Security Operations Center (SOC)
You think it is possible to ensure security once and for all?
No, it must be maintained and improved constantly. Security is not a state, but a process.
Consider a subscription to our continuous services: Team Extension, Website Protection, and comprehensive SOC as a Service (SOCaaS) described below. We also help large companies assess and improve their own SOCs, and build them from scratch.
SOC mission and goals
The mission of a SOC is comprehensive continuous management of cyber security risks, vulnerabilities, threats, and incidents. The mission statement includes the following five proactive and reactive practical goals:
- Prevention of cybersecurity incidents through proactive:
- continuous threat analysis;
- network and host scanning for vulnerabilities;
- countermeasure deployment coordination;
- security policy and architecture consulting.
- Monitoring, detection, and analysis of potential intrusions in real time and through historical trending on security-relevant data sources. These SOC functions are the most important. Security Information and Event Management (SIEM) systems are used to achieve this.
- Response to confirmed incidents, by coordinating resources and using timely and appropriate countermeasures.
- Situational awareness and reporting on cybersecurity status, incidents, and trends in criminal behavior, provided for appropriate organizations (customer, authorities).
- Engineering and operating Computer Network Defense (CND) technologies such as IDS and data collection/analysis systems.
Characteristics of our Cyber SOC Services
Please choose the characteristics most suitable for you, depending on your policies, prerequisites, needs, and plans. Here we use the terms and definitions from “Ten Strategies of a World-Class Cybersecurity Operations Center” by MITRE.
- Organizational relationship of our SOC services can be external SOC or combined external/internal SOC, where part of the SOC team is your staff, and another part is our experts. Also, we can just consult your internal SOC team.
- Organizational model of our SOC services is full-scale centralized SOC. Although your SOC team can be distributed, centralized or combined, it may still lack full capabilities. We can help you to upgrade your SOC solution to the full-scale centralized model
- SOC authority you choose can be no authority (only monitoring and/or consulting), shared authority or full authority, where the SOC can take certain actions like sending user notifications or requests, without seeking or waiting for the approval or support from any higher-level party, for example, your corporate IT or security management.
- Incident life cycle authority can be reactive or proactive SOC. Reactive SOC can, for example, unplug a system from the network because something bad did happen (a security incident has occurred). Proactive SOC can act even in situations where something bad might happen (for example, a security vulnerability has been detected).
Capabilities of our Cyber SOC Services
Please choose the SOC capabilities that best fit your needs, given political and resource constraints.
- Real-time analysis. We provide both Call Center (usually corresponds to the Tier 1 or Level 1 team) and Real-Time Monitoring/Triage (usually corresponds to the Tier 2 or Level 2 team) capabilities. See also SOC Tiers.
- Intelligence and Trending. We provide Cyber Intelligence Collection and Analysis and Cyber Intelligence Distribution. Upon your request, we can deliver other intelligence capabilities.
- Incident Analysis and Response. We provide Incident Analysis, Incident Response Coordination, Countermeasure Implementation, On-site and/or Remotely. Upon your request, we can support other incident analysis and response capabilities.
- Artifact Analysis. We provide Forensic Artifact Handling, and Malware and Implant Analysis (reverse engineering). Depending on your demand, we can also provide Forensic Artifact Analysis.
- SOC Tool Life-Cycle Support. We provide Border Protection Device Operation and Maintenance (O&M), SOC Infrastructure O&M, Sensor Tuning and Maintenance, and Custom Signature Creation. Depending on your demand, we can also provide Tool Engineering and Deployment, and Tool Research and Development.
- Audit and Insider Threat. We provide all available audit and insider threat capabilities: Audit Data Collection and Distribution, Audit Content Creation and Management, Insider Threat Case Support, and Insider Threat Case Investigation.
- Scanning and Assessment. We provide all available scanning and assessment services: Network Mapping, Vulnerability Scanning, Vulnerability Assessment, and Penetration Testing.
- Outreach. We can provide you with any SOC-related activities, including: Product Assessment, Security Consulting, Training and Awareness Building, Situational Awareness, Redistribution of Tactics, Tasks and Procedures, and Media Relations.
Components of H-X SOC Services
It is well known that a SOC is based on the "three pillars":
- Technology: log management, security event and incident management, event sources, security orchestration automation & response, user behavior analytics and machine learning, threat hunting, etc.
- Processes: technological, business, analytical, operational, communications, etc.
- People: IT and security engineers, security analytics, incident response team, etc.
Our SOC components include all modern technology capabilities for incident and threat management:
- Log management platforms
- Security information and event management (SIEM) systems: IBM QRadar, Splunk, Micro Focus ArcSight, and others.
- Threat intelligence functionality
- Risk & Vulnerability management tools and processes
- User behavior & Entity analysis
- Machine learning
- Orchestration & Response
- Honeypots and Threat hunting
- Digital Forensics
- Distributed cloud platform with high availability architecture, etc.
Our capabilities include monitoring of the most popular server platforms, network technologies, applications, databases, virtualization platforms, storage, backups, cloud platforms, etc.
Tiers of Cyber SOC Teams
Our specialists cover all levels of SOC team functionality:
- Tier 1 (Level 1) – Alert Analysts continuously monitor the alert queues; triage security alerts; monitor the health of security sensors and endpoints; collect data and context necessary to initiate Tier 2 work.
- Tier 2 (Level 2) – Incident Responders perform deep-dive incident analysis by correlating data from various sources; determine if a critical system or data set has been impacted; advise on remediation; provide support for new analytic methods for detecting threats.
- Tier 3 (Level 3) – Subject Matter Experts and Threat Hunters possess in-depth knowledge of network, endpoint, threat intelligence, forensics, and malware reverse engineering, as well as the functioning of specific applications or underlying IT infrastructure; act as an incident “hunter”, not waiting for incidents to occur; closely involved in developing, tuning and implementing threat detection analytics.
SOC Delivery Workflow
SOC as a Service and In-house SOC implementation have much common, therefore can be described with the same workflow :
Why we are special
Our features and unique selling points are:
- Our SOC assessment, implementation, and optimization is based on modern scientific research in the field of cybersecurity threat management.
- Wide experience with the solutions of multiple vendors.
- Experience of SOC/SIEM optimization and scaling.
- High flexibility and competence working with SIEM components.
- Combination of the defensive and offensive security methods, and combination of the DevOps and security engineering functions.
Therefore, we can:
- make an asset inventory, assess and optimize the event logging and estimate event capacity even before signing the contracts;
- audit any legacy or existing SOC capabilities, effectively find gaps, refactor code and optimize methods and processes;
- design and implement distributed, scalable and fault-tolerant SIEM architectures;
- analyze assets deeply before connecting them to the SIEM: configure required controls, logging levels, and risks assessments, flexibly define appropriate ways of collecting logs (with or without an agent);
- develop custom parsing rules for non-standard or in-house developed applications;
- simulate real attacks and vulnerability exploitations to model deep analysis of logs and to minimize false positive alerts after implementation;
- make modern vulnerability scanners;
- provide public reputation and security tracking services for you continuously;
- deploy automatic incident handling tools;
- implement not only monitoring SOC but also operational SOC or control SOC, to respond to your business needs better.
Therefore, we have a comprehensive set of SOC technologies, processes and people to satisfy the business needs of small and medium enterprises.
We are passionate about what we do because we believe that we make this world safer and give people reassurance and confidence.
Click one of the buttons below to get a quote for a subscription to SOC as a service, or implementation/optimization of SOC on your premises: