CHAPTER 1
SARTIKA UTAMI
1. SECURITY MANAGEMENT
• Collection of a systematic, repetitive set of interconnected security activities
that help organizations to maintain their security posture at an adequate level.
• It is an ongoing effort that focuses on both physical safety and digital security
of assets. It is a crucial and essential part of every organization. Its main
purpose is to protect the organization’s assets like information, hardware, and
software from malicious activities and reduce the overall risk to the
organization.
Security activities involved in security management:
1. Security infrastructure
2. Security prevention
3. Compliance and validation
4. Security operations
2. SECURITY OPERATIONS
• Security operation is the continuous operational practice for maintaining
and managing a secure IT environment through the implementation and
execution of certain services and processes.
• Its main purpose is to prevent, detect, prioritize, and respond to security
incidents.
Security operations may consist of various tasks, which include:
1. Security Monitoring
It involves collecting and analyzing information to identify abnormal behavior and
unusual activities in the network. It also escalates malicious activities to the incident
response system for resolution.
2. Security Incident Management
It includes detecting, managing, and monitoring security vulnerabilities in real time
with minimal adverse impact.
3. Vulnerability Management
It is a cyclical process that includes continuous monitoring, triage, and mitigation
of system vulnerabilities. It is an integral part of computer security and network
security.
4. Security Device Management
It involves maintaining and managing security infrastructure and devices, as well
as updating software in the organization. It helps in securing an organization's
assets and maintaining compliance with regulatory requirements.
5. Network Flow Monitoring
It detects and analyzes inflow and outflow of packets in the network and generates
alerts whenever suspicious activities
3. SECURITY OPERATIONS CENTER (SOC)
• SOC is a centralized unit that continuously monitors, manages, and
analyzes ongoing activities on the organization’s information systems such
as networks, servers, endpoints, databases, applications, and websites.
• Its end goal is to maintain the continuity of an organization by
determining, preventing, detecting, and responding to intrusion events
before they affect the business.
• It gathers data from logs, IDS/IPS, firewalls, endpoint devices, and
network flows and facilitates incident detection, investigation, and
response.
Needs of SOC:
Organizations use various security measures such as intrusion
detection/prevention systems, firewalls, email filtering, URL filtering, and
antivirus to protect the organization's network from threats.
SOC is responsible for performing the following types of activities:
1. Proactively identifying suspicious activities in the network and system.
2. Performing vulnerability management to identify which assets in the network are
vulnerable.
3. Maintaining awareness of the hardware and software assets operating in the network.
4. Performing log management that facilitates forensics at the time of security breaches.
5. Evaluating policies and procedures required for business operations.
6. Checking whether the organization has appropriate internal controls and processes to
provide proper services to the clients.
SOC CAPABILITIES
The basic capabilities of a SOC are:
1. Preventive Capability
It refers to stopping an attack from succeeding. To prevent attacks, the SOC fine-tunes
and maintains its security tools.
2. Detection Capability
It refers to monitoring a system or network to identify suspicious activities and security
breaches.
3. Response Capability
It refers to analyzing and handling documented alerts and security incidents instantly
with security teams.
4. Reporting Capability
The SOC offers various reports, which keep the organization updated about its assets and
their security events, level of compliance, and alarms generated.
5. Forensics
SOC analysts use structured log data to conduct an investigation for identifying the root
cause of a particular attack pattern and restrict the attacker’s ability to perform attacks
against the organization
6. Audit and Compliance
The SOC not only collects and stores logs, but also efficiently retrieves them when
preparing for an audit.
SOC OPERATIONS
Typical functions of SOC include:
1. Log Collection
A SOC collects logs generated from any security system or transactional activities, as it behaves like an
aggregator of data.
2. Log Retention and Archival
Logs collected by SOC are stored centrally and can be utilized easily whenever required.
3. Log Analysis
After collecting, cleaning, and structuring the log data, it gets analyzed to identify abnormal activities.
4. Monitoring of Security Environments for Security Events
Information received from log analysis is transferred to the SOC team for monitoring purposes so that it
can identify the current security position of an organization.
5. Event Correlation
It is an ability to correlate and contextualize events automatically from various sources.
6. Incident Management
Incident management is the process of taking action against reported security incidents.
7. Threat Identification
It is the process of determining threats and vulnerabilities correctly in real-time.
8. Threat Reaction and Response
A SOC responds to threats either reactively or proactively.
9. Reporting
The SOC generates detailed security reports for clients, covering requests ranging from
real-time management to audit requirements.
SOC also performs various secondary security operations, like the following:
• Malware Analysis
Malware represents different types of malicious programs such as viruses, worms, Trojan
horses, rootkits, or backdoors.
• Vulnerability Management
SOC performs vulnerability management by identifying, classifying, remediating, and
mitigating vulnerabilities, using different methodologies like automated testing and
manual testing.
• Security Device Management
It means managing and optimizing the security tools and technologies infrastructure.
SOC WORKFLOW
Typical SOC workflow includes the following activities:
1. Collection
Security logs are collected and forwarded to the SIEM.
2. Ingestion
SIEM ingests log data, threat information, indicators of compromise, and asset inventory
for machine-based correlation and anomalous activity detection.
3. Validation
SOC analysts identify the indicators of compromise, triage alerts, and validate incidents.
4. Reporting
Validated incidents are submitted to the incident response teams through a ticketing
system.
5. Response
The SOC team reviews incidents and performs incident response activities.
6. Documentation
At last, incidents are documented for business audit purposes.
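An added example (not from the lecture) that works through the Ingestion and Validation steps above in miniature: constructed log lines, a constructed IoC list and a constructed asset inventory are fed to a toy correlation rule, and each validated alert is given the severity a triage analyst would assign. Field names, thresholds and all sample values are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed logs as forwarded by the Collection step (not real data).
AUTH_LOGS = [
    "2024-01-10T09:00:01 host=web01 user=alice src=10.0.0.5 result=FAIL",
    "2024-01-10T09:00:03 host=web01 user=alice src=10.0.0.5 result=FAIL",
    "2024-01-10T09:00:05 host=web01 user=alice src=10.0.0.5 result=FAIL",
    "2024-01-10T09:00:08 host=web01 user=alice src=10.0.0.5 result=SUCCESS",
    "2024-01-10T09:30:00 host=db01 user=bob src=10.0.0.9 result=SUCCESS",
]
FW_LOGS = ["2024-01-10T09:00:20 host=web01 dst=203.0.113.7 dport=443 action=ALLOW"]
# Constructed threat intelligence (IoCs) and asset inventory ingested alongside the logs.
IOCS = {"203.0.113.7"}
ASSETS = {"web01": "internet-facing web server", "db01": "customer database"}


def parse(line):
    """Turn 'ts key=value ...' into a dict with a datetime under 'ts'."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.fromisoformat(ts)
    return rec


def correlate(auth_logs, fw_logs, window=timedelta(minutes=5), threshold=3):
    """Toy rule: >= threshold failed logins followed by a success for the same
    (src, user, host) inside `window`, enriched with asset context and any
    outbound connection from that host to a known IoC shortly afterwards."""
    fw = [parse(l) for l in fw_logs]
    fails = defaultdict(list)          # (src, user, host) -> failure timestamps
    alerts = []
    for r in (parse(l) for l in auth_logs):
        key = (r["src"], r["user"], r["host"])
        if r["result"] == "FAIL":
            fails[key].append(r["ts"])
            continue
        recent = [t for t in fails[key] if r["ts"] - t <= window]
        if len(recent) < threshold:
            continue
        hits = [f["dst"] for f in fw
                if f["host"] == r["host"] and f["dst"] in IOCS
                and timedelta(0) <= f["ts"] - r["ts"] <= window]
        # Validation: an IoC match after the suspicious login raises the severity.
        alerts.append({"type": "brute_force_then_success", "host": r["host"],
                       "asset": ASSETS.get(r["host"], "unknown"), "user": r["user"],
                       "src": r["src"], "ioc_hits": hits,
                       "severity": "high" if hits else "medium"})
    return alerts
```

A validated alert dict is what the Reporting step would hand to the ticketing system.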
COMPONENTS OF SOC: PEOPLE, PROCESSES, AND TECHNOLOGY
A SOC requires cooperation and communication among people, processes,
and technologies to collect, sort, and investigate security events.
5. TYPES OF SOC MODELS
6. SOC IMPLEMENTATION