SOC Hizmeti - 7x24 Güvenlik Operasyon Merkezi
SOC (Security Operations Center), işletmenizin dijital varlıklarını 7x24 saat kesintisiz izleyen, tehditleri tespit eden, analiz eden ve müdahale eden merkezi güvenlik birimidir. Modern siber tehditlerin hiç uyumadığı bir dünyada, SOC ekibi işletmenizin dijital bekçisidir.
Kuvve Technology olarak, Tier 1-2-3 SOC analisti ekibi, SIEM/SOAR platformları ve threat intelligence ile işletmenizin güvenliğini 7x24 koruyoruz. Kendi SOC ekibinizi kurmak yerine, SOC-as-a-Service ile daha hızlı, daha uygun maliyetli ve daha etkili güvenlik elde edebilirsiniz.
SOC Neden Kritik?
Siber Tehditler Hiç Uyumaz
İstatistikler:
- Ortalama bir veri ihlali 287 gün sonra tespit ediliyor (IBM 2023)
- Saldırılar genellikle mesai dışı saatlerde gerçekleşiyor (gece, hafta sonu)
- Ortalama kayıp (veri ihlali): $4.45 milyon (global ortalama)
- Ransomware saldırısı: Ortalama 11 saniyede bir (2024)
Sorun: Geleneksel 9-5 IT ekibi bu tehditlere yetersiz kalıyor.
Çözüm: 7x24 SOC monitoring + proaktif threat hunting.
SOC’un Faydaları
Without SOC:
├── Reactive security (saldırı olduktan sonra fark edilir)
├── Limited visibility (log'lar incelenmez)
├── Slow response (saatler veya günler)
├── High false-positive (alert yorumu yok)
└── Compliance gaps (audit zorlukları)
With SOC:
├── Proactive security (tehdit avcılığı, early detection)
├── 360° visibility (tüm sistemlerden log toplama)
├── Fast response (dakikalar içinde triage ve containment)
├── Contextualized alerts (false positive %5 altında)
└── Compliance ready (otomatik raporlama)
➜ Result: %80 daha hızlı threat detection, %60 daha düşük incident maliyeti
SOC Hizmet Modelleri
1. In-House SOC (Kendi Bünyenizde)
Gereksinimler:
- Dedicated SOC facility (NOC room, CCTV, access control)
- SIEM/SOAR platform ($50K-500K/yıl)
- SOC analysts (8-12 kişi, 24x7 shift coverage)
- Tier 1/2/3 ekip yapısı
- Threat intelligence feeds
- Incident response playbooks
Avantajlar:
- ✅ Tam kontrol
- ✅ Domain expertise (kendi altyapınızı iyi bilirler)
- ✅ Data privacy (log’lar dışarı çıkmaz)
Dezavantajlar:
- ❌ Yüksek maliyet ($800K-2M/yıl)
- ❌ Uzman bulma zorluğu (cybersecurity talent shortage)
- ❌ 24x7 coverage (tatil, hastalık, turnover)
- ❌ Tool management overhead
Uygun: Enterprise (1000+ çalışan), regulated industries (bankacılık, sağlık)
2. Hybrid SOC (Karma Model)
Model:
- Internal Tier 2-3: İleri analiz, incident response, threat hunting (kendi ekip)
- Outsourced Tier 1: 24x7 alert monitoring, triage (SOC-as-a-Service)
Avantajlar:
- ✅ Maliyet optimizasyonu (Tier 1 outsource daha ucuz)
- ✅ 24x7 coverage (vendor sağlar)
- ✅ Kritik yetenekler in-house (domain knowledge)
Dezavantajlar:
- ⚠️ İki ekip koordinasyonu gerekir
- ⚠️ Handoff process critical (Tier 1 → Tier 2 escalation)
Uygun: Mid-size enterprise (500-1000 çalışan)
3. Fully Managed SOC (SOC-as-a-Service)
Model:
- Vendor sağlar: SIEM/SOAR platform, Tier 1-2-3 analysts, threat intelligence
- Müşteri: Log sources gönderir, escalation alır
Avantajlar:
- ✅ Hızlı başlangıç (4-6 hafta)
- ✅ OpEx model (CapEx yok)
- ✅ 24x7 coverage guaranteed
- ✅ Vendor expertise (binlerce müşteriden öğrenilen tehdit pattern’leri)
- ✅ Latest tools (SIEM, threat intel, SOAR)
Dezavantajlar:
- ❌ Log’lar vendor’a gider (data privacy concern)
- ❌ Generic playbooks (domain-specific tuning gerekir)
Uygun: SMB-Mid (50-500 çalışan), hızlı başlangıç isteyen kurumlar
SOC Maturity Levels
Level 1: Basic (Foundational)
Capabilities:
- SIEM log collection (firewall, AD, endpoint)
- Out-of-the-box detection rules
- Email/ticket based alerting
- Business hours monitoring (8x5)
Team:
- 1-2 part-time security analysts
Threat Detection: Bilinen signature-based threats
Response Time: Hours
Level 2: Intermediate (Managed)
Capabilities:
- Comprehensive log collection (network, endpoint, cloud, app)
- Custom correlation rules
- 24x7 monitoring
