Netia

The SOC (Security Operations Center) service itself does not protect against any specific types of attacks (such as firewalls, IPSs, WAFs or anti-ddos systems). However, thanks to constant security monitoring, it provides the ability to quickly identify certain gaps (anomalies), e.g. in terms of user behavior, network traffic, or application queries. Thanks to this, in the event of a real incident, it is possible to react quickly and minimize the potential consequences of a cyberattack.

The price of the SOC (Security Operations Center) service is influenced by several essential elements:
•    the number of alerts generated by the SIEM system per day to be handled
•    the number of confirmed security incidents per day to be mitigated
•    number of monitored sources - SIEM system - client vs. supplied by Netia
•    amount of data (GB/day) or events per second (Events per Second) generated by sources to the SIEM system - time range of service provision (e.g. 24/7/365 vs only monitoring outside working hours and on holidays)
- service variant (full SOC vs SOC Lite; monitoring vs monitoring + incident handling)
- SLA level - contract length
 

The source is any element of the ICT infrastructure (including applications) that is able to generate and send a log - information about an event.

The SIEM system is the basic working tool of every SOC. This system collects logs from monitored sources, aggregates and normalizes them (standardizes them), and then, based on the rules implemented in it, it correlates logs. Based on these correlations, alerts are generated, which are then verified by a team of SOC analysts.

Employees of the first line of SOC support (SIEM analysts) take generated alarms in order to verify them. Most of the alarms that appear are false alarms, only some of them relate to real security incidents. If it is confirmed that an alarm was related to a security incident, a so-called ticket is set up to handle the incident properly, and a level of significance (criticality) is assigned. Incidents with the highest level of criticality (e.g. ongoing data leak, ransomware campaign) are handled with a higher priority than incidents such as SPAM campaign or network scanning of the organization. In order to handle the incident, the SOC analyst often needs to obtain additional information - e.g. by delving into retail data (logs) or by contacting the person responsible for security on the client's side.
The simplest incidents are handled on the 1st line of SOC support, however, in the case of some more advanced cases, the support of the 2nd and 3rd line of SOC is necessary.
After solving the problem (known as incident mitigation), the problem ticket is closed.

Yes, we can provide the service in this model. We can work directly on the client's SIEM system or integrate it with Netia's SIEM systems.

For smaller or less demanding clients, we usually implement a dozen or so generic correlation scenarios (e.g. network traffic anomalies, multiple failed logins). Their scope allows SOC monitoring to cover most of the most frequently occurring incidents. Currently, we offer about 100 generic scenarios defined - for immediate implementation in the SIEM system.

For larger entities, we prepare dedicated scenarios, taking into account the specificity of their industry, the size of employment, the size and complexity of the ICT infrastructure, as well as the specific needs and requirements of the client.

No, there is no such thing as complete IT security. Cybercrime takes more and more professional forms, the methods of carrying out attacks and the tools used in them evolve, which makes it more difficult to effectively protect against cyberattacks. The effectiveness of an attack depends on the attacker's time and financial capabilities, and there will always be a way to carry out such an attack.

Each ICT security solution or service (including SOC) minimizes the risk of an attack, and also reduces the risk of its effectiveness, and consequently - significantly reduces the risk of potential financial, image or legal losses.

There are 3 basic models for the provision of these services: - a one-time service (on demand, ad-hoc)