Security Operations Center (SOC)

Counter cyber attacks and manage information security in real time


What is a Security Operations Center

A Security Operations Center (SOC) is a service that helps protect a company’s IT infrastructure by detecting attacks before attackers have time to cause damage. Its main task is to monitor and prevent cyber threats in real time.

How SOC works

Early threat detection

Continuously compares data from security events with a predefined set of unacceptable events and identifies potential threats.

Alerting and response

If a potential threat is detected, the service quickly takes action to neutralize suspicious security events before they can cause damage.

Why is this important for business

Prevention of cyberattacks

Reduces the likelihood of successful attacks and minimizes associated risks.

Maintaining business continuity

Ensures stable system operation and prevents downtime.

Compliance

Helps you comply with legislative and industry standards for data protection.

Test SOC: 30 days of free access

What’s included in the service

  • Collection of event logs on infrastructure components
  • Detection logic for identifying attacks
  • Incident response time
  • Incident and suspicious activity notification procedure
  • Quality of information for incident response
  • SOC client account

How SOC handles suspicious events

Priority and notification time:

  • Critical: no more than 30 minutes after a suspicious event is detected
  • High: no more than 40 minutes after a suspicious event is detected
  • Medium: no more than 60 minutes after a suspicious event is detected
  • Low: no more than 90 minutes after a suspicious event is detected

Notification methods: 1. Personal account; 2. Telegram chat message; 3. Phone call / email, etc.; 4. SMS

Typical events analyzed


  • Starting/stopping services and processes in the OS
  • Changing privileges for an account
  • Attempts to reset/change the password
  • Unsuccessful account logins during working/non-working hours
  • Change of security event logging policies
  • Change of technical information security settings
  • Multiple failed authentication attempts
  • Clearing/deleting event logs
  • Disabling/changing the logging level
  • Logging out of the system
  • Changing account privileges
  • Running unauthorized scripts
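As an added illustration (not the provider's own detection logic), the following Python applies four of the event categories above to constructed log lines and attaches the notification deadline from the priority table in the previous section. The key=value log format, the working-hours window, the burst threshold and the event-to-priority mapping are all assumptions, since the page does not publish them.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Notification deadlines from the SLA table above (minutes after detection)
NOTIFY_MINUTES = {"Critical": 30, "High": 40, "Medium": 60, "Low": 90}

# Assumed event-to-priority mapping: the page does not publish one
PRIORITY = {"log_cleared": "Critical", "privilege_change": "High",
            "auth_burst": "High", "offhours_failed_login": "Medium"}
# Constructed sample log lines in an assumed key=value format (not real data)
SAMPLE_LOGS = """\
2024-05-13 02:14:05 host=srv01 user=backup event=login_failed
2024-05-13 09:00:01 host=srv02 user=alice event=login_failed
2024-05-13 09:00:02 host=srv02 user=alice event=login_failed
2024-05-13 09:00:03 host=srv02 user=alice event=login_failed
2024-05-13 09:00:04 host=srv02 user=alice event=login_failed
2024-05-13 09:00:05 host=srv02 user=alice event=login_failed
2024-05-13 10:30:00 host=srv01 user=bob event=group_added group=Administrators
2024-05-13 11:45:12 host=srv03 user=bob event=eventlog_cleared
2024-05-13 14:00:00 host=srv02 user=carol event=login_ok
"""
LINE = re.compile(r"(\S+ \S+) host=(\S+) user=(\S+) event=(\S+)")

def parse(text):
    # Turn each raw line into a dict with a datetime timestamp
    return [{"ts": datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"),
             "host": m.group(2), "user": m.group(3), "event": m.group(4)}
            for m in LINE.finditer(text)]

def detect(records, burst=5, window=timedelta(minutes=1), work_hours=(8, 19)):
    """Four rules from the list above; detection time = event time (assumption)."""
    hits = []
    fails = defaultdict(list)  # (host, user) -> recent failed-login timestamps
    for r in records:
        ts, ev = r["ts"], r["event"]
        if ev == "eventlog_cleared":          # clearing/deleting event logs
            hits.append(("log_cleared", r))
        elif ev == "group_added":             # change of account privileges
            hits.append(("privilege_change", r))
        elif ev == "login_failed":
            if not work_hours[0] <= ts.hour < work_hours[1]:   # non-working hours
                hits.append(("offhours_failed_login", r))
            key = (r["host"], r["user"])
            fails[key] = [t for t in fails[key] if ts - t < window] + [ts]
            if len(fails[key]) == burst:      # multiple failed authentication attempts
                hits.append(("auth_burst", r))
    return [{"rule": rule, "priority": PRIORITY[rule], "host": r["host"], "user": r["user"],
             "notify_by": r["ts"] + timedelta(minutes=NOTIFY_MINUTES[PRIORITY[rule]])}
            for rule, r in hits]
```

Running `detect(parse(SAMPLE_LOGS))` yields one alert per rule, each carrying the latest time by which the SLA table says the client must be notified.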

Typical event sources

  • Servers running Windows/Linux/other operating systems
  • AD (Active Directory) / LDAP
  • Antivirus protection system against malicious software
  • Systems for protection against unauthorized access
  • IPS/IDS (Intrusion Prevention/Detection System)
  • NGFW (Next-Generation Firewall)
  • WAF (web application firewall)
  • Other CPB
  • Network equipment
  • Email
  • Centralized management of virtual infrastructure
  • Database management system (DBMS)
  • Web server
  • Backup and archiving system
  • CRM (customer relationship management)
  • IDM (identity and access management) / PAM (privileged access management)
  • ERP (Enterprise Resource Planning)

Stages of implementation and operation

  1. Establishing network connectivity between the Customer’s infrastructure and the SOC service

    The customer’s network engineer is required for the connection, which is made jointly with the SOC service team.

    1 to 3 business days

  2. Provision of the SOC agent distribution

    No specialists are required on the client’s side.

    Within 24 hours

  3. Installation of agents on the client’s IT infrastructure components

    To install agents, the client needs a system administrator responsible for installing software on servers and workstations.

    1 to 3 business days

  4. Installation of a log collector

    To install the log collector, a system administrator responsible for deploying new IT infrastructure components is required on the client’s side. Depending on the type of component, an agentless connection to the SOC service is possible; with this connection method, a VM is deployed in the client’s IT infrastructure from a log collector image provided by SOC service specialists.

    1 to 3 business days

  5. Configuring the transfer of security events from the client’s network equipment

    A network engineer or system administrator is required to configure the transmission of security events from the client’s network equipment.

    1 to 2 business days

  6. Configuring advanced logging on all components of the customer’s IT infrastructure

    The client will need system and network engineers. Configuration instructions are provided by SOC service specialists.

    1 to 3 business days

  7. Transfer, analysis, storage, and continuous monitoring of security events 24/7

    After successful implementation, the service switches to continuous monitoring mode, in which specialists at various support levels analyze all suspicious security events. The client’s response is only required if suspicious events or security incidents are confirmed.

The service allows you to meet the requirements

  • GOST R 57580.1-2017: measures MAS.1-MAS.8, MAS.10-MAS.23 (possible increase to the GOST rating — 0.06);
  • Orders of the Federal Service for Technical and Export Control of Russia No. 21 and No. 17: requirements RSB.1-RSB.7, RSB.8 (17th order);
  • Federal Law No. 187: Article 4. Principles for ensuring the security of critical information infrastructure, including GosSOPKA requirements;
  • PCI DSS: requirements 10.1 (including subclauses), 10.2 (including subclauses), 10.3 (including subclauses), 10.5 (including subclauses), 10.6 (including subclauses), 10.7 (including subclauses), 10.8;
  • Order of the Federal Technical and Export Control Service of Russia No. 239: AUD.4-AUD.9.

SOC service team

Service managers

Service Engineers

Service System Engineers

SIEM system specialists

First-level support analysts

Second-level support analysts

Technologies used

Personal service account

Centralized processing of information security events

EDR components

Prevention of malicious activity on endpoints: network-connected workstations, servers, Internet of Things devices, etc.

Threat Intelligence Components

Knowledge base of threats obtained through data analysis and interpretation.

Benefits of ITG Security

Fast communication

SOC team response time – no more than 10 minutes at any time of the day or night

Fixed SLA

Terms of service are known in advance and are not violated

Access to “raw” data

Providing access to the SIEM system to view raw logs and dashboards

Flexible customization

Development of non-standard correlation rules at the client’s request

At the end of each month, we provide a report that includes:

  • A general list of events recorded during the reporting period
  • A list of suspicious information security events that are not incidents
  • Description of information security incidents identified during the reporting period

Additionally, the report may contain other information related to the results of the Service provision for the period.


FAQ

The Security Operations Center works proactively using EDR analytics, behavioral analysis, and continuous vulnerability monitoring. After an incident, our analysts conduct a retrospective analysis, update correlation scenarios, and create regulations tailored to the specific features of your infrastructure. This is not passive monitoring, but continuous improvement of system stability.
When suspicious events are detected, we promptly notify the client via one of the communication channels (Telegram message, phone call, email, personal account) — depending on the severity of the incident, within 30 to 90 minutes after detection. Specialists from the information security monitoring center accompany the client at all stages of the investigation.
IT infrastructure vulnerability scans are performed at least once a month. Based on the results, clients receive a report with recommendations for elimination and support from specialists in implementing protective measures.
We provide full support — from configuring agents and SIEM infrastructure to analyzing events and providing recommendations for eliminating threats. The client does not need to employ information security specialists; one responsible contact person is sufficient.

All events are transmitted via a secure communication channel, and data is stored locally if required by company policy. We provide transparency for all processes, from event logs to incident chronology. If desired, the customer can participate in incident investigations together with our analysts, gaining full visibility into the monitoring center’s actions.