- Tier 1-2 analysts
- Basic incident response playbooks
- Monthly reporting
Team:
- 4-6 SOC analysts (24x7 shifts)
- 1 SOC manager
Threat Detection: Korelasyon-based, bazı behavior analytics
Response Time: <1 saat (triage), <4 saat (initial containment)
Level 3: Advanced (Proactive)
Capabilities:
- Full-spectrum monitoring (SIEM + EDR + NDR + CASB)
- Advanced correlation (multi-layer)
- Threat intelligence integration (MITRE ATT&CK)
- User Behavior Analytics (UEBA)
- Proactive threat hunting
- SOAR automation (automated response)
- Forensic analysis
- Red team / purple team exercises
- Weekly executive reporting
Team:
- 8-12 SOC analysts (Tier 1-2-3)
- 2-3 Threat hunters
- 1 Incident response lead
- 1 SOC manager
Threat Detection: ML-based anomaly detection, insider threats, APTs
Response Time: <15 dakika (triage), <1 saat (containment)
Level 4: Elite (Intelligence-Driven)
Capabilities:
- AI/ML threat detection
- Automated incident response (self-healing)
- Threat intelligence production (kendi IOC’ler üretilir)
- Deception technology (honeypots, deception nets)
- Adversary simulation
- Continuous security validation
- Predictive analytics
Team:
- 15-20 SOC analysts
- 4-5 Threat intelligence analysts
- 2-3 Security researchers
- 1 SOC director
Threat Detection: Zero-day, APT, nation-state actors
Response Time: <5 dakika (automated)
SOC Team Structure (Tier Model)
Tier 1: Alert Triage (L1 Analysts)
Responsibilities:
- 24x7 SIEM dashboard monitoring
- Alert triage (true positive vs false positive)
- Initial classification (low/medium/high/critical)
- Basic investigation (source IP lookup, GeoIP, VirusTotal)
- Playbook execution (run checklist)
- Escalation to Tier 2 (eğer belirsiz veya kritik)
Skills:
- SIEM kullanımı (Splunk, QRadar, ELK)
- Network/security fundamentals
- Windows/Linux event log okuma
- Basic scripting
Metrics:
- Alert handling time (avg <10 dakika)
- False positive rate (<10%)
- Escalation quality (Tier 2’ye doğru escalation)
Shift: 24x7 rotation (3-4 kişi)
Tier 2: Incident Investigation (L2 Analysts)
Responsibilities:
- Deep-dive investigation (Tier 1’den gelen escalation)
- Correlation analysis (farklı log source’ları birleştirme)
- Threat intel lookup (IOC check: IP, domain, hash)
- Root cause analysis
- Containment recommendations (firewall rule, EDR isolation)
- Incident report writing
- Escalation to Tier 3 (major incident veya APT şüphesi)
Skills:
- Advanced SIEM query (SPL, KQL, AQL)
- Network packet analysis (Wireshark)
- Malware analysis (basic)
- MITRE ATT&CK framework
- Incident response methodology
Metrics:
- Mean Time To Investigate (MTTI): <1 saat
- Investigation accuracy (doğru root cause tespiti)
Shift: 24x7 on-call
Tier 3: Threat Hunting & Forensics (L3 Analysts)
Responsibilities:
- Proactive threat hunting (hypothesis-driven)
- Advanced forensics (memory dump, disk image analysis)
- Malware reverse engineering
- Threat intelligence research
- Detection rule development (yeni SIEM rule’lar)
- Incident response coordination (major breach)
- Post-mortem analysis ve lessons learned
Skills:
- Forensic tools (EnCase, FTK, Volatility)
- Malware analysis (IDA Pro, Ghidra, debuggers)
- Programming (Python, PowerShell)
- Threat intelligence platforms (MISP, ThreatConnect)
- APT tactics & techniques
Metrics:
- Threat hunting finds (proaktif tespit edilen tehditler)
- False negative reduction (detection coverage artışı)
Shift: Business hours (on-call for major incidents)
SOC Technology Stack
Core Technologies
┌─────────────────────────────────────────────────┐
│ DETECTION LAYER │
├─────────────────────────────────────────────────┤
│ SIEM: Splunk, ELK, QRadar, Wazuh │
│ EDR: CrowdStrike, Carbon Black, Defender│
│ NDR: Darktrace, ExtraHop, Vectra │
│ CASB: Netskope, McAfee MVISION │
│ Threat Intel: MISP, ThreatConnect, Anomali │
└──────────────────────┬──────────────────────────┘
↓
