Part 13.6 / 7

SOC और NOC Operations

Security Operations Center, Network Operations Center, SIEM implementation, Threat Intelligence, and 24x7 monitoring.

13.6.1 SOC - Security Operations Center

A SOC (Security Operations Center) is a centralized facility where the security team monitors and manages the organization's security posture around the clock.

What does a SOC do?

  • Monitoring: 24x7 monitoring of networks, systems, and applications
  • Detection: identifying security threats and incidents
  • Analysis: analysing alerts and events to separate real incidents from noise
  • Response: immediate response to incidents
  • Reporting: security reports and metrics

SOC Team Structure

Role | Responsibility | Level
SOC Analyst L1 | Initial Triage, Alert Monitoring | Entry Level
SOC Analyst L2 | Deep Analysis, Incident Handling | Mid Level
SOC Analyst L3 | Advanced Threats, Threat Hunting | Senior
SOC Manager | Team Management, Strategy | Management
CISO | Overall Security Leadership | Executive

13.6.2 NOC - Network Operations Center

NOC vs SOC

Aspect | SOC | NOC
Focus | Security | Availability
Goal | Threat Detection | Uptime Maintenance
Monitors | Security Events | Network Performance
Tools | SIEM, EDR, SOAR | NMS, APM
Incidents | Security Breaches | Outages, Slowdowns

NOC Functions

  • Network Monitoring: bandwidth, latency, uptime
  • Performance Management: application performance
  • Fault Management: identifying and resolving outages
  • Configuration Management: configuration of network devices
  • Change Management: implementing network changes

Integration

Best Practice: integrate the SOC and NOC, or keep them in close coordination. Security events are often linked to network issues: a DDoS attack first appears to the NOC as an availability problem, and an unannounced NOC change (a new route, a firewall rule edit) can look to the SOC like an attack. Shared ticketing and a common change calendar avoid both teams chasing the same event from different directions.

13.6.3 SIEM - Security Information and Event Management

What is a SIEM?

A SIEM (Security Information and Event Management) is a technology that collects logs from all sources, correlates them, and detects security threats.

SIEM Components

  • Log Collection: collecting logs from all sources
  • Normalization: converting different formats into one standard schema
  • Correlation: linking multiple events together to find a pattern
  • Alerting: alerts on suspicious activity
  • Dashboards: visual representation
  • Reporting: compliance and management reports
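The components above, end to end, as an added example (Python; not code from this course or from any SIEM product): it parses constructed sshd syslog and web-application JSON log lines into one assumed common schema, then runs a correlation rule that fires only when five or more failed logins from one IP inside ten minutes are followed by a successful login from the same IP. The field names and the year 2024 given to the syslog lines (syslog timestamps carry no year) are assumptions.

```python
"""Minimal SIEM pipeline: collect -> normalize -> correlate -> alert.

Added example for this section, not code from the course or any SIEM product.
The log lines are constructed; the normalized field names (ts, src_ip, user,
outcome, source) are an assumed common schema, not a product's.
"""
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Source 1: OpenSSH syslog lines (real syslog timestamps carry no year).
SSHD_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[\d.]+)"
)

# Constructed sample input mixing two formats (sshd syslog and a web app's JSON)
# plus one line that no parser owns.
RAW_LOGS = [
    "Mar 10 02:00:01 bastion sshd[4101]: Failed password for root from 203.0.113.7 port 51234 ssh2",
    "Mar 10 02:00:09 bastion sshd[4102]: Failed password for invalid user admin from 203.0.113.7 port 51240 ssh2",
    "Mar 10 02:00:15 bastion sshd[4103]: Failed password for root from 203.0.113.7 port 51251 ssh2",
    "Mar 10 02:00:22 bastion sshd[4104]: Failed password for root from 203.0.113.7 port 51260 ssh2",
    "Mar 10 02:00:30 bastion sshd[4105]: Failed password for root from 203.0.113.7 port 51270 ssh2",
    "Mar 10 02:01:02 bastion sshd[4106]: Accepted password for root from 203.0.113.7 port 51281 ssh2",
    '{"time":"2024-03-10T02:03:00Z","event":"login","result":"fail","username":"priya","client":"198.51.100.4"}',
    '{"time":"2024-03-10T02:03:05Z","event":"login","result":"ok","username":"priya","client":"198.51.100.4"}',
    "Mar 10 02:04:00 bastion CRON[4200]: pam_unix(cron:session): session opened for user root",
]


def normalize(line, assumed_year=2024):
    """Map one raw line onto the common schema; None for lines no parser owns."""
    line = line.strip()
    if line.startswith("{"):
        d = json.loads(line)
        if d.get("event") != "login":
            return None
        return {
            "ts": datetime.fromisoformat(d["time"].replace("Z", "+00:00")),
            "src_ip": d["client"],
            "user": d["username"],
            "outcome": "success" if d["result"] == "ok" else "fail",
            "source": "webapp",
        }
    m = SSHD_RE.match(line)
    if not m:
        return None
    # syslog omits the year; a real collector takes it from receive time (assumed 2024 here)
    ts = datetime.strptime(f"{assumed_year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {
        "ts": ts.replace(tzinfo=timezone.utc),
        "src_ip": m["ip"],
        "user": m["user"],
        "outcome": "success" if m["outcome"] == "Accepted" else "fail",
        "source": "sshd",
    }


def correlate(events, threshold=5, window=timedelta(minutes=10)):
    """Rule: >= threshold failed logins from one IP inside `window`, followed by a
    successful login from the same IP -> high-severity alert. A couple of
    failures before a success (a typo) never fire it."""
    alerts = []
    recent_fails = defaultdict(list)  # src_ip -> timestamps of recent failures
    for e in sorted(events, key=lambda ev: ev["ts"]):
        fails = recent_fails[e["src_ip"]]
        while fails and e["ts"] - fails[0] > window:  # slide the window
            fails.pop(0)
        if e["outcome"] == "fail":
            fails.append(e["ts"])
            continue
        if len(fails) >= threshold:
            alerts.append({
                "rule": "brute_force_then_success", "severity": "high",
                "src_ip": e["src_ip"], "user": e["user"], "source": e["source"],
                "failed_attempts": len(fails),
                "first_failure": fails[0].isoformat(), "success_at": e["ts"].isoformat(),
            })
        fails.clear()  # a success ends the failure run either way
    return alerts


def run(lines):
    """Collect, normalize and correlate; unparsed lines are counted, never silently lost."""
    events, unparsed = [], 0
    for line in lines:
        ev = normalize(line)
        if ev is None:
            unparsed += 1
        else:
            events.append(ev)
    return {"events": len(events), "unparsed": unparsed, "alerts": correlate(events)}


if __name__ == "__main__":
    print(json.dumps(run(RAW_LOGS), indent=2))
```

The unparsed counter is the part most often missing from home-grown pipelines: a parser that silently drops lines it does not understand is a blind spot an attacker never has to work for, so the count should itself be a dashboard metric.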

Popular SIEM Solutions

  • Open Source: ELK Stack, Wazuh, OSSIM
  • Commercial: Splunk, IBM QRadar, Microsoft Sentinel
  • Cloud-native: Google Chronicle, AWS Security Hub

CERT-In Compliance

A SIEM can satisfy two CERT-In requirements at once: the 180-day rolling log retention and incident detection. This only holds if retention is actually configured and verified for 180 days (many deployments default to a shorter window to save ingest and storage cost) and the logs are kept within Indian jurisdiction, as the April 2022 directions require.

13.6.4 Threat Intelligence

What is Threat Intelligence?

Organized and analyzed information about threats that supports security decisions; raw feeds of indicators are data, not intelligence, until they have been put in context.

Types of Threat Intelligence

  • Strategic: high-level trends and the threat landscape (for the board)
  • Tactical: TTPs, the tactics, techniques and procedures attackers use (for security teams)
  • Operational: specific campaigns and attack details
  • Technical: IOCs, indicators of compromise (for automated tools)

IOCs (Indicators of Compromise)

  • IP Addresses: Malicious IPs
  • Domains: Malicious Domains
  • File Hashes: malware file hashes (MD5, SHA256); prefer SHA256, since MD5 collisions are practical, and remember that any hash changes as soon as the malware is repacked, so hash IOCs age fastest
  • URLs: Phishing या Malware URLs
  • Email Addresses: Phishing Sender Addresses
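Matching these IOC types against events, as an added example (Python; not from this course or any feed provider): a constructed feed in an assumed `type,value,source` format, published defanged (`hxxp://`, `[.]`, `[@]`) as real feeds are, is indexed and then matched against constructed events. It shows the checks that matter in practice: CIDR ranges for IP indicators, suffix matching on a label boundary for domains so that `update-service.example.com` does not match `update-service.example`, and case-normalized hashes and e-mail addresses. The SHA256 indicator is computed from a constructed byte string, not from real malware.

```python
"""Match a threat-intelligence IOC feed against normalized events.

Added example for this section, not code from the course or any feed provider.
Feed entries and events are constructed; the feed format (type,value,source per
line) and the event field names are assumptions.
"""
import hashlib
import ipaddress
import re

# A constructed file so the hash indicator can be computed here; not real malware.
SAMPLE_FILE = b"constructed sample bytes, not real malware\n"
SAMPLE_SHA256 = hashlib.sha256(SAMPLE_FILE).hexdigest()

FEED = f"""
# constructed feed: type,value,source  (indicators are defanged as feeds publish them)
ip,203.0.113.7,AbuseIPDB
ip,198.51.100.0/24,internal-blocklist
domain,update-service[.]example,OTX
url,hxxp://login.bank-verify[.]example/auth,CERT-In advisory
sha256,{SAMPLE_SHA256.upper()},VirusTotal
email,support[@]bank-verify[.]example,internal
"""

# Constructed events already normalized to a common (assumed) schema.
EVENTS = [
    {"id": 1, "type": "dns", "domain": "cdn.update-service.example"},
    {"id": 2, "type": "proxy", "src_ip": "10.0.0.5", "url": "http://login.bank-verify.example/auth"},
    {"id": 3, "type": "netflow", "src_ip": "10.0.0.9", "dst_ip": "198.51.100.23"},
    {"id": 4, "type": "edr", "file_sha256": SAMPLE_SHA256},
    {"id": 5, "type": "email", "sender": "Support@bank-verify.example"},
    {"id": 6, "type": "dns", "domain": "update-service.example.com"},  # lookalike: must NOT match
    {"id": 7, "type": "firewall", "src_ip": "203.0.113.7", "dst_ip": "10.0.0.1"},
]


def refang(value):
    """Undo the defanging feeds apply so indicators cannot be clicked by accident."""
    value = re.sub(r"^hxxp(s?)://", r"http\1://", value.strip(), flags=re.I)
    return value.replace("[.]", ".").replace("(.)", ".").replace("[@]", "@")


def build_index(feed_text):
    """Parse the feed into per-type lookup structures."""
    idx = {"ip": {}, "net": [], "domain": {}, "url": {}, "sha256": {}, "email": {}}
    for line in feed_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        kind, value, source = (p.strip() for p in line.split(",", 2))
        value = refang(value)
        if kind == "ip" and "/" in value:
            idx["net"].append((ipaddress.ip_network(value, strict=False), source))
        elif kind == "ip":
            idx["ip"][value] = source
        elif kind == "url":
            idx["url"][value] = source            # URL paths are case-sensitive: keep as-is
        elif kind in ("domain", "email", "sha256"):
            idx[kind][value.lower()] = source     # these compare case-insensitively
    return idx


def _domain_hit(host, domains):
    host = host.lower().rstrip(".")
    for d, source in domains.items():
        if host == d or host.endswith("." + d):   # suffix match only on a label boundary
            return d, source
    return None


def _ip_hit(ip, idx):
    if ip in idx["ip"]:
        return ip, idx["ip"][ip]
    addr = ipaddress.ip_address(ip)
    for net, source in idx["net"]:
        if addr in net:
            return str(net), source
    return None


def match_events(idx, events):
    """Return one hit per (event, indicator) pair."""
    hits = []
    for ev in events:
        found = []
        for key in ("src_ip", "dst_ip"):
            if key in ev and (h := _ip_hit(ev[key], idx)):
                found.append((key, *h))
        if "domain" in ev and (h := _domain_hit(ev["domain"], idx["domain"])):
            found.append(("domain", *h))
        if "url" in ev and ev["url"] in idx["url"]:
            found.append(("url", ev["url"], idx["url"][ev["url"]]))
        if "file_sha256" in ev and ev["file_sha256"].lower() in idx["sha256"]:
            found.append(("file_sha256", ev["file_sha256"].lower(), idx["sha256"][ev["file_sha256"].lower()]))
        if "sender" in ev and ev["sender"].lower() in idx["email"]:
            found.append(("sender", ev["sender"].lower(), idx["email"][ev["sender"].lower()]))
        hits.extend({"event_id": ev["id"], "field": f, "ioc": i, "source": s} for f, i, s in found)
    return hits


if __name__ == "__main__":
    for hit in match_events(build_index(FEED), EVENTS):
        print(hit)
```

The source of each indicator travels with the hit so the analyst knows whose confidence they are trusting; a hit from an internal blocklist and a hit from a public aggregator deserve different triage.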

Threat Intelligence Sources

  • CERT-In: Indian Threat Advisories
  • NCIIPC: CII Specific Threats
  • Commercial: Recorded Future, Mandiant
  • Open Source: OTX, VirusTotal, AbuseIPDB

13.6.5 24x7 Monitoring

Why is it necessary?

  • Attackers: attackers do not watch the clock; intrusions are routinely timed for nights, weekends and holidays
  • Global Threats: attacks arrive from different time zones
  • Dwell Time: the sooner the detection, the less the damage
  • Compliance: CERT-In's 6-hour incident reporting window cannot be met by a team that only reads alerts in the morning

Monitoring Model Options

Model | Description | Best For
In-house SOC | Own team and infrastructure | Large enterprises
Managed SOC | Outsourced to an MSSP | Mid-size organizations
Hybrid SOC | In-house + MSSP | Flexible needs
Virtual SOC | Remote team | Distributed organizations

Key Metrics

  • MTTD: Mean Time to Detect
  • MTTR: Mean Time to Respond
  • MTTC: Mean Time to Contain
  • False Positive Rate: the percentage of alerts that turned out not to be real incidents
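Computing the four metrics, together with the CERT-In 6-hour reporting check from the list above, as an added example (Python; not from this course): the incident register and its field names are constructed assumptions. It also reports the median time to detect, because one incident found a day late drags the mean far away from what the typical alert actually experienced.

```python
"""SOC metrics from an incident register: MTTD, MTTR, MTTC, false-positive
rate and CERT-In 6-hour reporting compliance.

Added example for this section, not code from the course. The incident records
are constructed and their field names are an assumed schema.
"""
from datetime import datetime, timedelta
from statistics import mean, median

# Constructed register. Timestamps are UTC ISO-8601; None = did not happen
# (a false positive is closed at triage, so it has no containment or report).
INCIDENTS = [
    {"id": "INC-1", "true_positive": True,
     "first_event": "2024-03-10T02:00:00", "detected": "2024-03-10T02:05:00",
     "responded": "2024-03-10T02:20:00", "contained": "2024-03-10T03:00:00",
     "reported_to_certin": "2024-03-10T06:00:00"},
    {"id": "INC-2", "true_positive": True,   # found a day late by threat hunting
     "first_event": "2024-03-11T10:00:00", "detected": "2024-03-12T10:00:00",
     "responded": "2024-03-12T10:30:00", "contained": "2024-03-12T12:00:00",
     "reported_to_certin": "2024-03-12T18:00:00"},
    {"id": "INC-3", "true_positive": True,
     "first_event": "2024-03-13T09:00:00", "detected": "2024-03-13T09:10:00",
     "responded": "2024-03-13T09:15:00", "contained": "2024-03-13T09:40:00",
     "reported_to_certin": "2024-03-13T09:50:00"},
    {"id": "INC-4", "true_positive": False,  # closed as a false positive at triage
     "first_event": None, "detected": "2024-03-14T01:00:00",
     "responded": "2024-03-14T01:10:00", "contained": None,
     "reported_to_certin": None},
]

# CERT-In directions (April 2022): report within 6 hours of noticing the incident.
REPORTING_DEADLINE = timedelta(hours=6)


def _minutes(start, end):
    t0, t1 = datetime.fromisoformat(start), datetime.fromisoformat(end)
    return (t1 - t0).total_seconds() / 60


def soc_metrics(incidents, deadline=REPORTING_DEADLINE):
    """MTTD/MTTR/MTTC are computed over true positives only (a false positive
    has no real first event); the false-positive rate is over all alerts."""
    true_pos = [i for i in incidents if i["true_positive"]]
    detect = [_minutes(i["first_event"], i["detected"]) for i in true_pos]
    respond = [_minutes(i["detected"], i["responded"]) for i in true_pos]
    contain = [_minutes(i["detected"], i["contained"]) for i in true_pos]
    limit = deadline.total_seconds() / 60
    late = [i["id"] for i in true_pos
            if i["reported_to_certin"] is None
            or _minutes(i["detected"], i["reported_to_certin"]) > limit]
    return {
        "mttd_minutes": mean(detect),
        "median_ttd_minutes": median(detect),  # the mean hides one 24-hour outlier
        "mttr_minutes": mean(respond),
        "mttc_minutes": mean(contain),
        "false_positive_rate": sum(1 for i in incidents if not i["true_positive"]) / len(incidents),
        "late_certin_reports": late,
    }


if __name__ == "__main__":
    for k, v in soc_metrics(INCIDENTS).items():
        print(f"{k}: {v}")
```

The 6-hour clock is measured from detection rather than from the first malicious event, which is what the directions specify ("noticing such incidents"); a register that records only the first event cannot prove compliance.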

13.6.6 SOAR - Security Orchestration, Automation and Response

What is SOAR?

SOAR tools automate and orchestrate security operations: they take the repetitive part of an analyst's response and run it as a playbook across the organization's existing tools.

Benefits of SOAR

  • Automation: repetitive tasks are automated
  • Orchestration: multiple tools are integrated into one workflow
  • Playbooks: standard response procedures
  • Faster Response: response at machine speed
  • Consistency: the same response every time, regardless of who is on shift

Use Case Example

Phishing email detected → SOAR automatically: (1) blocks the sender, (2) deletes the email from all mailboxes, (3) adds the URL to the blocklist, (4) creates an incident ticket, (5) notifies the SOC team.
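The playbook above as a runnable added example (Python; not code from this course or from any SOAR product), with stub connectors standing in for the mail gateway, proxy, ticketing and chat integrations. It adds the behaviour a playbook needs in production: each containment step runs even if an earlier one failed, the ticket and notification record what failed so the analyst can finish it by hand, re-running the blocklist step is harmless, and a sender in one of our own domains (the `corp.example` set is an assumption) is escalated instead of blocked, since blocking it would cut off legitimate internal mail.

```python
"""Phishing-response playbook as a SOAR engine would run it.

Added example for this section, not code from the course or any SOAR product.
The alert and the connectors are constructed stubs that record what a real
mail gateway, proxy, ticketing and chat integration would be asked to do.
"""
from dataclasses import dataclass, field

INTERNAL_DOMAINS = {"corp.example"}  # assumed: the organization's own mail domains


@dataclass
class PhishingAlert:
    sender: str
    subject: str
    url: str
    message_ids: list  # copies located in mailboxes by the mail search


@dataclass
class Connectors:
    """Stub integrations. `fail_steps` simulates an integration outage."""
    fail_steps: set = field(default_factory=set)
    blocked_senders: set = field(default_factory=set)
    purged: list = field(default_factory=list)
    url_blocklist: set = field(default_factory=set)
    tickets: list = field(default_factory=list)
    notifications: list = field(default_factory=list)

    def _check(self, step):
        if step in self.fail_steps:
            raise RuntimeError(f"{step}: integration unavailable")

    def block_sender(self, addr):
        self._check("block_sender")
        self.blocked_senders.add(addr.lower())

    def purge_messages(self, ids):
        self._check("purge_messages")
        self.purged.extend(ids)
        return len(ids)

    def blocklist_url(self, url):
        self._check("blocklist_url")
        if url in self.url_blocklist:
            return "already_present"  # idempotent: re-running the playbook is harmless
        self.url_blocklist.add(url)
        return "added"

    def create_ticket(self, summary, details):
        self._check("create_ticket")
        self.tickets.append({"id": f"INC-{len(self.tickets) + 1}", "summary": summary, "details": details})
        return self.tickets[-1]["id"]

    def notify(self, text):
        self.notifications.append(text)


def run_phishing_playbook(alert, c):
    """Steps (1)-(3) are containment and run independently: one failing must not
    stop the others. (4) and (5) always run and carry the outcome, including
    failures, so the analyst knows what is left to do by hand."""
    results = {}

    def step(name, action):
        try:
            results[name] = {"status": "ok", "result": action()}
        except Exception as exc:  # record and continue; never abort the playbook
            results[name] = {"status": "failed", "error": str(exc)}

    sender_domain = alert.sender.rsplit("@", 1)[-1].lower()
    if sender_domain in INTERNAL_DOMAINS:
        # Blocking our own domain would be a self-inflicted outage; the sender is
        # spoofed or compromised, which needs a human, not a blocklist entry.
        results["block_sender"] = {"status": "skipped", "reason": "internal domain, escalate"}
    else:
        step("block_sender", lambda: c.block_sender(alert.sender))
    step("purge_messages", lambda: c.purge_messages(alert.message_ids))
    step("blocklist_url", lambda: c.blocklist_url(alert.url))

    failed = [n for n, r in results.items() if r["status"] != "ok"]
    summary = f"Phishing: '{alert.subject}' from {alert.sender}"
    step("create_ticket", lambda: c.create_ticket(summary, results.copy()))
    ticket = results["create_ticket"].get("result", "no ticket")
    c.notify(f"{summary} -> {ticket}; manual follow-up: {failed or 'none'}")
    results["notify"] = {"status": "ok"}
    return results


if __name__ == "__main__":
    conns = Connectors(fail_steps={"blocklist_url"})
    alert = PhishingAlert("billing@bank-verify.example", "Verify your account",
                          "http://login.bank-verify.example/auth", ["m1", "m2", "m3"])
    print(run_phishing_playbook(alert, conns))
    print(conns.notifications[-1])
```

The skip rule for internal senders is the kind of guard that separates a safe playbook from a fast one: automation that can block, purge or blocklist must have an explicit list of things it will refuse to do without a person in the loop.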

Key Takeaways

  • SOC: security monitoring and incident response
  • NOC: network availability and performance
  • SIEM: log collection, correlation, and alerting
  • Threat Intel: IOCs, TTPs, and threat information
  • 24x7: round-the-clock monitoring is essential
  • SOAR: automation and orchestration for faster response