SOC
Case handling workflow (SIEM case to ticketing tool incident)
- Events from log sources and alerts from monitoring tools are fed into the SIEM
- The SIEM generates a new case, which appears in the open case queue
- An L1 Analyst picks up the open case and evaluates it (L1 SOC analysis, following the SOP)
  - false positive > close the case
  - valid / true positive > open an incident in the ticketing tool and assign it to the appropriate SME (Subject Matter Expert)
  - if the L1 Analyst doesn't know whether it's a false positive or a true positive > escalate for L2 SOC analysis, which decides true positive or false positive
- The SME remediates the issue as per the recommendation made by the SOC
- The SME closes the incident in the ticketing tool; the incident is resolved in the ticketing tool and an email notification is sent
- Cross check the fix
  - Fixed > close the SIEM case
  - Not fixed > reopen the incident and continue follow-up
- 24/7 Eye on Glass monitoring
- Analysis of Triggered alerts usually following a Runbook
- Raising tickets for validated incidents
- FollowUp with incident reponse team for remediation
- Drafting shift handOvers
- Assist L2/L3 reporting
L2 SOC Analyst
- Deep-dive analysis of escalated alerts
- Assist in incident remediation
- Assist L1 in alert analysis
- Maintaining and improving SOPs and processes
- Troubleshoot basic SIEM issues
SOC Lead / SIEM Admin
- Installing, updating and upgrading the SIEM solution
- Onboarding log sources and working on log source issues
- Create and fine-tune content in the SIEM: correlation rules, dashboards, reports, lists
- Interact with the SIEM vendor TAC (support) to fix any issues with the SIEM
- Install, manage and build content in the SIEM
- Mentor L1 and L2 Security Analysts
- Assist in analysis that requires the involvement of multiple teams
- Evaluate new solutions for the SOC team
- Create runbooks for all alerts
- Schedule the shift roster
SOC Models
- MSSP (Managed Security Service Provider)
  - Dedicated: a team of people with the service provider works for one client. Here the client typically has their own technology; the SIEM and other tools are hosted in the client's datacenters.
  - Shared: a team of people with the service provider monitors and analyzes logs coming from various clients. In this model the technology is hosted in the service provider's datacenter.
- In-house SOC
  The organization runs its own SOC; people, processes and technology are all managed by people within the organization.
- Hybrid SOC
  A mix of both in-house SOC and MSSP. Typically done by outsourcing the L1 monitoring to an MSSP while the organization runs the L2 and incident response teams in house.
(Diagram, MSSP model: clients send logs to the MSSP over a VPN login; the MSSP reports incidents back to the client)
shift handover
- shift start and end time
- any ongoing issues
- incident details
- task handover - reports to pull
3 types of reports
- Technology report
  - Malware summary
  - Firewall summary
  - Account management summary
  - Authentication summary
  - Proxy summary
  - Email summary
  - Threat intelligence summary
- SIEM performance report
  - EPS (events per second)
  - New log sources
  - Silent log sources
  - New correlation rules
- SOC performance report (related to the SOC alert management process)
  - Number of alerts
  - Number of incidents by severity
  - SLA adherence
  - Number of escalations
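The SIEM performance report items above (EPS, new log sources, silent log sources) computed from a small set of constructed events, as an added example that is not from the original notes; the event tuple shape, the source names and the 30-minute silence threshold are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, log source name). Assumed shape,
# not pulled from any real SIEM export.
EVENTS = [
    (datetime(2024, 1, 10, 8, 50), "fw-edge-01"),   # before the window, ignored
    (datetime(2024, 1, 10, 9, 0, 0), "fw-edge-01"),
    (datetime(2024, 1, 10, 9, 0, 1), "fw-edge-01"),
    (datetime(2024, 1, 10, 9, 30), "fw-edge-01"),
    (datetime(2024, 1, 10, 9, 59), "fw-edge-01"),
    (datetime(2024, 1, 10, 9, 5), "proxy-01"),
    (datetime(2024, 1, 10, 9, 10), "proxy-01"),     # then goes quiet
    (datetime(2024, 1, 10, 9, 45), "edr-01"),       # not yet onboarded
]
# Sources onboarded before the report window (constructed); dc-01 sends nothing.
KNOWN_SOURCES = {"fw-edge-01", "proxy-01", "dc-01"}
REPORT_END = datetime(2024, 1, 10, 10, 0)
WINDOW = timedelta(hours=1)
SILENT_AFTER = timedelta(minutes=30)  # no events for this long => silent


def siem_performance_report(events, known_sources, report_end, window, silent_after):
    """EPS, new log sources and silent log sources for one report window."""
    start = report_end - window
    in_window = [(ts, src) for ts, src in events if start <= ts <= report_end]
    counts, last_seen = {}, {}
    for ts, src in in_window:
        counts[src] = counts.get(src, 0) + 1
        last_seen[src] = max(last_seen.get(src, ts), ts)
    seconds = window.total_seconds()
    seen = set(counts)
    # Silent: a known source with no events in the window, or any source whose
    # last event is older than the silence threshold.
    silent = sorted(
        src for src in known_sources | seen
        if src not in last_seen or report_end - last_seen[src] > silent_after
    )
    return {
        "total_eps": len(in_window) / seconds,
        "eps_per_source": {src: n / seconds for src, n in counts.items()},
        "new_log_sources": sorted(seen - known_sources),
        "silent_log_sources": silent,
    }


if __name__ == "__main__":
    report = siem_performance_report(EVENTS, KNOWN_SOURCES, REPORT_END, WINDOW, SILENT_AFTER)
    for key, value in report.items():
        print(key, value)
```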
SIEM Implementation Phases
- Asset management (list of all assets)
- Define the scope for SOC monitoring and analysis
- Log source onboarding preparation
- Implement the SIEM
- Onboard log sources
- Use OOB (out-of-the-box) content like dashboards, reports, rules etc.
- Announce go-live
- During this period analysts start getting comfortable with the tools
- Create custom content as per requirements
SOC Implementation Phases
- Define scope
- Implement technologies
- Hire and build a team
- Develop policies, processes and procedures
- Take the SOC to CMM Level 3, the Defined state (1. Initial > 2. Managed > 3. Defined)
- Develop KPIs (Quantitatively managed)
- Automate (Optimized)
KPIs
Number of devices being monitored
total number of events
number of events per device or host
number of events per location
number of false positive alerts
time to detection
time to resolution
escalation level
what to document in an incident
- incident name, desc
- priority p1-p4
- current time
- detected time
- reported by
- assigned to (team)
- affected to
- affected Host/IP/User/businessUnit
- information gathered
- Analysis
- Evidence
- severity
- status
- Recommendation
Documents we create in SOC
- Log sources onBoarding
- Log sources decommissioning
- threat intel gathering procedure
- threat hunting methodologies
- New use case dev procedure
- Staff onBoarding procedure
- PlayBook/RunBook (investigation procedures)
- Data/Config Backup Procedure
PlayBook/RunBook/SOP
A step-by-step guide to handling an alert in the SOC, usually followed by the L1 Security Analyst.
It helps maintain the quality of analysis and incident documentation and reduces the time to respond.
CMM
Capability Maturity Model
The level at which SOC processes are running
- Initial
  almost no SOC team at all
  processes are unpredictable / not defined, fire-fighting mode (whenever there is an incident the team gets into a reactive approach)
- Managed
  processes are defined but not being followed
  learning and correcting
- Defined
  processes are well defined and followed by everyone - proactive mode
- Quantitatively managed
  we start measuring what we are doing
  processes are well defined and followed by everyone - implement KPIs
- Optimized
  automate repetitive tasks and improve quality and performance
SLA
In the SOC it is the time taken for the SOC team to identify and report a suspicious activity.
SLAs are associated with priorities
- P1 incident > 30 min
- P2 > 1 hour
- P3 > 2 hours
- P4 > 4 hours
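The SOC performance report numbers (alerts, incidents by priority, SLA adherence, escalations) and the time-to-detection / time-to-resolution KPIs, measured against the P1-P4 SLA table above, over a handful of constructed cases; this is an added example and not part of the original notes, and the Case record layout, the case IDs and the timings are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

SLA_MINUTES = {"P1": 30, "P2": 60, "P3": 120, "P4": 240}  # alert -> report, from the notes above

@dataclass
class Case:
    case_id: str
    priority: str                      # P1-P4
    alert_time: datetime               # case appeared in the SIEM open queue
    true_positive: bool                # L1/L2 disposition
    reported_time: Optional[datetime]  # incident opened in the ticketing tool (None for FP)
    resolved_time: Optional[datetime]  # incident closed after cross check (None if FP/open)
    escalated_to_l2: bool

def minutes(start, end):
    return (end - start).total_seconds() / 60

def soc_performance_report(cases):
    tps = [c for c in cases if c.true_positive]
    by_priority = {}
    for c in tps:
        by_priority[c.priority] = by_priority.get(c.priority, 0) + 1
    # SLA adherence: time from alert to reported incident must be within the priority's SLA
    breached = [c.case_id for c in tps
                if minutes(c.alert_time, c.reported_time) > SLA_MINUTES[c.priority]]
    resolved = [c for c in tps if c.resolved_time is not None]
    n_tp, n_res = len(tps), len(resolved)
    return {
        "alerts": len(cases),
        "incidents_by_priority": by_priority,
        "false_positives": len(cases) - n_tp,
        "escalations": sum(1 for c in cases if c.escalated_to_l2),
        "sla_breaches": breached,
        "sla_adherence_pct": 100 * (n_tp - len(breached)) / n_tp if n_tp else 100.0,
        "mean_time_to_report_min": sum(minutes(c.alert_time, c.reported_time) for c in tps) / n_tp if n_tp else 0.0,
        "mean_time_to_resolve_min": sum(minutes(c.alert_time, c.resolved_time) for c in resolved) / n_res if n_res else 0.0,
    }

# Constructed sample cases from one shift (not real incidents)
T = lambda h, m: datetime(2024, 1, 10, h, m)
SAMPLE_CASES = [
    Case("C1", "P1", T(9, 0), True, T(9, 20), T(11, 0), False),   # reported in 20 min, within SLA
    Case("C2", "P1", T(10, 0), True, T(10, 45), T(13, 0), True),  # 45 min, breaches the 30 min P1 SLA
    Case("C3", "P2", T(11, 0), True, T(11, 50), T(14, 0), False),
    Case("C4", "P3", T(12, 0), False, None, None, True),          # escalated to L2, closed as FP
    Case("C5", "P4", T(13, 0), True, T(16, 30), T(18, 0), False),
]
```

Calling `soc_performance_report(SAMPLE_CASES)` gives the per-shift figures; the `sla_breaches` list is what the shift handover should call out by case ID.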
Handling a P1 Incident
Depends on the organization
SLA - usually 30 min
Internal process
- an internal process, for example involving the SOC lead within the first 10 minutes of a P1 alert
- the lead will take the call on which other teams' assistance could be required
- open a bridge call; all the stakeholders will be notified about the incident
- as an L1 Security Analyst I would continue to provide assistance to the lead by pulling reports or checking the status of affected services