┌─────────────────────────────────────────────────┐
│ ORCHESTRATION LAYER │
├─────────────────────────────────────────────────┤
│ SOAR: Splunk Phantom, Palo Alto XSOAR │
│ Ticketing: JIRA, ServiceNow │
│ Comms: Slack, PagerDuty │
└──────────────────────┬──────────────────────────┘
↓
┌─────────────────────────────────────────────────┐
│ RESPONSE LAYER │
├─────────────────────────────────────────────────┤
│ Firewall: Palo Alto, Fortinet │
│ EDR: Automated isolation │
│ AD: User account disable │
│ Cloud: AWS Lambda, Azure Logic Apps │
└─────────────────────────────────────────────────┘
Typical Log Sources (Monitored)
Network Security:
- Firewall (Palo Alto, Fortinet, Cisco ASA)
- IPS/IDS (Snort, Suricata)
- VPN (OpenVPN, Cisco AnyConnect)
- Proxy/Web Gateway (Squid, Zscaler)
Endpoint:
- Windows Event Logs (Sysmon, Security, System)
- Linux syslog (auth.log, secure, audit.log)
- EDR telemetry (CrowdStrike Falcon, Carbon Black)
- Antivirus alerts
Identity:
- Active Directory (login, group changes, privilege escalation)
- LDAP
- SSO (Okta, Azure AD)
- MFA logs
Cloud:
- AWS CloudTrail, GuardDuty, VPC Flow Logs
- Azure Monitor, Sentinel
- Google Cloud Logging
- O365 (Exchange, SharePoint, Teams)
Applications:
- Web server (Apache, Nginx, IIS)
- Database (SQL, MongoDB, PostgreSQL)
- Email gateway (Office 365, Gmail)
- Custom applications (API logs)
SOC Workflow: From Alert to Resolution
Example: Brute Force Attack Detection
┌─────────────────────────────────────────────────────────┐
│ 14:00:00 EVENT: 50 failed SSH login attempts │
│ Source IP: 203.0.113.50 (Russia) │
│ Target: web-server-01 (user: root, admin) │
└──────────────────────┬──────────────────────────────────┘
↓
┌─────────────────────────────────────────────────────────┐
│ 14:00:05 SIEM ALERT: High - Brute Force SSH │
│ Correlation: >50 failed auth in 5 min │
│ Assigned to: Tier 1 Analyst (John) │
└──────────────────────┬──────────────────────────────────┘
↓
┌─────────────────────────────────────────────────────────┐
│ 14:01:00 TIER 1 TRIAGE: │
│ ✓ IP reputation check: Known scanner (bad) │
│ ✓ Successful login: NO │
│ ✓ GeoIP: Russia (unexpected location) │
│ ✓ Similar attacks: 3 other customers today │
│ Decision: TRUE POSITIVE, medium severity │
│ Action: Block IP at firewall (SOAR automated) │
└──────────────────────┬──────────────────────────────────┘
↓
┌─────────────────────────────────────────────────────────┐
│ 14:03:00 CONTAINMENT: │
│ SOAR Playbook executed: │
│ 1. Firewall block rule added (203.0.113.50) │
│ 2. SSH rate limiting enabled │
│ 3. Notification sent to IT team │
│ 4. Ticket created: INC-2024-00523 │
└──────────────────────┬──────────────────────────────────┘
↓
┌─────────────────────────────────────────────────────────┐
│ 14:30:00 TIER 2 INVESTIGATION: │
│ Deep dive: Attacker tried 250+ usernames │
│ No successful login confirmed │
│ Threat actor: Likely automated botnet │
│ Recommendation: Enable MFA for SSH │
└──────────────────────┬──────────────────────────────────┘
↓
┌─────────────────────────────────────────────────────────┐
│ 15:00:00 REMEDIATION: │
│ 1. IP permanently blocked │
│ 2. SSH MFA enabled (Google Authenticator) │
│ 3. Failed login alert threshold lowered │
│ 4. Incident report sent to CISO │
└──────────────────────┬──────────────────────────────────┘
↓
┌─────────────────────────────────────────────────────────┐
│ CLOSED Incident closed - No damage │
│ Total resolution time: 1 hour │
│ MTTR: 60 minutes (target: <2 hours) │
└─────────────────────────────────────────────────────────┘
Metrics:
- MTTD (Mean Time To Detect): 5 seconds (SIEM correlation)
- MTTI (Mean Time To Investigate): 3 minutes (Tier 1 triage)
- MTTC (Mean Time To Contain): 3 minutes (automated SOAR)
- MTTR (Mean Time To Resolve): 60 minutes (full investigation + remediation)
SOC Metrics & KPIs
Detection Metrics
MTTD (Mean Time To Detect):
- Goal: <15 minutes
