How to set up and run the Security Operations Center

A modern Cyber Security Operations Centre (CSOC) should have everything you need to intelligently protect an ever-changing information technology (IT) business.

This includes a wide range of advanced detection and prevention technologies, a virtual sea of cyber analysis reports and access to a fast-growing pool of talented IT professionals. Yet most CSOCs still fail to retain their opponents – even the most demanding companies.

Ensuring the confidentiality, integrity and availability of a company’s modern information technology (IT) is an important task.

It encompasses many tasks, from robust system development and configuration management (CM) to effective cyber or information security policies (IS) and extensive staff training.

It should also cover cyber security operations where a group of people are responsible for controlling and protecting an organisation against all cyber attacks.

What is the SOC?

The NCS is a team consisting mainly of security analysts, organized to detect, analyze, respond, report and prevent cybersecurity incidents.

The practice of protection against unauthorised activities on computer networks, including monitoring, detection, analysis (e.g. trend and pattern analysis) and response and recovery activities.

Many terms are used to refer to a group of cyber security experts set up for the implementation of CND.

These include :

  • Computer Security Incident Response Team (CSIRT)
  • Computer Incident Response Team (CBR)
  • Computer Incident Response Centre (of Opportunity) (IARC)
  • Computer Security Incident Response Centre (of Capabilities) (CSIRC)
  • Security Centre (SOC)
  • Cyber Security Operations Centre (CSOC)
  • Computer Emergency Response Team (CERT). Continued Windows Server Management.

In order to be considered an SOS, an organisation must be considered an SOS:

  • 1. Provide tools for voters to report suspicious Internet security incidents.
  • 2. Assistance to voters in the event of incidents
  • 3. Dissemination of information about incidents to voters and external parties.

Deployment and exploitation rate

CSR can vary from small companies with five employees to large national hubs. A typical mission statement for a medium-sized civil society organisation includes the following elements:

1. Preventing Cyber security incidents by means of proactive measures :

  • a. Ongoing threat analysis
  • b. Scan the network and host for vulnerabilities
  • c. Coordination of the deployment of countermeasures
  • d. Consultation on security policy and architecture.

2. Monitoring, detection and analysis of potential intrusions in real time and based on historical trends of safety-related data sources.

3. respond to confirmed incidents by coordinating resources and directing the deployment of appropriate countermeasures in a timely manner; and

4. Provide relevant organizations with situation information and reports on the status of cyber security, incidents and trends in hostile behavior.

5. Development and exploitation of NDT technologies such as IDSs and data acquisition and analysis systems.

Perhaps the most time-consuming of these tasks is the consumption and analysis of a large amount of safety-related data. Of the many security-related data channels that the Security Operations Centre is likely to accept, the best-known are SDIs.

IDSs are systems that are placed on the host or network to detect potentially harmful or unwanted activities that deserve the attention of an NCS analyst. In combination with security audit logs and other data channels, a typical SOC collects, analyzes and stores tens or hundreds of millions of security events every day.

An event is any observable event in the system and/or network. Events sometimes indicate that an incident has occurred (e.g. a warning generated by an SDI or a security audit service). An event is nothing more than raw data.

To determine whether further action is needed, human analysis is needed – the process of assessing the value of collecting fundamental data on the ten strategies of the Center for World Class Cyber Security Operations’ Center for World Class Cyber Security Operations, usually using specialized tools.


  1. Level 1
  2. Level 2
  3. Level 3
  4. Company employee

Level 1: Warning analyser


Continuously monitors the alert queue; sorts alerts; monitors the status of safety sensors and endpoints; collects the data and context necessary to start level 2 operations.

Required training

Alert sorting procedures; intrusion detection; training in network, security information and event management (SIEM) and host research; and other types of training using specific tools. Certificates may contain SEC401 WITHOUT SEC401 : Style Boat Camp Essentials.

Level 2: Incident Response


Carries out in-depth analysis of incidents by comparing data from different sources; determines whether a critical system or set of data is affected; makes recommendations for corrective action; and supports new methods of threat analysis.

