SOC, SOC Models, 3 types of reports, SOC Implementation Phases
Define…
SOC Models
In-house SOC
The organization runs its own SOC: people, processes and technology are all managed by staff within the organization.
Hybrid SOC
A mix of in-house SOC and MSSP. Typically L1 monitoring is outsourced to an MSSP while the organization runs L2 analysis and the incident response team in house.
3 types of reports
- Technology report (one summary per monitored technology)
Malware summary
Firewall summary
Account management summary
Authentication summary
Proxy summary
Email summary
Threat intelligence summary
- SIEM performance report
EPS (events per second ingested)
New log sources
Silent log sources (on-boarded sources that have stopped sending events)
New correlation rules
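The SIEM performance figures listed above (EPS, new log sources, silent log sources) can be computed from event metadata exported from the SIEM. The following is an added example in Python, not code from the original notes: the event format, the inventory of known sources, the reporting window and the one-hour silence threshold are my assumptions, and the events are constructed sample data.

```python
"""Added example (not from the original notes): SIEM health figures
(EPS, new log sources, silent log sources) computed from event metadata.

Assumptions (mine, not from the notes): each event is a dict with a
'source' name and an ISO-8601 'ts'; a source is 'silent' when the SIEM
has received nothing from it within SILENT_AFTER; a source is 'new'
when it is not in the known inventory.
"""
from collections import Counter
from datetime import datetime, timedelta

SILENT_AFTER = timedelta(hours=1)  # assumed threshold for a "silent" log source

# Constructed sample events (not real SIEM data).
SAMPLE_EVENTS = [
    {"source": "fw-edge-01",   "ts": "2024-05-01T09:00:00Z"},
    {"source": "dc-01",        "ts": "2024-05-01T09:01:00Z"},
    {"source": "fw-edge-01",   "ts": "2024-05-01T09:02:00Z"},
    {"source": "dc-01",        "ts": "2024-05-01T09:04:00Z"},
    {"source": "fw-edge-01",   "ts": "2024-05-01T09:05:00Z"},
    {"source": "fw-edge-01",   "ts": "2024-05-01T09:08:00Z"},
    {"source": "edr-agent-07", "ts": "2024-05-01T09:09:00Z"},  # not in the inventory yet
    {"source": "proxy-01",     "ts": "2024-05-01T08:30:00Z"},  # last seen well before 'now'
]
# Constructed inventory of log sources the SIEM admin has on-boarded so far.
KNOWN_SOURCES = {"fw-edge-01", "dc-01", "proxy-01", "mail-gw-01"}


def parse_ts(s: str) -> datetime:
    """Parse an ISO-8601 timestamp with a trailing 'Z' into an aware UTC datetime."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def events_in_window(events, start, end):
    """Events whose timestamp falls in the half-open reporting window [start, end)."""
    return [e for e in events if start <= parse_ts(e["ts"]) < end]


def events_per_second(events, start, end) -> float:
    """EPS over the reporting window; events outside the window are not counted."""
    seconds = (end - start).total_seconds()
    if seconds <= 0:
        raise ValueError("reporting window must be non-empty")
    return len(events_in_window(events, start, end)) / seconds


def last_seen(events) -> dict:
    """Most recent timestamp observed per source."""
    seen = {}
    for e in events:
        ts = parse_ts(e["ts"])
        if e["source"] not in seen or ts > seen[e["source"]]:
            seen[e["source"]] = ts
    return seen


def silent_sources(known, events, now, silent_after=SILENT_AFTER) -> set:
    """Known sources with no event at all, or none within the last `silent_after`."""
    seen = last_seen(events)
    return {s for s in known if s not in seen or now - seen[s] > silent_after}


def new_sources(known, events) -> set:
    """Sources that are sending events but are not in the on-boarded inventory."""
    return {e["source"] for e in events} - set(known)


def siem_health_report(known, events, start, end, now=None) -> dict:
    """Assemble the SIEM performance report figures for one reporting window."""
    now = now or end
    window = events_in_window(events, start, end)
    return {
        "eps": events_per_second(events, start, end),
        "events_per_source": dict(Counter(e["source"] for e in window)),
        "new_sources": sorted(new_sources(known, events)),
        "silent_sources": sorted(silent_sources(known, events, now)),
    }


if __name__ == "__main__":
    start = parse_ts("2024-05-01T09:00:00Z")
    end = parse_ts("2024-05-01T09:10:00Z")
    now = parse_ts("2024-05-01T10:00:00Z")
    for key, value in siem_health_report(KNOWN_SOURCES, SAMPLE_EVENTS, start, end, now).items():
        print(f"{key}: {value}")
```

On the constructed data the report gives an EPS of 7/600 for the ten-minute window, flags edr-agent-07 as a new source that needs an onboarding ticket, and flags proxy-01 and mail-gw-01 as silent. The silent-source check is the one worth scheduling: a source that stops logging is indistinguishable from a quiet network until somebody looks.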
- SOC performance report
Related to the SOC alert management process:
Number of alerts
Number of incidents by severity
SLA adherence
Number of escalations
SOC Implementation Phases
- Define scope
- Implement technologies
- Hire and build a team
- Develop policies, processes and procedures
This takes the SOC to CMM Level 3, the Defined state (1. Initial, 2. Managed, 3. Defined)
- Develop KPIs (Level 4, Quantitatively Managed)
- Automate (Level 5, Optimizing)
KPIs
Number of devices being monitored
Total number of events
Number of events per device or host
Number of events per location
Number of false positive alerts
Time to detection
Time to resolution
Escalation level
Documents we create in the SOC
- Log source onboarding
- Log source decommissioning
- Threat intel gathering procedure
- Threat hunting methodologies
- New use case development procedure
- Staff onboarding procedure
- Playbook/Runbook (investigation procedures)
- Data/config backup procedure
Playbook/Runbook/SOP
A step-by-step guide for handling an alert in the SOC, usually followed by the L1 security analyst.
It helps maintain the quality of analysis and incident documentation and reduces the time to respond.
Incidents
Handle a P1 incident
Depends on the organization.
SLA: usually 30 min
Internal process
- An internal process, for example, involves the SOC lead within the first 10 minutes of a P1 alert
- The lead decides which other teams' assistance may be required
- A bridge call is opened and all stakeholders are notified about the incident
- As L1 security analyst I would continue to assist the lead by pulling reports or checking the status of affected services
SLA
In a SOC the SLA is the time allowed for the SOC team to identify and report suspicious activity.
SLAs are tied to priorities:
- P1 incident: 30 min
- P2: 1 hour
- P3: 2 hours
- P4: 4 hours
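The SOC performance report, the KPIs and the SLA targets above can all be derived from the same incident tickets, which is why the incident record needs the detected, reported and resolved times. The following is an added example in Python, not code from the original notes: the ticket fields (alert time, reported time, resolved time, false-positive and escalation flags) are my assumptions, the tickets are constructed sample data, and SLA adherence is measured from alert time to reported time against the P1-P4 targets listed above, over validated (non-false-positive) incidents.

```python
"""Added example (not from the original notes): SOC performance report and
KPI figures computed from incident tickets against the P1-P4 SLA targets.

Assumptions (mine, not from the notes): a ticket records when the alert
fired, when the analyst validated and reported it, when it was resolved
(None if still open), whether it was closed as a false positive and
whether it was escalated. SLA adherence is measured alert -> reported.
"""
from collections import Counter
from datetime import datetime, timedelta
from statistics import mean

# SLA targets from the notes: time from alert to identified-and-reported.
SLA_TARGETS = {
    "P1": timedelta(minutes=30),
    "P2": timedelta(hours=1),
    "P3": timedelta(hours=2),
    "P4": timedelta(hours=4),
}


def ts(s: str) -> datetime:
    return datetime.fromisoformat(s)


# Constructed sample tickets (not real incidents).
SAMPLE_TICKETS = [
    {"id": "INC-1", "priority": "P1", "alert_time": ts("2024-05-01T09:00:00"),
     "reported_time": ts("2024-05-01T09:20:00"), "resolved_time": ts("2024-05-01T11:00:00"),
     "false_positive": False, "escalated": True},
    {"id": "INC-2", "priority": "P1", "alert_time": ts("2024-05-01T09:30:00"),
     "reported_time": ts("2024-05-01T10:15:00"), "resolved_time": ts("2024-05-01T13:30:00"),
     "false_positive": False, "escalated": True},   # reported after 45 min: P1 SLA breach
    {"id": "INC-3", "priority": "P2", "alert_time": ts("2024-05-01T10:00:00"),
     "reported_time": ts("2024-05-01T10:40:00"), "resolved_time": None,
     "false_positive": False, "escalated": False},  # still open
    {"id": "INC-4", "priority": "P3", "alert_time": ts("2024-05-01T11:00:00"),
     "reported_time": ts("2024-05-01T11:30:00"), "resolved_time": ts("2024-05-01T11:30:00"),
     "false_positive": True, "escalated": False},   # closed as false positive
    {"id": "INC-5", "priority": "P4", "alert_time": ts("2024-05-01T12:00:00"),
     "reported_time": ts("2024-05-01T16:30:00"), "resolved_time": ts("2024-05-01T17:00:00"),
     "false_positive": False, "escalated": False},  # reported after 4.5 h: P4 SLA breach
]


def time_to_detect(t) -> timedelta:
    """Alert fired -> analyst validated and reported it."""
    return t["reported_time"] - t["alert_time"]


def time_to_resolve(t):
    """Alert fired -> incident resolved; None while the ticket is open."""
    return t["resolved_time"] - t["alert_time"] if t["resolved_time"] else None


def within_sla(t) -> bool:
    return time_to_detect(t) <= SLA_TARGETS[t["priority"]]


def soc_performance_report(tickets) -> dict:
    """Figures for the SOC performance report and the KPI list."""
    incidents = [t for t in tickets if not t["false_positive"]]
    breaches = [t["id"] for t in incidents if not within_sla(t)]
    resolved = [t for t in incidents if t["resolved_time"] is not None]
    return {
        "alerts_total": len(tickets),
        "false_positives": len(tickets) - len(incidents),
        "incidents_by_priority": dict(Counter(t["priority"] for t in incidents)),
        "escalations": sum(1 for t in incidents if t["escalated"]),
        "sla_adherence": (len(incidents) - len(breaches)) / len(incidents) if incidents else None,
        "sla_breaches": breaches,
        "mttd_minutes": mean(time_to_detect(t).total_seconds() / 60 for t in incidents) if incidents else None,
        "mttr_minutes": mean(time_to_resolve(t).total_seconds() / 60 for t in resolved) if resolved else None,
    }


if __name__ == "__main__":
    for key, value in soc_performance_report(SAMPLE_TICKETS).items():
        print(f"{key}: {value}")
```

On the constructed tickets two of four validated incidents (INC-2 and INC-5) breach their SLA, giving 50% adherence, a mean time to detection of 93.75 minutes and a mean time to resolution of 220 minutes over the three resolved incidents; open tickets are excluded from the resolution figure rather than counted as zero, which would otherwise flatter the number.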
L1 SOC Analyst
- 24/7 eyes-on-glass monitoring
- Analysis of triggered alerts, usually following a runbook
- Raising tickets for validated incidents
- Following up with the incident response team on remediation
- Drafting shift handovers
- Assisting L2/L3 with reporting
Shift handover
- Shift start and end time
- Any ongoing issues
- Incident details
- Task handover (e.g. reports to pull)
What to document in an incident
- Incident name and description
- Priority (P1-P4)
- Current time
- Detected time
- Reported by
- Assigned to (team)
- Affected host/IP/user/business unit
- Information gathered
- Analysis
- Evidence
- Severity
- Status
- Recommendation
L2 SOC Analyst
- Deep-dive analysis of escalated alerts
- Assisting in incident remediation
- Assisting L1 in alert analysis
- Maintaining and improving SOPs and processes
- Troubleshooting basic SIEM issues
SOC Lead/SIEM Admin
- Installing, updating and upgrading the SIEM solution
- Onboarding log sources and working on log source issues
- Creating and fine-tuning content in the SIEM: correlation rules, dashboards, reports, lists
- Interacting with the SIEM vendor's TAC (support) to fix any issues with the SIEM
- Installing and managing the SIEM and building its content
- Mentoring L1 and L2 security analysts
- Assisting in analysis that requires the involvement of multiple teams
- Evaluating new solutions for the SOC team
- Creating runbooks for all alerts
- Scheduling the shift roster
SIEM Implementation Phases
- Asset management (list of all assets)
- Define the scope for SOC monitoring and analysis
- Log source onboarding preparation
- Implement the SIEM
- Onboard log sources
- Use out-of-the-box (OOB) content such as dashboards, reports and rules
- Announce go-live
- During this period analysts get comfortable with the tools
- Create custom content as required