Wake up SOC
MITRE ATT&CK, Sigma, Next-gen SIEM, SOAR, ELK, Machine Learning, EDR, UEBA, Deception Technology… If you haven’t heard of them, then you definitely need to wake up!
In my 15 years of information security experience, the last 7 of them were spent on recruiting people for SOC, training them, establishing processes around it and, most importantly, managing the whole operation. I had the privilege to interview (as well as learn from) at least 500+ of my fellow members of the SOC universe in India. I know it’s a small sample considering the population, but since my interviews happened in Bangalore, I had the opportunity to interact with and interview people from different sectors – finance, IT, consultancy, manufacturing and public sector companies. The SOC operations and processes might be different in these companies, and the roles and responsibilities too, but generally the definition of a SOC remains the same. My article is focused more on the Level 1 (L1) part of the SOC, whose main responsibility is to monitor and forward alerts to L2 after conducting basic investigations on the alerts.
During my interviews, I generally look at what the SOC candidate has done and how well versed s/he is in the world of log and packet analysis, use of SIEM, incident management, awareness of recent security incidents and, to some extent, the certifications s/he has done. The experiences were rather interesting! During one of them, I asked a candidate about proxy log analysis and he argued that you could see only the IP address and not the hostname in the proxy logs! In another one, the candidate couldn’t describe the flow of DNS traffic! In another one, the candidate couldn’t explain what an SMTP header looks like! There are many more instances. In fact, some approximate stats are below –
- Only 25% could explain all the main components in an IP and TCP header
- Only 50% could explain the use of specific logs for specific scenarios
- Only 15% could name more than 2 processes running on their own Windows machines
- Only 50% could list more than 2 Windows event IDs and identify their importance
- Only 20% knew what happens to an alert/incident after they have forwarded it to the next level
- Only 40% could name more than 2 security incidents that have happened so far (80% of them knew WannaCry and Petya/NotPetya)
- Only 10% could answer everything confidently on most of the things written in their resume (this is not technical but an overall interesting statistic)
I could see a trend. It wasn’t pleasing and it needs to change. Most SOC members’ role was to forward the alerts they received to the next level. Since their role was confined to this specific action, they didn’t take the initiative to understand what goes on after that. The main tasks that I have seen SOC members perform today are –
- Managing tickets for alerts – assigning tickets, attaching evidence, filling in relevant details
- Doing basic investigation using the SIEM for the source, destination, IPs, ports, pre- and post-incident checks etc., as per the runbooks
- Validating against third-party sources like whois, urlvoid, VirusTotal, etc.
- Informing the relevant teams to take appropriate security actions like blocking the IPs on the firewalls, blocking sites in proxies, performing scans on the systems, stopping a process etc. (in some cases, the SOC has the authorization to run these tasks itself)
- Forwarding tickets/alerts to the next level (L2 or SME) after adding all relevant details
- Following up on pending tickets with users
Do all the actions above sound familiar to you? If you guessed SOAR, you have been following the trends. In fact, SOAR has been around for the past few years, but it has gained momentum lately. SOAR should be able to perform all the processes above, or if not, they could still be automated. I have to be careful with my words, because I know it’s not easy to automate all the tasks written above. However, if I could automate just 50% of them, imagine the cost savings for the company. But it’s not exactly about cost savings, but more about doing things efficiently. If there is an opportunity to automate something, we must do it. This is the only way for us to move forward and to give our people opportunities to learn new technologies. I see a trend of automation and machine learning, which will definitely do most of the tasks that the L1 is currently doing. These tasks (or most of them) that we talked about in the SOC will not be performed by humans anymore in the future. So basically, it’s time to upgrade. The Level 1 will need to do more research, learn more and adapt to new technologies before they can move to Level 2.
But before that, the basics should be clear. So, if you are still interested in going back to basics or learning new things, here are my suggestions for a Level 1 SOC person –
Self-Study –
- Packet Analysis – get into the basics of packets, understand the different headers, and learn to work with packet analyzers like Wireshark.
- Protocols – this is very important if you must do log analysis. First read about these protocols; understand how each works, where it works and why it’s important. Understand the different attacks, the different ways attackers use these protocols and the ways to defend against them. Then it becomes very easy to get into log analysis. Some of the important protocols are – TCP/IP, HTTP/S, DNS, SMTP, FTP, SSH, POP, IMAP, SMB, SNMP, DHCP, RDP, LDAP, Kerberos.
- Log Analysis – Once you have an understanding of packets and protocols, get into log analysis. You must go through each parameter in each log generated by network devices. Each one has an important role to play and it’s imperative that you know how it helps in an incident investigation process. Logs generated by the following network devices and operating systems are important – proxy, firewall, switch, router, load balancer, IDS/IPS, malware analysis tools, email server, and Windows and Unix logs from the endpoint devices. Relevant application logs are also important for analysis.
- Experience in at least one SIEM tool – ArcSight, Splunk, QRadar, LogRhythm, Securonix, Exabeam, Elastic SIEM and many more SIEM technologies are out there.
- Knowledge of the current threat landscape/actors and cloud security.