Required training

Advanced network forensic investigation, host forensic investigation, incident response procedures, log auditing, basic malware assessment, network forensic investigation and threat analysis. Certificates may contain SEC501 WITHOUT SEC501 : Advanced Security Basics – Enterprise Defender; SEC503 WITHOUT SEC503 : Deep intrusion detection; WITHOUT SEC504 : Hacking tools, technology, exploits and incident handling.

Level 3 Technical assistant/fighter


He has in-depth knowledge of networks, endpoints, threat analysis, forensic and malware reverse engineering, as well as the operation of specific applications or the underlying IT infrastructure; acts as an incident hunter without waiting for incidents to escalate; and is actively involved in the design, configuration and implementation of analytical threat detection tools.

Required training

Advanced training in anomaly detection; specialized training in data aggregation and analysis and in the collection of threat information Certificates may include SEC FREE503: Deep intrusion detection; WITHOUT SEC504 : Hacking tools, technologies, exploits and incident handling; WITHOUT SEC561 : Intensive development of pen testing capabilities; WITHOUT FOR610 : A malicious reverse engineering program: Tools and methods for malware analysis.

Head of SOC


Manages resources, including staff, budget, team planning and technology strategy for the implementation of SLAs; communicates with management; acts as a point of contact for critical incidents; provides general direction to NCS; and contributes to the overall security strategy.

Required training

Project management, incident management training, general human relations skills. The certificates include CISSP, CISA, CISM or CGEIT.

The NCS normally uses both internal and external resources to respond to and recover from an incident. It is important to understand that the NCS does not always take countermeasures at the first sign of a burglary. There are three reasons for this:

  • 1. The NCS wants to make sure that it does not block benign activities.
  • 2. The response may have a greater impact on the services of a constituency mission than the incident itself.
  • 3. Understanding the extent and severity of an invasion by observing the enemy is sometimes more effective than performing a static analysis of compromised systems when the enemy is no longer present.

To determine the nature of an attack, the NOC often needs to perform advanced forensic analysis of artifacts such as hard drive images or full session packet (FSPC) capture or reverse engineering of malware from malware samples collected to support the incident. Sometimes forensic evidence has to be collected and analysed in a legally sound manner. In such cases, the NCS must follow stricter and more repeatable procedures than would otherwise be necessary.

Construction of a security centre

In addition to the NCS analysts, the Security Operations Centre needs a washing machine for many moving parts.

The director of the NCS often burns inside and outside the NCS. The NCS manager is responsible for prioritising the work and organising the resources with the ultimate aim of detecting, investigating and limiting incidents that may affect the company.

How to set up and run the Security Operations Center

The CSR manager should develop a workflow model and implement Standard Operating Procedures (SOPs) for the incident handling process, guiding the analysts through triage and response procedures.


The identification of recurring incident triangulation and investigation processes standardizes the actions of an NCS analyst and ensures that no significant tasks fall through the cracks.

By creating a workflow for the management of recurring incidents, the responsibilities and actions of the team members are defined, ranging from the creation of a report and a first level 1 assessment to escalation to level 2 or 3 employees.

Resources can be allocated efficiently through a workflow.

One of the most commonly used models for incident management is the DOE/CIAC model, which consists of six steps: Preparation, identification, containment, removal, recovery and lessons learned.


The solution for enterprise-wide data collection, aggregation, discovery, analysis and management is the core technology of a successful NCS.

An effective security monitoring system includes data from continuous monitoring of endpoints (PCs, laptops, mobile devices and servers), networks and log and event sources.

By using network data, protocols and endpoints collected before and during an incident, NCS analysts can immediately move from using the security monitoring system as an investigative tool to using it as a tool for investigating, dealing with suspicious activities that represent an actual incident and even managing the response to an incident or violation.

Technology compatibility is crucial and data warehouses are poor, especially if an organization has a security monitoring solution (SIEM, terminal, network or other) and wants to integrate its reports into the incident management solution.

Adding context to security incidents

Including threats, assets, people and other contextual information is another way an effective enterprise security monitoring solution can help NCS analysts investigate.

