Design and Build Security Operation Center
Sameer Paradia
Contents
• Presentation Objective
• Security Operation Center (SOC)
– What is it? Why is it required?
• Designing SOC
• Building Blocks
– Infrastructure
– People
– Process
– Tools
– Securing the SOC
• New Trends
• Acronyms
Objective of this Presentation
• Useful to both enterprise and service provider
• Insight into design methodology and components
• Define a framework from design to build of a SOC
• Define and roll out SOC services
Why SOC? Overcome Challenges
• CFO: “Reduce TCO now, limit liability in future”
• IT: “Reduce risk, improve incident management”
• Business Head: “Protect Brand, ALWAYS!”
SOC Goals
• Aligned with business goals
• Shared service to reduce cost
• Improves risk posture
What is SOC?
• Operates 24x7 from a central offsite location
• Complete and proactive response to security incidents
• Predicts security attacks and minimizes their impact
• Implements security policy across the enterprise
• Reduces the cost of security support by providing centralized remote support
• SOC delivers:
– Incident Management
– Governance Risk Compliance
– Monitoring and Management of Devices / Events
– Implementation of security policy
Design Criteria
• Infrastructure
• Human Resources
• Process Management
• SOC Tools and Technologies
• Security Controls – Secure the SOC
• Link with Government agency and knowledge sites
Design Flow
One: Inputs for SOC design
a) Service catalogue based on business need / client requirements
b) EPS
c) Number and types of devices under management
Two: Tools selection and designing
a) EPS, number of devices
b) SLA, Reporting
c) SIEM
d) Web portal, Storage / Backup
e) Connectivity
f) Integration of tools
Three: Human resources
a) One resource for 50 devices management in a shift of 8 hours
b) One admin per 5-7 resources
c) One analyst for 10 resources
d) Tool management and consultants, based on tools and GRC services
Four: Service desk
a) Separate function
b) Receive and forward calls / ticket opening, initial support
c) 12-15 calls per shift of 8 hours per resource
Five: Infrastructure
a) 55 square feet per seat (agent)
b) One seat means overall usable area including all facilities
Six: Power
a) Power usage and UPS capacity to be calculated based on the rated power usage of all tools and the uptime SLA
Seven: Security Controls – Secure the SOC
a) Physical Security
b) Information Security
c) Authentication & Access Management
Eight: Compliance Management
a) Law of the region
b) ISMS
c) Data protection laws
Nine: Process Management
a) BAU day-to-day process / SOP
b) Foundation process
c) Service improvement
d) Governance process
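The staffing and space ratios in steps Three, Four and Five (and the EPS input from step One) can be turned into a repeatable sizing calculation. The script below is an added example, not a tool from this presentation: the ratios are the deck's, while the log-volume formula, the 500-byte average event size, the 90-day retention and the device, call and EPS figures are my own assumptions and constructed inputs.

```python
"""SOC sizing from the ratios in the Design Flow steps.
Added example: the ratios are the deck's; the log-volume formula, the
average event size and the retention period are assumptions."""
from dataclasses import dataclass
from math import ceil

HOURS_PER_DAY = 24
SHIFT_HOURS = 8                   # deck: staffing is quoted per "shift of 8 hours"
DEVICES_PER_RESOURCE = 50         # deck: one resource per 50 devices per shift
RESOURCES_PER_ADMIN = (5, 7)      # deck: one admin per 5-7 resources
RESOURCES_PER_ANALYST = 10        # deck: one analyst per 10 resources
CALLS_PER_AGENT_SHIFT = (12, 15)  # deck: 12-15 calls per 8-hour shift per agent
SQFT_PER_SEAT = 55                # deck: 55 square feet per seat
SECONDS_PER_DAY = 86_400


@dataclass
class SocSizing:
    shifts_per_day: int
    device_resources: int   # per shift
    admins: tuple           # per shift, (low, high) from the 5-7 range
    analysts: int           # per shift
    service_desk: tuple     # per shift, (low, high) from the 12-15 range
    seats: int              # worst-case people on the floor in one shift
    floor_area_sqft: int
    headcount_24x7: int     # seats x shifts, before leave / rotation cover
    log_gb_per_day: float
    log_gb_retained: float


def size_soc(devices, calls_per_shift, eps, avg_event_bytes=500, retention_days=90):
    """Apply the deck's ratios to a device count, a service-desk call load and an
    event rate. avg_event_bytes and retention_days are assumptions, not deck values."""
    shifts = HOURS_PER_DAY // SHIFT_HOURS
    resources = ceil(devices / DEVICES_PER_RESOURCE)
    # "One admin per 5-7 resources": dividing by 7 gives the low bound, by 5 the high.
    admins = (ceil(resources / RESOURCES_PER_ADMIN[1]),
              ceil(resources / RESOURCES_PER_ADMIN[0]))
    analysts = ceil(resources / RESOURCES_PER_ANALYST)
    desk = (ceil(calls_per_shift / CALLS_PER_AGENT_SHIFT[1]),
            ceil(calls_per_shift / CALLS_PER_AGENT_SHIFT[0]))
    seats = resources + admins[1] + analysts + desk[1]   # plan space for the high bound
    gb_day = eps * avg_event_bytes * SECONDS_PER_DAY / 1e9
    return SocSizing(shifts, resources, admins, analysts, desk, seats,
                     seats * SQFT_PER_SEAT, seats * shifts, gb_day, gb_day * retention_days)


if __name__ == "__main__":
    # Constructed inputs: 600 managed devices, 40 calls per shift, 2000 EPS.
    s = size_soc(devices=600, calls_per_shift=40, eps=2000)
    for name, value in vars(s).items():
        print(f"{name:>18}: {value}")
```

The 24x7 headcount figure only multiplies seats by the three 8-hour shifts; covering weekends, leave and training needs a rotation factor on top, which the deck does not quantify.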
Build SOC Approach
Phases, from strategic through tactical to operational: ENGAGE, BUSINESS CASE, DESIGN / SECURE, BUILD & TRANSIT, RUN & SUPPORT, MANAGE
Activities across the phases: Risk Assessment, Business requirement, Business Case, Planning, Designing, Project Management, Resource Management, Infra / Tools implementation, SOC process setup, SOC Detailed Design, Process Framing, SOC Security Design, Day to day operations, Deliver service catalog, Improvement plan
• A SOC service catalog needs to be put in place
• Phase-wise rollout of services is advisable
Building SOC Approach – Detailed Steps
Levels: STRATEGIC, TACTICAL, OPERATIONAL
ENGAGE; BUSINESS CASE AND PLAN:
• Business Requirement Analysis, Demand Management
• Risk Assessment, Service Level Management
• IT Strategy Planning, IT Governance
• Security Architecture, Policies and Standards
• Develop & Approve Business Case, Program Portfolio Management
MANAGE:
• IT Finance & Resource Management, IT Human Resource Management, Project Management, Knowledge Management
• Work Request Management, Monitor & Report Performance, Quality and Improvement
DESIGN AND SECURE:
• Security Service Catalog, Supplier Management
• Availability and Capacity Management, IT Service Continuity Management, Security Management
SUPPORT:
• Service Request Fulfillment, Incident Management, Problem Management, Access Management
BUILD AND TRANSITION:
• Build SOC, Service Transition & Planning, Service Validation / Testing, Service Evaluation
• Release and Deployment Management, Change Management
RUN (OPERATE AND CONTROL):
• Event Management, Operations, Device Management, Application Management
• Service Asset and Configuration Management
SOC Detailed Engineering
SOC Service Catalogue lifecycle: Consult, Assess, Define, Deliver, Monitor, Analyze
Operation:
• Device Management
• Management of Incident, Change, Asset
• Design, Build, Plan
• Project Management
Assessment:
• Risk Management
• Security Management Framework Assessment
• Policy Gap Assessments
• Penetration Testing & Vulnerability Assessment
• Governance Monitoring
• Technology & Architecture Reviews
Other Services from SOC:
• Endpoint Security, Anti-virus
• Web Security, URL Filtering
• Mail Security
• Application Security
• Analytics
• Multi factor Authentication, Encryption, Federation, SSO
Security Assurance Services
Security Technology
Remote support (new projects – remote support):
• Remote configuration & backup of logs
• Patch management / software upgradation
Gateway level / Datacentre (Perimeter / Datacentre):
• Firewalls / VPN
• IDS / IPS
• UTM
• DLP
Device level security / End user security:
• Log analysis
• Event Management
• Reporting
• Content Security
• Identity / Access Management
• Policy Compliance
Advance Services:
• Forensic / Investigation
• Governance, Risk Management, Compliance
• Service Assurance
• Abuse Prevention
• Call Service Management
• IPT Availability
• Malware analysis
• Black box testing
• Suspicious Activity monitoring
Security Strategy:
• Define Security framework
• Security Policy framing
• Audit
• Policy Enforcement
Advisory Services:
• CERT Integration
• Risk Assessment, Risk Mitigation plan
• VA / PT, Ethical Hacking
• Gap Analysis
• Threat Management / Assessment
• Data, Voice, Video – technological architecture assessment
• Risk repository
• Log analysis
• Security Policy Assessment
• Data Protection Assessment
• DLP Management
• Information Act compliance assessment
• Violation of security policy
• End point policy assessment
• Reporting
• Maintain
• BCP / DR Management
Other Services:
• Advisory Services
• Black box testing
• White box testing
Phase wise Service Launch
1st Phase
• Start with basic Perimeter / Datacentre security services
• Event Monitoring, Device / Policy Management, Incident / Change / Asset management
• Integrate networking equipment security into the SOC
2nd Phase
• Expand to endpoint and cloud based security
• Bring endpoint machines / BYOD under SOC monitoring / management
3rd Phase
• GRC related services
• Consultancy services
• Forensic service
• Application level testing / security
• Business process monitoring and fraud alerts
Service Description
1st Phase
a. Firewall / VPN (IPSEC / SSL)
b. IPS / IDS
c. UTM (Unified Threat Management)
d. Vulnerability Assessment
e. Event correlation and Incident / Change / Asset management
f. Gateway level Antivirus
g. Datacenter security
2nd Phase
a. In the Cloud services – clean Internet pipe, DDOS protection, secure mail, secure web access
b. Endpoint Security
c. URL Filter / Secure Proxy
d. Information Leak Prevention
e. Datacenter / Application level: Penetration Testing, Ethical Hacking
3rd Phase
a. Identity Management
b. Database Security
c. Application Security for Web, SAP, Portal, Database etc.
d. Compliance with ISMS, country specific IT / Data protection act
e. Fraud Management
f. Forensic / Investigation
Infrastructure Blocks of SOC
• SOC office space: minimum 55 sq ft per seat
– Structured and secured LAN cabling
– Same types of furniture, PCs / monitors and hardware
– Video walls
– Scalable area on the same floor / building
– Card access and biometric access controls
• Power: mains and backup UPS / DG set; an electrician available for emergencies
– PDP: Power Distribution Panels / emergency power switching panel
– DG set: diesel storage area
– Lighting in the facility / energy saving plan
• Precision air conditioning
• Datacentre: rack space to host tools and customer facing portals
– Hosts the customer facing portal, SIEM, NMS, Service Desk, storage and backup tools
– Storage for logs and configurations of IT assets
– Backup devices and tape library
• Various control rooms need to be in place, as below:
– Building Management System (BMS) room: centralized monitoring room integrated with video surveillance, visitor management system and fire management system
– Security surveillance room: same room as BMS
– Fire management systems: same room as BMS
• Connectivity:
– MUX room to terminate the various telecom links from customer premises; feasibility for these links must be in place
– VPN concentrator: to connect to customers over the Internet using IPSEC VPN / SSL VPN
Infrastructure Blocks of SOC – Visitor lounge / Presentation area / War room
Visitor lounge
• Customers visit the SOC to audit the infrastructure as per the contract signed
• Must be a quarantine area in which visitors interact with SOC staff
• A secured PC is to be provided in case visitors need to access their own systems
• An NDA must be signed by visitors
Presentation area
• The SOC needs a separate area at the entrance, physically isolated from the SOC seating area by a glass wall with a curtain
• The presentation / conference hall should be able to accommodate enough people
• Equipped with projectors / video conferencing facility
War room
• A war room is a dedicated space where the entire team responsible for major incident resolution meets and handles the issue
• They need to interact with customers and partners to resolve the incident
• Equipped with communications: LAN, voice, video conference
• A separate war room is required so that other SOC operations teams are not disturbed and customer issue confidentiality is ensured
SOC TEAM
SOC Governance Model
• Executive line: Board / Shareholders, CEO / COO, CFO / CIO, CISO, SOC Manager
• SOC team roles: Risk Manager, Auditor / Consultant, Incident Response, Monitoring Team, Technical / Tools Admin, Analyst / SME, Forensic Expert, Service Desk
• Organization functions: Organization Risk Management, Information Security
• Internal teams: Business Head, Admin / HR, Legal, Compliance, Sales, Branding
• External stakeholders: Partners, Vendors / Suppliers
• External requirements: Country Legislation, Data Protection Laws, Industry specific Compliance, Industry Best Practice
SOC PEOPLE
Analyst
• Expert in security technology and process
• Understands attacks and the threat matrix
• Good at low level programming languages
• Extremely good at reaching the root cause
• Thinks out of the box
• Understands viruses, Trojans, backdoors and malicious code
• Drives people
• Proactive by nature
Tech admins
• Expert in security, OS, network, web technology and databases
• Configures tools and security technologies
• Great at low level design
• Frames and implements security policies in the technologies under the SOC
• Forensic expert
• Quick at incident response
• Can interact with and drive vendors, OEMs and government bodies
Management
• Leadership to bring all stakeholders together
• Stitches together the solutions from different teams and drives them to conclusion
• Understands the security posture and is able to guide the team
• Good communication skills
SOC Process Framework
BAU SOC Operation Process, with inputs from: Tools & Technology; Human Resources; Process; GRC, Forensic, Consultancy, BCP-DR; KGI, Best Practice, CERT Feed; SOC ISMS / Law Compliance Support; Log Management; Testing Advisory
Foundation Process:
• People Operations, Shift Scheduling, Daily Checklist, Training, Talent Management, New Project Management
• Reporting, Realtime Dashboard, Analysis, Portal
• QMS / KEDB / Documentation / Improvement
• SOP – Develop / Review
• QMS / SOC Process KPI
• System Modeling
• Configuration Management
• Access / User Management
• Event Triage of Correlation, Monitoring, Routing
• SOC Infra / Application Management
• Event Fusion Use Cases
• Project Management
• Fusion, Analysis, Reporting
Tools & Technology:
• Existing tool management, updating, testing
• Security tools like SIEM, VA, NMS / EMS, Service Desk, Web Portal, Backup, Storage, Middleware
• Integration with current & new tools, client systems
• Transition and onboarding of new devices with tools
• POC of new releases and upcoming technologies
SOC Governance:
• Incident Management
• Major Attack response
• Incident Analysis
• Event Correlation
• Problem Management
• Release Management
• Configuration Management
• Change Management
• Event Monitoring
• Service Desk
SOC Process
The number of processes and procedures for a SOC is determined by its scope, how many services are offered, the number of customers supported, and the number of different technologies in use. An established global SOC environment may have tens or even hundreds of procedures. At a minimum, the basic procedures required for maintaining the SOC are:
• Monitoring procedure
• Notification procedure (email, mobile, home, chat, etc.)
• Notification and escalation processes
• Transition of daily SOC services
• Shift logging procedures
• Incident logging procedures
• Compliance monitoring procedure
• Report development procedure
• Dashboard creation procedure
• Incident investigation procedures (malware, etc.)
• SIEM monitoring and correlation
• Antivirus monitoring and logging
• Network and host IDS/IPS monitoring and logging
• Network and host DLP monitoring and logging
• Centralized logging platforms (syslog, etc.)
• Email and spam gateway and filtering
• Web gateway and filtering
• Threat monitoring and intelligence
• Firewall monitoring and management
• Application whitelisting or file integrity monitoring
• Vulnerability assessment and monitoring
GRC
Flow: Define Risk Control – Risk Governance -> State of Control -> Periodic Assessment -> State of Control -> Sustain Controls
Define Risk Control – Risk Governance:
• Framing of security policy based on gap analysis
• Implementation
• Mapping of IT laws with security policy
• Set objectives and form a steering committee
Periodic Assessment:
• Review of security posture and risk profile
• Periodic assessment / audit
• Reporting of compliance status to management
Sustain Controls:
• Implement & manage IT controls / checkpoints
Compliance: to the law of the region, data protection law and the InfoSec policy
Forensics
Process
• Acquisition: physically or remotely obtaining possession of the computer, all network mappings from the system, and external physical storage devices
• Identification (Technical Analysis): identifying what data could be recovered and electronically retrieving it by running various computer forensic tools and software suites
• Evaluation (What the Lawyers Do): evaluating the information / data recovered to determine if and how it could be used against the suspect, for employment termination or prosecution in court
• Presentation: presenting the evidence in a manner understood by lawyers and non-technical staff, and suitable as evidence as determined by a court of law
Challenges in Forensics
• Acquisition: handling huge volumes; identifying and taking control of equipment
• Identification (Technical Analysis): correlating data from various technologies and equipment; speed of processing
• Evaluation (What the Lawyers Do): defending evidence in court by police
• Presentation: relating evidence to law clauses (IPC); creation of supporting cases
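Whether recovered data survives the Evaluation and Presentation stages above depends on showing it is unchanged since Acquisition. The following script is an added example, not part of this presentation: it fixes a SHA-256 hash at acquisition, re-hashes at every hand-off in a chain-of-custody log, and reports the first custodian at whom the evidence stopped matching. The hashing-based custody record is standard forensic practice that the slide does not spell out, and the evidence bytes and handler names are constructed.

```python
"""Evidence acquisition record with integrity verification and a chain of custody.
Added example: hashing at acquisition and at every hand-off is standard forensic
practice, not a step detailed on the slide; the evidence bytes are constructed."""
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timezone


@dataclass
class CustodyEntry:
    when: str
    handler: str
    action: str
    sha256: str          # hash observed by this custodian at this hand-off


@dataclass
class EvidenceItem:
    item_id: str
    description: str
    data: bytes          # stand-in for the acquired image or export
    acquired_sha256: str
    custody: list = field(default_factory=list)


def _digest(data):
    return hashlib.sha256(data).hexdigest()


def _record(item, handler, action):
    item.custody.append(CustodyEntry(datetime.now(timezone.utc).isoformat(),
                                     handler, action, _digest(item.data)))


def acquire(item_id, description, data, handler):
    """Acquisition: fix the hash at the moment of seizure; everything later is compared to it."""
    item = EvidenceItem(item_id, description, data, _digest(data))
    _record(item, handler, "acquired")
    return item


def verify(item):
    """Identification / evaluation should proceed only if the item still matches its acquisition hash."""
    return _digest(item.data) == item.acquired_sha256


def transfer(item, from_handler, to_handler):
    """Hand-off between custodians; the receiver's entry records the hash they observed."""
    _record(item, to_handler, f"received from {from_handler}")
    return verify(item)


def first_break(item):
    """Presentation: the first custody entry that disagrees with the acquisition hash, if any."""
    for entry in item.custody:
        if entry.sha256 != item.acquired_sha256:
            return entry
    return None


def custody_report(item):
    return [f"{e.when} {e.handler}: {e.action} sha256={e.sha256[:12]}..." for e in item.custody]


if __name__ == "__main__":
    # Constructed evidence: a few exported log lines standing in for a disk image.
    img = b"2024-01-10 10:00:15 srv05 sshd: Accepted password for admin from 203.0.113.7\n"
    item = acquire("EV-001", "srv05 auth log export", img, "analyst_a")
    transfer(item, "analyst_a", "forensic_lead")
    print("\n".join(custody_report(item)))
    print("intact:", verify(item))
```

Because each hand-off records the hash the receiver saw, a later mismatch is pinned to the custodian whose entry first diverges, which is what a court will ask for when the evidence is challenged.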
SOC Tools Modules
1. Event generators
• All devices / software under the SOC
• Log generators
• External feeds, viz. CERT
2. Event collectors
• Local as well as central devices that collect and normalize huge volumes of events / logs into a few useful messages, device status and alerts
• NMS / EMS / Service Desk
3. Message database
• Analyzes and displays messages as per the configured policy
4. Knowledge base
• System Modelisation is configured based on risk management, threats and the actions taken by the security controls / policy deployed
• Real time event correlation, creating incidents based on the risk posture fed into it
5. Client / user facing portal hosts
• Reports, analysis, knowledge management, real-time status & events
Working of SOC Tools
• Event sources: VA / RA tools, IPS, network equipment, OS, applications, firewall
• Collection: events are received or polled over Syslog, SNMP, SMTP, HTTP/XML and proprietary protocols
• Collector output: message, status, alerts
• Functions built on them: incident handling, analysis, real time monitor, correlation
• Knowledge base: client config records, security policy, customer status, vulnerability DB, System Modelisation, status integrity, risk evaluation, security activity, system status
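The module chain in the two slides above (generators, collectors that normalize raw logs into a common schema, a knowledge base whose System Modelisation weights correlation by risk, and a status view for the portal) can be shown end to end in a few dozen lines. The script below is an added example and not any tool from this presentation: the log formats are simplified constructed lines rather than a vendor's syntax, and the asset criticalities, failed-login threshold, correlation window and risk-to-priority mapping are assumptions chosen for illustration.

```python
"""Mini SOC event pipeline: generators -> collector / normaliser -> correlation
against a system model -> incidents and status.
Added example; log formats, asset criticalities and rule thresholds are
constructed for illustration and are not any vendor's syntax or the deck's."""
import re
from collections import Counter, defaultdict
from datetime import datetime

# 1. Event generators: constructed raw lines from a firewall, an IPS and a host.
RAW_LOGS = [
    "2024-01-10T10:00:01 fw01 DENY src=203.0.113.7 dst=srv05 dport=22",
    "2024-01-10T10:00:02 srv05 sshd: Failed password for admin from 203.0.113.7",
    "2024-01-10T10:00:04 srv05 sshd: Failed password for admin from 203.0.113.7",
    "2024-01-10T10:00:06 srv05 sshd: Failed password for admin from 203.0.113.7",
    "2024-01-10T10:00:09 ips01 ALERT sig=ssh-bruteforce src=203.0.113.7 dst=srv05",
    "2024-01-10T10:00:15 srv05 sshd: Accepted password for admin from 203.0.113.7",
    "2024-01-10T10:00:20 ws12 sshd: Failed password for bob from 192.0.2.9",
    "2024-01-10T10:00:25 fw01 ALLOW src=198.51.100.4 dst=srv05 dport=443",
]

# 4. Knowledge base / System Modelisation: asset criticality feeds the risk score.
ASSET_CRITICALITY = {"srv05": 3, "ws12": 1}   # constructed; 1 = low, 3 = high

PATTERNS = [
    ("firewall", re.compile(r"^(?P<ts>\S+) (?P<dev>\S+) (?P<action>DENY|ALLOW) "
                            r"src=(?P<src>\S+) dst=(?P<dst>\S+)")),
    ("ips", re.compile(r"^(?P<ts>\S+) (?P<dev>\S+) ALERT sig=(?P<sig>\S+) "
                       r"src=(?P<src>\S+) dst=(?P<dst>\S+)")),
    ("auth", re.compile(r"^(?P<ts>\S+) (?P<dev>\S+) sshd: (?P<result>Failed|Accepted) "
                        r"password for (?P<user>\S+) from (?P<src>\S+)")),
]

FAIL_THRESHOLD = 3     # failed logins before a following success is suspicious (assumption)
WINDOW_SECONDS = 60    # correlation window for those failures (assumption)


def normalize(line):
    """2. Event collector: map one raw line onto a common schema, or None if unknown."""
    for kind, pat in PATTERNS:
        m = pat.match(line)
        if not m:
            continue
        f = m.groupdict()
        ev = {"ts": datetime.fromisoformat(f["ts"]), "device": f["dev"], "src": f["src"]}
        if kind == "firewall":
            ev.update(category="fw_" + f["action"].lower(), target=f["dst"])
        elif kind == "ips":
            ev.update(category="ips_alert", target=f["dst"], signature=f["sig"])
        else:
            ev.update(category="auth_fail" if f["result"] == "Failed" else "auth_ok",
                      target=f["dev"], user=f["user"])
        return ev
    return None


def correlate(events):
    """Real time correlation rule: FAIL_THRESHOLD or more failures followed by a success
    from the same source to the same host inside WINDOW_SECONDS raises an incident; the
    score is weighted by asset criticality and by a matching IPS alert."""
    fails, ips_hits, incidents = defaultdict(list), set(), []
    for e in sorted(events, key=lambda e: e["ts"]):
        key = (e["src"], e["target"])
        if e["category"] == "auth_fail":
            fails[key] = [t for t in fails[key] + [e["ts"]]
                          if (e["ts"] - t).total_seconds() <= WINDOW_SECONDS]
        elif e["category"] == "ips_alert":
            ips_hits.add(key)
        elif e["category"] == "auth_ok":
            if len(fails[key]) >= FAIL_THRESHOLD:
                risk = 3 * ASSET_CRITICALITY.get(e["target"], 1) + (2 if key in ips_hits else 0)
                incidents.append({"src": e["src"], "target": e["target"], "user": e["user"],
                                  "failed_attempts": len(fails[key]), "risk": risk,
                                  "priority": "P1" if risk >= 9 else "P2" if risk >= 5 else "P3",
                                  "ts": e["ts"].isoformat()})
            fails[key] = []
    return incidents


def run_pipeline(lines):
    """3. / 5. Message database and portal view: incidents plus a device status summary."""
    events = [ev for ev in map(normalize, lines) if ev]
    span = (max(e["ts"] for e in events) - min(e["ts"] for e in events)).total_seconds()
    status = {"events": len(events),
              "per_device": dict(Counter(e["device"] for e in events)),
              "eps": len(events) / span if span else float(len(events))}
    return correlate(events), status


if __name__ == "__main__":
    incidents, status = run_pipeline(RAW_LOGS)
    print("status:", status)
    for inc in incidents:
        print("incident:", inc)
```

On the constructed input the three failures and the success against srv05 from the same source become one P1 incident, because the host is modelled as critical and the IPS alert corroborates it; the single failure against ws12 stays below the threshold and only appears in the per-device status counts, which is the triage behaviour a SOC wants from the knowledge base.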
Key Tools for SOC
Support tools (Device Management & Client facing portal):
• Storage & Backup
• Syslog server
• FTP server
• Client facing web portal for reports / status updates
• Device Management servers
Service Desk:
• ITIL process automation
• Strengthens Service Desk and SOC process management
SOC Core Technology & Services Support Tools, spanning Assess to Prevent:
• Analytics / Reporting
• Network and OS scanner
• Traffic Generator
• Forensic Tools
• Certificate Authority
• Log analyzer / Storage
• Encryption Key Generator
• NMS / EMS
• OS / DB / Network Scanner
• SIEM
• Password Recovery / EH Tool
• VA / PT Assessment
• Registry Scanner
• Honeypot
• Web Portal
• Device Management Servers
• GRC Tool
• Patch Management
• Packet Analyzer
• Authentication / IDM
Tools Integration
• Users access the Portal (Reports / Analysis / Realtime Dashboard)
• Middleware: API correlation / integration layer
• Integrated components: SIEM; SD / NMS / EMS; Device status; Database / KEDB; GRC Tools; Polling Engine / Data Flow
• Inputs flowing through the layer: Events, Incidents, Device Management, VA / PT / EH, System Modelisation, Security Policy
Securing the SOC – Security Controls
It is imperative to protect the SOC environment with the following controls:
• Layered security
– Information security for SOC users and information
– Physical security for SOC users, visitors and infrastructure
– A common security layer for all information, with additional security controls implemented based on contract
• Information security for SOC users and infrastructure
– Process level: ISMS (Information Security Management System)
– Integration of security controls with SIEM / Service Desk tools
– IDM: authentication and identity access management, multi factor authentication
– Network level: firewall, IPS, VPN, antivirus, web filter software
– Desktop level: antivirus, security compliance, strong authentication and access control
– Datacentre level: firewall, IPS, VPN, antivirus, host based IDS
– Access log: syslog server for user audit trail and analysis
Securing the SOC – Physical Security Controls
For SOC users, visitors and infrastructure:
– Security guards on round the clock duty
– Video surveillance: monitor human movement
– Biometric controls: for access to the datacenter and critical SOC areas
– Tape vault: to store the logs generated, on tape and backup; this is a statutory requirement
– Access card: to operate doors and control movement in and out of the SOC
– Visitor Management System: registers entry, pass generation, badge cards for visitors
– Glass and other barriers for dedicated space for certain clients in the SOC
New trends
Summary of future SOC and new trends:
• The future SOC will spend more time on security analytics and less time on device monitoring
• The new age SOC will use more resources to identify new, unknown threats / malware / malicious code and less time blacklisting known threats after attacks
• Big Data will be part of the SOC tool set
• Out of the box SOC with less integration work across the different tool sets in the SOC
• Integrated with social sites to know human behavior and predict attacks
• Integrated with national agencies and international CERTs to have a uniform and instant response to attacks
• Able to counter attack and stop all future activities from attackers from the Internet / internal users
• The SOC will act as a single agency to prevent security incidents and frauds happening in e-systems, and for compliance with regional laws across geographic boundaries
• Will proactively provide alerts for financial frauds and violations in business processes
Acronyms
• API- Application Programming Interface
• BAU- Business As Usual – Daily operations
• BCP/ DR- Business Continuity Plan/ Disaster Recovery
Plan
• BYOD- Bring Your Own Device
• CEO- Chief Executive Officer
• CFO-Chief Finance Officer
• COO- Chief Operating Officer
• CERT- Computer Emergency Response Team
• CISO- Chief Information Security Officer
• DDOS- Distributed Denial of Service attack
• DG-Diesel Generator
• DLP- Data Leak Prevention
• EH- Ethical Hacking
• EMS- Enterprise Management System, used for
Datacenter device monitoring
• EPS- Events Per Second
• GRC- Governance, Risk, Compliance
• IDS- Intrusion Detection System
• IPS- Intrusion Prevention System
• ISMS- Information Security Management System
• ITIL- Information Technology Infrastructure Library
• KPI- Key Performance Indicator
• KGI- Key Goal Indicator
• KEDB- Known Error Database
• OEM- Original Equipment Manufacturer
• OS- Operating System
• NOC- Network Operation center
• NDA- Non Disclosure Agreement
• NMS- Network Management System
• PC- Personal Computer
• PT- Penetration testing
• SD- Service Desk
• SIEM- Security Incident and Event Management
• SLA- Service Level Agreement
• SOC- Security Operation Center
• UTM-Unified Threat Management
• VA- Vulnerability Assessment
• VPN- Virtual Private Network
Sameer Paradia (CGEIT, CISM, CISSP)
(sameer_m_paradia@yahoo.com)
Practicing IT Security Services and Outsourcing for past 22+ years
Photo acknowledgment: https://www.flickr.com/photos/babalas_shipyards/5339531237/in/photostream/
http://www.flickr.com/photos/forgetmeknottphotography/7003899183/sizes/l/in/photostre

Fortinet Solution Mapping with AWS Well-Architecture
 
Data Privacy By Design with AWS
Data Privacy By Design with AWSData Privacy By Design with AWS
Data Privacy By Design with AWS
 
Does Anyone Remember Enterprise Security Architecture?
Does Anyone Remember Enterprise Security Architecture?Does Anyone Remember Enterprise Security Architecture?
Does Anyone Remember Enterprise Security Architecture?
 
Decision Matrix for IoT Product Development
Decision Matrix for IoT Product DevelopmentDecision Matrix for IoT Product Development
Decision Matrix for IoT Product Development
 
Designing for Privacy in AWS cloud
Designing for Privacy in AWS cloudDesigning for Privacy in AWS cloud
Designing for Privacy in AWS cloud
 
Using Integrated Security Systems to Accommodate Expansion and Ensure Safety
Using Integrated Security Systems to Accommodate Expansion and Ensure SafetyUsing Integrated Security Systems to Accommodate Expansion and Ensure Safety
Using Integrated Security Systems to Accommodate Expansion and Ensure Safety
 
Cyber Security in The Cloud
Cyber Security in The CloudCyber Security in The Cloud
Cyber Security in The Cloud
 
AFAC session 2 - September 8, 2014
AFAC session 2 - September 8, 2014AFAC session 2 - September 8, 2014
AFAC session 2 - September 8, 2014
 
Winning Governance Strategies for the Technology Disruptions of our Time
Winning Governance Strategies for the Technology Disruptions of our TimeWinning Governance Strategies for the Technology Disruptions of our Time
Winning Governance Strategies for the Technology Disruptions of our Time
 
Girish Dambal Ver 1.1
Girish Dambal Ver 1.1Girish Dambal Ver 1.1
Girish Dambal Ver 1.1
 
Icinga Camp Bangalore - Enterprise exceptions
Icinga Camp Bangalore - Enterprise exceptions Icinga Camp Bangalore - Enterprise exceptions
Icinga Camp Bangalore - Enterprise exceptions
 
Plataforma de Operação e Simulação Cibernética
Plataforma de Operação e Simulação CibernéticaPlataforma de Operação e Simulação Cibernética
Plataforma de Operação e Simulação Cibernética
 
Final Presentation
Final PresentationFinal Presentation
Final Presentation
 
Techcello hp-arch workshop
Techcello hp-arch workshopTechcello hp-arch workshop
Techcello hp-arch workshop
 
Building multi tenant highly secured applications on .net for any cloud - dem...
Building multi tenant highly secured applications on .net for any cloud - dem...Building multi tenant highly secured applications on .net for any cloud - dem...
Building multi tenant highly secured applications on .net for any cloud - dem...
 

More from Sameer Paradia

Owasp Proactive Controls for Web developer
Owasp  Proactive Controls for Web developerOwasp  Proactive Controls for Web developer
Owasp Proactive Controls for Web developerSameer Paradia
 
Cyber War ( World War 3 )
Cyber War ( World War 3 )Cyber War ( World War 3 )
Cyber War ( World War 3 )Sameer Paradia
 
Product Management Lifecycle
Product Management LifecycleProduct Management Lifecycle
Product Management LifecycleSameer Paradia
 
IT - Enterprise Service Operation Center
IT - Enterprise Service Operation CenterIT - Enterprise Service Operation Center
IT - Enterprise Service Operation CenterSameer Paradia
 
Cloud Security - Made simple
Cloud Security - Made simpleCloud Security - Made simple
Cloud Security - Made simpleSameer Paradia
 

More from Sameer Paradia (6)

Owasp Proactive Controls for Web developer
Owasp  Proactive Controls for Web developerOwasp  Proactive Controls for Web developer
Owasp Proactive Controls for Web developer
 
Cyber War ( World War 3 )
Cyber War ( World War 3 )Cyber War ( World War 3 )
Cyber War ( World War 3 )
 
Product Management Lifecycle
Product Management LifecycleProduct Management Lifecycle
Product Management Lifecycle
 
IT - Enterprise Service Operation Center
IT - Enterprise Service Operation CenterIT - Enterprise Service Operation Center
IT - Enterprise Service Operation Center
 
IT Sourcing Strategy
IT Sourcing  StrategyIT Sourcing  Strategy
IT Sourcing Strategy
 
Cloud Security - Made simple
Cloud Security - Made simpleCloud Security - Made simple
Cloud Security - Made simple
 

Recently uploaded

10 must-have Chrome extensions for designers
10 must-have Chrome extensions for designers10 must-have Chrome extensions for designers
10 must-have Chrome extensions for designersPixeldarts
 
Iconic Global Solution - web design, Digital Marketing services
Iconic Global Solution - web design, Digital Marketing servicesIconic Global Solution - web design, Digital Marketing services
Iconic Global Solution - web design, Digital Marketing servicesIconic global solution
 
怎么办理英国Newcastle毕业证纽卡斯尔大学学位证书一手渠道
怎么办理英国Newcastle毕业证纽卡斯尔大学学位证书一手渠道怎么办理英国Newcastle毕业证纽卡斯尔大学学位证书一手渠道
怎么办理英国Newcastle毕业证纽卡斯尔大学学位证书一手渠道yrolcks
 
Niintendo Wii Presentation Template.pptx
Niintendo Wii Presentation Template.pptxNiintendo Wii Presentation Template.pptx
Niintendo Wii Presentation Template.pptxKevinYaelJimnezSanti
 
Karim apartment ideas 01 ppppppppppppppp
Karim apartment ideas 01 pppppppppppppppKarim apartment ideas 01 ppppppppppppppp
Karim apartment ideas 01 pppppppppppppppNadaMohammed714321
 
Piece by Piece Magazine
Piece by Piece Magazine                      Piece by Piece Magazine
Piece by Piece Magazine CharlottePulte
 
General Knowledge Quiz Game C++ CODE.pptx
General Knowledge Quiz Game C++ CODE.pptxGeneral Knowledge Quiz Game C++ CODE.pptx
General Knowledge Quiz Game C++ CODE.pptxmarckustrevion
 
办理卡尔顿大学毕业证成绩单|购买加拿大文凭证书
办理卡尔顿大学毕业证成绩单|购买加拿大文凭证书办理卡尔顿大学毕业证成绩单|购买加拿大文凭证书
办理卡尔顿大学毕业证成绩单|购买加拿大文凭证书zdzoqco
 
cda.pptx critical discourse analysis ppt
cda.pptx critical discourse analysis pptcda.pptx critical discourse analysis ppt
cda.pptx critical discourse analysis pptMaryamAfzal41
 
simpson-lee_house_dt20ajshsjsjsjsjj15.pdf
simpson-lee_house_dt20ajshsjsjsjsjj15.pdfsimpson-lee_house_dt20ajshsjsjsjsjj15.pdf
simpson-lee_house_dt20ajshsjsjsjsjj15.pdfLucyBonelli
 
world health day 2024.pptxgbbvggvbhjjjbbbb
world health day 2024.pptxgbbvggvbhjjjbbbbworld health day 2024.pptxgbbvggvbhjjjbbbb
world health day 2024.pptxgbbvggvbhjjjbbbbpreetirao780
 
guest bathroom white and bluesssssssssss
guest bathroom white and bluesssssssssssguest bathroom white and bluesssssssssss
guest bathroom white and bluesssssssssssNadaMohammed714321
 
Color Theory Explained for Noobs- Think360 Studio
Color Theory Explained for Noobs- Think360 StudioColor Theory Explained for Noobs- Think360 Studio
Color Theory Explained for Noobs- Think360 StudioThink360 Studio
 
AI and Design Vol. 2: Navigating the New Frontier - Morgenbooster
AI and Design Vol. 2: Navigating the New Frontier - MorgenboosterAI and Design Vol. 2: Navigating the New Frontier - Morgenbooster
AI and Design Vol. 2: Navigating the New Frontier - Morgenbooster1508 A/S
 
DAKSHIN BIHAR GRAMIN BANK: REDEFINING THE DIGITAL BANKING EXPERIENCE WITH A U...
DAKSHIN BIHAR GRAMIN BANK: REDEFINING THE DIGITAL BANKING EXPERIENCE WITH A U...DAKSHIN BIHAR GRAMIN BANK: REDEFINING THE DIGITAL BANKING EXPERIENCE WITH A U...
DAKSHIN BIHAR GRAMIN BANK: REDEFINING THE DIGITAL BANKING EXPERIENCE WITH A U...Rishabh Aryan
 
Karim apartment ideas 02 ppppppppppppppp
Karim apartment ideas 02 pppppppppppppppKarim apartment ideas 02 ppppppppppppppp
Karim apartment ideas 02 pppppppppppppppNadaMohammed714321
 
Map of St. Louis Parks
Map of St. Louis Parks                              Map of St. Louis Parks
Map of St. Louis Parks CharlottePulte
 
Interior Design for Office a cura di RMG Project Studio
Interior Design for Office a cura di RMG Project StudioInterior Design for Office a cura di RMG Project Studio
Interior Design for Office a cura di RMG Project StudioRMG Project Studio
 
group_15_empirya_p1projectIndustrial.pdf
group_15_empirya_p1projectIndustrial.pdfgroup_15_empirya_p1projectIndustrial.pdf
group_15_empirya_p1projectIndustrial.pdfneelspinoy
 
Pearl Disrtrict urban analyusis study pptx
Pearl Disrtrict urban analyusis study pptxPearl Disrtrict urban analyusis study pptx
Pearl Disrtrict urban analyusis study pptxDanielTamiru4
 

Recently uploaded (20)

10 must-have Chrome extensions for designers
10 must-have Chrome extensions for designers10 must-have Chrome extensions for designers
10 must-have Chrome extensions for designers
 
Iconic Global Solution - web design, Digital Marketing services
Iconic Global Solution - web design, Digital Marketing servicesIconic Global Solution - web design, Digital Marketing services
Iconic Global Solution - web design, Digital Marketing services
 
怎么办理英国Newcastle毕业证纽卡斯尔大学学位证书一手渠道
怎么办理英国Newcastle毕业证纽卡斯尔大学学位证书一手渠道怎么办理英国Newcastle毕业证纽卡斯尔大学学位证书一手渠道
怎么办理英国Newcastle毕业证纽卡斯尔大学学位证书一手渠道
 
Niintendo Wii Presentation Template.pptx
Niintendo Wii Presentation Template.pptxNiintendo Wii Presentation Template.pptx
Niintendo Wii Presentation Template.pptx
 
Karim apartment ideas 01 ppppppppppppppp
Karim apartment ideas 01 pppppppppppppppKarim apartment ideas 01 ppppppppppppppp
Karim apartment ideas 01 ppppppppppppppp
 
Piece by Piece Magazine
Piece by Piece Magazine                      Piece by Piece Magazine
Piece by Piece Magazine
 
General Knowledge Quiz Game C++ CODE.pptx
General Knowledge Quiz Game C++ CODE.pptxGeneral Knowledge Quiz Game C++ CODE.pptx
General Knowledge Quiz Game C++ CODE.pptx
 
办理卡尔顿大学毕业证成绩单|购买加拿大文凭证书
办理卡尔顿大学毕业证成绩单|购买加拿大文凭证书办理卡尔顿大学毕业证成绩单|购买加拿大文凭证书
办理卡尔顿大学毕业证成绩单|购买加拿大文凭证书
 
cda.pptx critical discourse analysis ppt
cda.pptx critical discourse analysis pptcda.pptx critical discourse analysis ppt
cda.pptx critical discourse analysis ppt
 
simpson-lee_house_dt20ajshsjsjsjsjj15.pdf
simpson-lee_house_dt20ajshsjsjsjsjj15.pdfsimpson-lee_house_dt20ajshsjsjsjsjj15.pdf
simpson-lee_house_dt20ajshsjsjsjsjj15.pdf
 
world health day 2024.pptxgbbvggvbhjjjbbbb
world health day 2024.pptxgbbvggvbhjjjbbbbworld health day 2024.pptxgbbvggvbhjjjbbbb
world health day 2024.pptxgbbvggvbhjjjbbbb
 
guest bathroom white and bluesssssssssss
guest bathroom white and bluesssssssssssguest bathroom white and bluesssssssssss
guest bathroom white and bluesssssssssss
 
Color Theory Explained for Noobs- Think360 Studio
Color Theory Explained for Noobs- Think360 StudioColor Theory Explained for Noobs- Think360 Studio
Color Theory Explained for Noobs- Think360 Studio
 
AI and Design Vol. 2: Navigating the New Frontier - Morgenbooster
AI and Design Vol. 2: Navigating the New Frontier - MorgenboosterAI and Design Vol. 2: Navigating the New Frontier - Morgenbooster
AI and Design Vol. 2: Navigating the New Frontier - Morgenbooster
 
DAKSHIN BIHAR GRAMIN BANK: REDEFINING THE DIGITAL BANKING EXPERIENCE WITH A U...
DAKSHIN BIHAR GRAMIN BANK: REDEFINING THE DIGITAL BANKING EXPERIENCE WITH A U...DAKSHIN BIHAR GRAMIN BANK: REDEFINING THE DIGITAL BANKING EXPERIENCE WITH A U...
DAKSHIN BIHAR GRAMIN BANK: REDEFINING THE DIGITAL BANKING EXPERIENCE WITH A U...
 
Karim apartment ideas 02 ppppppppppppppp
Karim apartment ideas 02 pppppppppppppppKarim apartment ideas 02 ppppppppppppppp
Karim apartment ideas 02 ppppppppppppppp
 
Map of St. Louis Parks
Map of St. Louis Parks                              Map of St. Louis Parks
Map of St. Louis Parks
 
Interior Design for Office a cura di RMG Project Studio
Interior Design for Office a cura di RMG Project StudioInterior Design for Office a cura di RMG Project Studio
Interior Design for Office a cura di RMG Project Studio
 
group_15_empirya_p1projectIndustrial.pdf
group_15_empirya_p1projectIndustrial.pdfgroup_15_empirya_p1projectIndustrial.pdf
group_15_empirya_p1projectIndustrial.pdf
 
Pearl Disrtrict urban analyusis study pptx
Pearl Disrtrict urban analyusis study pptxPearl Disrtrict urban analyusis study pptx
Pearl Disrtrict urban analyusis study pptx
 

Security Operation Center - Design & Build

1. Design and Build Security Operation Center
Sameer Paradia

2. Contents
• Presentation Objective
• Security Operation Center (SOC)
  – What is it? Why is it required?
• Designing SOC
• Building Blocks
  – Infrastructure
  – People
  – Process
  – Tools
  – Securing the SOC
• New Trends
• Acronyms

3. Objective of this Presentation
• Useful to both enterprise and service provider
• Insight into design methodology and components
• Define a framework from design to build of the SOC
• Define and roll out SOC services

4. (section divider)

5. Why SOC? Overcome Challenges
Stakeholder expectations:
• CFO: "Reduce TCO now, limit liability in future"
• IT: "Reduce risk, improve incident management"
• Business Head: "Protect Brand, ALWAYS!"
SOC goals:
• Aligned with business goals
• Shared service to reduce cost
• Improves risk posture

6. What is SOC?
• Operates 24x7 from a central offsite location
• Complete and proactive response to security incidents
• Predict security attacks and minimize their impact
• Implement security policy across the enterprise
• Reduce cost of security support by providing centralized remote support
• SOC delivers
  – Incident Management
  – Governance, Risk, Compliance
  – Monitoring and Management of Devices / Events
  – Implementation of security policy

7. (section divider)

8. Design Criteria
• Infrastructure
• Human Resources
• Process Management
• SOC Tools and Technologies
• Security Controls: Secure the SOC
• Link with government agencies and knowledge sites
9. Design Flow (steps One to Three)
One: Inputs for SOC design
a) Service catalogue based on business need / client requirements
b) EPS (events per second)
c) Number and types of devices under management
Two: Tools selection and design
a) EPS, number of devices
b) SLA, reporting
c) SIEM
d) Web portal, storage / backup
e) Connectivity
f) Integration of tools
Three: Human resources
a) One resource for management of 50 devices in a shift of 8 hours
b) One admin per 5-7 resources
c) One analyst per 10 resources
d) Tool management and consultants, based on the tools and GRC services offered

10. Design Flow (steps Four to Six)
Four: Service desk
a) Separate function
b) Receives and forwards calls, opens tickets, provides initial support
c) 12-15 calls per shift of 8 hours per resource
Five: Infrastructure
a) 55 square feet per seat (agent)
b) One seat means overall usable area including all facilities
Six: Power
Power usage and UPS capacity are to be calculated from the rated power usage of all tools and the uptime SLA

11. Design Flow (steps Seven to Nine)
Seven: Security Controls – Secure the SOC
a) Physical security
b) Information security
c) Authentication and access management
Eight: Compliance Management
a) Law of the region
b) ISMS
c) Data protection laws
Nine: Process Management
a) BAU day-to-day process / SOP
b) Foundation process
c) Service improvement
d) Governance process
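The staffing, seating, storage and power inputs of Design Flow steps One to Six, applied in one sizing model. This is an added example, not part of the original deck; it assumes 24x7 coverage as three 8-hour shifts, a 20% leave-cover factor, a 500-byte average event size and a 0.8 UPS power factor with 25% headroom, none of which the slides state.

```python
from dataclasses import dataclass
from math import ceil

# Ratios stated on the deck's Design Flow slides (steps Three to Five).
DEVICES_PER_OPERATOR = 50     # one resource manages 50 devices in an 8-hour shift
OPERATORS_PER_ADMIN = (5, 7)  # one admin per 5-7 resources (tight, loose)
OPERATORS_PER_ANALYST = 10    # one analyst per 10 resources
CALLS_PER_AGENT = (12, 15)    # 12-15 service-desk calls per 8-hour shift per resource
SQFT_PER_SEAT = 55            # 55 square feet of usable area per seat

# Assumptions of this example, not figures from the deck.
SHIFTS_PER_DAY = 3            # 24x7 operation as three 8-hour shifts
LEAVE_COVER_FACTOR = 1.2      # 20% extra heads for leave, sickness and training
AVG_EVENT_BYTES = 500         # average stored event size for log storage sizing
UPS_POWER_FACTOR = 0.8        # kW to kVA conversion for the UPS
UPS_HEADROOM = 1.25           # 25% growth headroom on the rated load


@dataclass(frozen=True)
class SocSizing:
    operators_per_shift: int
    admins_per_shift: int
    analysts_per_shift: int
    desk_agents_per_shift: int
    seats: int            # concurrent seats, i.e. one full shift
    headcount: int        # total staff across all shifts including leave cover
    floor_area_sqft: int
    log_storage_gb: float
    ups_kva: float


def log_storage_gb(eps: float, retention_days: int) -> float:
    """Raw log volume over the retention window, driven by the EPS input of step One."""
    total_bytes = eps * AVG_EVENT_BYTES * 86_400 * retention_days
    return round(total_bytes / 1e9, 1)


def ups_kva(rated_power_kw: float) -> float:
    """UPS capacity from the rated power of all tools (step Six), with headroom."""
    return round(rated_power_kw / UPS_POWER_FACTOR * UPS_HEADROOM, 1)


def size_soc(devices: int, calls_per_day: int, eps: float, rated_power_kw: float,
             retention_days: int = 90, conservative: bool = True) -> SocSizing:
    """Apply the deck's ratios to one shift, then scale to round-the-clock coverage.

    conservative=True takes the demanding end of each stated range (one admin per
    5 operators, 12 calls per agent); False takes the lenient end (7 and 15).
    """
    if devices <= 0:
        raise ValueError("a SOC needs at least one device under management")
    ops_per_admin = OPERATORS_PER_ADMIN[0] if conservative else OPERATORS_PER_ADMIN[1]
    calls_per_agent = CALLS_PER_AGENT[0] if conservative else CALLS_PER_AGENT[1]

    operators = ceil(devices / DEVICES_PER_OPERATOR)
    admins = ceil(operators / ops_per_admin)
    analysts = ceil(operators / OPERATORS_PER_ANALYST)
    # Calls arrive around the clock; spread them evenly over the shifts.
    calls_per_shift = ceil(calls_per_day / SHIFTS_PER_DAY)
    desk_agents = ceil(calls_per_shift / calls_per_agent)

    seats = operators + admins + analysts + desk_agents
    headcount = ceil(seats * SHIFTS_PER_DAY * LEAVE_COVER_FACTOR)
    return SocSizing(
        operators_per_shift=operators,
        admins_per_shift=admins,
        analysts_per_shift=analysts,
        desk_agents_per_shift=desk_agents,
        seats=seats,
        headcount=headcount,
        floor_area_sqft=seats * SQFT_PER_SEAT,
        log_storage_gb=log_storage_gb(eps, retention_days),
        ups_kva=ups_kva(rated_power_kw),
    )


if __name__ == "__main__":
    # Constructed input: 600 devices, 90 desk calls a day, 2000 EPS, 40 kW rated load.
    sizing = size_soc(devices=600, calls_per_day=90, eps=2000, rated_power_kw=40)
    for name, value in vars(sizing).items():
        print(f"{name:22} {value}")
```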
12. Build SOC Approach
Stages from strategic through tactical to operational: Engage, Business Case, Design / Secure, Build & Transition, Run & Support, Manage
• Engage (strategic): risk assessment, business requirement
• Business case (strategic): business case, planning
• Design / Secure (tactical): designing, SOC detailed design, process framing, SOC security design
• Build & Transition (tactical): infra / tools implementation, SOC process setup
• Run & Support (operational): day-to-day operations, delivery of the service catalog
• Manage (across all stages): project management, resource management, improvement plan
• A SOC service catalog needs to be put in place
• Phase-wise rollout of services is advisable

13. Building SOC Approach: Detailed Steps
• Engage (business): business requirement analysis, demand management, risk assessment, service level management
• Business case and plan (strategic): IT strategy planning, IT governance, security architecture / policies and standards, develop and approve business case, program portfolio management
• Manage: IT finance and resource management, IT human resource management, project management, knowledge management, work request management, monitor and report performance, quality and improvement
• Design and secure (tactical): security service catalog, supplier management, availability and capacity management, IT service continuity management, security management, SOC detailed engineering
• Build and transition (tactical): build SOC, service transition and planning, service validation / testing, service evaluation, release and deployment management, change management
• Support (operational): service request fulfillment, incident management, problem management, access management
• Run, operate and control (operational): event management, operations, device management, application management, service asset and configuration management

14. SOC Service Catalogue (diagram, reconstructed as lists)
Service lifecycle: consult, assess, define, plan, design, build, deliver, operate, monitor, analyze, project management
Operations (perimeter / datacentre)
• Device management: firewalls / VPN, IDS / IPS, UTM, gateway-level security, datacentre security, DLP
• Incident, change and asset management
• Remote configuration and backup of logs; remote support for new projects
• Patch management / software upgrades
• Log analysis, event management, reporting
• Policy compliance
Security technology
• Device-level security, end-user security
• Endpoint security, anti-virus
• Web security / URL filtering, mail security, content security
• Application security, analytics
• Identity / access management, multi-factor authentication, encryption, federation / SSO
Security assurance and assessment services
• Risk management
• Security management framework assessment
• Policy gap assessments
• Penetration testing and vulnerability assessment
• Governance monitoring
• Technology and architecture reviews
• Black box testing, white box testing
Advanced services
• Forensic / investigation
• Governance, risk management, compliance
• Service assurance, abuse prevention
• Call service management, IPT availability
• Malware analysis
• Suspicious activity monitoring
Security strategy
• Define security framework
• Security policy framing
• Audit policy enforcement
Advisory services
• CERT integration
• Risk assessment, risk mitigation plan, risk repository
• VA / PT, ethical hacking
• Gap analysis
• Threat management / assessment
• Technological architecture assessment for data, voice and video
• Log analysis
• Security policy assessment, data protection assessment, DLP management
• Information Act compliance assessment
• Violation of security policy, endpoint policy assessment
• Reporting
• Maintenance of BCP / DR management

15. Phase-wise Service Launch
1st Phase
• Start with basic perimeter / datacentre security services
• Event monitoring, device / policy management, incident / change / asset management
• Integrate networking equipment security into the SOC
Services: a) Firewall / VPN (IPSEC / SSL) b) IPS / IDS c) UTM (Unified Threat Management) d) Vulnerability assessment e) Event correlation and incident / change / asset management f) Gateway-level antivirus g) Datacenter security
2nd Phase
• Expand to endpoint and cloud-based security
• Bring endpoint machines / BYOD under SOC monitoring / management
Services: a) In-the-cloud services: clean Internet pipe, DDoS protection, secure mail, secure web access b) Endpoint security c) URL filter / secure proxy d) Information leak prevention e) Datacenter / application level: penetration testing, ethical hacking
3rd Phase
• GRC-related services
• Consultancy services
• Forensic service
• Application-level testing / security
• Business process monitoring and fraud alerts
Services: a) Identity management b) Database security c) Application security for web, SAP, portal, database etc. d) Compliance with ISMS and country-specific IT / data protection acts e) Fraud management f) Forensic / investigation
16. (section divider)

17. Infrastructure Blocks of SOC
• SOC office space: minimum 55 sq ft per seat
  – Structured and secured LAN cabling
  – Same types of furniture and PCs / monitors / hardware
  – Video walls
  – Scalable area on the same floor / building
  – Card access and biometric access controls
• Power: mains and backup UPS / DG set; electrician available for emergencies
  – PDP (power distribution panels) / emergency power switching panel
  – DG set: diesel storage area
  – Lighting in the facility / energy saving plan
• Precision air conditioning
• Datacentre: rack space to host tools and customer-facing portals
  – Hosts the customer-facing portal, SIEM, NMS, service desk, storage and backup tools
  – Storage for logs and configurations of IT assets
  – Backup devices and tape library

18. Infrastructure Blocks of SOC (continued)
• Various control rooms need to be in place:
  – Building Management System (BMS) room: centralized monitoring room, integrated with video surveillance, visitor management system and fire management system
  – Security surveillance room: same room as BMS
  – Fire management systems: same room as BMS
• Connectivity:
  – MUX room to terminate the various telecom links from customer premises; feasibility for this must be in place
  – VPN concentrator: to connect to customers over the Internet using IPSEC VPN / SSL VPN

19. Visitor Lounge / Presentation Area
Visitor lounge
• Customers visit the SOC to audit the infrastructure as per the signed contract
• Must be in a quarantined area for interaction with SOC staff
• A secured PC is to be provided in case visitors need to access their systems
• An NDA must be signed by visitors
Presentation area
• The SOC needs a separate area at the entrance, physically isolated from the SOC seating area by a glass wall with curtain
• The presentation / conference hall should be able to accommodate enough people
• Equipped with projectors / video conferencing facility

20. War Room
• The war room is a dedicated space where the entire team responsible for major incident resolution meets to handle the issue
• The team needs to interact with customers and partners to resolve the incident
• Equipped with communication facilities: LAN, voice, video conference
• A separate war room ensures that other SOC operations teams are not disturbed and that customer issue confidentiality is maintained

21. (section divider)
22. SOC Governance Model
• SOC team: SOC Manager, Incident Response, Monitoring Team, Technical / Tools Admin, Analyst / SME, Forensic Expert, Service Desk
• Executive management: Board / Shareholders, CEO / COO, CFO / CIO, CISO
• Risk and assurance: Risk Manager, Auditor / Consultant, Organization Risk Management, Information Security
• Internal teams: Business Head, Admin / HR, Legal, Compliance, Sales, Branding
• External stakeholders: Partners, Vendors / Suppliers
• External requirements: country legislation, data protection laws, industry-specific compliance, industry best practice

23. SOC People
Analyst
• Expert in security technology and process
• Understands attacks and the threat matrix
• Good at low-level programming languages
• Extremely good at reaching the root cause
• Thinks out of the box
• Understands viruses, Trojans, backdoors, malicious code
• Drives people
• Proactive by nature
Tech admins
• Expert in security, OS, network, web technology, database
• Configure tools and security technologies
• Great at low-level design
• Frame and implement security policies in the technologies under the SOC
• Forensic expert
• Quick at incident response
• Can interact with and drive vendors, OEMs and government bodies
Management
• Leadership to bring all stakeholders together
• Stitches together the solutions from different teams and drives them to conclusion
• Understands the security posture and is able to guide the team
• Good communication skills

24. (section divider)
25. SOC Process Framework (diagram, reconstructed as lists)
Process areas: BAU SOC operation process; tools and technology; human resources process; GRC; forensic; consultancy; BCP-DR; foundation process; SOC governance
• BAU SOC operation: event monitoring; event triage, correlation and routing; event fusion and use cases; incident management, incident analysis, major attack response; problem management; change, release and configuration management; service desk; access / user management; SOC infra / application management; system modelling; reporting, realtime dashboard, analysis, portal
• Tools and technology: existing tool management, updates and testing; security tools such as SIEM, VA, NMS / EMS, service desk, web portal, backup, storage, middleware; integration with current and new tools and client systems; transition and onboarding of new devices with the tools; POC of new releases and upcoming technologies
• Human resources: people operations, shift scheduling, daily checklist, training, talent management, new project management
• Foundation process: QMS / KEDB / documentation / improvement; SOP development and review; QMS / SOC process; KPI and KGI; best practice; CERT feed; SOC ISMS / law compliance
• GRC, forensic, consultancy and BCP-DR: log management, testing, advisory, support; project management; fusion, analysis, reporting

26. SOC Process
The number of processes and procedures for a SOC is determined by its scope, how many services are offered, the number of customers supported, and the number of different technologies in use. An established global SOC environment may have tens or even hundreds of procedures. At a minimum, the basic procedures required for maintaining the SOC are:
• Monitoring procedure
• Notification procedure (email, mobile, home, chat, etc.)
• Notification and escalation processes
• Transition of daily SOC services
• Shift logging procedures
• Incident logging procedures
• Compliance monitoring procedure
• Report development procedure
• Dashboard creation procedure
• Incident investigation procedures (malware, etc.)
• SIEM monitoring and correlation
• Antivirus monitoring and logging
• Network and host IDS / IPS monitoring and logging
• Network and host DLP monitoring and logging
• Centralized logging platforms (syslog, etc.)
• Email and spam gateway and filtering
• Web gateway and filtering
• Threat monitoring and intelligence
• Firewall monitoring and management
• Application whitelisting or file integrity monitoring
• Vulnerability assessment and monitoring

27. GRC
Compliance with the law of the region, data protection law and InfoSec policy, run as a cycle:
• Define risk control / risk governance
  – Framing of security policy based on gap analysis
  – Mapping of IT laws to the security policy
  – Set objectives and form a steering committee
• Implementation
  – Implement and manage IT controls / checkpoints
• Periodic assessment
  – Review of security posture and risk profile
  – Periodic assessment / audit
  – Reporting of compliance status to management
• Sustain controls, leading to the state of control

28. Forensics Process
• Acquisition
  – Physically or remotely obtaining possession of the computer, all network mappings from the system, and external physical storage devices
• Identification (technical analysis)
  – Identifying what data could be recovered and electronically retrieving it by running various computer forensic tools and software suites
• Evaluation (what the lawyers do)
  – Evaluating the information / data recovered to determine if and how it could be used against the suspect for employment termination or prosecution in court
• Presentation
  – Presentation of evidence in a manner understood by lawyers and non-technical staff and suitable as evidence as determined by a court of law

29. Challenges in Forensics
• Acquisition
  – Handling huge volumes
  – Identifying and taking control of equipment
• Identification (technical analysis)
  – Correlating data from various technologies and equipment
  – Speed of processing
• Evaluation (what the lawyers do)
  – Defending evidence in court by the police
• Presentation
  – Relating evidence to law clauses (IPC)
  – Creation of supporting cases

30. (section divider)
31. SOC Tools Modules
1. Event generators
• All devices / software under the SOC
• Log generators
• External feeds, e.g. CERT
2. Event collectors
• Local as well as central devices that collect and normalize a huge volume of events / logs into a few useful messages, device status and alerts
• NMS / EMS / service desk
3. Message database
• Analyze and display messages as per the configured policy
4. Knowledge base
• System modelling is configured based on risk management, threats and the actions taken by the security controls / policy deployed
• Real-time event correlation, creating incidents based on the risk posture fed into it
5. Client / user-facing portal
• Hosts reports, analysis, knowledge management, real-time status and events

32. Working of SOC Tools (data flow diagram)
• Event sources: VA / RA tools, IPS, network equipment, OS, applications, firewall
• Collection methods: polling, syslog, SNMP, SMTP, HTTP / XML, proprietary
• Collected events become messages, status and alerts
• Processing: incident handling, analysis, real-time monitoring, correlation
• Reference data consulted: client configuration records, security policy, customer status, vulnerability DB, system modelling
• Outputs: status integrity, risk evaluation, security activity, system status

33. Key Tools for SOC
Support tools
• Storage and backup
• Syslog server
• FTP server
• Client-facing web portal for reports / status updates
• Device management servers
Tool categories in the diagram: SOC core technology and services; service desk (ITIL process automation to strengthen the service desk and SOC process management); analytics / reporting; assess; prevent; device management and client-facing portal
Tools named in the diagram: SIEM, NMS / EMS, GRC tool, authentication / IDM, patch management, log analyzer / storage, network and OS scanner, OS / DB / network scanner, VA / PT assessment, registry scanner, packet analyzer, traffic generator, forensic tools, honeypot, certificate authority, encryption key generator, password recovery / EH tool, web portal, device management servers

34. Tools Integration (layered diagram)
• Users
• Portal: reports / analysis / realtime dashboard
• Middleware API: correlation and integration layer
• Tool layer: SIEM; SD / NMS / EMS; device status database / KEDB; GRC tools; device management; VA / PT / EH
• Polling engine / data flow carrying events and incidents
• System modelling and security policy feeding the correlation layer
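The event generator, collector, correlation and risk-evaluation chain described on slides 31, 32 and 34, as a small working pipeline. This is an added example, not the deck's own tooling; the three log line formats, the hosts, addresses and asset criticality values are constructed for the example, and the brute-force rule stands in for the deck's "use cases".

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class Event:
    """Common schema every collector normalises into (slide 31, event collectors)."""
    ts: datetime
    device: str   # event generator that produced the record
    kind: str     # auth_fail, auth_ok, ips_alert, fw_allow or fw_deny
    src_ip: str
    target: str   # asset the activity was directed at

@dataclass
class Incident:
    rule: str
    src_ip: str
    target: str
    first_seen: datetime
    last_seen: datetime
    event_count: int   # raw events fused into this one incident
    priority: str

# Constructed system model: asset criticality 1 (low) to 5 (crown jewel).
ASSET_CRITICALITY = {"db01": 5, "web01": 3, "wks-17": 1}

# One parser per event generator. The three line formats are invented for this
# example and follow no particular vendor's syntax.
PARSERS = [
    ("sshd", re.compile(r"^(?P<ts>\S+) (?P<host>\S+) sshd: (?P<res>Failed|Accepted) "
                        r"password for (?P<user>\S+) from (?P<ip>[\d.]+)")),
    ("fw", re.compile(r"^(?P<ts>\S+) (?P<host>\S+) fw: action=(?P<act>allow|deny) "
                      r"src=(?P<ip>[\d.]+) dst=(?P<dst>\S+)")),
    ("ips", re.compile(r'^(?P<ts>\S+) (?P<host>\S+) ips: sig="(?P<sig>[^"]+)" '
                       r"src=(?P<ip>[\d.]+) dst=(?P<dst>\S+)")),
]

def normalize(line: str):
    """Map one raw line onto the Event schema; return None when no collector matches."""
    for name, rx in PARSERS:
        m = rx.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S")
        if name == "sshd":
            kind = "auth_ok" if m["res"] == "Accepted" else "auth_fail"
            return Event(ts, m["host"], kind, m["ip"], m["host"])
        if name == "fw":
            return Event(ts, m["host"], "fw_" + m["act"], m["ip"], m["dst"])
        return Event(ts, m["host"], "ips_alert", m["ip"], m["dst"])
    return None

def priority_for(target: str, base_severity: int) -> str:
    """Risk evaluation (slide 32): rule severity weighted by the asset's criticality."""
    score = base_severity * ASSET_CRITICALITY.get(target, 2)  # unknown asset: medium
    return "P1" if score >= 12 else "P2" if score >= 6 else "P3"

def correlate(events, threshold=3, window=timedelta(minutes=5)):
    """Use case: at least `threshold` auth_fail from one source to one target within
    `window`, followed by an auth_ok from that source, is fused into one incident."""
    incidents = []
    fails = defaultdict(list)  # (src_ip, target) -> timestamps of recent failures
    for ev in sorted(events, key=lambda e: e.ts):
        key = (ev.src_ip, ev.target)
        if ev.kind == "auth_fail":
            fails[key] = [t for t in fails[key] if ev.ts - t <= window] + [ev.ts]
        elif ev.kind == "auth_ok" and len(fails[key]) >= threshold:
            incidents.append(Incident(
                rule="brute-force-then-success", src_ip=ev.src_ip, target=ev.target,
                first_seen=fails[key][0], last_seen=ev.ts,
                event_count=len(fails[key]) + 1,
                priority=priority_for(ev.target, base_severity=4)))
            fails[key] = []
    return incidents

# Constructed feed: a burst of failures then a success against db01, benign noise,
# and one line no collector understands.
SAMPLE_LOGS = [
    "2024-04-01T09:00:01 fw01 fw: action=allow src=198.51.100.9 dst=db01",
    "2024-04-01T09:00:02 db01 sshd: Failed password for root from 198.51.100.9",
    "2024-04-01T09:00:04 db01 sshd: Failed password for root from 198.51.100.9",
    "2024-04-01T09:00:07 db01 sshd: Failed password for admin from 198.51.100.9",
    '2024-04-01T09:00:09 ips01 ips: sig="SSH brute force attempt" src=198.51.100.9 dst=db01',
    "2024-04-01T09:00:15 db01 sshd: Accepted password for admin from 198.51.100.9",
    "2024-04-01T09:01:00 wks-17 sshd: Failed password for bob from 10.0.5.20",
    "2024-04-01T09:01:30 wks-17 sshd: Accepted password for bob from 10.0.5.20",
    "2024-04-01T09:02:00 fw01 fw: action=deny src=203.0.113.4 dst=web01",
    "this line is not in any format the collectors know",
]

def run_pipeline(lines):
    """Collect, normalise, correlate: returns (events, incidents)."""
    events = [e for e in map(normalize, lines) if e is not None]
    return events, correlate(events)
```

`run_pipeline(SAMPLE_LOGS)` normalises nine of the ten constructed lines and fuses the four db01 login events into a single P1 incident; the lone failure on wks-17 stays below the threshold.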
35. (section divider)
  • 36. Securing the SOC- Security Controls It is imperative to protect SOC environment with following controls • Layered security – Information security for SOC users and Information – Physical security for SOC users, visitors and Infrastructure – Common security layer for entire information and based on contract additional security controls implemented • Information Security for SOC users and Infrastructure – Process level: ISMS(Information Security Management System) – Integration of security controls with SIEM/ Service desk tools – IDM: Authentication and Identity access management, Multi factor authentication – Network level: Firewall, IPS, VPN, Antivirus, Web filter software` – Desktop level: Antivirus, security compliance, Strong authentication and access control – Datacentre level: Firewall, IPS, VPN, Antivirus, Host based IDS – Access log: Syslog server for user audit trail and analysis
  • 37. Securing the SOC - Physical Security Controls
    For SOC users, visitors and infrastructure:
    – Security guards on round-the-clock duty
    – Video surveillance: monitor human movement
    – Biometric controls: for access to the datacenter and critical SOC areas
    – Tape vault: to store the generated logs and backups on tape, where log retention is a statutory requirement
    – Access card: to operate doors and control movement in and out of the SOC
    – Visitor Management System: register entry, generate passes and badge cards for visitors
    – Glass and other barriers to create dedicated space for certain clients within the SOC
  • 39. Summary of future SOC and new trends
    • Future SOC will spend more time on security analytics and less on device monitoring
    • New-age SOC will devote more resources to identifying new, unknown threats / malware / malicious code and less to blacklisting known threats after attacks
    • Big Data will be part of the SOC tool set
    • Out-of-the-box SOC, requiring less integration work between the different tools in the SOC
    • Integration with social sites to understand human behaviour and predict attacks
    • Integration with national agencies and international CERTs for uniform and instant response to attacks
    • Able to counter attacks and stop further activity by attackers from the internet or internal users
    • SOC will act as the single agency to prevent security incidents and fraud in e-systems and to ensure compliance with regional laws across geographic boundaries
    • Will proactively provide alerts for financial fraud and violations in business processes
  • 40. Acronyms
    • API - Application Programming Interface
    • BAU - Business As Usual (daily operations)
    • BCP / DR - Business Continuity Plan / Disaster Recovery Plan
    • BYOD - Bring Your Own Device
    • CEO - Chief Executive Officer
    • CERT - Computer Emergency Response Team
    • CFO - Chief Finance Officer
    • CISO - Chief Information Security Officer
    • COO - Chief Operating Officer
    • DDOS - Distributed Denial of Service attack
    • DG - Diesel Generator
    • DLP - Data Leak Prevention
    • EH - Ethical Hacking
    • EMS - Enterprise Management System, used for datacenter device monitoring
    • EPS - Events Per Second
    • GRC - Governance, Risk, Compliance
    • IDS - Intrusion Detection System
    • IPS - Intrusion Prevention System
    • ISMS - Information Security Management System
    • ITIL - Information Technology Infrastructure Library
    • KEDB - Known Error Database
    • KGI - Key Goal Indicator
    • KPI - Key Performance Indicator
    • NDA - Non Disclosure Agreement
    • NMS - Network Management System
    • NOC - Network Operation Center
    • OEM - Original Equipment Manufacturer
    • OS - Operating System
    • PC - Personal Computer
    • PT - Penetration Testing
    • SD - Service Desk
    • SIEM - Security Information and Event Management
    • SLA - Service Level Agreement
    • SOC - Security Operation Center
    • UTM - Unified Threat Management
    • VA - Vulnerability Assessment
    • VPN - Virtual Private Network
  • 41. Sameer Paradia (CGEIT, CISM, CISSP) (sameer_m_paradia@yahoo.com)
    Practicing IT Security Services and Outsourcing for the past 22+ years
    Photo acknowledgment:
    https://www.flickr.com/photos/babalas_shipyards/5339531237/in/photostream/
    http://www.flickr.com/photos/forgetmeknottphotography/7003899183/sizes/l/in/photostre