- Measurement: Time from event occurrence to SIEM alert
- Industry benchmark: 197 days (without SOC), <1 hour (with SOC)
Detection Coverage:
- Goal: 90%+ of MITRE ATT&CK techniques
- Measurement: % of attack techniques covered by detection rules
False Positive Rate:
- Goal: <5%
- Measurement: (False positives / Total alerts) × 100
Response Metrics
MTTR (Mean Time To Respond):
- Critical: <1 hour
- High: <4 hours
- Medium: <24 hours
- Low: <72 hours
Containment Success Rate:
- Goal: 95%+
- Measurement: % of incidents contained before data loss/damage
Operational Metrics
Alert Volume:
- Track daily/weekly trend
- Goal: Decreasing false positives over time
Escalation Rate:
- Tier 1 → Tier 2: <20%
- Tier 2 → Tier 3: <5%
Incident Severity Distribution:
- Critical: <1%
- High: 5-10%
- Medium: 20-30%
- Low: 60-75%
SOC Use Cases
Use Case 1: Ransomware Detection
Detection Signals:
- High file modification rate (>100 files/min)
- File extension changes (.encrypted, .locked)
- Shadow copy deletion (vssadmin)
- Suspicious process names (enc.exe, crypt.exe)
- Network connection to known C2 servers
SIEM Rule:
index=endpoint
| transaction host maxspan=5m
| eval ransomware_score =
(file_modify_count * 2) +
(shadow_delete * 50) +
(c2_connection * 100)
| where ransomware_score > 100
| alert critical "Ransomware detected on {host}"
Response Playbook:
- Isolate: EDR network isolation (CrowdStrike, Carbon Black)
- Snapshot: VM snapshot (vCenter, Hyper-V)
- Kill: Terminate malicious process
- Notify: Page on-call Tier 2 analyst
- Backup Check: Verify backup integrity
- Forensics: Memory dump, disk image
Success Metric: Ransomware stopped before encryption >10% of files
Use Case 2: Insider Threat (Data Exfiltration)
Detection Signals:
- Off-hours access (22:00-06:00)
- Sensitive file access (HR, Finance, IP)
- Large data transfer (>5 GB)
- USB device connection
- Cloud upload (Dropbox, Google Drive, personal email)
- Unusual database queries (SELECT * FROM customers)
UEBA (User Behavior Analytics):
Baseline (30 days):
- User: john.doe
- Normal work hours: 09:00-18:00
- Avg data transfer: 50 MB/day
- File access: Marketing docs only
Anomaly Detected:
- Time: 02:30 AM (off-hours)
- Data transfer: 15 GB (300x baseline)
- Files: customer_database.csv (unusual)
- Destination: personal Gmail
- USB device: Connected
Risk Score: 95/100 (Critical)
Response Playbook:
- Monitor: Don’t block yet (gather evidence)
- Alert: Notify HR and Legal
- Investigation: Review activity timeline (past 7 days)
- Action: If confirmed malicious → disable account, legal process
Use Case 3: Phishing Campaign Response
Detection:
- Email gateway alert (suspicious attachment)
- Multiple users reporting phishing email
- Link clicked by 5+ users
Response Playbook:
T+0 min: Email gateway alert (O365 ATP)
T+5 min: Tier 1 confirms phishing (VirusTotal, URLhaus)
T+10 min: SOAR action:
1. Search all mailboxes for email (subject/sender)
2. Delete emails (O365 PowerShell)
3. Block sender domain (email gateway)
4. Check if link clicked (proxy logs)
T+30 min: Investigation:
- 50 users received email
- 5 users clicked link
- 2 users entered credentials (compromised)
T+45 min: Containment:
- Reset passwords (2 compromised users)
- Enable MFA
- Block malicious IPs (threat intel IOCs)
T+2 hour: User awareness:
- Email blast: "Phishing campaign warning"
- Security training reminder
T+24 hour: Lessons learned:
- Update email filter rules
- SIEM alert tuning
Threat Hunting
What is Threat Hunting?
Reactive (Traditional): Wait for alert → Investigate → Respond
Proactive (Threat Hunting): Hypothesize threat → Search for IOCs → Discover hidden threats
Threat Hunting Process
1. HYPOTHESIS GENERATION
"Are there any systems communicating with known APT C2 servers?"
"Is there lateral movement using stolen credentials?"
"Are there signs of living-off-the-land (LOLBins) attacks?"