Often the message refers to network or host activity and may initially only contain the IP address of the suspicious endpoint. For network flows Network traffic Identification of security events/End context logs Threats for Intel SECURITY MONITORING SYSTEM flows End-point system logs

Collect data to identify compatible technologies for a better understanding of incident management. By centralising these different data sources in a security monitoring system, the NCS gets an effective overview of possible anomalies indicating threat activity. The engine. Based on this information, automatic and manual interventions can be performed, such as installing a patch, changing the firewall, quarantining or replaying the system and recalling the badge. Analysis.

Security operations analysts can analyze data from various sources and then study and sort the devices of interest to capture the incident.

Roadmap SOC analyst to examine the system in question, the analyst usually needs additional information such as the name of the owner and host of the machine or the DHCP source of the recording to display the IP and host information at the time of the alarm.

When a security monitoring system contains information about assets and identities, it offers a huge advantage in terms of the analyst’s time and effort, not to mention the key factors that can be used to prioritise security incidents – usually the company’s most valuable assets should be given priority over cheaper assets.

Determination of the standard by Basel

One of the advantages of aggregated data collected from different business sources is the ability to create an activity base for users, applications, infrastructure, network and other systems by creating normal-looking data.

Defining normality makes it easier to detect suspicious behavior – actions that somehow go beyond normal.

A well based and configured security monitoring system sends effective alerts that are reliable and often automatically prioritized before they reach a level 1 analyst.

One of the main problems in using the log data mentioned by the respondents is the inability to distinguish between normal and suspicious activities.

Best practice is to use platforms that can establish baselines by monitoring the network and the endpoints of operations over a period of time to determine how normal it seems, and then provide the opportunity to set event thresholds as the primary drivers for notification.

If unexpected behaviour or deviations from normal activity are detected, the platform generates a warning indicating that further investigation is needed.

Threat to intelligence services

Adult SOCs are constantly developing the ability to consume and use threat information from their previous incidents and from information sharing sources, such as a threat intelligence provider, industry partners, cybercrime law enforcement agencies, information sharing organisations (such as ISAC), or their providers of security monitoring technology.

According to the SANS 2015 Cyber Threat Survey (CSD), 69 percent of respondents said their organizations had some capacity to collect cyber threat information, and 27 percent said their teams fully shared the concept of CSD and integrated response procedures between systems and employees.

The ability of the security monitoring system to rapidly collect and use threat data to identify patterns in access points, protocols and network data and to link anomalies to previous alerts, incidents or attacks can improve an organization’s ability to detect a compromised system or user before it shows signs of a breach.

In fact, 55% of ITC survey respondents now use a centralized safety management system to consolidate, analyze and deploy their ITCs.

Effective handling of SOC incidents In order to achieve effective handling of incidents, SOC must prevent bottlenecks in the infrared process leading to Level 1, Level 2 and finally Level 3 incidents.

Bottlenecks can be caused by excessive white noise, small impact warnings or false alarms that cause analyst fatigue.

This is a common experience among incident investigators, with 15% of respondents indicating that they responded to more than 20 false positives classified as incidents. When choosing a business security monitoring tool, you need to look for features such as alarm threshold settings and the ability to combine multiple alarms into a single incident.

In addition, analysts can sort more quickly for incidents that contain an additional context, lowering the level of assessment that must take place before a problem can be confirmed and quickly resolved.

Types of SOC

Divide the CSR in the group into five organizational models that show how a team is formed,

1. Safety group.

There is no permanent capacity to detect or respond to incidents. In the event of an IT security incident, resources are collected (usually within the constituency) to solve the problem, rebuild systems and then shut down.

The results can vary widely because there is no central control or uniform group of specialists and the processes for handling incidents are generally poorly defined. This category generally includes groups of less than 1000 users or IPs.

2. SOC internally distributed.

There is a permanent CPI, but it consists mainly of persons who are not part of the CPI and whose main work relates to IT or security, but not necessarily to FTL.