- Knowledge of frameworks like MITRE ATT&CK, the Cyber Kill Chain, etc.
- Basic knowledge of Red Team tactics.
Courses/Books – There are hundreds of courses and thousands of articles on the above which you can find on the net. If I had to recommend some books, I would go for the following –
- Blue Team Handbooks by Don Murdoch
- The Practice of Network Security Monitoring: Understanding Incident Detection and Response – Richard Bejtlich
- Blue Team Field Manual – Alan White and Ben Clark
You can also find amazing courses on Udemy, Cybrary (specific to cyber security), Coursera, etc.
Online sites – There are amazing sites like Immersivelabs.online that provide an ‘interactive, gamified and on-demand cyber skills platform’. They will customize your course based on your requirements and provide the platform to learn, both theoretically and practically. It’s a great platform and some of my friends have vouched for it.
Certifications – Apart from the various topics/courses available online, there are some good certifications for SOC/Incident Response people –
- SANS certifications – I have taken 4 of them and undoubtedly these are the best. The challenge is the cost. These courses are relatively expensive (around 3-5 lakhs depending on the course) and sometimes it is difficult to gauge the benefits vs. cost for these courses. However, they cover both theory and practicals, with a hands-on approach. For a beginner in cyber security, I would recommend SEC401. Then, after some experience in SOC and a good understanding of the basics, I would recommend SEC504, SEC503 and SEC511. There is a new certification they have introduced – SEC450 – and the content looks pretty neat for a SOC analyst. Visit https://www.sans.org/cyber-security-skills-roadmap/ for more information on all the certifications. Just keep in mind that most of the tools introduced in SANS courses are open source tools, so if your company gives you the leeway to work with them, these courses are very useful.
- CompTIA’s CySA+ certification – I haven’t taken this, but from what I have read, it seems to be pretty neat, with good topics and practicals covered. For more details – https://www.comptia.org/certifications/cybersecurity-analyst
- EC-Council’s Certified SOC Analyst (CSA) certification – Again, I don’t have much exposure to this, but I have heard from my colleagues that this is a good certification for SOC analysts. For more information, refer to – https://www.eccouncil.org/programs/certified-soc-analyst-csa/
- Then there are product-related certifications or courses that you can take. If your company has a relationship with a security vendor, there is a high probability that the vendor will provide training on their products (mostly for free, as per the contract). Make sure you utilize the opportunity to gain more knowledge of the product you are using, as well as to establish a good relationship with the vendor.
Sites/Blogs –
You can subscribe to the following and many more sites to stay updated in the world of cyber security –
- https://threatpost.com/
- https://packetstormsecurity.com/
- https://thehackernews.com/
- https://krebsonsecurity.com/
- https://www.darkreading.com/
- https://www.darknet.org.uk/
Companies to work for –
There is no perfect company to work for to get a good understanding and become a fully equipped SOC professional. It depends on your profile, the projects you are working on, the company budget and your manager! However, there are some general observations that I would like to list based on my interactions with SOC people from different organizations –
- People from consultancy companies like KPMG, E&Y, Accenture, etc. had good exposure to different tools and were up to date with the latest security developments. They also had good experience in working with different clients and their communication skills were excellent. Although they had defined roles, they were asked to wear different hats, such as that of a penetration tester or a vulnerability tester, which also means that sometimes they wouldn’t be an SME for a particular role.
- People from captive units were well versed in the SOC processes and procedures, but worked on very few use cases. They had well-defined roles and cross-collaboration was limited. Some of the well-established captive units have the best of the commercial tools and there weren’t (relatively) any budget constraints on training.
- People from Indian IT services companies had good exposure to various SIEM and open source tools and also had good technical skills. However, their exposure to the latest security news was limited.
- People who worked in the government sector and cyber security forces had the best technical skills, especially when it came to investigations. They are pros with the well-established open source tools, but their exposure to commercial tools was limited.
One last word of advice before I end this article. Many candidates complain that they don’t get the required exposure or experience from their companies during the course of their work. They tell me that the company doesn’t reimburse them for their certifications and therefore they couldn’t learn more in the security field. I think that’s wrong. Barring political reasons for a person missing out on training, you must remember that your company is there to guide/train you to do the work that you are supposed to do for them, and not the work/learning that you gain for yourself (except in a very few companies). If you want to learn, you need to do self-study and research, which is THE most important criterion for being an effective cyber security professional.
So, Wake Up SOC… (taken from my site cybersachin.com)
Security Consultant | Ex-Infoscian | SOC | Incident Response | Threat Intelligence | Information Security | Teacher | Creative Maniac
2 years ago – I just came across this beautiful article. I am going to bookmark it to visit it again and again. Thanks for this wonderful piece.
Cyber incident investigator
4 years ago – Sachin, I am highly thankful to the Almighty for giving me the opportunity to work with you. Please keep posting such content. It will be helpful for many.
Global Lead ISBN Demo Build, Solution & Innovation Experience, SAP | CSM | ITIL4
4 years ago – Congratulations Sachin!
Information Security Engineer at Sophos
4 years ago – Thanks for sharing