2. DATA COLLECTION
- SIEM query
- EDR telemetry
- Network flow data
- Threat intel feeds
3. ANALYSIS
- Pattern recognition
- Anomaly detection
- Correlation
4. RESPONSE
IF threat found:
- Incident response
- IOC extraction
- New detection rule
ELSE:
- Document findings
- Improve detection coverage
Threat Hunting Example: PowerShell Empire Detection
Hypothesis: “Attackers may be using PowerShell Empire for C2”
Hunt Query (Splunk):
index=windows EventCode=4688 (NewProcessName=*powershell.exe OR NewProcessName=*pwsh.exe)
| rex field=CommandLine "(?<b64_command>-[eE](?:nc)?\s+(?<base64>[A-Za-z0-9+/=]{50,}))"
| where isnotnull(base64)
| eval decoded=base64decode(base64)
| search decoded=*"System.Net.WebClient"* OR decoded=*"Invoke-Expression"* OR decoded=*"IEX"*
| stats count by host, user, CommandLine, decoded
Findings:
- 3 hosts found running obfuscated PowerShell
- Decoded: Empire stager downloading from 198.51.100.50
- Conclusion: Active compromise
Action:
- Isolate 3 hosts
- Full forensic investigation
- New detection rule added
SOC Automation (SOAR)
What is SOAR?
SOAR = Security Orchestration, Automation, Response
Problem: SOC analysts spend 80% time on repetitive tasks (IP lookup, ticket creation, email alerts)
Solution: Automate routine tasks, let analysts focus on investigation.
SOAR Use Cases
1. Automated Triage:
Alert: Suspicious login from new location
↓
SOAR Playbook:
1. IP reputation check (AbuseIPDB, VirusTotal)
2. GeoIP lookup
3. User risk score calculation (UEBA)
4. Check if MFA used
5. Enrich alert with context
6. Auto-assign to Tier 1 analyst
7. Send Slack notification
2. Automated Response:
Alert: Malware detected on endpoint
↓
SOAR Playbook:
1. EDR: Isolate host from network
2. Firewall: Block malicious IPs (IOCs)
3. AD: Disable user account
4. Email: Notify user + IT team
5. Ticket: Create incident (ServiceNow)
6. Collect: Trigger memory dump
7. Escalate: Page Tier 2 analyst
3. Phishing Email Handling:
User reports phishing email
↓
SOAR Playbook:
1. Extract email metadata (sender, subject, attachments)
2. Sandbox analysis (Cuckoo, Joe Sandbox)
3. URL analysis (urlscan.io)
4. Threat intel lookup (MISP)
5. Search mailboxes (O365 PowerShell)
6. Delete emails from all inboxes
7. Block sender domain
8. Send confirmation to user
SOAR Platform Comparison
| Platform | Strengths | Pricing |
|---|---|---|
| Splunk SOAR (Phantom) | Deep Splunk integration, 350+ apps | $20K-100K/year |
| Palo Alto Cortex XSOAR | Best-in-class playbooks, TIM | $35K-150K/year |
| IBM Resilient | Enterprise-grade, QRadar integration | $40K-200K/year |
| Swimlane | Low-code automation, visual workflow | $25K-100K/year |
| TheHive + Cortex (Open Source) | Free, customizable | Free (self-hosted) |
Fiyatlandırma ve Paketler
SOC-as-a-Service (Fully Managed)
Starter SOC (50-200 Assets)
Monitoring:
- 7x24 Tier 1 monitoring
- SIEM (Wazuh-based)
- 50-200 endpoint agents
- Firewall, AD, VPN, Web logs
- Email alerting
- Monthly reporting
Detection:
- 20 out-of-the-box use cases
- Signature-based detection
- Threat intel feeds (public)
Response:
- Alert triage (8x5)
- Incident investigation (business hours)
- Recommendations (manual)
- MTTR: <24 hours
Fiyat: $2,500 - $5,000/ay
Professional SOC (200-1000 Assets)
Monitoring:
- 7x24 Tier 1-2 monitoring
- SIEM (ELK Stack / Splunk)
- 200-1000 endpoint agents
- Comprehensive log sources (network, endpoint, cloud, app)
- Slack/PagerDuty integration
- Weekly reporting
Detection:
- 50+ custom use cases
- Behavioral analytics (basic UEBA)
- Threat intel (commercial feeds)
- Correlation rules
Response:
- Alert triage (24x7)
- Incident investigation (Tier 2, 24x7)
- SOAR automation (basic playbooks)
- MTTR: <4 hours
Fiyat: $12,000 - $25,000/ay
Enterprise SOC (1000+ Assets)
Monitoring:
- 7x24 Tier 1-2-3 monitoring
- SIEM (Splunk Enterprise / IBM QRadar)
- Unlimited endpoint agents