One person or a small team is responsible for the coordination of the security activities, but the heavy work is done by persons who are part of the matrix with other organisations. This category often includes CROs that support small to medium sized groups, perhaps 500-5000 users or IPs.

3. Internally centralised SOC.

A dedicated team of computer and cyber security experts consists of permanent NDC employees who provide ongoing services.

The necessary resources and powers to support the day-to-day task of protecting the network are available in an officially recognised structure, which usually has its own budget. This group reports to the head of the NCS, who is responsible for monitoring the NEC programme for the constituency. Most SOCs fall into this category and typically serve between 5,000 and 100,000 users or IP addresses.

4. SOC internally distributed and centralised.

The Security Operations Centre consists of both a central group (as in the case of internally centralised SOCs) and resources from other headquarters within the constituency (as in the case of internally distributed SOCs). Persons supporting CND activities outside the main CND shall not be recognised as a separate and distinct structure of the CND.

For larger populations, this model offers a balance between team cohesion and synchronisation and insight into IT resources and enclaves. N SOCs with an audience of 25,000 to 500,000 users/IPs can opt for this approach, especially if their audience is geographically dispersed or if they serve a very heterogeneous computing environment.

5. Coordinate the NCS.

An NCS acts as an intermediary and facilitates NCD activities between various individual NCS subordinates, usually for a large constituency, perhaps measured in millions of users or IP addresses.

The coordinating NCS generally provides advice to a wide range of supporters.

It generally has no active or full visibility to the final host and generally has little authority over its constituents.

Co-ordinated CSRs often serve as centres for disseminating e-information, best practices and training. They can also provide analytical and forensic services at the request of NCS staff.


The NCS meets the needs of constituencies in terms of network monitoring and defence by offering a range of services.

NCS have matured and adapted to the increased requirements, the changing threat environment and the tools that have significantly increased the technological level of NDC operations. We also want to articulate the full range of what the LSB can do, whether a particular position serves the interests of the electorate, the LSB itself, or both. As a result, the SOC services become a comprehensive list of SOC capabilities.

The NCS governance chain is responsible for voting and for determining the options that best meet the needs of its electorate, given the constraints of politics and resources.

  1. Real-time analysis
  2. Intel & Trade
  3. Incident Analysis and Response
  4. Artifact analysis
  5. Life cycle support for SOC tools
  6. Audit and insider threats
  7. Analysis and evaluation
  8. Awareness-raising activities

Real Time Analysis

Information centre

NEC advice, incident reports and questions from voters by phone, e-mail, NEC website or otherwise This service is similar to a traditional computer helpdesk, with the difference that it is specific to NEC.

Real-time monitoring and transport

Real-time analysis of data flows (such as system logs and alerts) to detect possible intrusions

After the set time threshold, suspicious incidents are forwarded to the Incident Analysis and Response Team for further investigation. It is generally equivalent to SOC Level 1 for analysts focusing on real-time event feeds and other data visualizations.

Pay attention: This is one of the most recognizable and visible possibilities offered by NCS, but it is useless without a proper analysis of the incident and appropriate response options, as discussed below.


Cyber-Intel data collection and analysis

Collection, use, and analysis of cybersecurity intelligence reports, cyber-invasion reports, and information security news on emerging threats, vulnerabilities, products, and research. The material will be checked for any information requiring a response from the Security Operations Centre or distribution to voters. Intel can be selected from Certificate Authorities, vendors, media information sites, online forums, and mailing lists.

Intel Cyberdistribution

Compiling, summarizing, and redistributing cyber intelligence reports, cyber infringement reports, and security-related messages to voters, either on a regular basis (e.g., weekly or monthly cyberspace newsletters) or on an irregular basis (e.g., notification of emergency patches or notification of a phishing campaign).


Creation of Intel Main author of e-news, such as threat reports or milestones based on primary NCS research. For example, an analysis of a new threat or vulnerability that has never been seen elsewhere. This is usually due to the NCS’s own incidents, forensic analysis, malware analysis and enemy actions.

Cyber-Intel Merger

Extraction of data from e-information and its synthesis to create new signatures, content and understanding of hostile TTPs, and thus the development of surveillance operations (e.g. new signatures or SIEM content).


