SOC
Definition
A Security Operations Center (SOC) is the centralized team and facility within an organization responsible for monitoring, detecting, analyzing, and responding to cybersecurity incidents. It protects the organization's information systems by combining tooling (log collection, a SIEM, detection rules, alerting) with defined processes for triage, escalation, and response. Because attackers do not keep office hours, a SOC operates continuously, typically 24/7, so that threats are identified and contained before they cause lasting damage.
Secure Settings Example
# Example SOC configuration for a SIEM tool
alerting:
  enabled: true
  threshold: 5            # matching events before a rule raises an alert (tool-specific meaning)
  actions:                # every alert must reach a human or a workflow
    - type: email
      recipients:
        - security-team@example.com
    - type: webhook
      url: https://webhook.example.com/alert
monitoring:
  log_sources:            # all critical telemetry sources stay enabled
    - type: firewall
      enabled: true
    - type: IDS
      enabled: true
    - type: endpoint
      enabled: true
  retention_period: 90d   # long enough to investigate incidents discovered late
access_control:           # least privilege: analysts read, only admins change the platform
  - role: analyst
    permissions: read
  - role: admin
    permissions: read, write, configure
Insecure Settings Example
# Example of insecure SOC configuration
alerting:
  enabled: false          # Alerts are disabled, leading to missed incidents
monitoring:
  log_sources:
    - type: firewall
      enabled: false      # Critical log source is disabled
    - type: IDS
      enabled: false      # Critical log source is disabled
  retention_period: 7d    # Insufficient log retention period
access_control:
  - role: analyst
    permissions: read, write, configure   # Excessive permissions for analysts
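The difference between the two configurations above is exactly the kind of check a SOC should run automatically, before a SIEM config is deployed, rather than discover during an incident. The following is an added example, not code from the original page or from any particular SIEM product: it transcribes both configurations as Python dicts (constructed here so the check runs offline without a YAML library) and audits them against the secure baseline. The rule names, the 90-day retention floor, the set of "critical" log sources and the assumption that only the admin role may hold write/configure permissions are assumptions chosen to match the secure example, not settings any tool defines.

```python
"""Audit a SIEM/SOC configuration against the secure baseline on this page.

Added example; the configs below are constructed transcriptions of the page's
two YAML examples, and all thresholds/role policies are assumptions.
"""
import re

MIN_RETENTION_DAYS = 90                      # assumed floor, from the secure example
CRITICAL_SOURCES = {"firewall", "IDS", "endpoint"}   # sources the page treats as critical
PRIVILEGED_PERMS = {"write", "configure"}
PRIVILEGED_ROLES = {"admin"}                  # assumed: only admins may change the platform

_DURATION = re.compile(r"^\s*(\d+)\s*([hdwy])\s*$")
_HOURS = {"h": 1, "d": 24, "w": 24 * 7, "y": 24 * 365}


def retention_days(value):
    """Convert a retention string such as '90d', '12w' or '168h' to days.

    Malformed input raises ValueError instead of being silently accepted,
    because an unparseable value usually means the setting is not applied.
    """
    m = _DURATION.match(str(value))
    if not m:
        raise ValueError(f"unparseable retention_period: {value!r}")
    return int(m.group(1)) * _HOURS[m.group(2)] / 24


def permissions(entry):
    """Normalise 'read, write, configure' (a string) or a YAML list to a set."""
    p = entry.get("permissions", [])
    if isinstance(p, str):
        p = p.split(",")
    return {x.strip() for x in p if x.strip()}


def audit_config(cfg):
    """Return a list of findings; an empty list means the config meets the baseline."""
    findings = []
    alerting = cfg.get("alerting", {})
    if not alerting.get("enabled", False):
        findings.append("alerting.enabled is false: incidents will not be raised")
    elif not alerting.get("actions"):
        findings.append("alerting has no actions: alerts fire but reach nobody")

    monitoring = cfg.get("monitoring", {})
    enabled = {s.get("type") for s in monitoring.get("log_sources", []) if s.get("enabled", False)}
    for src in sorted(CRITICAL_SOURCES - enabled):       # missing counts the same as disabled
        findings.append(f"critical log source '{src}' is missing or disabled")

    ret = monitoring.get("retention_period")
    try:
        if retention_days(ret) < MIN_RETENTION_DAYS:
            findings.append(f"retention_period {ret} is below {MIN_RETENTION_DAYS}d")
    except ValueError as e:
        findings.append(str(e))

    for entry in cfg.get("access_control", []):
        role = entry.get("role")
        extra = permissions(entry) & PRIVILEGED_PERMS
        if extra and role not in PRIVILEGED_ROLES:
            findings.append(f"role '{role}' has privileged permissions {sorted(extra)}")
    return findings


# Constructed transcriptions of the two YAML examples on this page.
SECURE_CONFIG = {
    "alerting": {"enabled": True, "threshold": 5, "actions": [
        {"type": "email", "recipients": ["security-team@example.com"]},
        {"type": "webhook", "url": "https://webhook.example.com/alert"}]},
    "monitoring": {"log_sources": [
        {"type": "firewall", "enabled": True},
        {"type": "IDS", "enabled": True},
        {"type": "endpoint", "enabled": True}], "retention_period": "90d"},
    "access_control": [
        {"role": "analyst", "permissions": "read"},
        {"role": "admin", "permissions": "read, write, configure"}],
}
INSECURE_CONFIG = {
    "alerting": {"enabled": False},
    "monitoring": {"log_sources": [
        {"type": "firewall", "enabled": False},
        {"type": "IDS", "enabled": False}], "retention_period": "7d"},
    "access_control": [{"role": "analyst", "permissions": "read, write, configure"}],
}

if __name__ == "__main__":
    for name, cfg in (("secure", SECURE_CONFIG), ("insecure", INSECURE_CONFIG)):
        print(name, audit_config(cfg) or ["OK"])
```

Run against the insecure example the audit reports six findings: alerting off, the firewall and IDS sources disabled, the endpoint source absent altogether, retention of 7d below the floor, and the analyst role holding write and configure. Treating an absent log source the same as a disabled one matters in practice, since a source that silently drops out of the config is just as blind a spot as one switched off.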