CHAPTER-8: Setting up a SOC


So how do you fit into any of the SOC roles? How best can you outline your JD, skills and activities so that they map to the SOC matrix? SOC operation relies on the effectiveness of your roles and responsibilities. Architecting and integration are not the whole story: OPERATIONALIZE the SOC with your skills, rather than WEAPONIZING it.

We have already discussed the requirements for developing a SOC, including the standards, frameworks, enterprise architecture, attack surface management, models, processes and organogram; those were covered as the context needed to understand the prerequisites for developing a SOC. This is not the end of the discussion: as we progress and deep dive into the abyss, I will guide you with the right context, from a different perspective, every time it's required.

This calls for stakeholder engagement on your part, which involves several steps:

1. Identify Your Objectives and Capabilities: Understand your business objectives and the capabilities of your organization. This will help you focus your SOC project and control costs.

2. Develop Your SOC Strategy: Define the scope of your SOC, including the types of threats you need to protect against and the assets you need to protect.

3. Design Your SOC Solution: This includes deciding whether to have an in-house SOC, outsource it, or use a hybrid model. You also need to decide on the size of your team and the skills they need.

4. Create Processes, Procedures, and Training: Develop standard operating procedures for your SOC team. This includes processes for incident response, threat hunting, and reporting.

5. Prepare Your Environment: This involves setting up the physical or virtual space for your SOC. You also need to ensure you have the necessary hardware and software.

6. Implement Your Solution: Deploy the technologies you’ve chosen for your SOC. This includes security information and event management (SIEM) systems, intrusion detection systems (IDS), and other security tools.

7. Deploy End-to-End Use Cases: Start deploying a few use cases that focus on end-to-end threat detection and response.

8. Maintain and Evolve Your Solution: Cyber threats are constantly evolving, so your SOC needs to evolve too. Regularly review and update your processes, train your team on new threats, and update your tools.

Source: An OODA-driven SOC Strategy using: SIEM, SOAR and EDR (correlatedsecurity.com)

Remember, building a SOC is a major undertaking that requires careful planning and coordination of people, processes, and technologies (PPT, always comes down to PPT). It’s well worth it when configured properly to provide adequate security for your enterprise.

How a Security Operations Center (SOC) Works in Practice

Source: What is a Security Operations Center (SOC)? (Ultimate Guide) - SOCRadar Cyber Intelligence Inc.

1. Proactive Monitoring: The SOC team gathers information from various resources, including threat intelligence feeds and log files from systems all around the enterprise. They carefully monitor the company’s assets, from on-premises servers in data centers to cloud resources. Accurate monitoring is critical.

2. Incident Response and Recovery: When a potential threat is detected, the SOC coordinates the organization’s ability to take the necessary steps to mitigate damage and communicate properly to keep the organization running after an incident. For example, recovery can include activities such as handling acute malware or ransomware incidents.

3. Remediation Activities: SOC team members provide data-driven analysis that helps an organization address vulnerability and adjust security monitoring and alerting tools. For example, using information obtained from log files and other sources, a SOC member can recommend a better network segmentation strategy or a better system patching regimen.

4. Compliance: The SOC helps ensure that the organization is compliant with important security standards and best practices. This includes conformity to a security policy, as well as external security standards, such as ISO 27001x, the NIST Cybersecurity Framework (CSF), and the General Data Protection Regulation (GDPR).

5. Coordination and Context: A SOC team member helps an organization coordinate disparate elements and services and provide visualized, useful information. Part of this coordination is the ability to provide a helpful, useful set of narratives for activities on the network.

In addition to the above-mentioned points, the SOC performs preventative maintenance such as applying software patches and upgrades, and continually updating firewalls, whitelists and blacklists, and security policies and procedures.

This is a broad example and the specific workings can and may vary based on the organization’s needs and resource requirements.

Functions of the Sigma Rules in SOC

Sigma rules are textual signatures written in YAML (Yet Another Markup Language) that are used in Security Operation Centers (SOCs) to detect anomalies and identify suspicious activity in log events. Here are some of their key functions:

  1. Anomaly Detection: Sigma rules monitor log events for signs of suspicious activity and cyber threats.
  2. Cross-Platform Compatibility: Sigma rules are cross-platform and work across different Security Information and Event Management (SIEM) products. This allows defenders to share detection rules with each other, independent of their security arsenal.
  3. Conversion to SIEM-Specific Language: Sigma rules can be converted by SIEM products into their distinct, SIEM-specific language, while retaining the logic conveyed by the Sigma rule.
  4. Incident Response: Incident response professionals can use Sigma rules to specify detection criteria. Any log entries matching this rule will trigger an alarm.
  5. Advanced Monitoring: Sigma rules allow for advanced monitoring of log events and entries.

Sigma rules standardize detection rule formats across all SIEM and log management platforms, enabling more effective collaboration among security analysts. They also provide flexibility, allowing companies to evolve their cybersecurity technology stack in a way that makes sense for them.

Released by Florian Roth in 2017, Sigma (The Generic Signature Format for SIEM Systems) has paved the way for platform-agnostic search. With Sigma, defenders can harness the community's power to react promptly to critical threats and new adversary tradecraft. You get a fixed-language specification for the generic rule format, a tool for converting Sigma rules into various query formats and a repository of over one thousand rules for several attack techniques.

Like YARA or Snort rules, Sigma is a tool for the open sharing and crowdsourcing of threat intelligence; it focuses on SIEM instead of files or network traffic. What Snort is to network traffic, and YARA is to files, Sigma is to logs.

Most attacks on IT systems and networks manifest themselves in event logs stored in SIEM systems or other log storage and analysis solutions. This makes SIEM a crucial tool to detect and alert against intruders. In the earlier days, SIEM detection rulesets existed only in vendor- or platform-specific databases. The growing demand for up-to-date detections and analytics to be secure today requires sharing detection intelligence between different stakeholders and vendors. Sigma solves this challenge by making the queries and rulesets platform-agnostic.

Sigma Allows Defenders to Share Detections in a Common Language

Sigma satisfies various use cases:

  • Sigma has become an agnostic way of sharing detections between Researchers and Intelligence who identify new adversary behaviors.
  • Security teams can avoid vendor lock-in: by defining rules in Sigma, we can more easily move between platforms.
  • Sigma can be utilized to crowdsource detection methods and make them usable instantly for everyone.
  • Sigma can be used to share signatures with other threat intel communities.

Sigma rules can be converted into a search query specific to your SIEM solution, and the conversion supports various solutions:

  • Splunk
  • ElasticSearch Query Strings and DSL
  • Kibana
  • Microsoft Defender Advanced Threat Protection (MDATP)
  • Azure Sentinel
  • IBM QRadar
  • LogPoint
  • Qualys
  • RSA NetWitness
  • LimaCharlie
  • ArcSight
  • PowerShell and Grep

Source: A deep dive into Sigma rules and how to write your own threat detection rules - FourCore
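
How a Sigma detection section keeps its logic whether it is matched directly against log events or rendered as a backend query, shown as an added example that is not from the original article or the Sigma project's converter. The rule, the `svc_logrotate` account, the sample events and the generic wildcard query syntax are all constructed assumptions, and only the `contains`, `startswith` and `endswith` modifiers are handled.

```python
import re

# Constructed rule, written as the dict a YAML parser would return for a Sigma file.
RULE = {
    "title": "Event log cleared with wevtutil (constructed example)",
    "logsource": {"category": "process_creation", "product": "windows"},
    "detection": {
        "selection": {  # fields are ANDed, values in a list are ORed
            "Image|endswith": "\\wevtutil.exe",
            "CommandLine|contains": [" cl ", "clear-log"],
        },
        "filter_logrotate": {"User": "svc_logrotate"},  # hypothetical service account
        "condition": "selection and not filter_logrotate",
    },
}
WILDCARD = {"": "{}", "contains": "*{}*", "startswith": "{}*", "endswith": "*{}"}

def parse_condition(text):
    """Parse e.g. 'a and not (b or c)' into nested tuples; precedence not > and > or."""
    tokens = [None] + re.findall(r"\(|\)|\w+", text)[::-1]  # stack, None marks the end
    def binary(op, operand):
        node = operand()
        while tokens[-1] == op:
            tokens.pop()
            node = (op, node, operand())
        return node
    def unary():
        tok = tokens.pop()
        if tok == "not":
            return ("not", unary())
        if tok == "(":
            node = expr()
            if tokens.pop() != ")":
                raise ValueError("unbalanced parentheses in condition")
            return node
        if tok in (None, ")", "and", "or"):
            raise ValueError("selection name expected in condition")
        return ("ref", tok)
    def expr():
        return binary("or", lambda: binary("and", unary))
    ast = expr()
    if tokens != [None]:
        raise ValueError("unexpected token in condition")
    return ast

def split_key(key, expected):
    field, _, modifier = key.partition("|")
    if modifier not in WILDCARD:
        raise ValueError(f"unsupported modifier: {modifier}")
    return field, modifier, expected if isinstance(expected, list) else [expected]

def selection_matches(selection, event):
    """Every field must match; a field matches when any listed value does."""
    for key, expected in selection.items():
        field, modifier, values = split_key(key, expected)
        actual = str(event.get(field, "")).lower()  # Sigma string matching ignores case
        test = {"": actual.__eq__, "contains": actual.__contains__,
                "startswith": actual.startswith, "endswith": actual.endswith}[modifier]
        if field not in event or not any(test(str(v).lower()) for v in values):
            return False
    return True

def rule_matches(rule, event):
    det = rule["detection"]
    def ev(ast):
        if ast[0] == "ref":
            return selection_matches(det[ast[1]], event)
        if ast[0] == "not":
            return not ev(ast[1])
        left, right = ev(ast[1]), ev(ast[2])
        return (left and right) if ast[0] == "and" else (left or right)
    return ev(parse_condition(det["condition"]))

def to_query(rule):
    """Render the rule as a generic wildcard query (no vendor's exact syntax)."""
    det = rule["detection"]
    def render(ast):
        if ast[0] == "ref":
            terms = []
            for key, expected in det[ast[1]].items():
                field, modifier, values = split_key(key, expected)
                alts = [f'{field}="{WILDCARD[modifier].format(v)}"' for v in values]
                terms.append("(" + " OR ".join(alts) + ")")
            return "(" + " AND ".join(terms) + ")"
        if ast[0] == "not":
            return "NOT " + render(ast[1])
        return f"({render(ast[1])} {ast[0].upper()} {render(ast[2])})"
    return render(parse_condition(det["condition"]))

EVENTS = [  # constructed process-creation events
    {"Image": "C:\\Windows\\System32\\wevtutil.exe", "CommandLine": "wevtutil.exe cl Security", "User": "jdoe"},
    {"Image": "C:\\Windows\\System32\\wevtutil.exe", "CommandLine": "wevtutil.exe cl Setup", "User": "svc_logrotate"},
    {"Image": "C:\\Windows\\System32\\wevtutil.exe", "CommandLine": "wevtutil.exe qe System /c:5", "User": "jdoe"},
    {"Image": "C:\\WINDOWS\\system32\\WEVTUTIL.EXE", "CommandLine": "WEVTUTIL.EXE Clear-Log Application", "User": "asmith"},
]
```

Calling `to_query(RULE)` and `rule_matches(RULE, event)` on the same rule shows that the filter and the OR-list survive the conversion unchanged, which is the property that makes a shared rule portable between platforms.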

EQL Analytics Library

eqllib is a library of event-based analytics, written in EQL (Event Query Language) to detect adversary behaviors identified in MITRE ATT&CK.

SOC Capabilities Matrix – Gartner

Maybe now you can see that Gartner’s capability matrix is what we have addressed throughout the book. Interestingly, they have “Data Science Model” included, but not AI.

SOC Roles & Responsibilities

Source: Next-Gen SOC - CyRadar

SOC analysts are organized into four tiers. First, SIEM alerts flow to Tier 1 analysts who monitor, prioritize, and investigate them. Real threats are passed to a Tier 2 analyst with deeper security experience, who conducts further analysis and decides on a strategy for containment.

Critical breaches are moved up to a Tier 3 senior analyst, who manages the incident and is responsible for actively hunting for threats continuously. The Tier 4 analyst is the SOC manager, responsible for recruitment, strategy, priorities, and the direct management of SOC staff when major security incidents occur.

Source: CISO Series: Lessons learned from the Microsoft SOC—Part 2a: Organizing people

The table below explains each SOC role in more detail.

Note: Please download the pdf for the fully extended table

A Cyber Security Analyst Maturity Curve

Source: Cyber Security Analyst Maturity Curve (correlatedsecurity.com)

CMMC Maturity Model 2.0

The CMMC levels and associated sets of practices across domains are cumulative. More specifically, for an organization to achieve a specific CMMC level, it must also demonstrate achievement of the preceding lower levels. For the case in which an organization does not meet its targeted level, it will be certified at the highest level for which it has achieved all applicable practices.

Full documentation can be downloaded from this link: CMMC Documentation (defense.gov)

Deriving Your Job Description or Resume

Source: Cyber Career Pathways Tool | NICCS (cisa.gov)

Source: Career Pathway Roadmap | NICCS (cisa.gov)

Here is a git repo where you can find out how cybersecurity JDs are formulated: GitHub - rezaduty/cybersecurity-career-path: Cybersecurity Career Path

Source: Workforce Framework for Cybersecurity (NICE Framework) | NICCS (cisa.gov)

And here is another one for mapping your career, supported and designed by SFIA v8.0 and mapped to their KB requirements (it was developed particularly for Australian technology people):

Source: Career Pathfinder (digitalprofession.gov.au)

Security Triage in Cybersecurity

Triage is a critical incident response process that allows security teams to sort through a torrent of alerts and potential threats to identify the most pressing issues. It involves immediately analyzing and prioritizing security events based on severity so that resources can be allocated accordingly.

The purpose of cybersecurity triage is to speed up the response to detected or actively unfolding IT incidents. Triage enables security analysts to jump on the most dangerous threats right away before they get out of control.

Analysts can initiate containment and mitigation steps on severe incidents while moving less serious issues to the back of the queue for later handling.

Importance of Triage in Incident Response

Triage is essential for managing the overflow of security alerts faced by modern SOCs. Without triage, analysts could easily become overwhelmed and fail to identify and escalate critical incidents quickly enough. Triage allows them to cut through the noise faster and more efficiently.

Security Triage Analysis Process

When a security alert or event comes in, the triage process kicks off with some initial detection and validation steps. Analysts will look to confirm whether a real incident has taken place or if an alert is just a false positive. Here are the triage analysis process steps:

  • Detection – Validate security alert or event as a real incident vs. false positive.
  • Scoping – Quickly investigate incident to surface attack details, affected assets, related indicators, etc.
  • Severity Classification – Assign severity level (low/medium/high) based on potential impact and damage.
  • Escalation – Report the incident to appropriate parties based on the severity threshold.
  • Containment – Initiate containment of high/critical incidents to isolate and limit damage.
  • Queuing – Add lower severity incidents to the queue for future response based on resources.
  • Eradication – For severe events, execute steps to eliminate threats from the environment.
  • Recovery – For severe events, start restoration of impacted systems and data.
  • Circle Back – Continuously analyze and triage new security alerts as they come in.
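
The first six triage steps above (detection, scoping, severity classification, escalation, containment, queuing) as one pass over a batch of alerts. This is an added example, not part of the original article: the asset criticality table, the known-benign list, the scoring scheme (asset criticality multiplied by the strongest rule level) and every alert are constructed assumptions.

```python
import heapq
from collections import defaultdict

# All values below are constructed for this example.
ASSET_CRITICALITY = {"dc01": 3, "web-01": 2, "hr-laptop": 2, "kiosk-7": 1}
RULE_LEVEL = {"low": 1, "medium": 2, "high": 3}
KNOWN_BENIGN = {("vuln-scanner", "port_scan")}  # (source, rule) pairs already validated as false positives

ALERTS = [
    {"id": 1, "ts": 100, "host": "dc01", "source": "10.0.5.9", "rule": "log_cleared", "level": "high"},
    {"id": 2, "ts": 101, "host": "web-01", "source": "vuln-scanner", "rule": "port_scan", "level": "medium"},
    {"id": 3, "ts": 102, "host": "kiosk-7", "source": "10.0.9.4", "rule": "failed_logon_burst", "level": "medium"},
    {"id": 4, "ts": 103, "host": "dc01", "source": "10.0.5.9", "rule": "new_admin_account", "level": "medium"},
    {"id": 5, "ts": 104, "host": "web-01", "source": "203.0.113.7", "rule": "suspicious_upload", "level": "high"},
    {"id": 6, "ts": 105, "host": "hr-laptop", "source": "10.0.7.2", "rule": "macro_execution", "level": "medium"},
]


def detect(alerts):
    """Detection: separate validated alerts from known false positives."""
    real, false_pos = [], []
    for alert in alerts:
        benign = (alert["source"], alert["rule"]) in KNOWN_BENIGN
        (false_pos if benign else real).append(alert)
    return real, false_pos


def scope(alerts):
    """Scoping: fold related alerts into one incident per affected host."""
    by_host = defaultdict(list)
    for alert in alerts:
        by_host[alert["host"]].append(alert)
    return [
        {
            "host": host,
            "first_seen": min(a["ts"] for a in group),
            "rules": sorted({a["rule"] for a in group}),
            "indicators": sorted({a["source"] for a in group}),
            "max_level": max(RULE_LEVEL[a["level"]] for a in group),
        }
        for host, group in by_host.items()
    ]


def classify(incident):
    """Severity classification: asset criticality x strongest rule level (assumed scheme)."""
    score = ASSET_CRITICALITY.get(incident["host"], 1) * incident["max_level"]
    incident["score"] = score
    incident["severity"] = "high" if score >= 6 else "medium" if score >= 3 else "low"
    return incident


def triage(alerts):
    """Escalate and contain high-severity incidents now; queue the rest by priority."""
    real, false_pos = detect(alerts)
    escalated, queue = [], []
    for incident in (classify(i) for i in scope(real)):
        if incident["severity"] == "high":
            incident["actions"] = ["escalate to Tier 2", "contain host"]
            escalated.append(incident)
        else:
            # Highest score first, then oldest first; host name breaks any remaining tie.
            heapq.heappush(queue, (-incident["score"], incident["first_seen"], incident["host"], incident))
    escalated.sort(key=lambda i: (-i["score"], i["first_seen"]))
    queued = [heapq.heappop(queue)[3] for _ in range(len(queue))]
    return {"false_positives": [a["id"] for a in false_pos], "escalated": escalated, "queued": queued}


if __name__ == "__main__":
    result = triage(ALERTS)
    print("false positives:", result["false_positives"])
    for incident in result["escalated"] + result["queued"]:
        print(incident["severity"], incident["host"], incident["rules"], incident.get("actions", ["queued"]))
```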

DevSecOps At A Glance

The people responsible for operationalizing the SOC as a whole are often misunderstood in their role, and it's time that changed. Their deployments are the SOC outcome, and they integrate every component that makes up a SOC. In most cases they are experts in integration on both Windows and Linux platforms; they write the queries and perfect them over time, and they provide actionable outcomes to the analysts or gradually train the analysts to perform these tasks and activities efficiently.

SecOps consists of six elements: Business (goals and outcomes), People (who will perform the work), Interfaces (external functions to help achieve goals), Visibility (information needed to accomplish goals), Technology (capabilities needed to provide visibility and enable people), and Processes (tactical steps needed to execute on goals).

Security Operations Center processes used to be completely isolated from other parts of the organization. Developers would build systems, IT operations would run them, and security were responsible for securing them. Today it is understood that joining these three functions into one organization—with joint responsibility over security—can improve security and create major operational efficiencies.

Application security is a reactive process after deployment, whereas DevSecOps is proactive and controls security before deployment. The team is responsible for notifying security operations of any potential false positives and then making the appropriate exceptions so they are not inundated with false positive alerts when the application is launched. DevSecOps also notifies security operations of any data loss prevention (DLP) concerns.

When new vulnerabilities are found, application security (AppSec) validates that systems are updated and patched. Otherwise, the security team is notified that changes are required, and SecOps will need to be notified of vulnerabilities and IoCs in order to monitor systems.

Application security teams communicate frequently with the content engineering team to create new alerts, advise threat intelligence of new IoCs and gather feedback from the threat hunting team about hunts conducted on new use cases.

The Transition from a Siloed SOC to DevSecOps

Key Components of a DevSecOps Approach

  • Analysis of code: deliver code in small pieces so the team can quickly identify vulnerabilities.
  • Submitting changes: permit anyone to submit changes; this can increase efficiency and speed. Afterward, observe whether the change is successful or not, or make changes to the provided system.
  • Monitor compliance: be prepared for an audit at all times, which means always being in a state of compliance. They are the ones normally assigned to generate the ISMS, GDPR, privacy policy enforcements, change management and so on.
  • Investigate threats: identify possible threats each time the team updates code so they can respond quickly.
  • Assess vulnerability: identify vulnerabilities with code analysis and ensure the team quickly attends to them.
  • Train security: train software and IT engineers and provide them with instructions for set procedures.
  • Development: deploys and maintains the CI/CD pipelines as well as the
  • Computational storage: if CEPH or Kubernetes based applications are in use.
  • Develop a distributed SOC with DevOps: members of a department familiar with DevOps can assist with incident response as they have an in-depth understanding of IT systems and can gain knowledge of vulnerabilities and threats from security staff.
  • Partner threat hunters with DevOps team: threat hunters can communicate directly with dev or ops teams to address security gaps at their core, rather than isolating a threat and reporting it to management.
  • Creating superior security centers: the SOC can work with specific dev and operation groups to put in place security best practices. They can convey these positive results to the entire organization to encourage DevSecOps practices.
  • Make the SOC available for advice and guidance: everyone working with security should be able to easily contact the SOC and liaise with the top security experts of the organization.

Lastly, DevOps and SecOps perform overlapping functions, and they are usually combined to operate as DevSecFinOps; these personnel are the ones who support the SOC infrastructure and keep it alive.

Functions of a SOC Analyst (L1, L2, L3)

Security Operations Center (SOC) analysts play a crucial role in maintaining an organization’s cybersecurity. Here are some of their key responsibilities:

1. Monitoring and Protecting: SOC analysts monitor and protect the organization’s assets, including personnel data, brand integrity, intellectual property, and operation systems.

2. Triage Specialist (Tier 1 Analyst): Tier 1 analysts collect raw data, review alarms and alerts, confirm or adjust the criticality of alerts, and enrich them with relevant data. They also manage and configure the monitoring tools.

3. Incident Responder (Tier 2 Analyst): Tier 2 analysts review higher-priority security incidents escalated by Tier 1 analysts and perform a more in-depth assessment using threat intelligence. They design and implement strategies to contain and recover from an incident.

4. Threat Hunter (Tier 3 Analyst): Tier 3 analysts handle major incidents escalated by Tier 2 analysts. They proactively identify possible threats, security gaps, and vulnerabilities.

Source: SOC Analyst Career Path: Certification, Role, Salary, and More - KINGSLAND UNIVERSITY

5. Collaboration: SOC analysts work with other departments of the company, such as human resources or sales, to ensure that their systems are secure.

6. Tool Management: SOC analysts use various tools to monitor and analyze network traffic. They monitor firewall, email, web, and DNS logs to identify and mitigate intrusion attempts.

7. Reporting: SOC analysts are responsible for documenting cyber incidents and implementing incident response plans.

These roles and responsibilities may vary depending on the organization’s size, industry, and cybersecurity maturity.

Source: Security Operations Center (SOC) Roles and Responsibilities - Palo Alto Networks

Functions of a Triage Specialist (Tier 1 Analyst), in a SOC

A Triage Specialist, also known as a Tier 1 Analyst, in a Security Operations Center (SOC) has several key responsibilities:

Source: An introduction to SOC (Security Operation Center) | PPT (slideshare.net) by Ahmad Haghighi

Some of the components that a SOC has visibility and alerts on

  1. Reviewing Alerts and Incident Reports: They review alarms, alerts, and incident reports.
  2. Triage and Prioritize Alerts: They confirm, determine, or adjust the criticality of alerts and enrich them with relevant data.
  3. Conducting Initial Research: They conduct initial research to gather more information about the incident.
  4. Documenting Activities: They document all activities, including initial assessments, steps taken, and recommendations for further action.
  5. Identifying High-Risk Events: They identify other high-risk events and potential incidents.
  6. Managing Monitoring Tools: They often manage and configure the monitoring tools.
  7. Escalation: If problems cannot be solved at this level, they have to be escalated to Tier 2 analysts.

These responsibilities are crucial for maintaining the security posture of an organization. They provide the first line of defense against cyber threats.

Functions of an Incident Responder (Tier 2 Analyst), in a SOC

An Incident Responder, also known as a Tier 2 Analyst, in a Security Operations Center (SOC) has several key responsibilities:

  1. Reviewing Incidents: They review the higher-priority security incidents escalated by Tier 1 analysts.
  2. In-Depth Assessment: They perform a more in-depth assessment using threat intelligence, such as indicators of compromise and updated rules.
  3. Understanding the Scope: They need to understand the scope of an attack and be aware of the affected systems.
  4. Transforming Data: The raw attack telemetry data collected at Tier 1 is transformed into actionable threat intelligence at this second tier.
  5. Incident Response: Incident responders are responsible for designing and implementing strategies to contain and recover from an incident.
  6. Escalation: If a Tier 2 analyst faces major issues with identifying or mitigating an attack, additional Tier 2 analysts are consulted, or the incident is escalated to Tier 3.
  7. Investigating Security Incidents: They investigate security incidents and determine the root cause of the incident.
  8. Detailed Incident Reports: They provide detailed incident reports and recommendations for remediation.
  9. Responding to Escalated Alerts: They respond to escalated alerts, notifications, communications, and provide incident response activities such as tracking the incident, communication with stakeholders, remediation and recovery actions, and reporting.

These responsibilities are crucial for maintaining the security posture of an organization. They provide the second line of defense against cyber threats.

Functions of a Threat Hunter (Tier 3 Analyst) in a SOC

A Threat Hunter, also known as a Tier 3 Analyst, in a Security Operations Center (SOC) has several key responsibilities:

  1. Handling Major Incidents: They handle major incidents escalated to them by the incident responders.
  2. Vulnerability Assessments and Penetration Tests: They perform or at least supervise vulnerability assessments and penetration tests to identify possible attack vectors.
  3. Proactive Threat Identification: Their most important responsibility is to proactively identify possible threats, security gaps, and vulnerabilities that might be unknown.
  4. Advanced Asset Protection: They use internal and external threat intelligence to search for anomalous behavior, test security controls, and perform advanced asset protection.
  5. Regular Reviews of Security Controls: They perform regular reviews of security controls.
  6. Closing Security Gaps: They review industry news and threat intelligence to identify new vulnerabilities, close security gaps, and make the SOC team more efficient in general.

These responsibilities are crucial for maintaining the security posture of an organization. They provide the third line of defense against cyber threats.

Functions of a Cyber Threat Intelligence Manager

A Cyber Threat Intelligence (CTI) Manager plays a crucial role in an organization’s cybersecurity framework. Here are some of their key responsibilities:

Source: Security Operations Center (SOC) Roles and Responsibilities - Palo Alto Networks

Planning: They plan the collection, processing, analysis, and dissemination of information about threats against applications, systems, or industries.

  1. Collecting and Analyzing Threat Data: CTI Managers collect and analyze current and potential threat data.
  2. Understanding Attack Behavior and Motives: They understand a cyber attacker’s attack behavior and motives, and predict the attackers’ next attack targets.
  3. Risk Mitigation: They use the intelligence to prioritize the SOC team’s day-to-day response and remediation activities, helping to mitigate the risks of new cyber threats.
  4. Promoting Proactive Cybersecurity Measures: They promote proactive cybersecurity measures for fighting cyberattacks rather than reactive cybersecurity, where security mechanisms trigger only after an incident is identified.
  5. Informing Practices and Use Cases: Threat intel informs practices and use cases like vulnerability management, risk management, incident response and incident management, and overall security operations.
  6. Empowering Organizations: They empower organizations to make better informed, faster, and data-driven decisions on cybersecurity.
  7. Supporting Threat Detection and Incident Response: They feed the detection, prevention, response cycle, and support threat detection and incident response.

These responsibilities help organizations avoid financial losses and reputational damages due to data breaches. They also enable organizations to cut down unnecessary costs.

Functions of a ‘SOC Manager’ in a SOC

A SOC (Security Operations Center) Manager plays a crucial role in an organization’s cybersecurity framework. Here are some of their key responsibilities:

  • Team Management: They direct SOC operations and are responsible for syncing between analysts and engineers. They oversee the SOC team, ensuring everyone is trained, motivated, and effectively working together.
  • Hiring and Training: They are responsible for hiring new staff members and providing regular training sessions and mentorship opportunities to facilitate knowledge-sharing within the team.
  • Developing and Implementing Security Policies: SOC Managers play a key role in creating and enforcing security policies. They develop security policies by reviewing industry standards and working closely with other departments to understand their security needs.
  • Establishing SOC Performance Goals and Priorities: They establish performance goals and priorities for the SOC.
  • Reporting: They provide regular updates on the SOC’s activities and performance and any notable incidents or threats that have been detected. They also report to the Chief Information Security Officer (CISO) about security operations.
  • Cybersecurity Strategy: They are responsible for creating and executing the organization’s cybersecurity strategy.
  • Responding to Major Security Threats: They direct and orchestrate the company’s response to major security threats.

These responsibilities help organizations avoid financial losses and reputational damage due to data breaches. They also enable organizations to cut down unnecessary costs.

Functions of a Security Architect in a SOC

A Security Architect in a Security Operations Center (SOC) plays a crucial role in maintaining an organization’s cybersecurity. Here are some of their key responsibilities:

Source: Microsoft Cybersecurity Reference Architectures (MCRA) - Security documentation | Microsoft Learn

  1. Designing and Tuning Security Detections: They work directly with customers and security tools to design and tune security detections.
  2. Planning: They plan, research, and design a robust security infrastructure within the company. Architects develop standards and frameworks for blueprints that engineers and analysts use to deploy secure systems.
  3. Conducting Regular System and Vulnerability Tests: They conduct regular system and vulnerability tests. Vulnerability Management teams (engineers and analysts) conduct these tests.
  4. Implementing Enhancements: They implement or supervise the implementation of enhancements.
  5. Collaborating with SOC Analysts: They collaborate with SOC analysts to investigate security incidents raised by security tools.

These responsibilities help organizations avoid financial losses and reputational damage due to data breaches. They also enable organizations to cut down unnecessary costs.

______________________________________________________________________________________

FREE eBook - 476 Pages

Complete Guide to Cyber Security Operation Center

I’ve recently completed a book on SOC, a project close to my heart, that delves into the exciting realm of Security Automation, Orchestration, and Hyper-automation platforms in the SOC. If you’ve ever found yourself overwhelmed by the multitude of cybersecurity solutions, this post is designed to be your personal guide on developing a fully functional SOC.

This eBook comes with plenty of examples and illustrations to help you understand complex concepts, data collection requirements to incident response, automations, playbooks, integrations requirements under the scope of IT, IS and Cybersecurity.

A big shout out to Brad Voris for his review of the book, his insights made this book even richer.

Knowledge Areas Covered

  • Enterprise architecture strategy to better formulate your SOC.
  • Visibility & data ingress requirements for your SOC
  • SOC functions, KPI’s, processes, frameworks, and automation requirements
  • Derive your Analyst-JD aligned to international frameworks
  • SOC organogram with Red, Blue, Purple team’s maturity, tactics, functions, activities
  • SIEM & SOAR architecture design guidelines to achieve more from these integrations.
  • Detection engineering with OSINT, CTEM.
  • Incident response with CSIRT, DFIR.
  • Tabletop exercises explained and operationalized
  • Artificial Intelligence & Data Science in SOC
  • How to develop your Open-source based SOC, full hardware BoQ, Network Design is provided
  • Bonus Chapters: IT Project Management, VA/PT Plan, ITIL Strategy Frameworks, Jurisdiction Assignment Matrix etc.

Download the eBook

  • Download this eBook (pdf): https://lnkd.in/gTRnhmPp
  • DM me for the DOCX version of the book.
  • Join Discord: Please DM me on LinkedIn, I will send you the link to join.
  • 1000+ Job aids – download extra documentation.
  • 60 Body of Knowledge (BoK) links.
  • 1500+ curated list of VA/PT tools as job aids.
  • 200+ References to support your SOC operations even further.
  • Download all the available documents from here: https://lnkd.in/eNNUm9XW
  • Download Job Aids: https://lnkd.in/gCKq6R-D

If you find it useful and informative, please share/repost the book with your network.