Long-term analysis of event logs, collected malware and incident data to detect malicious or abnormal activity or to better understand the constituents or opponents of TTPs. This may include unstructured, open and in-depth analysis of different data streams, trend and correlation analysis for weekly or monthly logs, low-level and slow level data analysis, and esoteric anomaly detection techniques.

Threat assessment

A comprehensive assessment of the threats that different actors pose to a constituency, its enclaves or its activities in cyberspace. This includes the use of existing resources, such as e-information channels and trends, as well as the business architecture and state of vulnerability. Often in coordination with other actors involved in cyber security.

Analysis of incidents and response

Analysis of incidents

Extensive and long-term analysis of potential attacks and advice from other NCS members This capability is usually performed by analysts at Level 2 and above as part of the NCS incident escalation process. It needs to be completed within a certain period of time in order to provide an appropriate and effective response. This possibility usually involves analysing artifacts using different data to determine who, what, when, where and why the invasion took place – its extent, how the damage can be limited and how it can be repaired. The analyst documents the details of this analysis, usually with a recommendation for further action.

Trade analysis

Closely coordinated action by the opponent, with members of the CPVO conducting ongoing research and analysis of the opponent’s TTPs in order to gain a better understanding of and information on ongoing supervision. This activity differs from other options because (1) it sometimes includes special equipment for networks and systems to concentrate on activities that are important, such as a honey jar, and (2) it allows the enemy to continue without being immediately cut off from the activity. This ability is closely linked to trend analysis, malware and implants, and can in turn support the creation of e-information.

Coordination of the response to incidents

Work together with the affected population to gather additional information about the incident, understand its importance and assess the impact of the operation. More importantly, this function includes the coordination of response and incident reporting. The service does not include the direct implementation of countermeasures by the Security Operations Centre.

Implementation of the countermeasure

Effective implementation of incident response measures to contain, block or disrupt the presence or damage of the enemy. Possible countermeasures include logical or physical isolation of the affected systems, firewall blocking, black holes in the DNS, IP address blocking, patching and deactivation of the account.

On-site incident management

Work with voters to respond and recover from the incident on the ground. This usually requires NCS members who are already on or visiting the founder’s site to apply their expertise to analyze the damage, remove changes left behind by the enemy and return systems to a known good state. This work is done in cooperation with system owners and administrators.

Remote incident response

Work with voters to recover from the incident. This includes the same work as reacting to incidents on site. However, the members of NCS are relatively little involved in the collection of artifacts or system repair. Remote support is usually delivered via telephone and email, or in rare cases via remote terminals or administrative interfaces such as Microsoft Terminal Services or Secure Shell (SSH).

Analysis of artifacts

Treatment of forensic objects

Collect and store forensic artifacts (such as hard drives or removable media) related to the incident in a manner that facilitates their use in legal proceedings. Depending on the jurisdiction, this may involve manipulating media to document the supply chain, ensuring secure storage and supporting verifiable binary copies of evidence.

Malware and implant analysis

Also known as malware reverse engineering or simply reverse engineering. Removes malware (viruses, Trojan horses, implants, pipettes, etc.) from network traffic or media images and analyzes them to determine their nature. NCS members tend to search for an initial vector, behavior and possibly informal attribution to determine the degree of intrusiveness and to encourage rapid response. This can be a static analysis of the code by decompilation, or an analysis of the execution time (e.g. detonation), or both. This capacity is primarily intended to support effective monitoring and response. Although it uses some of the same methods as traditional forensic medicine, it does not necessarily support law enforcement.

Forensic artifact analysis

Analysis of digital artifacts (media, network traffic, mobile devices) to determine the extent and justification of an incident, usually by making a detailed incident plan. It uses methods similar to some aspects of malware and implant analysis, but follows a more extensive and documented process. This is often done through processes and procedures, the results of which can be used as a basis for legal action against those who may have been involved in the incident.

