
Building a SOC in 2025: How to Set Up a Security Operations Center?


Building a SOC in 2025: Security Operations Center

A SOC (Security Operations Center) is the central unit that monitors your organisation's cyber security around the clock, detects threats and responds to them. This is a guide to building a modern SOC.

What Is a SOC?

Components of a Security Operations Center:

  • 🔍 Monitoring - continuous monitoring
  • 🚨 Detection - threat detection
  • 📊 Analysis - incident analysis
  • Response - rapid response
  • 📈 Reporting - reporting

SOC Maturity Levels

Level 1: Reactive

  • Manual monitoring
  • Limited tools
  • No automation

Level 2: Repeatable

  • Some automation
  • Basic SIEM
  • Defined processes

Level 3: Proactive

  • Threat intelligence
  • Automated response
  • Advanced analytics

Level 4: Optimized

  • AI/ML integration
  • Predictive analytics
  • Continuous improvement

SOC Team Structure

SOC Manager
├── Tier 1: Analyst (Monitoring & Triage)
│   - Alert monitoring
│   - Initial triage
│   - Ticket creation
│
├── Tier 2: Incident Responder
│   - Deep investigation
│   - Threat hunting
│   - Remediation
│
├── Tier 3: Senior Analyst/Architect
│   - Complex investigations
│   - Tool tuning
│   - Process improvement
│
└── Threat Intelligence Team
    - Research
    - IOC management
    - Threat feeds

Core Technologies

1. SIEM (Security Information and Event Management)

Popular SIEM Solutions:

  • Splunk Enterprise Security
  • IBM QRadar
  • Microsoft Sentinel
  • Elastic Security
  • LogRhythm

SIEM Configuration:

# Log Sources
sources:
  - Windows Event Logs
  - Linux Syslogs
  - Firewall Logs
  - IDS/IPS
  - Web Application Firewall
  - Cloud Logs (AWS/Azure)
  - Endpoint Detection (EDR)

# Use Cases
use_cases:
  - Failed login attempts
  - Privilege escalation
  - Malware detection
  - Data exfiltration
  - Lateral movement
  - Suspicious network traffic

# Alerts
alerts:
  critical:
    - Multiple failed logins
    - Ransomware indicators
  high:
    - Unusual outbound traffic
    - New admin account
  medium:
    - Policy violations
  low:
    - Information events
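The "Failed login attempts" use case and the "Multiple failed logins" (critical) and "New admin account" (high) alerts from the configuration above, turned into detection logic that runs over constructed sample events. This is an added example, not code from the page or from any SIEM product: the event records are made up, and the Windows event IDs used as selectors (4625 for a failed logon, 4728/4732 for a member added to a global/local security group), the five-failures-in-five-minutes threshold and the admin group names are assumptions chosen for the illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (not real logs), in the shape a SIEM would
# normalise Windows Security events into. Event IDs are assumptions:
# 4625 = failed logon, 4624 = successful logon, 4728/4732 = member added to a security group.
SAMPLE_EVENTS = [
    {"ts": "2025-01-10T08:00:01", "event_id": 4625, "user": "alice", "src_ip": "10.1.1.5"},
    {"ts": "2025-01-10T08:00:09", "event_id": 4625, "user": "alice", "src_ip": "10.1.1.5"},
    {"ts": "2025-01-10T08:00:15", "event_id": 4625, "user": "alice", "src_ip": "10.1.1.5"},
    {"ts": "2025-01-10T08:00:22", "event_id": 4625, "user": "alice", "src_ip": "10.1.1.5"},
    {"ts": "2025-01-10T08:00:30", "event_id": 4625, "user": "alice", "src_ip": "10.1.1.5"},
    {"ts": "2025-01-10T08:05:00", "event_id": 4624, "user": "bob", "src_ip": "10.1.1.9"},
    {"ts": "2025-01-10T09:10:00", "event_id": 4625, "user": "bob", "src_ip": "10.1.1.9"},
    {"ts": "2025-01-10T11:00:00", "event_id": 4728, "user": "svc_new", "group": "Domain Admins"},
]

FAILED_LOGON = 4625
GROUP_MEMBER_ADDED = {4728, 4732}
ADMIN_GROUPS = {"Domain Admins", "Administrators"}   # assumed list; extend per environment
FAILED_LOGON_THRESHOLD = 5                           # assumed tuning value
WINDOW = timedelta(minutes=5)                        # assumed tuning value


def detect(events):
    """Return alerts for the 'multiple failed logins' (critical) and
    'new admin account' (high) rules from the severity table above."""
    alerts = []
    recent = defaultdict(deque)   # (src_ip, user) -> timestamps of failures inside WINDOW
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        if ev["event_id"] == FAILED_LOGON:
            key = (ev["src_ip"], ev["user"])
            window = recent[key]
            window.append(ts)
            while ts - window[0] > WINDOW:   # drop failures that fell out of the window
                window.popleft()
            if len(window) >= FAILED_LOGON_THRESHOLD:
                alerts.append({"severity": "critical", "rule": "multiple_failed_logins",
                               "key": key, "count": len(window), "ts": ev["ts"]})
                window.clear()               # one alert per burst, not one per extra failure
        elif ev["event_id"] in GROUP_MEMBER_ADDED and ev.get("group") in ADMIN_GROUPS:
            alerts.append({"severity": "high", "rule": "new_admin_account",
                           "key": (ev["user"], ev["group"]), "ts": ev["ts"]})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The sliding window is what keeps the rule from firing on a user who mistypes a password twice a day: only failures that land inside the five-minute window count, and clearing the window after an alert means a burst of fifty failures raises one critical alert rather than forty-six.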

2. EDR/XDR (Endpoint Detection & Response)

Solutions:

  • CrowdStrike Falcon
  • Carbon Black
  • SentinelOne
  • Microsoft Defender for Endpoint
  • Cortex XDR

3. SOAR (Security Orchestration & Automation)

Automation Examples:

# Automated Response Playbook
from dataclasses import dataclass


@dataclass
class Alert:
    hostname: str
    file_hash: str


# edr, firewall, jira, slack and forensics are the SOAR platform's integration
# clients; the method names below are illustrative, not a specific vendor's API.
def handle_malware_alert(alert, edr, firewall, jira, slack, forensics):
    # 1. Isolate infected host
    edr.isolate_host(alert.hostname)

    # 2. Block malicious hash
    firewall.block_hash(alert.file_hash)

    # 3. Create ticket
    ticket = jira.create_ticket({
        'summary': f'Malware detected: {alert.hostname}',
        'priority': 'Critical'
    })

    # 4. Notify team
    slack.send_message(
        channel='#security-alerts',
        message=f'Malware alert: {alert.hostname} isolated'
    )

    # 5. Collect forensics
    forensics.collect_memory_dump(alert.hostname)

    return ticket.id

4. Threat Intelligence Platform

TIP Features:

  • IOC management
  • Feed aggregation
  • Threat actor tracking
  • STIX/TAXII integration

SOC Processes

1. Alert Triage

Incoming Alert
    ↓
Is it a true positive?
    ↓ Yes
Severity assessment
    ↓
Critical → Immediate escalation
High → Tier 2 investigation
Medium → Queue for analysis
Low → Log and monitor

2. Incident Response

NIST Framework:

  1. Preparation
  2. Detection & Analysis
  3. Containment
  4. Eradication
  5. Recovery
  6. Post-Incident Activity

3. Threat Hunting

# Proactive threat hunting query (Splunk SPL)
# Hunt for suspicious PowerShell activity
powershell_hunt = """
index=windows sourcetype=powershell
| where like(command, "%DownloadString%")
  OR like(command, "%IEX%")
  OR like(command, "%Invoke-Expression%")
| stats count by host, user, command
| where count > 5
"""

# Hunt for lateral movement
# 10.0.0.0/8 is a placeholder for your internal address space; replace it with your own ranges
lateral_movement_hunt = """
index=network sourcetype=firewall
| where cidrmatch("10.0.0.0/8", src_ip) AND cidrmatch("10.0.0.0/8", dst_ip)
  AND in(dst_port, 445, 135, 139, 3389)
| stats dc(dst_ip) as unique_destinations by src_ip
| where unique_destinations > 10
"""

Metrics & KPIs

SOC Performance Metrics

Detection Metrics:
  - Mean Time to Detect (MTTD): < 15 minutes
  - Detection Rate: > 95%
  - False Positive Rate: < 5%

Response Metrics:
  - Mean Time to Respond (MTTR): < 30 minutes
  - Mean Time to Contain (MTTC): < 1 hour
  - Mean Time to Recover (MTTR): < 4 hours

Operational Metrics:
  - Alert Volume: Track daily/weekly
  - Analyst Workload: < 20 alerts/analyst/day
  - Automation Rate: > 60%
  - Playbook Coverage: > 80%

Business Metrics:
  - Prevented Incidents: Track monthly
  - Cost per Incident: Calculate
  - Compliance: 100%
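The detection and response targets above, computed from constructed incident and alert records. This is an added example, not part of the original post: the incident timestamps and alert outcomes are made up, the keys MTTResp and MTTRec are used only to tell apart the two metrics the table abbreviates as MTTR (respond and recover), and measuring respond, contain and recover from the detection timestamp is an assumption about where each clock starts.

```python
from datetime import datetime
from statistics import mean

# Targets from the table above, in minutes. MTTResp/MTTRec are local labels
# for the two metrics the table abbreviates as MTTR (respond / recover).
TARGETS_MIN = {"MTTD": 15, "MTTResp": 30, "MTTC": 60, "MTTRec": 240}

# Constructed incident records (not real data); in practice the timestamps
# come from the ticketing system.
INCIDENTS = [
    {"occurred": "2025-01-10T08:00:00", "detected": "2025-01-10T08:10:00",
     "responded": "2025-01-10T08:30:00", "contained": "2025-01-10T08:55:00",
     "recovered": "2025-01-10T11:00:00"},
    {"occurred": "2025-01-12T14:00:00", "detected": "2025-01-12T14:20:00",
     "responded": "2025-01-12T14:55:00", "contained": "2025-01-12T15:30:00",
     "recovered": "2025-01-12T19:00:00"},
]

# Constructed alert outcomes: 2 of 20 false positives, 14 of 20 handled by automation
ALERTS = [{"true_positive": i % 10 != 0, "automated": i % 10 < 7} for i in range(20)]


def _minutes(start, end):
    return (datetime.fromisoformat(end) - datetime.fromisoformat(start)).total_seconds() / 60


def soc_metrics(incidents):
    """Mean detection/response/containment/recovery times against targets.
    Assumption: respond, contain and recover are measured from detection."""
    values = {
        "MTTD": mean(_minutes(i["occurred"], i["detected"]) for i in incidents),
        "MTTResp": mean(_minutes(i["detected"], i["responded"]) for i in incidents),
        "MTTC": mean(_minutes(i["detected"], i["contained"]) for i in incidents),
        "MTTRec": mean(_minutes(i["detected"], i["recovered"]) for i in incidents),
    }
    # The table writes every target as "< N", so the comparison is strict
    return {k: {"minutes": v, "target": TARGETS_MIN[k], "met": v < TARGETS_MIN[k]}
            for k, v in values.items()}


def alert_quality(alerts, fp_target=0.05, automation_target=0.60):
    """False-positive and automation rates against the table's targets."""
    if not alerts:
        raise ValueError("no alerts in the reporting period")
    total = len(alerts)
    fp_rate = sum(1 for a in alerts if not a["true_positive"]) / total
    auto_rate = sum(1 for a in alerts if a["automated"]) / total
    return {"false_positive_rate": fp_rate, "fp_target_met": fp_rate < fp_target,
            "automation_rate": auto_rate, "automation_target_met": auto_rate > automation_target}


if __name__ == "__main__":
    for name, result in soc_metrics(INCIDENTS).items():
        print(f"{name}: {result['minutes']:.1f} min (target < {result['target']}) met={result['met']}")
    print(alert_quality(ALERTS))
```

With the constructed data the mean time to detect lands on exactly 15 minutes, which fails a "< 15 minutes" target; whether that counts as a miss is a decision to write down when the KPI is defined, not one to leave to whoever writes the report.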

24/7 Operations

Shift Structure

Shift 1: 08:00 - 16:00 (Day shift)
├── 2x Tier 1 Analyst
├── 1x Tier 2 Analyst
└── 1x Threat Hunter

Shift 2: 16:00 - 00:00 (Evening shift)
├── 2x Tier 1 Analyst
└── 1x Tier 2 Analyst

Shift 3: 00:00 - 08:00 (Night shift)
├── 1x Tier 1 Analyst
└── On-call Tier 2/3

Budget Planning

Small SOC (< 500 employees):

  • SIEM: $50K - $100K/year
  • EDR: $30K - $60K/year
  • Staff: 3-5 analysts = $200K - $400K/year
  • Total: $280K - $560K/year

Medium SOC (500-2000 employees):

  • SIEM: $150K - $300K/year
  • EDR/XDR: $100K - $200K/year
  • SOAR: $50K - $100K/year
  • Staff: 8-12 analysts = $600K - $1.2M/year
  • Total: $900K - $1.8M/year

Enterprise SOC (2000+ employees):

  • SIEM: $500K - $1M+/year
  • Full stack: $500K - $1M+/year
  • Staff: 20-30 analysts = $1.5M - $3M/year
  • Total: $2.5M - $5M+/year

Best Practices

People:

  • Continuous training
  • Career development
  • Burnout prevention
  • Knowledge sharing

Process:

  • Documented playbooks
  • Regular drills
  • Lessons learned
  • Process optimization

Technology:

  • Tool integration
  • Automation first
  • Regular updates
  • Scalable architecture

Contact us for a professional SOC setup! 🛡️ 📧 iletisim@cesayazilim.com | 📞 +90 850 225 53 34


Author

Cesa Yazılım
