The continued growth of cybersecurity incidents calls for effective cybersecurity monitoring solutions. Operating a security operations center (SOC) is the recommended best practice on which large and medium-sized organizations rely for the detection of, notification about, and ultimately response to cybersecurity incidents. However, current SOCs face several issues, such as weak defense against specific types of attacks, low-quality threat intelligence, slow response, and a low level of automation.
In this paper, a comprehensive SOC is introduced to mitigate the above-mentioned issues of current SOCs. First, the SOC collects a wide variety of data, including network traffic, server logs, and security incident logs. The collected data is preprocessed and stored in a big-data storage platform. Second, the SOC provides multi-perspective behavior analysis, which combines the detection performance of multiple behavior detectors; different detectors can analyze different, specific types of attack based on the data in the big-data storage platform. In addition, threat intelligence is extracted accurately from unstructured open-source cyber threat intelligence reports using a deep learning model and is correlated with incident detection to identify attacks rapidly. Finally, the SOC can uniformly manage and automatically respond to the incidents identified through multi-perspective behavior analysis and threat intelligence. At the same time, visualization is adopted to reveal the cybersecurity situation of the entire organization. The framework of the SOC is derived from the CERN design and is customized to make it practical and deployable for the Institute of High Energy Physics to discover, identify, understand, analyze, and respond to cybersecurity incidents from a comprehensive perspective.
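The multi-perspective analysis described above (several independent behavior detectors whose findings are correlated with threat-intelligence indicators before an incident is raised) can be illustrated with a small pipeline. The following is an added example, not code from the paper or from the SOC it describes: the auth-log lines, flow records, indicator list, detector thresholds and severity scoring are all constructed for illustration, and the two detectors are deliberately simple heuristics rather than the paper's detectors.

```python
"""Two behavior detectors over constructed logs, with findings correlated
per host against a constructed threat-intelligence (TI) indicator set.
Nothing here is taken from the paper; values are made up for the example."""
from collections import Counter, defaultdict

# Constructed syslog-style auth lines: "<ts> <host> sshd: <message> from <src_ip>"
AUTH_LOGS = [
    "2024-01-10T10:00:01 host-a sshd: Failed password for root from 203.0.113.7",
    "2024-01-10T10:00:02 host-a sshd: Failed password for root from 203.0.113.7",
    "2024-01-10T10:00:03 host-a sshd: Failed password for admin from 203.0.113.7",
    "2024-01-10T10:00:04 host-a sshd: Failed password for root from 203.0.113.7",
    "2024-01-10T10:00:05 host-a sshd: Failed password for root from 203.0.113.7",
    "2024-01-10T10:00:09 host-a sshd: Accepted password for root from 203.0.113.7",
    "2024-01-10T10:01:00 host-b sshd: Failed password for bob from 198.51.100.2",
]

# Constructed outbound flow records: (src_host, dst_ip, dst_port, bytes_out)
FLOW_LOGS = [
    ("host-a", "192.0.2.50", 443, 1200),
    ("host-a", "192.0.2.50", 443, 1180),
    ("host-a", "192.0.2.50", 443, 1210),
    ("host-b", "198.51.100.9", 80, 50000),
]

# Constructed TI indicators, standing in for indicators extracted from reports.
TI_INDICATORS = {
    "203.0.113.7": "credential-stuffing botnet",
    "192.0.2.50": "C2 server",
}


def detect_bruteforce(lines, threshold=5):
    """Detector 1: at least `threshold` failed logins from one source to one
    host followed by a successful login from the same source."""
    failures = Counter()
    findings = []
    for line in lines:
        parts = line.split()
        host, src = parts[1], parts[-1]
        if "Failed password" in line:
            failures[(host, src)] += 1
        elif "Accepted password" in line and failures[(host, src)] >= threshold:
            findings.append({"detector": "bruteforce", "host": host, "indicator": src})
    return findings


def detect_beaconing(flows, min_conns=3, tolerance=0.1):
    """Detector 2: repeated connections from one host to one destination whose
    byte counts stay within `tolerance` of their mean (a simple beacon heuristic)."""
    by_pair = defaultdict(list)
    for src, dst, _port, nbytes in flows:
        by_pair[(src, dst)].append(nbytes)
    findings = []
    for (src, dst), sizes in by_pair.items():
        if len(sizes) < min_conns:
            continue
        mean = sum(sizes) / len(sizes)
        if all(abs(s - mean) <= tolerance * mean for s in sizes):
            findings.append({"detector": "beaconing", "host": src, "indicator": dst})
    return findings


def correlate(findings, ti):
    """Group findings per host; severity rises when several detectors agree
    or when a finding's indicator matches threat intelligence."""
    per_host = defaultdict(list)
    for f in findings:
        per_host[f["host"]].append(f)
    incidents = []
    for host, fs in per_host.items():
        detectors = sorted({f["detector"] for f in fs})
        ti_hits = sorted({ti[f["indicator"]] for f in fs if f["indicator"] in ti})
        score = len(detectors) + len(ti_hits)  # constructed scoring rule
        severity = "high" if score >= 3 else "medium" if score == 2 else "low"
        incidents.append({"host": host, "detectors": detectors,
                          "ti": ti_hits, "severity": severity})
    return sorted(incidents, key=lambda i: i["host"])


def run_pipeline():
    """Run both detectors over the constructed data and correlate the results."""
    findings = detect_bruteforce(AUTH_LOGS) + detect_beaconing(FLOW_LOGS)
    return correlate(findings, TI_INDICATORS)


if __name__ == "__main__":
    for incident in run_pipeline():
        print(incident)
```

On the constructed data only host-a is raised: the brute-force detector fires on the five failures followed by a success, the beaconing detector fires on the three near-identical flows to 192.0.2.50, and both indicators match TI, so the incident is scored high. host-b produces no finding from either detector and therefore never reaches the correlation stage, which is the point of combining detectors with TI rather than alerting on any single signal.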