Life cycle support for SOCtools

Border Guard O&M device

Operation and maintenance (O&M) of border security equipment (e.g. firewall, web proxy, e-mail proxy and content filters). Including updates of knowledge management systems and policies, sometimes in response to a threat or incident. These activities are closely coordinated with the NOC.

NCS O&M infrastructure

SOC technologies that go beyond the installation of sensors. This includes the maintenance and power supply of the SOC’s IT equipment: Servers, workstations, printers, relational databases, error warning systems, storage space networks (SAN) and tape backup. If the Security Operating Center has its own enclave, this probably includes the maintenance of the routers, switches, firewalls and any domain controllers. This may also include operation and maintenance of monitoring systems, operating systems (OS) and hardware. Personnel supporting this service have basic rights to NCS equipment.

Sensor installation and maintenance

Maintenance and delivery of sensor platforms owned and managed by SOC IDS, IPS, SIEM, etc. This includes updating the IDS/IPS and SIEM systems with new signatures, configuring their signature sets to keep the number of events at an acceptable level, minimizing false alarms and maintaining the health of the sensors and data channels. NCS members involved in this service should be well aware of NCS’s monitoring needs so that NCS can keep pace with the ever-changing sequence and hazardous environment. Changes to all built-in prevention devices (HIPS/NIPS) are generally compatible with the NOC or other areas of computer operations. This possibility may include a large number of specific scenarios for data migration and integration of tools and data channels.

Creating user-defined signatures

Authorisation and implementation of original detection content for surveillance systems (IDS signatures, SIEM usage cases, etc.) based on threats, vulnerabilities, protocols, missions or other specific characteristics of the interest group environment This function uses the tools available to the NCS to fill gaps caused by commercial or community supplied signatures. The NCS can share its user signatures with other NCSs.

Design and application of tools

Market research, product evaluation, prototyping, design, integration, implementation and upgrade of SOC devices mainly based on free or open source software (FOSS) or commercial off-the-shelf (COTS) technologies. This service includes the budgeting, purchase and regular recapitalisation of SOC systems. The staff supporting the service must keep an eye on the changing threat environment and offer new opportunities in the coming weeks or months, depending on the needs of the mission.

Research and development of instruments

research and development (R&D) of non-standard instruments where there are no suitable commercial or open source means to meet operational requirements The spectrum of this activity ranges from the development of codes for a known and structured problem to many years of academic research to solve more complex problems.

Audit and Insider Threats

Collection and dissemination of test data

Gather a range of safety data sources to correlate and analyze incidents. This data collection architecture may also be used to support the dissemination and subsequent retrieval of audit data for research or analysis purposes on request outside the NCS mission. This capacity includes long-term storage of security-related data for use by facilities outside NCS.

Content review Creation and management of content

Create and modify the SIEM or logging content (LM) (correlation, dashboards, reports, etc.) to test service components and detect misuse This service is based on audit data distribution capabilities and offers not only raw data, but also content created for ingredients outside the SOC.

Support from insiders for the threat

To support the analysis and investigation of insider threats in two related but distinct areas: 1. Look for clues to possible insider threats (e.g. misuse of computer resources, time card fraud, financial fraud, industrial espionage or theft).

The NCS will advise the competent investigative bodies (law enforcement, Inspector General [IG], etc.) on matters of interest to them. 2. On behalf of these investigative bodies, the NCS will ensure the continuous monitoring, collection and analysis of information in support of the insider threat case.

Investigation of insider threats

The NCS uses its own independent regulatory or legal authority to investigate insider threats, including targeted or continuous surveillance of individuals, without the need for outside assistance or authority. In practice, few CSRs outside law enforcement have such a power, so they usually operate under the direction of another organisation.

Analysis and evaluation

Network cards

Continuous and periodic mapping of district networks to understand the size, shape, composition and interfaces along the perimeter of a district using automated or manual methods. These cards are often made and shared with other stakeholders.

Vulnerability assessment

Assess the host’s vulnerability status for consistency, focusing on the level of patches in each system and compliance with security requirements, typically using automated and distributed tools. Just like mapping out the network, this allows the Security Operations Centre to better understand what it needs to protect. The Security Operations Centre may make this information available to voters, possibly in the form of a report or summary. This function is performed on a regular basis and is not part of any specific evaluation or exercise.

