The practice of making a Security Operations Center

A. Kiselev, Igor V. Korotkikh, Valeria V. Shott
Journal: Digital Technology Security
DOI: 10.17212/2782-2230-2022-4-39-51 (https://doi.org/10.17212/2782-2230-2022-4-39-51)
Published: 2022-12-27 (journal article)
Citations: 0

Abstract

The rapidly changing landscape of information security threats, driven directly by the development of information technologies, requires continuous automated monitoring of information security events: for rapid response, for retrospective analysis of targeted attacks, and for compliance with the requirements of the sector's regulators. This article presents the process of creating a concept that is now being implemented everywhere: an information security monitoring center. This complex, multifactorial process takes into account the drafting of regulatory legal acts and regulatory and methodological documentation, the analysis of current international practice, the formation of the pool of technologies used, the formation of a service team, and the debugging of workflows. At the same time, the possibility of the SOC's interaction with regulatory authorities, the specifics of communication with customers, the SOC's own resistance to attacks, economic feasibility, the peculiarities of human psychology, etc. must be taken into account. To visualize the work of the SOC, a process diagram of its operation is presented. Attention is paid in the article to the choice of the core of the SOC, the SIEM system. The result clearly represents the current cross-section of the Russian market for systems of this class, which is important in the context of import substitution.