CMMC Requirement IR.L3-3.6.1E – Security Operations Center: Establish and maintain a security operations center capability that operates 24/7, with allowance for remote/on-call staff.
Links to Publicly Available Resources – Coming Soon
Mobile device forensics is the science of recovering digital evidence from a mobile device under forensically sound conditions using accepted methods. Mobile device forensics is an evolving specialty in the field of digital forensics. This guide attempts to bridge the gap by providing an in-depth look into mobile devices and explaining the technologies involved and their relationship to forensic procedures. This document covers mobile devices with features beyond simple voice communication and text messaging capabilities. This guide also discusses procedures for the validation, preservation, acquisition, examination, analysis, and reporting of digital information. This publication provides guidelines for establishing and participating in cyber threat information sharing relationships. This guidance helps organizations establish information sharing goals, identify cyber threat information sources, scope information sharing activities, develop rules that control the publication and distribution of threat information, engage with existing sharing communities, and make effective use of threat information in support of the organization’s overall cybersecurity practices. This NIST Special Publication focuses on providing plans and procedures to facilitate resuming normal business operations as quickly as possible during a cybersecurity event. This NIST Special Publication offers guidance for incident response by identifying best practices and other recommendations. This guide from NIST discusses how important forensics can be for an organization during a cyber incident.
A security operations center (SOC) is the focal point for security operations and computer network defense for an organization. The purpose of the SOC is to defend and monitor an organization’s systems and networks (i.e., cyber infrastructure) on an ongoing basis. The SOC is also responsible for detecting, analyzing, and responding to cybersecurity incidents in a timely manner. The SOC is staffed with skilled technical and operational personnel (e.g., security analysts, incident response personnel, systems security engineers); in some instances operates 24 hours per day, seven days per week; and implements technical, management, and operational controls (e.g., monitoring, scanning, and forensics tools) to monitor, fuse, correlate, analyze, and respond to security-relevant event data from multiple sources. Sources of event data include perimeter defenses, network devices (e.g., gateways, routers, and switches), and endpoint agent data feeds. The SOC provides a holistic situational awareness capability to help organizations determine the security posture of the system and organization. An SOC capability can be obtained in many ways. Larger organizations may implement a dedicated SOC while smaller organizations may employ third-party organizations to provide such a capability.
[NIST SP 800-61] provides guidance on incident handling. [NIST SP 800-86] and [NIST SP800-101] provide guidance on integrating forensic techniques into incident response. [NIST SP 800-150] provides guidance on cyber threat information sharing. [NIST SP 800-184] provides guidance on cybersecurity event recovery.
Further Discussion
Security operations centers are created to monitor and respond to suspicious activities across an organization’s IT applications and infrastructure. A SOC may be implemented in a variety of physical, virtual, and geographic constructs. The organization may also opt to not hire their own staff but to engage a third-party external service provider to serve as their SOC.
The SOC is typically comprised of multiple levels of cybersecurity analysts. Each tier of cybersecurity analysts works on increasingly complex aspects of Incident Response. The SOC may also have dedicated cybersecurity engineers to support configuration and management of defensive cyber tools. The SOC may work with staff in IT operations who provide support to the SOC.
SOC capabilities run 24/7, and while staff may not always be performing tasks for the SOC, the capability alerts staff members and directs them to go to a facility or perform SOC actions from a remote location. Staff members should be scheduled or on call to ensure they are available when needed.