Services Team At Work
As soon as the CSOC is operational in the live environment, the team has to carry out its mission and react to incidents. This is the phase in which the CSOC has the opportunity to show the value it provides to the business. When an incident arises, a ticket is opened and a case is investigated. Many parts of the team will be involved, and someone external to the SOC (part of the same organization, or even a third party) may be concerned as well, depending on the nature, extent and severity of the incident. Different levels of escalation, possibly leading to the CSIRT, could be put in place, and the team must collaborate, leveraging all the available tools and procedures, until the case is closed. To be successful, security incident detection and monitoring, and the subsequent incident response phase, require the right mix of sound technologies, clearly defined (and repeatable) processes and procedures, and highly specialized skills. Intuition, the ability to react quickly and precisely even under stressful conditions, and reliance on previously learned lessons are key points for an effective CSOC team.