Overview
The Enterprise SOC Architecture is designed to support compliance with major security and privacy frameworks. This page outlines how the architecture addresses common compliance requirements and provides guidance for audit preparation and evidence collection.

While the SOC architecture provides technical controls to support compliance, organizational policies and procedures are also required for full compliance with regulatory frameworks.
Supported Compliance Frameworks
NIST Cybersecurity Framework
Comprehensive framework covering Identify, Protect, Detect, Respond, and Recover functions
ISO 27001
International standard for information security management systems (ISMS)
PCI DSS
Payment Card Industry Data Security Standard for organizations handling cardholder data
GDPR
General Data Protection Regulation for EU data privacy and protection
SOC 2
Service Organization Control 2 for service providers handling customer data
HIPAA
Health Insurance Portability and Accountability Act for healthcare data protection
Framework Mapping
NIST Cybersecurity Framework
The SOC architecture addresses all five core functions:
Identify (ID)
Asset Management
- Wazuh agent inventory tracks all endpoints and systems
- Zabbix maintains infrastructure asset database
- Automated discovery of network devices via IDS/IPS
- Vulnerability detection via Wazuh and integrated scanners
- Threat intelligence integration for emerging risks
- Configuration compliance monitoring
- Centralized logging provides audit trail for policy compliance
- TheHive tracks security incidents and risk treatment
- Compliance reporting dashboards in Wazuh
Protect (PR)
Access Control
- Identity and authentication logging from all systems
- Privileged access monitoring and alerting
- Failed authentication detection and alerting
- Security event dashboards for awareness
- Incident case studies via TheHive
- File integrity monitoring (FIM) via Wazuh
- Encryption monitoring and validation
- Data loss prevention (DLP) event collection
- IDS/IPS protection (Snort/Suricata)
- Endpoint protection monitoring via Wazuh
- Firewall log analysis and correlation
Detect (DE)
Anomalies and Events
- Multi-layer threat detection (network, endpoint, infrastructure)
- Behavioral analytics and correlation in Wazuh
- Performance and availability anomaly detection
- 24/7 log collection and analysis
- Real-time alerting via Prometheus and Wazuh
- Threat intelligence integration
- Centralized detection rule management
- Regular rule updates from threat intelligence
- Detection testing and validation processes
Respond (RS)
Response Planning
- TheHive incident response case management
- Documented response playbooks and procedures
- Automated response via Cortex SOAR
- Incident tracking and notifications via TheHive
- Stakeholder reporting and dashboards
- Integration with communication platforms
- Centralized log analysis in Elasticsearch
- Forensic data collection and preservation
- Root cause analysis capabilities
- Automated containment actions via Cortex
- Coordination of mitigation activities in TheHive
- Mitigation effectiveness tracking
Recover (RC)
Recovery Planning
- Incident recovery tracking in TheHive
- Infrastructure recovery monitoring via Zabbix
- Service restoration validation
- Lessons learned documentation
- Detection gap analysis and improvement
- Metrics and KPI tracking for continuous improvement
- Stakeholder updates during recovery
- Post-incident reporting
- Recovery status dashboards
ISO 27001 Controls
Key ISO 27001 controls addressed by the SOC architecture:
| Control Area | Control | SOC Component | Implementation |
|---|---|---|---|
| A.12.4 | Logging and Monitoring | Wazuh, Elasticsearch | Centralized logging of security events |
| A.12.6 | Technical Vulnerability Management | Wazuh | Vulnerability detection and tracking |
| A.16.1 | Incident Management | TheHive | Incident detection, response, and documentation |
| A.12.2 | Protection from Malware | Wazuh, Snort/Suricata | Multi-layer malware detection |
| A.13.1 | Network Security | IDS/IPS, Firewall logs | Network traffic monitoring and analysis |
| A.9.4 | System and Application Access Control | Wazuh | Access logging and monitoring |
| A.12.3 | Backup | Elasticsearch, Configurations | Log retention and backup capabilities |
| A.18.2 | Compliance Monitoring | Wazuh | Compliance reporting and dashboards |
PCI DSS Requirements
Requirement 10
Track and monitor all access to network resources and cardholder data
- All access logged to Elasticsearch
- Real-time monitoring via Wazuh
- Audit trail protection via log integrity checking
- Automated log review and alerting
Requirement 11
Regularly test security systems and processes
- IDS/IPS monitoring (Snort/Suricata)
- File integrity monitoring (Wazuh FIM)
- Vulnerability detection
- Security testing documentation in TheHive
Requirement 6
Develop and maintain secure systems
- Configuration monitoring
- Vulnerability tracking
- Change detection and alerting
- Patch compliance monitoring
Requirement 12
Maintain a policy that addresses information security
- Security incident tracking (TheHive)
- Policy violation detection
- Compliance reporting dashboards
- Security awareness metrics
GDPR Compliance
The SOC architecture supports GDPR requirements:
Article 32: Security of Processing
- Encryption: Monitor encryption implementation and compliance
- Confidentiality: Access control monitoring and alerting
- Integrity: File integrity monitoring and change detection
- Availability: Infrastructure monitoring via Zabbix/Prometheus
- Resilience: Incident detection and response capabilities
- Testing: Regular security testing tracked in TheHive
Article 33: Breach Notification
- Detection: Multi-layer threat detection for early breach identification
- Documentation: Incident tracking and documentation in TheHive
- Timeline: Automated alerting for rapid detection in support of the 72-hour notification window
- Evidence: Comprehensive logs for breach investigation
- Reporting: Incident reports generated from TheHive
Article 30: Records of Processing Activities
- Audit Logs: Comprehensive logging of all data processing activities
- Access Tracking: Who accessed what data and when
- Retention: Configurable log retention policies
- Reporting: Compliance reports for processing activities
Ensure personally identifiable information (PII) in logs is properly protected, pseudonymized, or encrypted to maintain GDPR compliance.
Audit Logging and Reporting
Comprehensive Audit Trail
The SOC architecture provides comprehensive audit logging across all layers:
User Activity
- Authentication events
- Authorization changes
- Data access
- Configuration changes
System Activity
- Process execution
- Network connections
- File modifications
- Service changes
Security Events
- Threat detections
- Policy violations
- Security incidents
- Response actions
Audit Log Requirements
All audit logs should include: timestamp, user/system identity, event type, affected resource, source IP/system, and outcome (success/failure).
- Collection: Logstash/Fluentd aggregate logs from all sources
- Storage: Elasticsearch provides searchable, indexed log storage
- Retention: Configurable retention based on compliance requirements
- Protection: Log integrity verification and immutable storage options
- Access Control: Role-based access to audit logs
- Review: Automated analysis and manual review capabilities
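A gate that enforces the required-field rule above before records are indexed, as an added example that is not code from the original page. The field names `ts`, `actor`, `event`, `resource`, `src` and `outcome` are assumptions standing in for whatever the collector emits.

```python
"""Added example, not code from the original page: reject audit records that
lack the fields the page requires before they are indexed. The field names
(ts, actor, event, resource, src, outcome) are assumptions for this sketch."""
import json
from datetime import datetime

# Page requirement: timestamp, user/system identity, event type, affected
# resource, source IP/system, and outcome (success/failure).
REQUIRED = ("ts", "actor", "event", "resource", "src", "outcome")
OUTCOMES = {"success", "failure"}


def check_record(rec: dict) -> list[str]:
    """Return the problems found; an empty list means the record is audit-ready."""
    problems = [f"missing:{f}" for f in REQUIRED if not rec.get(f)]
    ts = rec.get("ts")
    if ts:
        try:
            # Demand an explicit UTC offset so events from different sources
            # can be ordered on one timeline during an investigation.
            if datetime.fromisoformat(ts.replace("Z", "+00:00")).tzinfo is None:
                problems.append("ts:no-timezone")
        except ValueError:
            problems.append("ts:unparseable")
    if rec.get("outcome") and rec["outcome"] not in OUTCOMES:
        problems.append("outcome:not-success-or-failure")
    return problems


def triage(lines: list[str]) -> tuple[list[dict], list[tuple[int, list[str]]]]:
    """Split newline-delimited JSON into accepted records and (line, problems)."""
    accepted, rejected = [], []
    for n, line in enumerate(lines, 1):
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            rejected.append((n, ["malformed-json"]))
            continue
        problems = check_record(rec)
        if problems:
            rejected.append((n, problems))
        else:
            accepted.append(rec)
    return accepted, rejected


# Constructed sample records (not real logs).
SAMPLE = [
    '{"ts":"2024-05-01T10:00:00Z","actor":"alice","event":"login","resource":"vpn","src":"10.0.0.5","outcome":"success"}',
    '{"ts":"2024-05-01T10:00:01","actor":"svc-backup","event":"read","resource":"/srv/db","src":"10.0.0.9","outcome":"success"}',
    '{"ts":"2024-05-01T10:00:02Z","actor":"bob","event":"config_change","resource":"fw1","outcome":"ok"}',
    'not json',
]
```

Records that fail the gate should be routed to a quarantine index and counted against the Log Collection Rate metric rather than silently dropped.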
Log Retention Requirements
| Framework | Minimum Retention | Recommended Retention | SOC Implementation |
|---|---|---|---|
| PCI DSS | 1 year (3 months online) | 2+ years | Elasticsearch with hot/warm/cold tiers |
| SOC 2 | 1 year | 2+ years | Configurable per index |
| HIPAA | 6 years | 7+ years | Archive to object storage |
| GDPR | As necessary | Based on purpose | Configurable with automated deletion |
| ISO 27001 | As defined in policy | 1-3 years | Configurable retention policies |
Evidence Collection and Retention
Forensic Evidence
TheHive provides incident case management with comprehensive evidence collection:
Evidence Types
- Log Evidence: Relevant logs automatically attached to incidents
- Network Captures: PCAP files from IDS/IPS systems
- File Artifacts: Suspicious files and malware samples
- Screenshots: Visual evidence of security events
- Third-party Data: Threat intelligence and external reports
- Timeline Data: Chronological event reconstruction
Chain of Custody
- All evidence tagged with collector, timestamp, and hash
- Evidence integrity verification via checksums
- Access logging for all evidence viewing and modification
- Immutable evidence storage options
- Evidence retention and disposal tracking
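The tagging, checksum verification and access logging listed above, carried through in a small evidence register. This is an added example, not TheHive's code; the evidence id format, custody-entry fields and on-disk layout are assumptions.

```python
"""Added example, not TheHive's code: a minimal evidence register that tags
each artifact with collector, timestamp and SHA-256, logs every access, and
re-verifies integrity on demand. Layout and field names are assumptions."""
import hashlib
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


class EvidenceRegister:
    def __init__(self) -> None:
        self.items: dict[str, dict] = {}  # evidence id -> path, digest, custody log

    def _log(self, eid: str, actor: str, action: str, note: str = "") -> None:
        self.items[eid]["custody"].append({
            "when": datetime.now(timezone.utc).isoformat(),
            "who": actor, "action": action, "note": note})

    def register(self, eid: str, path: Path, collector: str) -> str:
        digest = sha256_file(path)
        self.items[eid] = {"path": path, "sha256": digest, "custody": []}
        self._log(eid, collector, "collected", note=digest)
        return digest

    def access(self, eid: str, actor: str) -> bytes:
        self._log(eid, actor, "accessed")  # every viewing is recorded
        return self.items[eid]["path"].read_bytes()

    def verify(self, eid: str, actor: str) -> bool:
        # Recompute the hash and record whether the stored digest still matches.
        item = self.items[eid]
        ok = sha256_file(item["path"]) == item["sha256"]
        self._log(eid, actor, "verified" if ok else "INTEGRITY_FAILURE")
        return ok


def demo() -> tuple[bool, bool, int]:
    sample = Path(tempfile.mkdtemp()) / "suspicious.bin"  # constructed artifact
    sample.write_bytes(b"constructed sample artifact")
    reg = EvidenceRegister()
    reg.register("EV-1", sample, collector="analyst.a")
    before = reg.verify("EV-1", "auditor")
    sample.write_bytes(b"constructed sample artifact, altered")  # simulated tampering
    after = reg.verify("EV-1", "auditor")
    return before, after, len(reg.items["EV-1"]["custody"])
```

In production the custody log itself needs the immutable storage the page mentions; an in-memory list only demonstrates the shape of the record.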
Evidence Storage
- Encrypted storage for sensitive evidence
- Access controls based on case sensitivity
- Long-term archival for legal retention
- Backup and disaster recovery for evidence
- Secure deletion after retention period
Compliance Reporting
Automated Reports
- Scheduled compliance reports from Wazuh
- Custom dashboards for each framework
- Metric tracking and trend analysis
- Export capabilities (PDF, CSV, JSON)
Manual Reports
- Ad-hoc queries in Elasticsearch
- Incident summaries from TheHive
- Custom analysis and investigations
- Executive summaries and briefings
Audit Preparation
Pre-Audit Checklist
- Verify all SOC components are operational and collecting logs
- Review and update compliance dashboard configurations
- Validate log retention meets requirements
- Test log search and retrieval capabilities
- Review and update security policies and procedures
- Prepare evidence of security testing (penetration tests, vulnerability scans)
- Document any exceptions or compensating controls
- Prepare access for auditors (read-only accounts)
- Generate sample compliance reports
- Review incident response documentation
Common Audit Queries
Prepare these common audit evidence queries in advance:
Access Control Evidence
Security Event Evidence
System Change Evidence
Monitoring Evidence
Continuous Compliance
Compliance is not a one-time activity. Implement continuous compliance monitoring to maintain audit readiness year-round.
Continuous Monitoring Approach
- Automated Compliance Checks: Daily automated verification of compliance controls
- Dashboards: Real-time compliance status visibility
- Alerting: Immediate notification of compliance violations
- Regular Reviews: Monthly compliance review meetings
- Gap Remediation: Tracking and closure of identified gaps
- Documentation: Continuous documentation of controls and evidence
Compliance Metrics
Track these key compliance metrics:
| Metric | Target | Description |
|---|---|---|
| Log Collection Rate | > 99.5% | Percentage of expected logs successfully collected |
| Detection Coverage | > 90% | Percentage of required controls with active monitoring |
| Incident Response Time | < 24 hours | Time from detection to initial response |
| Audit Finding Closure | 100% in 30 days | Percentage of audit findings remediated within SLA |
| Control Effectiveness | > 95% | Percentage of controls operating effectively |
| Compliance Assessment Score | > 85% | Overall compliance score from automated assessments |
Data Privacy Considerations
Privacy-by-Design
Implement privacy considerations in the SOC architecture:
- Data Minimization: Only collect logs necessary for security purposes
- Pseudonymization: Replace PII with pseudonyms where possible
- Access Controls: Restrict access to logs containing PII
- Retention Limits: Automatically delete logs after retention period
- Purpose Limitation: Use logs only for security purposes
- Transparency: Document what data is collected and why
Sensitive Data Handling
Best practices:
- Filter Sensitive Data: Remove/mask sensitive fields during log collection
- Encrypt in Transit: TLS for all log transmission
- Encrypt at Rest: Enable Elasticsearch encryption for indices with PII
- Access Logging: Audit all access to logs containing sensitive data
- Data Subject Rights: Implement processes for data subject access requests (DSAR)
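One way to implement the pseudonymization called for under Privacy-by-Design and the field masking called for here, as a collection-time filter. This is an added example, not code from the page's SOC deployment; the field names, the demo key and the keep-last-four masking rule are assumptions.

```python
"""Added example, not code from the page's SOC deployment: pseudonymize
identity fields and mask payment/ID fields before records reach the index.
Field names and the key source are assumptions for illustration."""
import hashlib
import hmac
import re
from typing import Any

# A keyed hash yields a stable token (same user -> same pseudonym, so events
# still correlate) that cannot be reversed without the key. The key lives
# outside the log pipeline; this constant is a constructed demo value.
PSEUDONYM_KEY = b"constructed-demo-key-rotate-in-production"
PSEUDONYMIZE = {"user", "email"}       # correlation still needed
MASK = {"card_number", "ssn"}          # never needed in clear by the SOC
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")


def pseudonym(value: str) -> str:
    mac = hmac.new(PSEUDONYM_KEY, value.strip().lower().encode(), hashlib.sha256)
    return "pseud:" + mac.hexdigest()[:16]


def mask(value: str) -> str:
    """Keep only the last four digits so a record can still be matched to a ticket."""
    digits = re.sub(r"\D", "", value)
    return "*" * max(len(digits) - 4, 0) + digits[-4:]


def scrub(record: dict[str, Any]) -> dict[str, Any]:
    """Apply the per-field policy; free-text fields get embedded emails pseudonymized."""
    out: dict[str, Any] = {}
    for key, value in record.items():
        if not isinstance(value, str):
            out[key] = value
        elif key in PSEUDONYMIZE:
            out[key] = pseudonym(value)
        elif key in MASK:
            out[key] = mask(value)
        else:
            out[key] = EMAIL_RE.sub(lambda m: pseudonym(m.group()), value)
    return out


SAMPLE = {  # constructed record, not a real log line
    "ts": "2024-05-01T10:00:00Z",
    "user": "Alice@Example.com",
    "email": "alice@example.com",
    "card_number": "4111 1111 1111 1111",
    "message": "payment by alice@example.com failed",
    "outcome": "failure",
}
```

Because the pseudonym is keyed, a data subject access request can still be answered by computing the token for the requester's identifier and searching for it, without the index ever holding the identifier in clear.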
Conclusion
The Enterprise SOC Architecture provides comprehensive technical controls to support compliance with major security and privacy frameworks. However, compliance also requires:
- Documented policies and procedures
- Regular security awareness training
- Risk assessment and treatment processes
- Third-party vendor management
- Business continuity and disaster recovery planning
Work with your legal and compliance teams to ensure organizational policies and procedures complement the technical controls provided by the SOC architecture.
