Detecting and preventing IT security related incidents 24x7 through 1st Line Security Monitoring.
The 1st line Security Monitoring from the Security Operation Center (SOC) is a service where the 1st line SOC operators continuously monitor for incidents and alert you about security incidents when they are detected within your IT infrastructure. Operators monitor the client's logs, processes and systems using advanced techniques to collect and compare data from various sources in order to detect unusual or malicious activity within your infrastructure. Having detected a possible incident, the first line operators of the Security Operation Center record and describe the events in the event recording system and notify you about these events through your services or via the 2nd Line SOC operators.
Service Level Agreement
Response time: 15 minutes
The 15 minute response time of first line operators is defined as the time between the occurrence of the incident in the SIEM system and the first steps taken by SOC operators.
SOC24 Service Provision Options
| Option | Description |
|---|---|
| 8/5 | Monitoring in working hours, e.g. from 09:00 to 17:00 on week days |
| 16/5 + 24/2 | Monitoring outside of the working hours. The 1st line operators of SOC24 take over the monitoring of the infrastructure security, e.g. at 17:00 from the SOC 1st line of the client and hand it back to the SOC 1st line on the next working day at e.g. 09:00. The monitoring covers the handling of all events occurring outside of the working hours of the Client, on non-working days and on holidays. |
| 24x7x365 | 24-hour monitoring every day throughout the year |
SOC First Line service
The Security Operation Centre is a service that helps detect and prevent incidents related to IT security. First Line Security Monitoring by the Security Operation Center (SOC) is a service where SOC operators proactively monitor for security incidents and alert you when incidents have been detected inside your IT infrastructure. The SOC24 operators monitor your logs, processes and systems using advanced technologies to collect and compare data from various sources. Having detected a possible incident, the first line operators of the Security Operation Center record and describe the event in the event recording system and notify you or the 2nd Line operators of the Security Operations Center.
- Monitoring of events and incidents occurring in your infrastructure, based on data from the SIEM system console made available by the client, with the correlation rules implemented on site.
- Analysis of events in accordance with procedures and scenarios agreed upon with you as a customer, including determination of the type and level of the incident and elimination of so-called false positives.
- Raising the incidents and recording the details collected about them in the reporting system.
- Handling incidents in the context of response scenarios developed together with you as a customer.
- In the case of incidents for which no response scenarios have been developed, incident handling is transferred to the 2nd SOC line.
- If the 2nd SOC line is on the customer side, information about the incident is provided in accordance with the SLA and the communication principles agreed with the customer.
Proactive and iterative monitoring of logs in the SIEM system for the detection and isolation of advanced security threats that have not been detected by the pre-defined correlation rules.
Advanced Second Line SOC Services
The advanced services of the SOC 2nd Line are an extension of the Security Monitoring service. The advanced SOC 2nd line services include any analytical task related to the handling of security incidents, as well as proactive steps designed to ensure the best protection of your infrastructure against possible cyber threats.
The actions of the SOC 2nd line are performed on the basis of events recorded in the SIEM system as well as in other security systems made available by the client to SOC analysts and on the basis of data from security services made available to the client by SOC24 in the Security as a Service model.
The SOC 2nd line operates in the 8/5 mode and, outside of working hours, in the "on demand" standby mode. If the 1st line identifies a significant issue (critical or high) which exceeds its competence and requires immediate action, the 2nd line operator on duty is involved and takes the necessary measures regarding the protection and security of the client's infrastructure.
Tasks of the Second Line SOC
- Remote analysis of a reported event, collection of all information necessary for proper handling of the incident, and verification of the supplied source data for correctness and completeness.
- For high priority incidents:
  - Designing a scenario for mitigating the threat caused by the incident and supporting the client's personnel in the execution of the pre-defined scenario.
  - Preparing a scenario of recovery measures designed to remove the effects of the incident.
  - Elaboration of conclusions from the incident in order to reduce the possibility of recurrence of a given type of incident in the future.
- Possibility of providing support to the Client's Security Team with the handling of the incident locally, on the premises of the client.
- Analysis of logs in terms of protecting the client from any new threats not covered by the existing rules implemented in the SIEM system and the response procedures of the SOC 1st line.
- Analysis of logs in terms of optimisation of the information about threats in the SIEM.
- Proposing new security protection scenarios (correlation rules) to be implemented within the SIEM system and offering optimisation of the security scenarios already in place.
- Proposing extensions of the monitoring scope to include further IT and communication systems of the client.
Consulting and Reporting
- Suggesting system protections against similar incidents in the future, identification of the root causes of the problem and its potential perpetrators, and, where appropriate or required, alerting the proper emergency services.
- Holding quarterly meetings (which may be held using video conferencing tools) designed to recapitulate the events of the last quarter and to identify optimisation opportunities.
SLA for Second Line SOC service
- During working hours (9:00-17:00), the response time is 15 minutes, defined as the time from the reporting of the incident to the SOC 2nd line until the first steps are undertaken by the 2nd line analyst.
- In the remaining cases the response time is 1 hour.
- The price for the service covers 40 hours monthly, performed at any time. If that limit is exceeded, fees are charged according to the hourly rate.
2nd Line Service Options
| Option | Description |
|---|---|
| 8/5 and "On Call" outside working hours | Support of the SOC 2nd line during working hours and, outside of working hours, in the "on demand" standby mode. This means that if the 1st line identifies a significant issue (Critical or High) which exceeds its competence and requires immediate action, the on-duty 2nd line operator is involved and takes the necessary measures regarding the protection and security of the client's infrastructure. |