CHAPTER-4: SOC Functions
Shahab Al Yamin Chawdhury
Cybersecurity Consultant | Enterprise Architect | Mentor by Life
I am with you throughout the book as a friend and a technical advisor. As things get complex, just try to understand the purpose of these processes; they are laid out for a reason, and once you understand the 'reason', you can generate new reasons as well.
The primary functions of a SOC platform (in practice, the SIEM at its core) are to aggregate, normalize, and correlate security events to provide a holistic view of everything that happens in an IT infrastructure. It ingests event data from a wide range of sources across the organization's entire estate, including on-premises and cloud environments. Log data from users, endpoints, applications, data stores, cloud workloads and networks, together with telemetry from security hardware and software such as firewalls or antivirus, is collected, normalized into one common schema, correlated, analyzed in near real time against threat intelligence, and assigned a severity score. If you maintain a mapping from each event or detection rule to the controls it evidences, those findings can also be mapped to ISO/IEC 27001, MITRE ATT&CK, PCI DSS and other standards; the platform does not know that mapping unless you build it.
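The ingest, normalize, correlate, score and map chain described above, as an added example written for this chapter (it is not code from the book or from any SIEM product). It takes a Linux sshd syslog line and a Windows Security event (4625 logon failure, 4624 logon success) forwarded as JSON, maps both onto one schema, raises one alert when a source IP fails at least three times and then succeeds within five minutes, and tags the alert with a standards mapping. All log lines are constructed, the syslog year and the window/threshold values are assumptions, and the ISO 27001 and PCI DSS control references are illustrative and should be checked against your own control catalogue.

```python
"""Added example, not code from the book: a minimal SIEM-style pipeline that
normalizes events from two sources, correlates them, scores the finding and
maps it to standards. All log lines below are constructed sample data."""
import json
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample events: Linux sshd syslog lines and Windows Security
# events (4625 = logon failure, 4624 = logon success) as forwarded JSON.
RAW_EVENTS = [
    "Mar 10 09:01:02 web01 sshd[2211]: Failed password for root from 203.0.113.7 port 51122 ssh2",
    '{"EventID": 4625, "TimeCreated": "2024-03-10T09:01:05Z", "Computer": "dc01", '
    '"TargetUserName": "admin", "IpAddress": "203.0.113.7"}',
    "Mar 10 09:01:09 web01 sshd[2214]: Failed password for invalid user oracle from 203.0.113.7 port 51130 ssh2",
    "Mar 10 09:01:40 web01 sshd[2220]: Accepted password for root from 203.0.113.7 port 51140 ssh2",
    "Mar 10 09:02:00 app02 sshd[900]: Failed password for alice from 198.51.100.20 port 40000 ssh2",
    "Mar 10 09:02:05 app02 sshd[901]: Accepted password for alice from 198.51.100.20 port 40001 ssh2",
    "Mar 10 09:02:10 app02 CRON[12]: (root) CMD (run-parts /etc/cron.hourly)",  # no auth outcome: dropped
]

SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)"
)
SYSLOG_YEAR = 2024  # assumption: classic syslog lines carry no year

# Illustrative mapping of the rule to standards (assumption: verify the
# control references against your own control catalogue before use).
RULE_MAPPING = {
    "brute_force_then_success": {
        "mitre_attack": "T1110 Brute Force",
        "iso27001_2022": "A.8.5 Secure authentication",
        "pci_dss_v4": "Req 8.3.4 Limit invalid authentication attempts",
    }
}


def normalize(raw):
    """Map one raw record onto the common schema; None if it carries no auth outcome."""
    if raw.startswith("{"):
        ev = json.loads(raw)
        return {
            "ts": datetime.fromisoformat(ev["TimeCreated"].replace("Z", "+00:00")),
            "host": ev["Computer"], "user": ev["TargetUserName"], "src_ip": ev["IpAddress"],
            "outcome": "success" if ev["EventID"] == 4624 else "failure",
            "source": "windows-security",
        }
    m = SYSLOG_RE.match(raw)
    if not m:
        return None
    ts = datetime.strptime(f"{SYSLOG_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S").replace(tzinfo=timezone.utc)
    return {"ts": ts, "host": m["host"], "user": m["user"], "src_ip": m["ip"],
            "outcome": "success" if m["outcome"] == "Accepted" else "failure", "source": "linux-sshd"}


def score(finding):
    """Severity: a privileged account or spread across several hosts raises high to critical."""
    privileged = finding["user"].lower() in {"root", "administrator", "admin"}
    finding["severity"] = "critical" if privileged or len(finding["hosts"]) > 1 else "high"
    finding.update(RULE_MAPPING[finding["rule"]])
    return finding


def correlate(events, threshold=3, window_s=300):
    """Per source IP: >= threshold failures followed by a success inside window_s seconds."""
    by_ip = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_ip[e["src_ip"]].append(e)
    alerts = []
    for ip, evs in by_ip.items():
        failures = []
        for e in evs:
            if e["outcome"] == "failure":
                failures.append(e)
                continue
            recent = [f for f in failures if (e["ts"] - f["ts"]).total_seconds() <= window_s]
            if len(recent) >= threshold:
                alerts.append(score({
                    "rule": "brute_force_then_success", "src_ip": ip, "user": e["user"],
                    "ts": e["ts"].isoformat(), "failures": len(recent),
                    "hosts": sorted({f["host"] for f in recent} | {e["host"]}),
                    "sources": sorted({f["source"] for f in recent} | {e["source"]}),
                }))
            failures = []  # a success closes the attempt window for this IP
    return alerts


def run_pipeline(raw_lines=RAW_EVENTS):
    """Normalize every line, drop the ones without an auth outcome, correlate the rest."""
    events = [ev for ev in map(normalize, raw_lines) if ev is not None]
    return correlate(events)


if __name__ == "__main__":
    print(json.dumps(run_pipeline(), indent=2))
```

The point the code makes is that the correlation only works because both sources were first forced into the same schema (same `src_ip`, `user`, `outcome` fields): three failures that were scattered across a Linux box and a domain controller become one attack sequence, and the alert carries both hosts and both sources. The cut-off values are a starting point, not a standard; behind a NAT gateway or a VPN concentrator many users share one source IP, so tune the threshold or add the user name to the grouping key before you trust this rule in production.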
Most of these functions are derived from guidelines provided by the CISO, or assembled from what experienced SOC personnel have collected over time, whichever works; there is no single manual, standard or framework that tells you how to do it right the first time and every time.
It is important to accept that your perception is limited by your knowledge. That is not meant as an insult; it is true to the core, and once you realize it you will find that you already know a lot. Knowledge can be grown and skills can be taught, but look for aptitude: that is what makes technical people highly effective, and it is why I salute you, my peers. Collaboration is always the key, no matter what you say, how you present, or how many times you have documented it; keep doing it, that is the right way. When a peer knows better, tag along with them; they came to you as a blessing, not a threat. And ask for help!
That is how a SOC manager should perform: keep learning from each other, fine-tune all the processes, try to make them shorter, share and give back. That is how you grow. Set your ego aside; it is doable.
Open Security Architecture (OSA) Architecture Patterns
OSA provides benefits to IT service consumers, IT service suppliers and IT vendors, giving the entire IT community an interest in using and improving it.
· IT service consumers need to integrate diverse architectures from many suppliers in complex chains. They win using OSA because they can better specify or assess the services or products they purchase and improve the quality of the products they build. They reduce the knowledge risk of the architecture being under the supplier's control. Additionally, they increase confidence in their ability to integrate services, improve conformance with GRC requirements and reduce audit costs.
· IT service suppliers want to supply services to the maximum number of consumers, minimizing the cost to specify, implement and operate, while ensuring that the services meet the consumers' requirements. They win using OSA because they can provide conformant solutions at the least cost to the largest market.
· IT vendors want to supply products that meet market needs and have a low TCO for the IT service supplier that will operate them. They win using OSA because they can build systems with relevant and appropriate controls.
From the Patterns Landscape you can derive or readily view your perspective on the provided patterns; the book shows a screenshot of the "SP-011: Cloud Computing Pattern" at this point (the screenshot itself is not reproduced in this text). Each numbered item in a pattern is clickable and lands you on the control description, which gives you a gold mine for mapping your business architecture to your cybersecurity architecture; a complete mapping can be generated from these three catalogues:
· Total Control Catalogue: Control Catalogue (opensecurityarchitecture.org)
· Patterns Landscape: Pattern Landscape (opensecurityarchitecture.org)
· Threat Catalogue: Threat Catalogue (opensecurityarchitecture.org)
SOC Methodology
In summary, a functional SOC is central to curbing cybersecurity threats, which can cost businesses significant amounts in lost revenue and data breaches.
According to a report by Kaspersky (Cybersecurity in the AI era: How the threat landscape evolved in 2023 | Kaspersky), the use of AI by cybercriminals has become more prevalent in recent years, with AI tools being used to help them in their malicious activities. The report also highlights the potential defensive applications of AI technology. As technology continues to evolve, new vulnerabilities and exploits are discovered, and attackers change their tactics to exploit them. The global threat landscape is in a constant state of flux, with geopolitical instability, newly discovered exploits and vulnerabilities, and constantly evolving tools and shifting targets all contributing to attackers changing their modus operandi. As a result, it is essential for organizations to stay up to date with the latest security trends and technologies to protect themselves from emerging threats.
SOC – Capability Maturity Model (SOC-CMM)
The SOC-CMM model was initially created as a scientific research project to determine the characteristics and features of SOCs, such as specific technologies or processes. From that research project, the SOC-CMM has evolved to become the de facto standard for measuring capability maturity in Security Operations Centers. At the core of the assessment tool lies the SOC-CMM model. This model consists of 5 domains and 26 aspects, each evaluated using several questions. The domains 'Business', 'People' and 'Process' are evaluated for maturity only (blue in the tool), while the domains 'Technology' and 'Services' are evaluated for both maturity and capability (purple in the tool). (Cited directly from the SOC-CMM site.)
You can download all the Excel files from here (they are also provided in the job aids): SOC-CMM - Downloads
Cybersecurity by Bill Ross
A handful of documents are available for you to look into; those guides were invaluable to my understanding of the SOC domain, from architecting to developing SOPs. They can be found here:
Some of his very useful contributions are:
1. Cybersecurity Architecture Management System Design (CSAMS)
2. Cyber Security Frameworks like the NIST Cyber Security Framework (CSF)
3. Cyber Security Architecture Development
4. Security Operations Center (SOC) or Strategic Operating Procedure
5. Cybersecurity Tools
NOC & SOC Visibility Requirement
Every piece of hardware, operating system, virtual machine and application must enable enterprise-grade compliance visibility and reporting services. These aid capacity planning and management, and feed report generation for ISO 20000, ISO 27001, ISO 22301, CIS, ITIL, COBIT, Q4IT and PCI DSS, which requires data collection from various hardware and software sources (IT governance). In practice this means full administrative (root and admin) access for installing the various agents that provide the following services, on both Windows and Linux systems; installation needs root or admin, but the running agent should then hold only the privileges it actually needs. (This is not an exhaustive list.)
Primary visibility requirements:
1. People
2. Processes
3. Technology
4. Affiliations
5. Business
6. Visibility
And the SOC visibility requirements (a 49-point visibility requirements list kept in the book's spreadsheet; change it as you see fit, copy the spreadsheet and paste it into an Excel file):
Integrated Intelligence for a Threat-informed Defense
A good blend of human intelligence and powerful automation provides real-time visibility into your organization's ability to manage threat exposure. Offensive engagements are customized to your needs and to the maturity of your security posture, and can scale to address even the largest, most complex environments. I would not recommend taking this offensive approach any further than testing your own defenses: the mentality that drives that type of operation always leads to increased incoming threats, as you would be testing a hacker's ability to penetrate your defense. In a government or military installation, however, it may be required to withstand and counter-attack your threat sources.
· IAM (Identity & Access Management): be mindful that in most cases Windows servers need to be enrolled as member servers of an Active Directory domain or another LDAP (Lightweight Directory Access Protocol) provider, and Linux servers should be joined to an equivalent central authentication system such as FreeIPA, so that every logon the SOC sees is attributable to one identity.
· HSM servers: hardware security modules (Thales is among the most widely supported appliance vendors) can be used for key or token generation for your applications and to meet various FIPS 140 requirements.
· Cloud security: ensure a secure, efficient cloud infrastructure through comprehensive assessments.
· PLC, SCADA, IoT, ICS: segment your design so that PLC devices never sit on a standard enterprise network device, and follow industry frameworks such as IEC 62443-2-1 to reduce the vulnerabilities. Since we are talking about cyber security, it is good practice to have a device's configuration checked every time it is updated or reconfigured.
· Device configurations: in many cases IT folks are not used to working from benchmarked configurations; they simply configure what is needed to achieve the primary functionality, leaving the device prone to attack. Consult a practitioner on benchmark configurations, take professional services, or go to the CIS site (cisecurity.org) and download the benchmark documents, which are freely available.
· Real-IP usage: keep public (real) IP usage to a minimum; the fewer you expose, the smaller your footprint on the internet. Properly designed secure gateways coupled with a WAF or CASB (Cloud Access Security Broker) provide significant protection. Remember that any vendor's device can arrive with a hardware implant that your firewalls cannot detect, so a circuit-level understanding of the hardware is a must before a solution is derived.
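The two configuration points above (check a device's configuration after every change, and configure from a benchmark rather than from "what makes it work") can be turned into a repeatable check. The following is an added example written for this chapter, not code from the book or from CIS: it parses an OpenSSH `sshd_config`, compares the effective settings against a small baseline, and keeps a fingerprint of the effective settings so that a later pull of the same file can be tested for drift. The baseline values are an illustrative subset modelled on the CIS Benchmark SSH recommendations (assumption: take the authoritative values from the benchmark for your OS version), and both configuration texts are constructed samples.

```python
"""Added example, not code from the book: a benchmark check and drift fingerprint
for an OpenSSH sshd_config. The baseline is an illustrative subset modelled on
CIS Benchmark SSH recommendations (assumption: take authoritative values from
the benchmark for your OS). Both config texts below are constructed samples."""
import hashlib
import re

# Each baseline entry: (what the benchmark expects, predicate over the value).
BASELINE = {
    "PermitRootLogin": ("no", lambda v: v.lower() == "no"),
    "PermitEmptyPasswords": ("no", lambda v: v.lower() == "no"),
    "MaxAuthTries": ("4 or less", lambda v: v.isdigit() and int(v) <= 4),
    "X11Forwarding": ("no", lambda v: v.lower() == "no"),
    "HostbasedAuthentication": ("no", lambda v: v.lower() == "no"),
    "LogLevel": ("INFO or VERBOSE", lambda v: v.upper() in {"INFO", "VERBOSE"}),
}

CURRENT_CONFIG = """\
# constructed sample: what an admin left behind after "making it work"
Port 22
PermitRootLogin yes
# sshd keeps the FIRST value it sees for a keyword, so this later line is ignored:
PermitRootLogin no
MaxAuthTries 6
X11Forwarding no
HostbasedAuthentication no
LogLevel INFO
Match User backup
    PermitRootLogin no
"""

HARDENED_CONFIG = """\
Port 22
PermitRootLogin no
PermitEmptyPasswords no
MaxAuthTries 4
X11Forwarding no
HostbasedAuthentication no
LogLevel VERBOSE
"""


def parse_sshd_config(text):
    """Return the effective global settings, keyed by lower-cased keyword.

    Mirrors two sshd_config rules that trip up naive greps: the first value
    wins for each keyword, and everything after the first Match block is
    conditional, so the global scan stops there."""
    effective = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)  # "Key value" or "Key=value"
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            break
        effective.setdefault(key, value)
    return effective


def check_baseline(effective):
    """List every baseline item that is missing or has a non-compliant value."""
    findings = []
    for keyword, (expected, ok) in BASELINE.items():
        actual = effective.get(keyword.lower())
        if actual is None:
            findings.append({"setting": keyword, "expected": expected,
                             "actual": "(not set, relying on default)"})
        elif not ok(actual):
            findings.append({"setting": keyword, "expected": expected, "actual": actual})
    return findings


def fingerprint(text):
    """SHA-256 over the effective settings only, so comment or whitespace edits are not drift."""
    canonical = "\n".join(f"{k}={v}" for k, v in sorted(parse_sshd_config(text).items()))
    return hashlib.sha256(canonical.encode()).hexdigest()


def has_drifted(known_good_fp, text):
    """Compare a freshly pulled config against the fingerprint recorded at the last approved change."""
    return fingerprint(text) != known_good_fp


if __name__ == "__main__":
    for f in check_baseline(parse_sshd_config(CURRENT_CONFIG)):
        print(f"{f['setting']}: expected {f['expected']}, found {f['actual']}")
    approved = fingerprint(HARDENED_CONFIG)
    print("drift after comment-only edit:", has_drifted(approved, HARDENED_CONFIG + "\n# audit note\n"))
```

Two details are worth noticing. The sample file contains `PermitRootLogin no`, so a `grep` for the benchmark string would pass it, yet sshd honours the first `PermitRootLogin yes`; the check reports the value the daemon actually uses. And a missing `PermitEmptyPasswords` is reported even though OpenSSH defaults it to `no`, because a benchmark check should not depend on a default that a future package version may change. The fingerprint is computed over effective settings rather than the raw file, so a post-change review only fires when something the daemon cares about moved.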
An offensive security team performs a variety of functions (none of which is attacking the attackers) to enhance an organization's cybersecurity posture. Here are some key functions:
1. Security Reviews and Threat Modeling Support: the team gets involved early in the design phase of a system to provide feedback before code is deployed or operational processes are established.
2. Security Assessments: the team conducts hands-on offensive security testing, finding and exploiting vulnerabilities for defensive purposes.
3. Red Team Operations: the team simulates attacks on the organization's systems to identify vulnerabilities and assess the effectiveness of existing security measures. In the government or military contexts noted earlier, actively engaging the adversary may be sanctioned, either to gauge their strength or to track them when they slip up on a repeat attempt, but that is outside the scope of a corporate red team, and the outcome is never predictable: the attacker may respond by weaponizing more robust and sophisticated attacks.
4. Purple Team Operations: the team works with the defensive security team (Blue Team) to improve the organization's overall security.
5. Tabletop Exercises: the team conducts simulated incident response exercises to test the organization's readiness to handle security incidents.
6. Research and Development: the team stays updated with the latest threats and vulnerabilities and develops new strategies to counter them.
7. Predictive Attack Analysis and Incident Response Support: the team predicts potential attack vectors and provides support during actual security incidents.
8. Collaboration with the Defensive Team: working closely with the defensive (Blue Team) and IT teams to ensure that identified vulnerabilities are promptly addressed and security controls are continuously improved.
9. Security Education and Training: the team helps improve the organization's security culture and overall security posture.
10. Gathering Threat Intelligence: the team collects information about emerging threats and threat actors.
11. Informing Risk Management Groups and Leadership: the team provides valuable input to risk management groups and leadership about the organization's security posture.
12. Integration into Engineering Processes: the team works closely with the engineering team to integrate security into the development process.
The Importance of Having a Data Scientist Team in Cyber Security Operation Center
Cyber security is one of the most critical and challenging domains in the modern world. With the increasing volume and complexity of data, cyber threats, and attacks, it is essential to have a robust and proactive defense system that can protect systems and data from internal or external risks. Data science, the discipline of studying and analyzing large volumes of data using statistical and machine-learning tools and techniques, can play a vital role in enhancing cyber security. In this blog post, we will explore how data science can help cyber security and why having a data scientist team in a cyber security operation center (CSOC) is important.
How Data Science Can Help Cyber Security
Data science can help cyber security in different ways:
Why Having a Data Scientist Team in SOC is Important
A SOC is a centralized unit that monitors, analyzes, and responds to cyber security incidents. A SOC typically consists of various roles and functions, such as analysts, engineers, managers, or coordinators. However, having a data scientist team in a SOC can add significant value and benefits, such as:
Data science and cyber security are two interrelated and complementary disciplines that can benefit from each other. Data science can help cyber security in various ways, such as detecting, predicting, preventing, or responding to cyber-attacks. Having a data scientist team in a SOC can help enhance the capabilities and performance of the SOC, provide insights and solutions for complex problems, and innovate and experiment with new ideas and technologies. Therefore, having a data scientist team in a SOC is important and valuable for any organization that wants to protect its systems and data from cyber risks.
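One concrete form of the "detecting" that the paragraph above credits to a data science team is statistical baselining of SIEM data. The following is an added example written for this chapter, not code from the book: it scores a per-host daily outbound-volume series two ways, the classic z-score and the Iglewicz-Hoaglin modified z-score built on the median and the median absolute deviation (MAD), and flags the days that exceed the conventional cut-offs (3.0 and 3.5 respectively). The series is constructed sample data chosen so that two exfiltration-sized spikes sit in it; it shows the masking effect a SOC data scientist has to design around, where the outliers inflate the mean and standard deviation enough to hide themselves from the classic score.

```python
"""Added example, not code from the book: robust outlier detection over a
per-host daily outbound-volume series, the kind of baselining a SOC data
science team runs on SIEM data. The series is constructed sample data."""
from statistics import mean, median, pstdev

# Constructed: daily outbound GB for one host over 16 days, with two exfil-sized spikes.
OUTBOUND_GB = [1.1, 1.0, 1.2, 0.9, 1.1, 1.3, 1.0, 1.2, 1.1, 0.8, 1.0, 1.2, 9.4, 1.1, 7.8, 1.0]


def classic_zscores(values):
    """(x - mean) / std. Outliers inflate both mean and std, so they can mask each other."""
    mu, sd = mean(values), pstdev(values)
    if sd == 0:
        return [0.0] * len(values)
    return [(x - mu) / sd for x in values]


def modified_zscores(values):
    """Iglewicz-Hoaglin modified z-score: 0.6745 * (x - median) / MAD.

    Median and MAD are not dragged by the very outliers they are meant to find."""
    med = median(values)
    abs_dev = [abs(x - med) for x in values]
    mad = median(abs_dev)
    if mad == 0:
        # Degenerate spread (more than half the points identical): fall back to
        # the mean-absolute-deviation variant instead of dividing by zero.
        mean_ad = mean(abs_dev)
        if mean_ad == 0:
            return [0.0] * len(values)
        return [(x - med) / (1.253314 * mean_ad) for x in values]
    return [0.6745 * (x - med) / mad for x in values]


def flag_outliers(values, scorer, threshold):
    """Indices whose score exceeds the threshold in magnitude."""
    return [i for i, z in enumerate(scorer(values)) if abs(z) > threshold]


if __name__ == "__main__":
    # Conventional cut-offs: 3.0 for the classic z-score, 3.5 for the modified z-score.
    print("classic  z > 3.0 :", flag_outliers(OUTBOUND_GB, classic_zscores, 3.0))
    print("modified z > 3.5 :", flag_outliers(OUTBOUND_GB, modified_zscores, 3.5))
```

On this series the classic score flags nothing (the 9.4 GB day lands at roughly z = 2.9 because the two spikes have pulled the standard deviation up to about 2.5 GB), while the modified score flags days 12 and 14 by a wide margin. The same pattern applies to logon counts, DNS query volume or any other per-entity metric the SOC baselines; the choice of a robust estimator is the part of the job that analyst tooling rarely makes for you.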
Challenges of Having a Data Scientist Team in CSOC
Data Scientists Data Requirements From a SOC
The data scientist’s data requirements from a SOC may vary depending on the specific tasks and goals of the data science team. However, some general data requirements are:
Common Data Science Methods and Techniques Used in SOC
Limitations of Using Data Science in SOC
Ethical Considerations When Using Data Science in Cyber Security
Examples of Unethical Use of Data Science in Cyber Security
In summary, while AI has the potential to bring significant benefits, it also comes with risks and challenges. It’s crucial for organizations to implement robust security measures, ensure proper use of AI, and stay updated with the legal implications of AI use.
Does Offensive Security Mean to Attack the Attacker?
No, offensive security does not mean attacking the attacker. Offensive security, which covers penetration testing and red teaming, involves authorized professionals simulating cyber-attacks on an organization's systems, networks, and applications. The primary goal is to identify vulnerabilities and weaknesses before malicious attackers can exploit them. The offensive security team works to understand potential entry points, security flaws, and areas where improvements can be made in an organization's cybersecurity defenses.
In offensive security, the activities are conducted ethically and with explicit permission from the organization being tested. The focus is on improving security by identifying and addressing weaknesses, not on attacking external threat actors. The offensive security team operates within legal and ethical boundaries, adhering to a predefined scope and rules of engagement.
In contrast, when we talk about defending against attackers, it falls under the domain of defensive security. Defensive security involves implementing measures to protect systems, networks, and data from unauthorized access, attacks, and other security threats. Defensive security measures include firewalls, intrusion detection systems, antivirus software, access controls, and other safeguards to prevent, detect, and respond to security incidents.
Overall, offensive security and defensive security work hand-in-hand to create a comprehensive and resilient cybersecurity strategy for organizations. The offensive side helps identify weaknesses, while the defensive side focuses on implementing safeguards and responding to potential threats.
______________________________________________________________________________________
FREE eBook - 476 Pages
Complete Guide to Cyber Security Operation Center
I have recently completed a book on SOC, a project close to my heart, that delves into the exciting realm of Security Automation, Orchestration, and Hyper-automation platforms in the SOC. If you have ever found yourself overwhelmed by the multitude of cybersecurity solutions, this book is designed to be your personal guide to developing a fully functional SOC.
This eBook comes with plenty of examples and illustrations to help you understand complex concepts, data collection requirements to incident response, automations, playbooks, integrations requirements under the scope of IT, IS and Cybersecurity.
A big shout out to Brad Voris for his review of the book, his insights made this book even richer.
Knowledge Areas Covered
· Enterprise architecture strategy to better formulate your SOC
· Visibility & data ingress requirements for your SOC
· SOC functions, KPIs, processes, frameworks, and automation requirements
· Derive your Analyst JD aligned to international frameworks
· SOC organogram with Red, Blue and Purple teams' maturity, tactics, functions and activities
· SIEM & SOAR architecture design guidelines to achieve more from these integrations
· Detection engineering with OSINT, CTEM
· Incident response with CSIRT, DFIR
· Tabletop exercises explained and operationalized
· Artificial Intelligence & Data Science in SOC
· How to develop your open-source based SOC; full hardware BoQ and network design are provided
· Bonus chapters: IT Project Management, VA/PT Plan, ITIL Strategy Frameworks, Jurisdiction Assignment Matrix etc.
Download the eBook
Download this eBook (pdf): https://lnkd.in/gTRnhmPp
DM me for the DOCX version of the book.
Join Discord: please DM me on LinkedIn and I will send you the link to join.
1000+ job aids: download extra documentation.
60 Body of Knowledge (BoK) links.
1500+ curated list of VA/PT tools as job aids.
200+ references to support your SOC operations even further.
Download all the available documents from here: https://lnkd.in/eNNUm9XW
Download job aids: https://lnkd.in/gCKq6R-D
If you find it useful and informative, please share/repost the book with your network.
Comment (11 months ago), Captain at C.E.S.A.R. | E-volve !: Understanding the purpose behind SOC functions is key to unleashing their full potential. #infosec Shahab Al Yamin Chawdhury