Choosing a SOC facility is an important step and depends upon multiple factors:
• Does the facility have permission to operate 24x7?
• Is it allowed to have two or more internet links into the building for redundancy?
• Is the building equipped with the required physical security controls (CCTV, water sprinklers, fire extinguishers, access controls, DR drills, etc.)?
An MSSP can deploy the technology platform at the same location where the SOC team is deployed for monitoring, or the SOC team can be separated from the facility where the technology platform is implemented. Most MSSP providers host their technology platform with cloud providers and deploy technical controls on the cloud node; the SOC team connects to the cloud node for monitoring and incident management.
SOC Facility Elements
• SOC Room: The SOC team works from the SOC room for monitoring and incident management
• Secure Phone Booth: A soundproof booth for phone calls that discuss sensitive issues
• Monitors / LEDs: Large displays for analysts for real-time tracking
• Lockers: For analysts to keep their belongings, such as phones, outside of the SOC room
• War Room: Dedicated room for customers, third-party vendors, conference calls, etc.
• Physical Access Control: Two-factor or multi-factor authentication (biometric, PIN, access card, etc.) to enter the SOC facility
• Visitor Management: To log details of visitors, customers and third-party vendors
These are the basic requirements to build a SOC; other components can be deployed depending upon budget and needs.
SOC: Technology Components
SIEM: To collect logs from security devices, network devices, operating systems, applications, infrastructure, etc.
Incident Management tool: For managing incidents and alerts
Customer Portal: The MSSP can also deploy a web-based portal that gives the customer a dashboard view of their infrastructure and security posture, such as the number of security incidents that occurred, number of threats, risk status, etc.
SIEM Availability platform: It is necessary to deploy an availability platform that monitors SIEM availability, makes sure the SIEM is available at all times and, if the primary SIEM is not available, redirects the traffic to the backup SIEM.
SOAR: Security Orchestration Automation and Response, a tool to automate the mitigation process.
UEBA: User and Entity Behavior Analytics, a tool that learns and understands user and entity behavior and patterns. It defines a baseline and alerts the SOC team when the baseline threshold is exceeded.
Firewall: To create a secure tunnel between customer premises and SOC
Bandwidth: To collect the logs from customer premises
Threat Intelligence Platform: For feeds and IOCs to detect advanced and the latest known threats
Vulnerability Management feeds: For correlation, so that security incidents are detected effectively
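A minimal illustration of the UEBA baseline-and-threshold idea from the component list above, written here as an added example rather than code from the page or from any UEBA product: it builds a per-user baseline from constructed hourly login counts, flags the current hour when it exceeds mean plus three standard deviations, and routes users with too little history to review instead of silently ignoring them. User names, counts and thresholds are assumed values.

```python
# Added example (not from the page): a minimal UEBA-style baseline check.
from statistics import mean, pstdev
from collections import defaultdict

# Constructed sample history: (user, logins in one past hour) observations.
HISTORY = [
    ("alice", 3), ("alice", 4), ("alice", 2), ("alice", 5), ("alice", 3),
    ("bob", 10), ("bob", 12), ("bob", 9), ("bob", 11), ("bob", 10),
]

# Constructed current-hour login counts to evaluate against the baseline.
CURRENT = {"alice": 20, "bob": 12, "carol": 7}

MIN_SAMPLES = 5   # do not trust a baseline built from fewer observations
SIGMA = 3.0       # alert when count exceeds mean + SIGMA * stddev
MIN_DELTA = 2     # floor on the margin, so a near-zero stddev cannot alert on noise


def build_baseline(history):
    """Per-user (mean, population stddev, sample count) of hourly login counts."""
    per_user = defaultdict(list)
    for user, count in history:
        per_user[user].append(count)
    return {u: (mean(v), pstdev(v), len(v)) for u, v in per_user.items()}


def evaluate(current, baseline):
    """Return (user, count, reason) tuples that need SOC analyst review."""
    alerts = []
    for user, count in current.items():
        if user not in baseline or baseline[user][2] < MIN_SAMPLES:
            # Unknown or new entity: no reliable baseline exists yet.
            alerts.append((user, count, "no baseline"))
            continue
        avg, sd, _ = baseline[user]
        threshold = max(avg + SIGMA * sd, avg + MIN_DELTA)
        if count > threshold:
            alerts.append((user, count, f"exceeds baseline {threshold:.1f}"))
    return alerts


if __name__ == "__main__":
    for alert in evaluate(CURRENT, build_baseline(HISTORY)):
        print(alert)
```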