1. Introduction
A Cyber Security Operations Center (CSOC) is a centralized operational facility that continually monitors, identifies, analyzes, and defends against cyber-attacks and threats. A CSOC should have clear visibility into the data and situational awareness (SA) to enrich cyber analysis with local and global contextual information for the identification and detection of threats (Carson Zimmerman, 2014). Cyber adversaries have acquired machine intelligence capabilities to deploy state-of-the-art, sophisticated, and autonomous tools to launch threats (Omid E. David & Nathan S. Netanyahu, July 2015) (Kevin M. Peters, March 2019) (Konstantinos Demertzis, Lazaros Iliadis, April 2015). A continuous war of attrition between defenders and attackers (James P. Farwell & Rafal Rohozinski, August 2012) has reached a state in which attack objects such as malware are becoming self-aware and smart and are able to successfully penetrate defenses, as demonstrated by recent breaches and attacks (Sana Siddiqui, Muhammad Salman Khan, Ken Ferens, & Witold Kinsner, March 2016) (Sana Siddiqui, Muhammad Salman Khan, Ken Ferens, & Witold Kinsner, July 2017) (Kate O'Flaherty, December 2018) (Sana Siddiqui, May 2017). One of the main problems lies in keeping up with the ever-changing Tactics, Techniques, and Procedures (TTPs) of attacks that mutate and use advanced intelligent techniques to hide their patterns; such attacks remain beyond the reach of state-of-the-art defense tools such as firewalls, Intrusion Detection/Prevention Systems (IDS/IPS), and anti-malware technologies (Muhammad Salman Khan, December 2018).
In the current landscape of rapidly evolving cyber threats, a CSOC must be equipped with an advanced suite of tools and technological products that provide complete visibility into the environment and ensure the required security posture of the organization, based on risk analysis and on processes run by a qualified security team. The required defense technologies should be identified based on both the current skill set of the Security Operation Center (SOC) team and planned future training requirements. A CSOC should have a capability maturity improvement model to continually enhance its security capabilities. At a minimum, a CSOC should have four capabilities (Babu Veerappa Srinivas, n.d.): (1) Protection and Detection Technologies such as Firewalls, Antivirus, Intrusion Detection System, Intrusion Prevention System, Honeypots, Sandboxes, Endpoint Threat Detection and Response, Malware Analysis, and Forensics; (2) Analytical and Correlation Platforms such as Security Analytics, SIEM, and Visualization Tools; (3) Orchestration Tools such as Workflow Management, Response Orchestration, and Case Management; and (4) Threat Hunting and Intelligence.