Sustainable and smart city development is the objective of many countries worldwide, yet cities face many challenges: infrastructure that does not meet development needs, an extremely fast increase in the number of vehicles, overloaded inner-city roads, ineffective public transport systems, and inadequate resources for developing facilities, the socio-economy and high technology. To address these issues, Zetanano proposes building an Intelligent Operation Center (IOC) and a Security Operation Center (SOC) as a general brain that controls and operates the city's activities through data collection and standardization. The Center also analyzes and processes this data and provides reports and decisions that direct the city's activities, serving chief officers, agencies and units effectively.
As the smart brain of a city, the IOC needs to fulfill the responsibilities of the four centers of the city: the decision-making, warning, governance, and command centers.
• Decision-making center: Big data is used for data analytics and mining in order to present the key points and difficulties in city management, supporting government decision-making.
• Warning center: Predicts potential risks, and provides warnings in advance to prevent major emergencies.
• Governance center: Collects, processes, and monitors city operations in a unified manner to improve collaboration efficiency, implement quick response, optimize city management resources, and improve city governance.
• Command center: When a major event or emergency occurs in the city, the command center coordinates multiple departments to implement unified command, action, and resource allocation, achieving cross-level, cross-region, and cross-department command and dispatch. The command center must support video dispatching, multi-party communication, video consultation, and mobile office operations, to ensure that the command center is available wherever the government officials are. This enables the officials to make informed decisions remotely if there is an emergency.
A Security Operation Center (SOC) is a centralized function within an organization that employs people, processes, and technology to continuously monitor and improve the organization's security posture while preventing, detecting, analyzing, and responding to cybersecurity incidents.
A SOC acts like the hub or central command post, taking in telemetry from across an organization's IT infrastructure, including its networks, devices, appliances, and information stores, wherever those assets reside. The proliferation of advanced threats places a premium on collecting context from diverse sources. Essentially, the SOC is the correlation point for every event logged within the organization that is being monitored. For each of these events, the SOC must decide how they will be managed and acted upon.
The function of a security operations team and, frequently, of a security operations center (SOC), is to monitor, detect, investigate, and respond to cyberthreats around the clock. Security operations teams are charged with monitoring and protecting many assets, such as intellectual property, personnel data, business systems, and brand integrity. As the implementation component of an organization's overall cybersecurity framework, security operations teams act as the central point of collaboration in coordinated efforts to monitor, assess, and defend against cyberattacks.
SOCs have typically been built around a hub-and-spoke architecture, in which the spokes can incorporate a variety of systems, such as vulnerability assessment solutions, governance, risk and compliance (GRC) systems, application and database scanners, intrusion prevention systems (IPS), user and entity behavior analytics (UEBA), endpoint detection and remediation (EDR), and threat intelligence platforms (TIP).
The SOC is usually led by a SOC manager, and may include incident responders, SOC analysts (levels 1, 2 and 3), threat hunters and incident response manager(s). The SOC reports to the CISO, who in turn reports either to the CIO or directly to the CEO.
1. Take Stock of Available Resources
The SOC is responsible for two types of assets—the various devices, processes and applications they’re charged with safeguarding, and the defensive tools at their disposal to help ensure this protection.
2. Preparation and Preventative Maintenance
Even the most well-equipped and agile response processes are no match for preventing problems from occurring in the first place. To help keep attackers at bay, the SOC implements preventative measures, which can be divided into two main categories.
3. Continuous Proactive Monitoring
Tools used by the SOC scan the network 24/7 to flag any abnormalities or suspicious activities. Monitoring the network around the clock allows the SOC to be notified immediately of emerging threats, giving it the best chance to prevent or mitigate harm. Monitoring tools can include a SIEM or an EDR, or better still a SOAR or an XDR; the most advanced of these use behavioral analysis to "teach" systems the difference between regular day-to-day operations and actual threat behavior, minimizing the amount of triage and analysis that must be done by humans.
4. Alert Ranking and Management
When monitoring tools issue alerts, it is the responsibility of the SOC to look closely at each one, discard any false positives, and determine how aggressive any actual threats are and what they could be targeting. This allows them to triage emerging threats appropriately, handling the most urgent issues first.
5. Threat Response
These are the actions most people think of when they think of the SOC. As soon as an incident is confirmed, the SOC acts as first responder, performing actions like shutting down or isolating endpoints, terminating harmful processes (or preventing them from executing), deleting files, and more. The goal is to respond to the extent necessary while having as small an impact on business continuity as possible.
6. Recovery and Remediation
In the aftermath of an incident, the SOC will work to restore systems and recover any lost or compromised data. This may include wiping and restarting endpoints, reconfiguring systems or, in the case of ransomware attacks, deploying viable backups in order to circumvent the ransomware. When successful, this step will return the network to the state it was in prior to the incident.
7. Log Management
The SOC is responsible for collecting, maintaining, and regularly reviewing the log of all network activity and communications for the entire organization. This data helps define a baseline for “normal” network activity, can reveal the existence of threats, and can be used for remediation and forensics in the aftermath of an incident. Many SOCs use a SIEM to aggregate and correlate the data feeds from applications, firewalls, operating systems and endpoints, all of which produce their own internal logs.
8. Root Cause Investigation
In the aftermath of an incident, the SOC is responsible for figuring out exactly what happened when, how and why. During this investigation, the SOC uses log data and other information to trace the problem to its source, which will help them prevent similar problems from occurring in the future.
9. Security Refinement and Improvement
Cybercriminals are constantly refining their tools and tactics—and in order to stay ahead of them, the SOC needs to implement improvements on a continuous basis. During this step, the plans outlined in the Security Road Map come to life, but this refinement can also include hands-on practices such as red-teaming and purple-teaming.
10. Compliance Management
Many of the SOC’s processes are guided by established best practices, but some are governed by compliance requirements. The SOC is responsible for regularly auditing their systems to ensure compliance with such regulations, which may be issued by their organization, by their industry, or by governing bodies. Examples of these regulations include GDPR, HIPAA, and PCI DSS. Acting in accordance with these regulations not only helps safeguard the sensitive data that the company has been entrusted with—it can also shield the organization from reputational damage and legal challenges resulting from a breach.
While dealing with incidents monopolizes much of the SOC's resources, the chief information security officer (CISO) is responsible for the larger picture of risk and compliance. To bridge operational and data silos across these functions, an effective strategy requires an adaptive security architecture that enables organizations to enact optimized security operations. This approach increases efficiency through integration, automation, and orchestration, and reduces the amount of labor hours required while improving your information security management posture.
An optimized security operations model requires the adoption of a security framework that makes it easy to integrate security solutions and threat intelligence into day-to-day processes. SOC tools like centralized and actionable dashboards help integrate threat data into security monitoring dashboards and reports to keep operations and management apprised of evolving events and activities. By linking threat management with other systems for managing risk and compliance, SOC teams can better manage overall risk posture. Such configurations support continuous visibility across systems and domains and can use actionable intelligence to drive better accuracy and consistency into security operations. Centralized functions reduce the burden of manual data sharing, auditing, and reporting throughout.
Operationalizing threat management should start with a thoughtful assessment. In addition to defenses, an organization should evaluate processes and policies. Where is the organization strong? What are the gaps? What is the risk posture? What data is collected, and how much of that data is used?
While every organization is different, certain core capabilities and security operations best practices represent due care today. A reasonable threat management process starts with a plan, and includes discovery (including baseline calculation to promote anomaly detection, normalization, and correlation), triage (based on risk and asset value), analysis (including contextualization), and scoping (including iterative investigation). Threat management processes feed prioritized and characterized cases into incident response programs. A well-defined response plan is absolutely key to containing a threat or minimizing the damage from a data breach.
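The discovery and triage stages described above, as an added example that is not ZetaNano's code: constructed SSH and firewall log lines (both formats assumed) are normalized onto a common record, per-host event counts are compared with a constructed baseline history, and the resulting anomalies are ranked by an assumed asset-value table so that the highest-risk case reaches incident response first.

```python
import re
from collections import Counter
from statistics import mean, pstdev

# Constructed sample events: syslog-style SSH failures and firewall denies (formats assumed).
CURRENT_LOGS = [
    "Mar 10 09:00:01 web01 sshd[2201]: Failed password for admin from 203.0.113.7 port 51011 ssh2",
    "Mar 10 09:00:02 web01 sshd[2201]: Failed password for admin from 203.0.113.7 port 51012 ssh2",
    "Mar 10 09:00:03 web01 sshd[2201]: Failed password for root from 203.0.113.7 port 51013 ssh2",
    "Mar 10 09:00:05 fw01 kernel: DENY src=203.0.113.7 dst=db01 dpt=3306",
    "Mar 10 09:00:06 fw01 kernel: DENY src=203.0.113.7 dst=db01 dpt=3306",
    "Mar 10 09:00:09 fw01 kernel: DENY src=198.51.100.4 dst=kiosk03 dpt=22",
    "Mar 10 09:01:00 kiosk03 sshd[77]: Failed password for guest from 198.51.100.4 port 40000 ssh2",
]
# Constructed per-host counts from earlier windows: the "normal" baseline history.
HISTORY = {"web01": [1, 0, 2, 1, 0], "db01": [0, 0, 0, 1, 0], "kiosk03": [2, 3, 1, 2, 2]}
# Asset value assigned by the SOC (constructed; 1 = low value, 5 = crown jewel).
ASSET_VALUE = {"web01": 3, "db01": 5, "kiosk03": 1}

SSH_RE = re.compile(r"^\S+ \d+ \S+ (?P<host>\S+) sshd\[\d+\]: Failed password for \S+ from (?P<src>\S+)")
FW_RE = re.compile(r"DENY src=(?P<src>\S+) dst=(?P<host>\S+)")

def normalize(line):
    """Map a raw line from either source onto a common (target_host, source_ip) record."""
    m = SSH_RE.match(line) or FW_RE.search(line)
    return (m.group("host"), m.group("src")) if m else None

def discover(lines, history, k=2.0):
    """Count events per target host and flag hosts above mean + k*stdev of their baseline."""
    counts = Counter(rec[0] for rec in map(normalize, lines) if rec)
    anomalies = {}
    for host, n in counts.items():
        hist = history.get(host, [0])
        threshold = mean(hist) + k * pstdev(hist)
        if n > threshold:
            anomalies[host] = n - threshold  # how far above the expected rate this window is
    return anomalies

def triage(anomalies, asset_value):
    """Rank anomalies by their deviation weighted by asset value; highest-risk case first."""
    scored = [(host, round(dev * asset_value.get(host, 1), 2)) for host, dev in anomalies.items()]
    return sorted(scored, key=lambda c: c[1], reverse=True)

if __name__ == "__main__":
    for host, score in triage(discover(CURRENT_LOGS, HISTORY), ASSET_VALUE):
        print(f"case host={host} risk_score={score}")
```

The noisy kiosk stays within its own baseline and is not raised as a case, while the database host, with only two events, ranks first because of its asset value.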
Copyright © 2021 ZetaNano - All Rights Reserved.