Security Operations Center (SOC)
Security is not a state, but a process.
Security cannot be ensured once and for all; it must be maintained and improved continuously.
Consider subscribing to our continuous services: Team Extension, Website Protection, and the comprehensive SOC as a Service (SOCaaS) described below. We also help large companies assess and improve their own SOCs, and build them from scratch.
SOC mission and goals
The SOC mission is the comprehensive, continuous management of cyber security risks, vulnerabilities, threats and incidents. The mission breaks down into the following five proactive and reactive practical goals:
- Prevention of cybersecurity incidents through proactive:
  - continuous threat analysis;
  - network and host scanning for vulnerabilities;
  - countermeasure deployment coordination;
  - security policy and architecture consulting.
- Monitoring, detection, and analysis of potential intrusions in real time and through historical trending on security-relevant data sources. These are the most frequently requested SOC functions; Security Information and Event Management (SIEM) systems are the primary tool for them.
- Response to confirmed incidents, by coordinating resources and directing use of timely and appropriate countermeasures.
- Providing situational awareness and reporting on cybersecurity status, incidents, and trends in adversary behavior to appropriate organizations.
- Engineering and operating Computer Network Defense (CND) technologies such as IDSes and data collection/analysis systems.
Characteristics of our Cyber SOC Services
Please choose the characteristics most suitable for you, depending on your policies, prerequisites, needs and plans. Here and below, we use the terms and definitions from “Ten Strategies of a World-Class Cybersecurity Operations Center” by MITRE.
- Organizational relationship: our SOC services can operate as an external SOC or as a combined external/internal SOC, where part of the SOC team is your staff and the other part is our experts. We can also simply consult your internal SOC team.
- Organizational model: our SOC services follow the full-scale centralized SOC model. We can also help your own SOC team, whether it is currently distributed, combined or centralized but without full capabilities, reach the full-scale centralized model.
- SOC authority: you choose between no authority (only monitoring and/or consulting), shared authority, and full authority, where the SOC is able to take certain actions, such as sending user notifications or requests, without seeking or waiting for approval or support from any higher-level party, for example your corporate IT or security management.
- Incident life cycle authority: the SOC can be reactive or proactive. A reactive SOC can, for example, unplug a system from the network because something bad did happen (a security incident has occurred). A proactive SOC can act because something bad might happen (for example, a security vulnerability has been detected).
Capabilities of our Cyber SOC Services
Please choose the SOC capabilities that best fit your needs, given political and resource constraints.
- Real-time analysis. We provide both Call Center (usually corresponding to the Tier 1 or Level 1 team) and Real-Time Monitoring/Triage (usually corresponding to the Tier 2 or Level 2 team) capabilities. See also SOC Tiers.
- Intelligence and Trending. We provide Cyber Intelligence Collection and Analysis and Cyber Intelligence Distribution. Upon your request, we can deliver other intelligence capabilities.
- Incident Analysis and Response. We provide Incident Analysis, Incident Response Coordination, Countermeasure Implementation, On-site and/or Remotely. Upon your request, we can support other incident analysis and response capabilities.
- Artifact Analysis. We provide Forensic Artifact Handling, and Malware and Implant Analysis (reverse engineering). Depending on your demand, we can also provide Forensic Artifact Analysis.
- SOC Tool Life-Cycle Support. We provide Border Protection Device Operation and Maintenance (O&M), SOC Infrastructure O&M, Sensor Tuning and Maintenance and Custom Signature Creation. Depending on your demand, we can also provide Tool Engineering and Deployment, and Tool Research and Development.
- Audit and Insider Threat. We provide the full set of audit and insider threat capabilities: Audit Data Collection and Distribution, Audit Content Creation and Management, Insider Threat Case Support, and Insider Threat Case Investigation.
- Scanning and Assessment. We provide the full set of scanning and assessment services: Network Mapping, Vulnerability Scanning, Vulnerability Assessment, and Penetration Testing.
- Outreach. We can perform any SOC outreach activities for you, namely: Product Assessment, Security Consulting, Training and Awareness Building, Situational Awareness, Redistribution of Tactics, Techniques and Procedures (TTPs), and Media Relations.
Components of H-X SOC Services
It is well known that a SOC is based on the "three pillars":
- Technology: log management, security event and incident management, event sources, security orchestration, automation and response (SOAR), user behavior analytics and machine learning, threat hunting, etc.
- Processes: technological, business, analytical, operational, communications, etc.
- People: IT and security engineers, security analysts, incident response team, etc.
Our SOC components include all modern technology capabilities for incident and threat management:
- Log management platforms
- Security information and event management (SIEM) systems: IBM QRadar, Splunk, Micro Focus ArcSight and others.
- Threat intelligence functionality
- Risk & Vulnerability management tools and processes
- User and Entity Behavior Analytics (UEBA)
- Machine learning
- Security Orchestration, Automation and Response (SOAR)
- Honeypots and Threat hunting
- Digital Forensics
- Distributed cloud platform with high availability architecture, etc.
Our capabilities include monitoring of the most popular server platforms, network technologies, applications, databases, virtualization platforms, storage, backups, cloud platforms, etc.
Tiers of Cyber SOC Teams
Our specialists cover all levels of SOC team functionality:
- Tier 1 (Level 1) – Alert Analysts. Continuously monitor the alert queues; triage security alerts; monitor health of security sensors and endpoints; collect data and context necessary to initiate Tier 2 work.
- Tier 2 (Level 2) – Incident Responders. Perform deep-dive incident analysis by correlating data from various sources; determine if a critical system or data set has been impacted; advise on remediation; provide support for new analytic methods for detecting threats.
- Tier 3 (Level 3) – Subject Matter Experts and Threat Hunters. Possess in-depth knowledge on network, endpoint, threat intelligence, forensics and malware reverse engineering, as well as the functioning of specific applications or underlying IT infrastructure; act as an incident “hunter”, not waiting for escalated incidents; closely involved in developing, tuning and implementing threat detection analytics.
SOC Delivery Workflow
SOC as a Service and our in-house SOC implementation service have much in common, so both can be described with a single workflow:
Why we are special
What distinguishes us from other providers:
- Employing modern scientific results in the field of cyber security threat management for practical purposes of SOC assessment, implementation and optimization.
- Multi-vendor solution experience.
- Experience of SOC/SIEM optimization and scaling.
- Highest flexibility and deepest competence in SIEM components.
- Combination of the defensive and offensive security methods, and of the DevOps and security engineering functions.
Therefore, we are able to:
- inventory assets, assess and optimize event logging, and estimate event volume and capacity even before the contract is signed;
- audit any legacy or existing SOC capabilities, find gaps effectively, refactor rules and code, and optimize methods and processes;
- design and implement distributed, scalable and fault-tolerant SIEM architectures;
- analyze assets in depth before connecting them to the SIEM: configure the required controls, logging levels and risk assessments, and choose the appropriate collection type (agent-based or agentless) for each asset;
- develop custom parsing rules for non-standard or in-house developed applications;
- simulate real attacks and vulnerability exploitation to discover which logs they actually produce, so that detection rules are validated against real evidence and generate a minimum of false positive alerts after implementation;
- make modern vulnerability scanners, public reputation and security tracking services work for you continuously;
- deploy automatic incident handling tools;
- implement not only monitoring SOCs, but also operational SOCs or control SOCs, to respond to your business needs better.
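To make the custom parsing and false-positive tuning items above concrete, here is an added example written for this page; it is not H-X's own SIEM content or code. It assumes a hypothetical in-house application called "acme-portal" with a non-standard log format, constructed sample log lines, and an illustrative brute-force rule whose threshold, window and source allowlist are the tuning knobs. The sample contains a legitimate user mistyping a password, a line the parser cannot handle, a password-spraying burst from 192.0.2.10, and an authorised internal vulnerability scanner at 10.0.0.200 that trips the untuned rule.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Optional

# Constructed sample log of the hypothetical in-house app "acme-portal" (not a real product).
# Format: <ISO time> acme-portal[<pid>]: key=value pairs
SAMPLE_LOG = """\
2024-03-01T10:00:01Z acme-portal[4121]: user=alice src=10.0.0.5 action=login result=fail reason=bad_password
2024-03-01T10:00:09Z acme-portal[4121]: user=alice src=10.0.0.5 action=login result=fail reason=bad_password
2024-03-01T10:00:20Z acme-portal[4121]: user=alice src=10.0.0.5 action=login result=ok reason=-
Mar  1 10:01:00 acme-portal: worker restarted
2024-03-01T10:02:00Z acme-portal[4121]: user=admin src=192.0.2.10 action=login result=fail reason=no_such_user
2024-03-01T10:02:03Z acme-portal[4121]: user=root src=192.0.2.10 action=login result=fail reason=no_such_user
2024-03-01T10:02:06Z acme-portal[4121]: user=test src=192.0.2.10 action=login result=fail reason=no_such_user
2024-03-01T10:02:09Z acme-portal[4121]: user=guest src=192.0.2.10 action=login result=fail reason=no_such_user
2024-03-01T10:02:12Z acme-portal[4121]: user=backup src=192.0.2.10 action=login result=fail reason=bad_password
2024-03-01T10:02:15Z acme-portal[4121]: user=oracle src=192.0.2.10 action=login result=fail reason=no_such_user
2024-03-01T10:03:00Z acme-portal[4121]: user=scanner src=10.0.0.200 action=login result=fail reason=bad_password
2024-03-01T10:04:00Z acme-portal[4121]: user=scanner src=10.0.0.200 action=login result=fail reason=bad_password
2024-03-01T10:05:00Z acme-portal[4121]: user=scanner src=10.0.0.200 action=login result=fail reason=bad_password
2024-03-01T10:06:00Z acme-portal[4121]: user=scanner src=10.0.0.200 action=login result=fail reason=bad_password
2024-03-01T10:07:00Z acme-portal[4121]: user=scanner src=10.0.0.200 action=login result=fail reason=bad_password
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) acme-portal\[(?P<pid>\d+)\]: (?P<kv>.*)$")


def parse_line(line: str) -> Optional[dict]:
    """Parse one custom-format line into a normalised, SIEM-style event; None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = dict(tok.split("=", 1) for tok in m["kv"].split() if "=" in tok)
    return {
        "time": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "pid": int(m["pid"]),
        "user": fields.get("user"),
        "src_ip": fields.get("src"),
        "action": fields.get("action"),
        "outcome": fields.get("result"),
        "reason": fields.get("reason"),
    }


def parse_log(text: str):
    """Return (events, unparsed_lines). Unparsed lines are kept so parser gaps are visible, not silent."""
    events, unparsed = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        if ev is None:
            unparsed.append(line)
        else:
            events.append(ev)
    return events, unparsed


def detect_bruteforce(events, threshold=5, window=timedelta(minutes=5), exclude_src=frozenset()):
    """Sliding-window rule: alert when one source IP has >= threshold failed logins within `window`.
    `exclude_src` is the tuning knob for sources that legitimately generate failures (e.g. an authorised scanner).
    Returns one alert per source with the number of failures in the window at the last trigger."""
    recent = defaultdict(deque)  # src_ip -> timestamps of failed logins still inside the window
    alerts = {}
    for ev in sorted(events, key=lambda e: e["time"]):  # sort: collectors may deliver out of order
        if ev["action"] != "login" or ev["outcome"] != "fail" or ev["src_ip"] in exclude_src:
            continue
        q = recent[ev["src_ip"]]
        q.append(ev["time"])
        while q and ev["time"] - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            a = alerts.setdefault(ev["src_ip"], {"src_ip": ev["src_ip"], "first": q[0]})
            a["count"], a["last"] = len(q), ev["time"]
    return list(alerts.values())


if __name__ == "__main__":
    evs, bad = parse_log(SAMPLE_LOG)
    print(f"parsed {len(evs)} events, {len(bad)} unparsed line(s): {bad}")
    print("untuned:", [(a["src_ip"], a["count"]) for a in detect_bruteforce(evs)])
    print("tuned:  ", [(a["src_ip"], a["count"]) for a in detect_bruteforce(evs, exclude_src={"10.0.0.200"})])
```

Run as-is, the untuned rule fires on both the attacker and the internal scanner; adding the scanner to the allowlist leaves only the real password-spraying burst. The unparsed line is reported rather than dropped, which is the check that tells you a parser needs extending before the application is considered fully onboarded.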
Thus, we have a comprehensive set of SOC technologies, processes and people to satisfy the needs of small, medium and enterprise businesses.