- Full-spectrum visibility (SIEM + EDR + NDR + CASB)
- Dedicated Slack channel + on-call phone
- Daily executive dashboard, weekly detailed report
Detection:
- 200+ custom use cases
- Advanced UEBA (machine learning)
- Threat intel (premium feeds + custom IOCs)
- Multi-layer correlation
- Proactive threat hunting (monthly)
Response:
- Alert triage (24x7, <5 min)
- Incident investigation (Tier 2-3, 24x7)
- Advanced SOAR automation (custom playbooks)
- Incident response team (on-site if needed)
- Forensic analysis
- MTTR: <1 hour (critical), <15 min (containment)
Fiyat: $40,000 - $120,000/ay
SOC Setup (One-Time)
SOC Kurulum Hizmetleri:
- Log source integration (firewall, AD, endpoint, cloud)
- SIEM tuning (parser, normalization, dashboards)
- Use case development (50-200 rules)
- Playbook creation (10-30 SOAR playbooks)
- Analyst training
- Runbook documentation
Küçük (50-200 asset): $15,000-30,000 Orta (200-1000 asset): $40,000-80,000 Kurumsal (1000+ asset): $100,000-250,000
Gerçek Vaka Çalışmaları
Vaka 1: SaaS Startup - Hızlı SOC Onboarding
Müşteri Profili:
- SaaS CRM platformu
- 150 çalışan (remote-first)
- AWS altyapısı
- Müşteri güveni kritik (SOC 2 compliance)
Sorunlar:
- In-house SOC kurmak için zaman/bütçe yok
- Önceki güvenlik olayını 3 hafta sonra fark ettiler
- Compliance audit yaklaşıyor (SOC 2 Type II)
- CISO yok, IT Manager güvenlikten sorumlu
Çözüm:
Model: SOC-as-a-Service (Professional Tier)
Onboarding Timeline:
Week 1-2: Log integration
├── AWS CloudTrail, GuardDuty, VPC Flow Logs
├── Okta (SSO)
├── Office 365 (Email, SharePoint, Teams)
├── GitHub (code repository)
├── Datadog (application logs)
└── Endpoint agents (150 laptops - macOS/Windows)
Week 3-4: Use case development
├── Unauthorized AWS API calls
├── Privilege escalation (IAM role changes)
├── Data exfiltration (S3 bucket public access)
├── Failed SSO login (Okta)
├── Office 365 suspicious activity
├── GitHub secrets exposed
└── Endpoint malware detection
Week 5-6: Tuning & training
├── False positive reduction (40% → 8%)
├── IT team training (escalation process)
├── Playbook handoff
└── Go-live
Platform: ELK Stack (managed by Kuvve)
Log Volume: 25 GB/day
Team: 24x7 Tier 1-2 monitoring
Sonuçlar (İlk 6 Ay):
- Threat detection: 8 major incident yakalandı
- 2x AWS credential compromise (exposed in GitHub)
- 3x Phishing attempts (O365)
- 1x Cryptominer (employee laptop)
- 2x Data exfiltration attempt (S3 bucket misconfigured)
- Compliance: SOC 2 Type II audit passed (first try)
- MTTR: 2.5 saat ortalama (önceki: 3 hafta!)
- Cost avoidance: 1 major data breach ($500K+) önlendi
Yatırım:
- Setup: $40,000 (one-time)
- Monthly: $18,000
- First year: $256,000
- Alternative (in-house SOC): $850,000/year
- Savings: $594,000/year
ROI: Payback <6 months (breach avoidance dahil)
Vaka 2: Manufacturing Company - Hybrid SOC Model
Müşteri Profili:
- Otomotiv parça üreticisi
- 800 çalışan, 3 fabrika
- OT network (SCADA, PLC) + IT network
- Hedefi: Ransomware saldırısından korunma
Sorunlar:
- Ransomware saldırısı (6 ay önce, $250K hasar)
- 24x7 monitoring yok (IT ekibi 8x5)
- OT/IT network ayrımı zayıf
- Backup yetersiz
Çözüm:
Model: Hybrid SOC
Internal Team (Tier 2-3):
├── 2x Security analysts (in-house, domain expertise)
├── Incident response (on-site, 8x5 + on-call)
└── OT security specialist
Outsourced (Tier 1, Kuvve SOC):
├── 24x7 SIEM monitoring
├── Alert triage
├── Initial investigation
└── Escalation to internal team
Technology Stack:
├── SIEM: Splunk Industrial (OT + IT)
├── EDR: CrowdStrike Falcon (IT endpoints)
├── NDR: Darktrace (OT network visibility)
├── Backup: Veeam (immutable backups)
└── SOAR: Splunk SOAR (automated containment)
Use Cases (OT-specific):
├── Unauthorized PLC programming
├── SCADA anomaly detection
├── Unusual Modbus/DNP3 traffic
├── OT/IT lateral movement
├── Removable media (USB) in OT zone
└── Maintenance window violation
