0xnhl

Security Operations Center


A security operations center (SOC) is an organizational unit dedicated to monitoring networks, systems, and devices for security events, threats or attacks.
Some of the main areas of interest for a SOC are:

  • Vulnerabilities
  • Policy violations
  • Unauthorized activity
  • Network intrusions

Structurally, a SOC (usually pronounced “sock”) often exists as its own separate unit or within a CSIRT. You may be familiar with the term blue team, which refers to the security professionals who are responsible for defending against all security threats and attacks at an organization.
A SOC is involved in various types of blue team activities, such as network monitoring, analysis, and response to incidents.

There are three pillars of a SOC: People, Process, and Technology. They coexist in a SOC environment. A team of professional individuals working on state-of-the-art security tools in the presence of proper processes is what makes a mature SOC environment.

SOC Team

A SOC is composed of SOC analysts, SOC leads, and SOC managers. Each role has its own respective responsibilities. SOC analysts are grouped into three different tiers.

Tier 1 SOC analyst

The first tier is composed of the least experienced SOC analysts, who are known as level 1s (L1s). They are responsible for:

  • Monitoring, reviewing, and prioritizing alerts based on criticality or severity
  • Creating and closing alerts using ticketing systems
  • Escalating alert tickets to Tier 2 or Tier 3

Tier 2 SOC analyst

The second tier comprises the more experienced SOC analysts, or level 2s (L2s). They are responsible for:

  • Receiving escalated tickets from L1 and conducting deeper investigations
  • Configuring and refining security tools
  • Reporting to the SOC lead

Tier 3 SOC lead

The third tier of a SOC is composed of the SOC leads, or level 3s (L3s). These highly experienced professionals are responsible for:

  • Managing the operations of their team
  • Exploring methods of detection by performing advanced detection techniques, such as malware and forensics analysis
  • Reporting to the SOC manager

Security engineer

All analysts work on security solutions, and these solutions need deployment and configuration. Security engineers deploy and configure these security solutions to ensure their smooth operation.

Detection engineer

Security rules are the logic built into security solutions to detect harmful activities. Level 2 and 3 analysts often create these rules, while the SOC team can sometimes also assign this responsibility to a dedicated detection engineer role.

SOC manager

The SOC manager is at the top of the pyramid and is responsible for:

  • Hiring, training, and evaluating the SOC team members
  • Creating performance metrics and managing the performance of the SOC team
  • Developing reports related to incidents, compliance, and auditing
  • Communicating findings to stakeholders such as executive management

The SOC manager also remains in contact with the organization’s CISO (Chief Information Security Officer) to provide updates on the SOC team’s current security posture and efforts.

Other roles

SOCs can also contain other specialized roles such as:

  • Forensic investigators: commonly L2s and L3s who collect, preserve, and analyze digital evidence related to security incidents to determine what happened.
  • Threat hunters: typically L3s who work to detect, analyze, and defend against new and advanced cybersecurity threats using threat intelligence.

Note: Just like CSIRTs, the organizational structure of a SOC can differ depending on the organization.

Processes

Alert Triage

Alert triage is the foundation of the SOC team’s work. The first response to any alert is to perform triage: analyzing the specific alert to determine its severity, which in turn helps us prioritize it.
Alert triage is all about answering the 5 Ws: Who, What, Where, When, and Why.

Reporting

Alerts confirmed as harmful need to be escalated to higher-level analysts for a timely response and resolution. These alerts are escalated as tickets and assigned to the relevant people. The report should cover all 5 Ws along with a thorough analysis, and screenshots should be included as evidence of the activity.

Technologies

The technologies in a SOC are the security solutions that efficiently minimize the SOC team’s manual effort to detect and respond to threats.

  • SIEM: Security Information and Event Management (SIEM) is a popular tool used in almost every SOC environment. It collects logs from various network devices, referred to as log sources. Detection rules configured in the SIEM solution contain the logic that identifies suspicious activity. The SIEM correlates events across multiple log sources and alerts us when they match any of the rules. Modern SIEM solutions go beyond this rule-based detection, providing user behavior analytics and threat intelligence capability, with machine learning algorithms supporting and enhancing the detection capabilities.
  • EDR: Endpoint Detection and Response (EDR) provides the SOC team with detailed real-time and historical visibility of the devices’ activities. It operates at the endpoint level and can carry out automated responses. EDR has extensive detection capabilities for endpoints, allowing you to investigate them in detail and respond with a few clicks.
  • Firewall: A firewall functions purely for network security and acts as a barrier between your internal and external networks (such as the Internet). It monitors incoming and outgoing network traffic and filters any unauthorized traffic. The firewall also has detection rules deployed, which help us identify and block suspicious traffic before it reaches the internal network.
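To tie the SIEM description and the triage process together, here is an added example (not from the original page or any real SIEM product) of a minimal rule-based correlation: it parses constructed firewall and EDR log lines, fires when one internal host has repeated outbound denies to the same destination, enriches the hit with the EDR record for that host, and emits an alert already shaped around the 5 Ws with a severity and an escalation tier for the L1 analyst. Log formats, hostnames, addresses and the threshold are all assumptions.

```python
import re
from collections import defaultdict

# Constructed sample logs from two log sources (not real data).
FIREWALL_LOGS = [
    "2025-12-08T09:00:01Z fw01 action=deny src=10.0.5.23 dst=203.0.113.9 dport=4444",
    "2025-12-08T09:00:03Z fw01 action=deny src=10.0.5.23 dst=203.0.113.9 dport=4444",
    "2025-12-08T09:00:05Z fw01 action=deny src=10.0.5.23 dst=203.0.113.9 dport=4444",
    "2025-12-08T09:01:10Z fw01 action=allow src=10.0.5.40 dst=198.51.100.7 dport=443",
]
EDR_LOGS = [
    "2025-12-08T08:59:58Z host=ws-023 ip=10.0.5.23 user=jdoe event=process_start image=powershell.exe",
    "2025-12-08T09:01:00Z host=ws-040 ip=10.0.5.40 user=asmith event=process_start image=outlook.exe",
]

KV = re.compile(r"(\w+)=(\S+)")

def parse(line):
    """Turn a 'ts key=value ...' line into a dict; the timestamp is stored under 'ts'."""
    ts, _rest = line.split(" ", 1)
    fields = dict(KV.findall(line))
    fields["ts"] = ts
    return fields

def correlate(fw_logs, edr_logs, deny_threshold=3):
    """Detection rule: >= deny_threshold denied connections from one internal source
    to the same dst:port. Each hit is enriched with EDR process events seen from that
    source IP (no time-window check; kept simple on purpose)."""
    denies = defaultdict(list)
    for ev in map(parse, fw_logs):
        if ev.get("action") == "deny":
            denies[(ev["src"], ev["dst"], ev["dport"])].append(ev)
    procs = defaultdict(list)
    for ev in map(parse, edr_logs):
        procs[ev["ip"]].append(ev)
    alerts = []
    for (src, dst, dport), evs in denies.items():
        if len(evs) < deny_threshold:
            continue
        edr = procs.get(src, [])          # correlation with the second log source
        severity = "high" if edr else "medium"
        alerts.append({
            "who": edr[0]["user"] if edr else "unknown",
            "what": f"{len(evs)} denied connections to {dst}:{dport}"
                    + (f" shortly after {edr[0]['image']} started" if edr else ""),
            "where": edr[0]["host"] if edr else src,
            "when": f"{evs[0]['ts']} to {evs[-1]['ts']}",
            "why": "repeated blocked outbound attempts to one external endpoint; needs L2 review",
            "severity": severity,
            "escalate_to": "L2" if severity == "high" else "L1",
        })
    return alerts
```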

Resources

Security Operations Center
https://nahil.xyz/vault/defensive-security/security-operations-center/

Author: Nahil Rasheed
Published: December 8, 2025
Disclaimer: This content is provided strictly for educational purposes only.