Introduction to SOC

What is SOC?

SOC is an abbreviation for Security Operations Center. A SOC improves an organization’s threat detection, incident response and threat prevention by unifying and coordinating all of its cybersecurity technologies and operations. A SOC is a team of IT security professionals who monitor the organization’s IT infrastructure 24×7 to detect cybersecurity events in real time and respond to them effectively in the shortest time possible.

SOC Activities and Responsibilities

  1. Preparation, planning and prevention
  2. Monitoring, detection and response
  3. Recovery, refinement and compliance

1. Preparation, planning and prevention

Asset Inventory – The SOC is responsible for maintaining an inventory of assets so it knows which of them need to be protected; assets can be inside or outside the datacenter. They can be databases, cloud services, applications, endpoints and servers, or the tools used to protect those assets, such as firewalls, antivirus, antimalware and monitoring applications.

Routine maintenance and preparation – The SOC performs preventative maintenance such as applying software patches and upgrades and updating firewalls, security policies, procedures, whitelists and blacklists to maximize the effectiveness of security tools and measures. The SOC may also create system backups of policies and procedures to ensure the business continues without interruption in the event of a data breach, ransomware attack or other cybersecurity incident.

Incident Response planning – The organization relies on the SOC team to develop its incident response plan. In the event of a threat or incident, the incident response plan defines the activities, roles and responsibilities. It also defines the metrics by which the success of any incident response will be measured.

Prevention – The SOC team performs vulnerability assessments and comprehensive assessments to identify each asset’s vulnerability to potential threats. It also performs pentests that simulate attacks on one or more systems. Based on the results of these assessments and tests, the SOC team remediates or tweaks applications, incident response plans, security policies and other security measures.

The SOC team needs to keep track of the latest security solutions and technologies, along with the latest threat intelligence news. Information about cyberattacks and the groups behind them can be gathered from industry sources, the dark web and social media.

2. Monitoring, detection and response

Security Monitoring – The SOC team is responsible for monitoring the organization’s whole IT infrastructure 24x7x365, whether servers, system software, computing devices, applications or cloud workloads, for signs of known exploits and any suspicious activity. Usually a SIEM (Security Information and Event Management) system is the core technology in the SOC, able to monitor, detect and respond to alerts.

A SIEM identifies potential threats by monitoring and aggregating alerts; it can also take real-time telemetry from both software and hardware in the network and analyze that data to detect potential threats. The latest SOC technologies are also adopting XDR (Extended Detection and Response), which provides more detailed telemetry and monitoring and can automate incident detection and response.

Log Management – A subset of monitoring: collecting the log data generated by every network event and analyzing it to establish a baseline of normal activity. Log data analysis can then reveal anomalies that point to suspicious activity. Most SIEM solutions include this log management capability.

Threat Detection – The SOC team must separate actual threats and exploits from false positives, then triage the threats by severity level. Modern SIEM solutions also include AI (artificial intelligence) that can automate these processes by learning from previous data and gradually improving at identifying suspicious activity.
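As an added example that is not part of the original post, the following Python script shows the two ideas above, the baseline-then-anomaly approach of log management and the severity triage of threat detection, applied to constructed sshd-style auth log lines. The log lines, IP addresses and the threshold rule (mean plus three standard deviations, with a floor of five) are assumptions for illustration, not a real SIEM rule.

```python
import re
import statistics
from collections import Counter

# sshd-style auth line: outcome, user and source IP are all we need for triage.
LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<outcome>Accepted|Failed) password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>[\d.]+)"
)

def parse(line):
    """Return (outcome, user, src) for an sshd auth line, or None if it does not match."""
    m = LINE_RE.search(line)
    return (m["outcome"], m["user"], m["src"]) if m else None

def failures_per_source(lines):
    """Count 'Failed password' events per source IP."""
    return Counter(ev[2] for ev in map(parse, lines) if ev and ev[0] == "Failed")

def build_baseline(lines):
    """Mean and population stdev of failed logins per source over a known-good window."""
    counts = list(failures_per_source(lines).values()) or [0]
    return statistics.fmean(counts), statistics.pstdev(counts)

def detect(lines, baseline, k=3.0, floor=5):
    """Flag sources whose failure count exceeds max(floor, mean + k*stdev); severity is
    'high' when the same source also got an Accepted login, else 'medium'. High sorts first."""
    mean, stdev = baseline
    threshold = max(floor, mean + k * stdev)
    accepted = {ev[2] for ev in map(parse, lines) if ev and ev[0] == "Accepted"}
    alerts = [{"src": src, "failures": n, "severity": "high" if src in accepted else "medium"}
              for src, n in failures_per_source(lines).items() if n > threshold]
    return sorted(alerts, key=lambda a: (a["severity"] != "high", -a["failures"]))

def _ev(outcome, user, src, n):
    # Helper to build constructed log lines; 'n' just varies the timestamp, pid and port.
    return (f"Mar 01 08:00:{n:02d} host1 sshd[{100 + n}]: {outcome} password for "
            f"{user} from {src} port {5000 + n} ssh2")

# Constructed baseline window: normal users with the occasional mistyped password.
BASELINE = [_ev("Failed", "alice", "10.0.0.5", 1), _ev("Accepted", "alice", "10.0.0.5", 2),
            _ev("Failed", "bob", "10.0.0.6", 3), _ev("Failed", "bob", "10.0.0.6", 4),
            _ev("Accepted", "bob", "10.0.0.6", 5)]

# Constructed detection window: a noisy scanner that never gets in, a source that
# guesses alice's password after eight tries, and one ordinary failed login.
WINDOW = ([_ev("Failed", "root", "203.0.113.9", i) for i in range(10)]
          + [_ev("Failed", "alice", "198.51.100.7", i) for i in range(10, 18)]
          + [_ev("Accepted", "alice", "198.51.100.7", 18), _ev("Failed", "carol", "10.0.0.8", 19)])
```

Running `detect(WINDOW, build_baseline(BASELINE))` returns the source that got in as high severity first, the scanner as medium, and nothing for the single ordinary failure.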

Incident response – When an actual incident occurs due to a threat, the SOC team performs various actions to limit the damage to the organization. These actions can include:

  • Root cause investigation to determine the vulnerabilities that gave the attackers system access, along with other contributing factors such as bad passwords and poor policy enforcement
  • Shutting down compromised devices and endpoints
  • Disconnecting impacted devices from the network
  • Isolating the compromised network areas
  • Rerouting network traffic
  • Halting all compromised applications and processes
  • Deleting all infected and damaged files
  • Running antivirus and other protection tools
  • Decommissioning passwords for internal and external users

XDR solutions can enable SOCs to automate and accelerate the above-mentioned actions and other incident responses.

3. Recovery, refinement and compliance

Recovery and Remediation – After containing the incident, the SOC team moves to eradicate the threat and revert the impacted assets to the stable state they were in before the incident occurred. This may involve a series of actions such as wiping, restoring and reverting systems, reconnecting endpoints, restarting applications and processes, and restoring network traffic. If the attack involved a data breach or ransomware, recovery may also involve resetting passwords and other authentication credentials.

Refinement – To prevent such attacks in future, the SOC team uses the intelligence gathered from the incident to update policies and processes, address newly found vulnerabilities, and possibly carry out proactive threat hunting to find any other undetected vulnerability. The SOC team may choose new cybersecurity tools depending on requirements, and revises the incident response plans.

Compliance Management – The SOC team ensures that all systems, applications, processes and tools in the organization comply with data privacy regulations such as GDPR, CCPA, PCI DSS and HIPAA. The SOC team also ensures that all parties required by those regulations, such as users, law enforcement and regulators, are notified about the incident, and that incident data is retained for evidence and auditing.