Implementasyon (12 Hafta):
Phase 1 (Week 1-4): IT network
├── SIEM deployment
├── Endpoint agent rollout (500 devices)
├── Log integration (firewall, AD, email)
└── Basic use case (ransomware, phishing)
Phase 2 (Week 5-8): OT network
├── Passive monitoring (network TAP)
├── SCADA/PLC baseline learning
├── OT-specific use cases
└── Alert tuning (OT false positives)
Phase 3 (Week 9-12): Integration
├── OT/IT correlation rules
├── SOAR playbooks (automated isolation)
├── Backup verification automation
└── Tabletop exercise (ransomware simulation)
Sonuçlar (İlk Yıl):
- Threat detection:
- 2x Ransomware attempt (caught in initial stage, isolated)
- 1x Insider threat (USB data exfiltration from OT)
- 4x Unauthorized remote access (VPN abuse)
- Downtime prevention: 2 ransomware → $500K+ kayıp önlendi
- Compliance: IEC 62443 (OT security) audit passed
- MTTR: <1 saat (IT), <2 saat (OT)
- Production uptime: 99.8% (önceki: 97%)
Yatırım:
- SIEM/EDR/NDR: $180,000 (one-time)
- Backup upgrade: $40,000
- Setup: $120,000
- Outsourced SOC (Tier 1): $15,000/month
- Internal team: $200,000/year (2 FTE)
- Total first year: $560,000
- Annual (ongoing): $380,000
ROI:
- Prevented losses: $500,000+ (ransomware downtime)
- Insurance premium reduction: $50,000/year
- Net value (3 year): $1,200,000
SOC Best Practices
1. “Follow the Sun” Model
Challenge: 24x7 coverage with limited staff
Solution: Global SOC centers
- Istanbul SOC: 08:00-20:00 (EMEA coverage)
- US SOC: 16:00-04:00 (Americas coverage)
- Singapore SOC: 00:00-12:00 (APAC coverage)
Handoff: Detailed shift notes, open ticket review
2. Playbook-Driven
Every alert → Defined playbook
Example Playbook (Malware Detection):
1. Triage (5 min)
☐ Confirm malware detection (EDR alert)
☐ Identify affected host(s)
☐ Check if network isolated (EDR auto-isolate?)
2. Containment (10 min)
☐ If not isolated: EDR network isolation
☐ Disable user account (AD)
☐ Block malicious IPs (firewall)
3. Investigation (30 min)
☐ Check for lateral movement (SIEM query)
☐ Identify patient zero (first infected host)
☐ Extract IOCs (hash, IP, domain)
☐ Threat intel lookup (VirusTotal, MISP)
4. Eradication (1 hour)
☐ EDR: Quarantine malware
☐ Full system scan (all hosts)
☐ Forensic data collection (memory dump, disk image)
5. Recovery (variable)
☐ Reimage affected system(s)
☐ Restore from clean backup
☐ Re-enable user account
☐ Remove network isolation
6. Post-Mortem (24 hours)
☐ Root cause analysis
☐ Update detection rules
☐ Lessons learned document
3. Continuous Improvement
Monthly:
- Review top 10 alerts (false positive tuning)
- Update detection rules
- Threat hunting exercise
Quarterly:
- MITRE ATT&CK coverage assessment
- Penetration test / Red team exercise
- Incident response tabletop
Annually:
- SOC maturity assessment
- Technology stack review
- Team training (certifications)
4. Purple Team Exercises
Red Team (attackers) + Blue Team (SOC) = Purple Team (collaborative)
Goal: Improve detection/response
Example Exercise:
Scenario: Phishing → Credential theft → Lateral movement → Data exfiltration
Red Team Actions:
1. Send phishing email (Gophish)
2. Capture credentials (fake login page)
3. RDP to victim machine
4. Enumerate file shares (PowerView)
5. Exfiltrate data (C2 channel)
Blue Team Detection:
☑ Phishing email detected? (Email gateway, user report)
☑ Credential theft detected? (Impossible travel, new device login)
☑ RDP session detected? (SIEM correlation)
☑ Enumeration detected? (Windows Event 4648, 4624)
☑ Data exfiltration detected? (DLP, network flow anomaly)
Results:
- Detected: 3/5 stages
- Missed: Enumeration, exfiltration
- Action: New detection rules added
Sıkça Sorulan Sorular (FAQ)
1. SOC ve SIEM arasındaki fark nedir?
- SIEM: Platform (log collection, correlation, alerting)
- SOC: People + Process + Technology (SIEM + EDR + NDR + analysts)
SIEM, SOC’un kullandığı bir araçtır.
