practitioners. Since SOCs are already quite popular in bigger enterprises, research should focus on deriving and documenting the best-practice knowledge gained there.

Cross-References

Security Information and Event Management

References

Bidou R, Bourgeois J, Spies F (2004) Towards a global security architecture for intrusion detection and reaction management. In: Information security applications, vol 2908. Springer, Berlin/Heidelberg, pp 111–123
Crowley C, Pescatore J (2019) Common and best practices for security operations centers: results of the 2019 SOC survey. SANS Institute. Available online at https://www.sans.org/media/analyst-program/common-practices-security-operations-centers-results-2019-soc-survey-39060.pdf
Dietz M, Vielberth M, Pernul G (2020) Integrating digital twin security simulations in the security operations center. In: Proceedings of the 15th International Conference on Availability, Reliability and Security (ARES). ACM, pp 1–9
Kelley D, Moritz R (2006) Best practices for building a security operations center. Inf Syst Secur 14(6):27–32
Madani A, Rezayi S, Gharaee H (2011) Log management comprehensive architecture in Security Operation Center (SOC). In: 2011 International Conference on Computational Aspects of Social Networks (CASoN), Salamanca, pp 284–289
Miloslavskaya N (2017) Security intelligence centers for big data processing. In: 5th International Conference on Future Internet of Things and Cloud Workshops (FiCloudW), Prague. IEEE, pp 7–13
Schinagl S, Schoon K, Paans R (2015) A framework for designing a Security Operations Centre (SOC). In: 48th Hawaii International Conference on System Sciences (HICSS), Kauai, pp 2253–2262
Syed R, Syrame M, Bourgeois J (2013) Protecting grids from cross-domain attacks using security alert sharing mechanisms. Futur Gener Comput Syst 29(2):536–547
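The Technologies paragraph above describes the SIEM as the tool that centrally collects security-relevant events from many sources and detects incidents automatically by correlating them, and the People paragraph describes tier 1 triage forwarding incidents to higher tiers. The following script is an added example written for this page; it is not code from the article, from the cited works, or from any SIEM product. It normalizes two constructed log sources (an sshd authentication log and a firewall log, both invented for the example) into one event schema, runs a single correlation rule (at least five failed logins from one source IP within 60 seconds followed by a successful login from the same IP), enriches the resulting alert with the firewall events seen from that IP in the same window, and tags it with a severity and an escalation target. The log lines, field names, threshold, window and rule name are all assumptions.

```python
"""Toy SIEM correlation: normalize two log sources, run one rule, emit enriched alerts.
Added example for this page; the log lines, schema, threshold and rule name are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample input (not from the article): one sshd log and one firewall log.
SSHD_LOG = """\
2024-03-01T10:00:01Z Failed password for invalid user admin from 203.0.113.7 port 51000 ssh2
2024-03-01T10:00:03Z Failed password for root from 203.0.113.7 port 51002 ssh2
2024-03-01T10:00:05Z Failed password for root from 203.0.113.7 port 51004 ssh2
2024-03-01T10:00:07Z Failed password for root from 203.0.113.7 port 51006 ssh2
2024-03-01T10:00:09Z Failed password for root from 203.0.113.7 port 51008 ssh2
2024-03-01T10:00:12Z Accepted password for root from 203.0.113.7 port 51010 ssh2
2024-03-01T10:05:00Z Failed password for alice from 198.51.100.4 port 40000 ssh2
2024-03-01T10:06:00Z Accepted publickey for alice from 198.51.100.4 port 40002 ssh2
"""
FIREWALL_LOG = """\
2024-03-01T10:00:00Z DENY TCP src=203.0.113.7 dst=10.0.0.5 dport=23
2024-03-01T10:00:11Z ALLOW TCP src=203.0.113.7 dst=10.0.0.5 dport=22
2024-03-01T10:05:30Z ALLOW TCP src=198.51.100.4 dst=10.0.0.5 dport=22
"""

SSH_RE = re.compile(
    r"^(?P<ts>\S+) (?P<outcome>Failed|Accepted) (?:password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)")
FW_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>DENY|ALLOW) TCP src=(?P<ip>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)")


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def normalize(source, text):
    """Map raw lines of one source onto the common event schema the rules consume.
    Lines that do not match are dropped (a real SIEM would count them as parse errors)."""
    events = []
    for line in text.splitlines():
        if source == "sshd" and (m := SSH_RE.match(line)):
            events.append({"ts": parse_ts(m["ts"]), "source": "sshd", "src_ip": m["ip"],
                           "user": m["user"],
                           "outcome": "success" if m["outcome"] == "Accepted" else "failure"})
        elif source == "firewall" and (m := FW_RE.match(line)):
            events.append({"ts": parse_ts(m["ts"]), "source": "firewall", "src_ip": m["ip"],
                           "dst": m["dst"], "dport": int(m["dport"]),
                           "outcome": m["action"].lower()})
    return events


def correlate(events, threshold=5, window=timedelta(seconds=60)):
    """Rule: >= threshold failed logins from one IP inside `window`, then a successful
    login from the same IP -> alert, enriched with that IP's firewall events in the window."""
    alerts = []
    failures = defaultdict(list)  # src_ip -> timestamps of failures still inside the window
    firewall = [e for e in events if e["source"] == "firewall"]
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["source"] != "sshd":
            continue
        ip = ev["src_ip"]
        # slide the window: forget failures older than `window` relative to this event
        failures[ip] = [t for t in failures[ip] if ev["ts"] - t <= window]
        if ev["outcome"] == "failure":
            failures[ip].append(ev["ts"])
            continue
        if len(failures[ip]) >= threshold:
            context = [f for f in firewall
                       if f["src_ip"] == ip and ev["ts"] - window <= f["ts"] <= ev["ts"]]
            alerts.append({
                "rule": "ssh_bruteforce_then_success",
                "severity": "high",
                "escalate_to": "tier 2",  # beyond what tier 1 triage handles alone
                "src_ip": ip, "user": ev["user"],
                "failures": len(failures[ip]),
                "first_failure": failures[ip][0], "success_at": ev["ts"],
                "firewall_context": context,
            })
        failures[ip].clear()  # a success (alerted or not) ends the attempt sequence
    return alerts


def run_siem():
    """Central collection step: merge all sources, then run the rule set."""
    events = normalize("sshd", SSHD_LOG) + normalize("firewall", FIREWALL_LOG)
    return correlate(events)


if __name__ == "__main__":
    for a in run_siem():
        print(f"[{a['severity']}] {a['rule']}: {a['src_ip']} -> {a['user']} after "
              f"{a['failures']} failures; firewall events in window: "
              f"{len(a['firewall_context'])}; escalate to {a['escalate_to']}")
```

On the constructed input the rule fires once, for 203.0.113.7 logging in as root after five failures, and stays silent for alice's single typo. The two steps mirror the two SIEM functions the article names: `normalize` is the central collection into one schema, and `correlate` is the automatic detection; the severity and escalation fields are what a tier 1 analyst would act on when forwarding the case.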