Vulnerability assessment

Full knowledge, open assessment of the security of the site, enclave or system, also called Blue Team. NCS members work with system owners and administrators to comprehensively investigate the security architecture and vulnerabilities of their systems through analysis, system configuration reviews, system design documentation reviews, and interviews.

These activities can use network and vulnerability analysis tools and more invasive technologies to interrogate the configuration and status of systems. On the basis of the results of the investigation, the team members draw up a report of their findings and recommend corrective action. Civil society organisations use vulnerability assessments as an opportunity to increase the coverage of their analysts and the knowledge of their constituencies.

Penetration test

Lack of knowledge or limited appreciation of a certain constituency, also known as the Red Team. Members of the SOC carry out a simulated attack on a segment of a moving vehicle in order to assess the target’s resistance to the actual attack.

These actions are generally only carried out with the knowledge and consent of senior management as part of the series and without warning from the system owners. The tools used actually make it possible to carry out attacks in different ways: Buffer overflow, introduction of SQL (Structured Query Language) and data entry blur. Red teams usually limit their objectives and means to simulate a specific player, for example by simulating an enemy campaign that can start with a phishing attack.

At the end of the operation, the team makes a report with its findings in the same way as the vulnerability analysis. However, as penetration testing activities have a limited set of objectives, they do not cover as many aspects of system configuration and best practices as vulnerability assessments.

In some cases, Security Operations Centre staff simply coordinate Red Team activities, with a designated third party carrying out most of the actual testing to ensure that testers have no prior knowledge of the group’s systems or vulnerabilities.


Product evaluation

Test the protective properties of the point products purchased by the voters. Similar to a miniature vulnerability assessment of one or more hosts, this test enables a thorough analysis of the security strengths and weaknesses of a particular product. This can be an internal product test rather than a remote evaluation of production or pre-production systems.

Security Council

Advice on cybersecurity to non-UNOCI countries; assistance with the development of new systems, business continuity and disaster recovery planning; development of a cybersecurity policy; production of security configuration guides and other efforts.

Training and awareness

Proactively engage with voters, supporting general user training, ballots and other educational materials that help them understand different cyber security issues. The main objectives are to help voters protect themselves from common threats such as phishing and drugstore systems, security systems, raise awareness of NCS services and help voters to report incidents correctly.

Awareness of the situation

Regular and repeated repackaging and redistribution of NCS knowledge about resources, networks, threats, incidents and vulnerabilities of supporters. This capability goes beyond the dissemination of e-information and improves voters’ understanding of the state of cyber security and its role, facilitating effective decision-making at all levels. This information can be sent automatically via the website, the web portal or the NCS mailing list.

Redistribution of TTPs

Continuous exchange of products from the internal Security Operations Centre with other customers, such as partners or subordinate SOCs, in a more formal, refined or structured form. This can include almost anything developed by the NCS itself (e.g. tools, cybernetic information, signatures, incident reports and other raw data for monitoring). The pendant principle is often applied: The flow of information between the SOCs is bidirectional.

media relations

Direct communication with the news media. The NCS is responsible for disclosure without jeopardizing the reputation of the constituency or the ongoing response activities.


When you start setting up a Security Operations Centre (SOC), your ability to anticipate common obstacles will facilitate a smooth start, build up and maturation over time. While each organization is unique in terms of security, risk tolerance, expertise and budget, they all share a common goal: to minimize and harden the attack surface and quickly identify, prioritize and investigate security incidents as they occur.

Discover also

NCS Defence Phase One – Insight into the attack chain
NCS Defence Phase Two – Insight into the threat profiles
NCS Defence Phase Three – Insight into your organisational resources
NCS Defence Phase Four – Importance of Cyber Intelligence


Read also:designing and building security operations center pdf,physical security operations center,security operations center software,nist security operations center,security operations center hardware,security operations center training,managed security operations center,security operations center white paper