Part 13.6

SOC and SIEM

"Eyes on Your Network 24x7"

Security Operations Center setup, SIEM implementation, log management, 180-day retention requirements, NTP synchronization, and incident response playbooks.

6.1

SOC - Security Operations Center

What is a SOC?

Definition: A Security Operations Center is a centralized unit that monitors, detects, analyzes, and responds to cybersecurity incidents using people, processes, and technology.

Key Functions:

1. Continuous monitoring of IT infrastructure

2. Threat detection and analysis

3. Incident response and containment

4. Security event investigation

5. Compliance reporting and audit support

6. Threat intelligence integration

SOC Model	Description	Best For	Cost Range
In-house SOC	Fully owned and operated internally	Large enterprises, banks, CII	Rs. 5-20 Cr setup + Rs. 3-10 Cr/year
Managed SOC (MSSP)	Outsourced to security provider	Mid-size companies, cost-sensitive	Rs. 50L - Rs. 2 Cr/year
Hybrid SOC	Internal team + MSSP support	Growing organizations	Rs. 1-5 Cr/year combined
Virtual SOC	Remote monitoring, no physical center	SMEs, startups	Rs. 10L - Rs. 50L/year

6.2

SIEM - Security Information and Event Management

SIEM Functions

SIM (Security Information Management):

- Log collection from multiple sources

- Long-term storage and retention

- Compliance reporting

SEM (Security Event Management):

- Real-time event correlation

- Alert generation

- Dashboard and visualization

Combined SIEM:

- Unified platform for both functions

- Advanced analytics and ML-based detection

- Automated response capabilities

SIEM Solution	Type	Use Case	Approximate Cost
Splunk	Commercial	Enterprise, large data volumes	Rs. 50L - Rs. 5Cr/year
IBM QRadar	Commercial	Enterprise, compliance-heavy	Rs. 40L - Rs. 3Cr/year
Microsoft Sentinel	Cloud (Azure)	Azure/M365 environments	Usage-based (Rs. 10L+/year)
Elastic SIEM	Open-source/Commercial	Cost-sensitive, flexible	Free to Rs. 1Cr+ (enterprise)
Wazuh	Open-source	SMEs, startups	Free (support extra)
AlienVault (AT&T)	Commercial	Mid-market, MSSP	Rs. 20L - Rs. 1Cr/year

6.3

Log Management - CERT-In 180-Day Requirement

CERT-In Directions 2022

180-Day Log Retention

"All service providers, intermediaries, data centres, body corporate and Government organisations shall mandatorily enable logs of all their ICT systems and maintain them securely for a rolling period of 180 days and the same shall be maintained within the Indian jurisdiction."

Log Types to Retain

Log Category	Specific Logs	Retention Priority
Network	Firewall, IDS/IPS, Router, Switch, VPN	Mandatory
System	Windows Event Logs, Linux syslog, Authentication	Mandatory
Application	Web server, Database, Custom applications	Mandatory
Security	Antivirus, EDR, WAF, DLP	Mandatory
Cloud	AWS CloudTrail, Azure Activity, GCP Audit	Mandatory
Email	Mail server logs, Email gateway	Recommended
DNS	DNS query logs	Recommended

Log Storage Architecture

Hot Storage (0-30 days): Fast SSD storage for active analysis; immediate query access

Warm Storage (30-90 days): Standard HDD; slower but accessible for investigations

Cold Storage (90-180 days): Archive storage (tape, S3 Glacier); compliance retention

Location: Must be within Indian jurisdiction (CERT-In mandate)

Integrity: Tamper-proof logging; hash verification; chain of custody

6.4

NTP Synchronization

CERT-In Directions 2022

Time Synchronization Requirement

"All service providers, intermediaries, data centres, body corporate and Government organisations shall connect to the Network Time Protocol (NTP) Server of National Informatics Centre (NIC) or National Physical Laboratory (NPL) or with NTP servers traceable to these NTP servers, for synchronisation of all their ICT systems clocks."

Approved NTP Servers

Provider	NTP Server Address	Stratum
NIC (Primary)	time.nic.in	Stratum 1
NPL	time.nplindia.org	Stratum 1
NIC Pool	ntp.nic.in	Stratum 2

Why Important?

- Accurate timestamps for incident investigation

- Log correlation across systems

- Legal validity of evidence

- Compliance demonstration

6.5

Incident Response Playbooks

Sample Playbook: Ransomware Incident

Detection (T+0):

1. SOC analyst receives SIEM alert for mass file encryption

2. Verify alert is not false positive

3. Escalate to Tier 2 analyst

Containment (T+30 min):

4. Isolate affected systems from network

5. Disable affected user accounts

6. Block C2 communication if identified

Investigation (T+1-4 hours):

7. Identify ransomware variant

8. Determine initial infection vector

9. Assess lateral movement

10. Document all findings

Reporting (T+6 hours max):

11. Prepare CERT-In incident report

12. Submit via portal/email

13. Notify sector regulator if applicable

Recovery (T+6+ hours):

14. Restore from clean backups

15. Patch vulnerabilities

16. Monitor for reinfection

SOC Maturity Levels

Level	Description	Capabilities
Level 1: Basic	Reactive monitoring	Log collection, basic alerting
Level 2: Managed	Defined processes	SIEM correlation, incident response
Level 3: Defined	Documented playbooks	Threat intelligence, hunting
Level 4: Quantified	Metrics-driven	KPIs, SLAs, continuous improvement
Level 5: Optimized	Predictive, automated	AI/ML, SOAR, proactive defense

Key Points - Part 13.6

SOC - Centralized unit for continuous security monitoring and incident response
SOC Models - In-house, Managed (MSSP), Hybrid, Virtual; choose based on size and budget
SIEM - Combines log management (SIM) and real-time event correlation (SEM)
180-Day Logs - CERT-In mandates 180-day rolling retention within Indian jurisdiction
Log Types - Network, system, application, security, cloud logs must be retained
Hot/Warm/Cold - Tiered storage strategy balances cost and accessibility
NTP Sync - Mandatory sync with NIC (time.nic.in) or NPL servers
Playbooks - Pre-defined response procedures for common incidents (ransomware, breach, DDoS)
SOC Maturity - Progress from basic (Level 1) to optimized (Level 5) over time
CERT-In Compliance - SOC/SIEM essential for meeting 6-hour reporting and log retention