2. Küçük işletmeler SOC’a ihtiyaç duyar mı?
Evet, özellikle:
- Hassas veri işleniyorsa (PII, payment card, health)
- Compliance gereksinimi varsa (PCI-DSS, HIPAA, ISO 27001)
- Remote workforce varsa
- Cloud-first altyapı varsa
Çözüm: Managed SOC (SOC-as-a-Service) → Affordable
3. In-house SOC vs. Managed SOC hangisi daha iyi?
| Kriter | In-House | Managed (SOCaaS) |
|---|---|---|
| Maliyet | $800K-2M/yıl | $30K-1.5M/yıl |
| Başlangıç süresi | 6-12 ay | 4-8 hafta |
| Kontrol | Tam | Kısmi |
| Expertise | Hiring challenge | Vendor sağlar |
| Ölçek | Sabit (ekip boyutu) | Elastik |
Öneri:
- SMB (50-500 employee): Managed SOC
- Mid-market (500-2000): Hybrid
- Enterprise (2000+): In-house (veya hybrid)
4. SOC ne kadar sürede kurulur?
Managed SOC: 4-8 hafta (onboarding) In-house SOC: 6-12 ay (hiring, training, platform, processes)
5. SOC’un ROI’si nasıl hesaplanır?
Formula:
ROI = (Benefits - Costs) / Costs
Benefits:
- Prevented breach cost: $4.45M (IBM average)
- Reduced MTTR: Downtime cost × time saved
- Compliance: Audit efficiency, fine avoidance
- Insurance: Premium reduction
Costs:
- SOC service fee (managed) OR
- In-house: Staff + platform + infrastructure
Example (SMB, Managed SOC):
- Cost: $200K/year (SOCaaS)
- Prevented breach: $500K (conservative)
- ROI = ($500K - $200K) / $200K = 150%
6. SOC analyst olmak için hangi sertifikalar gerekir?
Entry-level (Tier 1):
- CompTIA Security+
- CEH (Certified Ethical Hacker)
- GIAC Security Essentials (GSEC)
Mid-level (Tier 2):
- GCIH (GIAC Certified Incident Handler)
- CySA+ (CompTIA Cybersecurity Analyst)
- OSCP (Offensive Security Certified Professional)
Advanced (Tier 3):
- GCIA (GIAC Certified Intrusion Analyst)
- GCFA (GIAC Certified Forensic Analyst)
- CISSP (Certified Information Systems Security Professional)
7. False positive nasıl azaltılır?
Tuning stratejileri:
- Baseline learning (2-4 weeks)
- Whitelist (known-good IPs, users, processes)
- Threshold adjustment (alert eşikleri)
- Context enrichment (asset criticality, user role)
- Correlation (multiple signals → single alert)
Target: <5% false positive rate
8. SOC dışardan saldırıları nasıl tespit eder?
Threat Intelligence:
- Commercial feeds (Recorded Future, ThreatConnect)
- Open-source (MISP, AlienVault OTX)
- ISAC/ISAO (industry sharing)
- Dark web monitoring
IOC Matching:
- Known malicious IPs, domains, file hashes
- Real-time reputation check (VirusTotal API)
- Sandbox analysis (Cuckoo, Joe Sandbox)
9. Incident response süresi ne kadar?
Tipikal timeline:
- Critical (ransomware, data breach): <1 saat (containment), <24 saat (eradication)
- High (malware, compromised account): <4 saat
- Medium (suspicious activity): <24 saat
- Low (policy violation): <72 saat
SLA örneği (Managed SOC):
- Triage: <15 dakika (24x7)
- Initial response: <1 saat (critical), <4 saat (high)
- Resolution: <24 saat (critical), <72 saat (high)
10. SOC hangi sektörler için zorunlu?
Regüle sektörler (yasal gereksinim):
- Finans: BDDK, PCI-DSS (log monitoring mandatory)
- Sağlık: HIPAA (SIEM + monitoring)
- Enerji: NERC CIP (critical infrastructure)
- Kamu: Ulusal Siber Güvenlik Stratejisi
Highly recommended:
- E-ticaret (PCI-DSS)
- SaaS companies (SOC 2, ISO 27001)
- Critical infrastructure (su, elektrik, ulaşım)
Başlarken
SOC hizmeti için Kuvve Technology ile iletişime geçin:
- Ücretsiz Security Maturity Assessment: Mevcut güvenlik seviyenizi değerlendirelim
- Threat Landscape Analysis: Sektörünüze özel tehdit raporu
- SOC Model Seçimi: In-house, Hybrid, Managed karşılaştırma
- Pilot Deployment: 30-60 günlük pilot (risksiz deneme)
- Full Production: 24x7 SOC monitoring
İletişim:
- Web: kuvve.com/iletisim
- E-posta: [email protected]
- Telefon: +90 (216)390 02 20
7x24 SOC hizmeti için bugün bizimle iletişime geçin ve işletmenizin güvenliğini hiç uyumayan bir ekibe emanet edin!
Bu çözüm işletmeniz için uygun mu?
Uzman ekibimizle görüşün, size özel bir teklif hazırlayalım.