About SOCs
The CCN defines a Cybersecurity Operations Center (COS/SOC) as an organizational structure made up of a set of technologies, processes, and people that, through their interrelation, cooperation, and coordination, provide cybersecurity services to their community.
Its mission is to act as the main safeguard for the cybersecurity of that community, which can be of various types: public and private organizations, individuals, or groups. Its institutionalization is decided by the organization that promotes it, and its recognition is gained through participation in the various exchange forums.
The cybersecurity services a SOC can provide are:
- Prevention: expanding knowledge of the community's vulnerabilities, both technical and human, in order to reduce the exposure surface.
- Protection: applying blocking measures at different points of the infrastructure to prevent or limit cyber attacks.
- Detection: observing everything that happens in the organization in search of existing threats.
- Response: acting against cyber incidents to minimize their impact on the organization.
- Management: setting the direction of the remaining services so that they are governed correctly.
Government SOCs deserve special mention. They provide these services to one or several public institutions in a country and act as a fundamental component of the national capacity for prevention, protection, detection, coordination, and response to cyber incidents. In these cases, institutionalization is promoted and sponsored by a public institution with powers in matters of national security.
Details of services
The aforementioned cybersecurity services are divided into the following subservices:
Prevention Service:
- Vulnerability Analysis: A service focused on the automated scanning of an organization's assets to identify existing vulnerabilities in the constituent elements of its information and security systems.
- Technical security inspections and intrusion testing (Ethical Hacking): a technical audit focused on identifying security flaws and exploitable vulnerabilities in an organization's information systems and the technological ecosystem that supports them. These exercises simulate the activity of a potential attacker and show how they could end up compromising the organization.
- Digital Surveillance: A service focused on the early detection of external threats in open sources, the Internet, and the Deep and Dark Web. Some examples of this scope include: early warning of trends and vulnerabilities, illicit brand use, phishing, identity theft, information and/or credentials leakage or theft, reputation, social networks, VIP tracking, among others.
Protection Service:
- Cybersecurity Operation: A service focused on the supply, implementation, administration, operation, and/or maintenance of the various elements that make up an organization's security infrastructure, aimed at providing security protection for networks and endpoints. Some of the tools or technologies that may be covered by the service include: EDR, Firewall, IPS/IDS, Proxy, DNS, AV, CASB, DLP, IRM, NAC, WAF, CMDB, etc. The service must ensure the proper functioning, configuration, and availability of these technologies.
Detection Service:
- Security Monitoring: A service focused on the continuous identification, analysis, and reporting of potential security threats, ensuring proactive and reactive detection of security incidents.
- Threat Hunting: A service focused on the proactive search for security threats, identifying anomalies and potential security incidents that traditional or passive processes are unable to detect.
- Threat Intelligence: A service focused on obtaining information to generate intelligence on advanced threats in a way that aids in cybersecurity management, continuous improvement, and decision-making for organizations.
Response Services:
- Incident Response Team (IRT): An expert service that is activated upon confirmation of a security incident and carries out forensic analysis, containment, mitigation, recovery, and a post-incident review (lessons learned). Incident response procedures and playbooks covering the different types of threats, tailored to the entity or organization receiving the service, must be available.
Cybersecurity Management Service:
- Cybersecurity coordination and strategy: Managing, monitoring, and advising on the organization's cybersecurity, including its short-, medium-, and long-term strategy; the management and monitoring of services, whether provided in-house or outsourced; security architectures and their implementation; and the associated documentation and procedures, together with their maintenance, planning, and implementation.
- Legal and regulatory compliance: Ensuring that the organization adapts to and complies with the cybersecurity regulations in force.
- Dashboards: There must be a dashboard that centralizes the information generated by the SSGs to provide a complete view of the security status of each entity.
Implementation
When implementing a Security Operations Center (SOC) in an organization, it is essential to begin by establishing the Cybersecurity Management Service, which acts as a strategic and cross-functional layer. This service allows for defining the cybersecurity strategy, objectives, governance model, as well as the mechanisms for managing, monitoring, and continuously improving the SOC.
Once this foundation is established, it is recommended to implement the Detection Service, which constitutes the operational core of the SOC: the identification, analysis, and notification of security threats and incidents. To this end, relevant information is gathered from multiple sources, which is then analyzed to detect unauthorized use or anomalous behavior. This service is structured vertically into the subservices defined in CCN-STIC 896 (listed above), and horizontally according to the strategic, operational, and tactical levels(1).
For its correct implementation, the following steps can be followed(2):
- Planning: Identifying relevant information, defining sources, planning processing, generating alerts, and creating a response model.
- Acquisition: Prioritized configuration of information sources (primarily perimeter and endpoint).
- Processing: Normalizing and storing data on SIEM/XDR platforms according to established policies.
- Analysis: Automated and manual analysis, including Threat Hunting activities, which may generate new alerts or use cases.
- Alert Management: Recording and tracking suspicious activity using ticketing tools.
- Response: Executing automated or manual procedures based on the nature and criticality of the alert.
- Feedback: Incorporation of lessons learned for continuous improvement of the cycle.
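As an added example (not code from the CCN or from the CCN-STIC 896 guide), the following Python script runs the cycle above end to end in miniature: it acquires two constructed sources (a perimeter firewall in syslog-like text and an endpoint agent in JSON), normalizes them into one event schema, applies a single automated brute-force use case, opens ticket records enriched with perimeter evidence, selects an automated or manual response according to criticality, and feeds an analyst allowlist back into the next run. The log lines, field names, rule threshold and window, ticket ID scheme and response actions are all assumptions made for the illustration.

```python
"""Miniature detection cycle: acquire -> normalize -> analyze -> ticket -> respond -> feedback.
Added illustration, not code from the CCN or the CCN-STIC 896 guide. All log lines,
field names, thresholds, ticket IDs and response actions are constructed assumptions."""
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Acquisition: two constructed sources, a perimeter firewall (syslog-like text) and
# an endpoint agent (JSON), matching the "primarily perimeter and endpoint" priority.
FIREWALL_LINES = [
    "2024-05-01T10:00:01Z fw01 action=allow src=203.0.113.7 dst=10.0.0.5 dport=443",
    "2024-05-01T10:00:05Z fw01 action=allow src=203.0.113.7 dst=10.0.0.5 dport=22",
    "2024-05-01T10:03:00Z fw01 action=deny src=198.51.100.9 dst=10.0.0.5 dport=3389",
]
ENDPOINT_LINES = [
    '{"time": "2024-05-01T10:00:10Z", "host": "srv5", "event": "auth", "user": "admin", "result": "failure", "src_ip": "203.0.113.7"}',
    '{"time": "2024-05-01T10:00:20Z", "host": "srv5", "event": "auth", "user": "admin", "result": "failure", "src_ip": "203.0.113.7"}',
    '{"time": "2024-05-01T10:00:30Z", "host": "srv5", "event": "auth", "user": "admin", "result": "failure", "src_ip": "203.0.113.7"}',
    '{"time": "2024-05-01T10:00:45Z", "host": "srv5", "event": "auth", "user": "admin", "result": "success", "src_ip": "203.0.113.7"}',
    '{"time": "2024-05-01T10:05:00Z", "host": "srv5", "event": "auth", "user": "bob", "result": "failure", "src_ip": "192.0.2.4"}',
]
FW_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) action=(?P<action>\w+) "
                   r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$")

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

# Processing: normalize both formats into one event schema (field names are assumed).
def normalize_firewall(line):
    m = FW_RE.match(line)
    if not m:
        return None  # unparsable lines are dropped rather than mis-tagged
    return {"ts": parse_ts(m["ts"]), "source": "firewall", "src_ip": m["src"],
            "dst": m["dst"], "category": "network", "outcome": m["action"], "user": None}

def normalize_endpoint(line):
    d = json.loads(line)
    if d.get("event") != "auth":
        return None
    return {"ts": parse_ts(d["time"]), "source": "endpoint", "src_ip": d["src_ip"],
            "dst": d["host"], "category": "auth", "outcome": d["result"], "user": d["user"]}

def collect(fw_lines, ep_lines):
    events = [e for e in map(normalize_firewall, fw_lines) if e]
    events += [e for e in map(normalize_endpoint, ep_lines) if e]
    return sorted(events, key=lambda e: e["ts"])

# Analysis: one automated use case. Threshold and window are assumptions to tune per entity.
FAIL_THRESHOLD = 3
WINDOW = timedelta(minutes=5)

def detect_bruteforce(events, allowlist=frozenset()):
    """>= FAIL_THRESHOLD auth failures from one src_ip inside WINDOW; a later success => 'high'."""
    by_ip = defaultdict(list)
    for e in events:
        if e["category"] == "auth" and e["src_ip"] not in allowlist:
            by_ip[e["src_ip"]].append(e)
    alerts = []
    for ip, evs in by_ip.items():
        fails = [e for e in evs if e["outcome"] == "failure"]
        for i, first in enumerate(fails):
            window = [f for f in fails[i:] if f["ts"] - first["ts"] <= WINDOW]
            if len(window) < FAIL_THRESHOLD:
                continue
            last_fail = window[-1]["ts"]
            success = any(e["outcome"] == "success" and e["ts"] > last_fail for e in evs)
            alerts.append({"rule": "auth.bruteforce", "src_ip": ip, "user": first["user"],
                           "failures": len(window), "criticality": "high" if success else "medium"})
            break  # one alert per source IP per run
    return alerts

# Alert management: every alert becomes a tracked ticket, enriched with perimeter
# evidence for the same source (a cross-source correlation the endpoint alone cannot make).
def open_tickets(alerts, events):
    tickets = []
    for n, a in enumerate(alerts, start=1):
        seen = [e for e in events if e["source"] == "firewall" and e["src_ip"] == a["src_ip"]]
        tickets.append({"id": f"SOC-{n:04d}", "status": "open", "alert": a,
                        "perimeter_evidence": len(seen)})
    return tickets

# Response: automated for high criticality, manual triage otherwise (policy assumed).
def respond(ticket):
    a = ticket["alert"]
    if a["criticality"] == "high":
        return {"mode": "automated",
                "action": f"block {a['src_ip']} at the perimeter; reset credentials of {a['user']}"}
    return {"mode": "manual", "action": f"analyst triage of {a['src_ip']}"}

# Feedback: lessons learned re-enter the cycle, here as an allowlist of sources the
# analysts have confirmed benign (e.g. an internal vulnerability scanner).
def run_cycle(fw_lines, ep_lines, allowlist=frozenset()):
    events = collect(fw_lines, ep_lines)
    tickets = open_tickets(detect_bruteforce(events, allowlist), events)
    return [(t["id"], t["alert"]["src_ip"], t["alert"]["criticality"], respond(t)["mode"])
            for t in tickets]

if __name__ == "__main__":
    print(run_cycle(FIREWALL_LINES, ENDPOINT_LINES))
    print(run_cycle(FIREWALL_LINES, ENDPOINT_LINES, allowlist={"203.0.113.7"}))
```

On the constructed data the first run opens one ticket for 203.0.113.7 (three failures followed by a success, so "high" and an automated response), while the single failure from 192.0.2.4 stays below threshold; the second run, with the source allowlisted after analyst review, opens none. In a real deployment the two lists are replaced by SIEM/XDR ingestion, the ticket records by the ticketing tool, and the response by a playbook, but the division into acquisition, normalization, use case, tracked alert, response and feedback is the same.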
These steps must be accompanied by the deployment of the appropriate tools and technologies, both for data collection and correlation (SIEM, EDR/XDR, traffic sensors), and for the management of alerts, assets, and cyber intelligence (ticketing, CMDB, TIP, intelligence feeds). It is also essential to define team organization, shifts, operating procedures, and escalation models.
With the implementation of the Cybersecurity Management Service and the Detection Service, a Basic SOC is available. The progressive incorporation of Prevention and Response services will allow evolution towards an Advanced SOC, and the additional inclusion of the Protection Service will result in a Complete SOC, in accordance with the maturity levels defined in the CCN-STIC 896 guide.
(1) The "strategic" level (definition of strategy and objectives by the management layer), the "operational" level (planning and execution of tactics and techniques), and the "tactical" level (use of technology and tools) are widely documented concepts.
Certification
To ensure that the services it provides are of quality, a SOC must be able to demonstrate its operational capabilities as well as its technical competence in the field of cybersecurity.
More information