The security operations center utilizes the tools defined in the incident response chapter of this book, and those tools should be used as a reference to build out the technical capability of a SOC.

Key tools to highlight for SOC use include:

• Security information and event management (SIEM): Provides deep visibility into your network, systems, and applications. The SIEM is really where the magic happens for the SOC. The SIEM is the tool that ties your other security tools such as malware analysis and intrusion prevention tools into a unified system that can produce very intricate events and alerts. In turn, this capability can serve to provide the necessary ingredients to conduct identification and remediation activities.
• Host and network-based intrusion prevention and intrusion detection systems (IPS/IDS): Perform real-time monitoring of your network and server/workstation activity.
• Vulnerability scanners: Identify vulnerable systems on your enterprise network and include potential remediation recommendations for vulnerabilities identified as part of a vulnerability scan.
• Net flow analyzers: Examine the actual packets on the network and can be used to inspect for anomalous behavior.