SOC processes - the incident response model and how SIEMs power the basic operations of the SOC
What is a SOC?
An Information Security Operations Center (ISOC or SOC) is a facility where security staff monitor enterprise systems, defend against security breaches, and proactively identify and mitigate security risks.
In the past, the SOC was considered a heavyweight infrastructure which is only within the reach of very large or security-minded organizations. Today, with new collaboration tools and security technology, many smaller organizations are setting up virtual SOCs which do not require a dedicated facility, and can use part-time staff from security, operations and development groups. Many organizations are setting up managed SOCs or hybrid SOCs which combine in-house staff with tools and expertise from Managed Security Service Providers (MSSPs).
Motivation for Building a SOC
A SOC is an advanced stage in the security maturity of an organization. The following are drivers that typically push companies to take this step:
Requirements of standards such as the Payment Card Industry Data Security Standard (PCI DSS), government regulations, or client requirements
The business must defend very sensitive data
Past security breaches and/or public scrutiny
Type of organization—for example, a government agency or Fortune 500 company will almost always have the scale and threat profile that justifies a SOC, or even multiple SOCs
Focus Areas of a SOC
A SOC can have several different functions in an organization, which can be combined. Below are SOC focus areas with the level of importance assigned to each in the Exabeam State of the SOC survey.
SOC Focus Area
Level of Importance in USA SOCs
Control and Digital Forensics—enforcing compliance, penetration testing, vulnerability testing.
Monitoring and Risk Management—capturing events from logs and security systems, identifying incidents and responding.
Network and System Administration—administering security systems and processes such as identity and access management, key management, endpoint management, firewall administration, etc.
The classic Security Operations Center is a physical facility which is well protected in terms of cyber security and physical security. It is a large room, with security staff sitting at desks facing a wall with screens showing security stats, alerts and details of ongoing incidents. Nowadays, many SOCs look quite different. For example, a Virtual SOC (VSOC) is not a physical facility, but rather a group of security professionals working together in a coordinated manner to perform the duties of a SOC.
Challenges When Building a Security Operations Center
Security teams building a SOC face several common challenges:
Limited visibility—a centralized SOC does not always have access to all organizational systems. These could include endpoints, encrypted data, or systems controlled by third parties which have an impact on security.
White noise—a SOC receives immense volumes of data and much of it is insignificant for security. Security Information and Event Management (SIEM) and other tools used in the SOC are getting better at filtering out the noise, by leveraging machine learning and advanced analytics.
False positives and alert fatigue—SOC systems generate large quantities of alerts, many of which turn out not to be real security incidents. False positives can consume a large part of security analysts’ time, and make it more difficult to notice when real alerts occur.
All three of these challenges are addressed by a security information and event management (SIEM) system, which powers daily operations in modern SOCs. Read more about SIEMs below in Technologies Used in the SOC.
What is SecOps?
Security Operations (SecOps) is a collaboration between security and IT operations teams, where security and operations staff assume joint ownership and responsibility for security concerns. It is a set of SOC processes, practices and tools which can help organizations meet security goals more efficiently.
In the past, operations and security teams had conflicting goals. Operations was responsible for setting up systems to achieve uptime and performance goals. Security was responsible for verifying a checklist of regulatory or compliance requirements, closing security holes and putting defenses in place.
In this environment, security was a burden—perceived as something that slows down operations and creates overhead. But in reality, security is part of the requirements of every IT system, just like uptime, performance or basic functionality.
SecOps combines operations and security teams into one organization. Security is “shifting left”—instead of coming in at the end of the process, it is present at the beginning, when requirements are stated and systems are designed. Instead of having ops set up a system, then having security come in to secure it, systems are built from the get go with security in mind.
SecOps has additional implications in organizations which practice DevOps—joining development and operations teams into one group with shared responsibility for IT systems. In this environment, SecOps involves even broader cooperation—between security, ops and software development teams. This is known as DevSecOps. It shifts security even further left—baking security into systems from the first iteration of development.
SecOps in the SOC
The classic Security Operations Center is not compatible with SecOps—security analysts sit in their own room and respond to incidents, while operations are in another room, or building, running IT systems, with little or no communications between them. However, the modern SOC can foster a SecOps mentality:
Analysts can continuously inform operations staff about threats to the organization’s systems, and actual incidents
Analysts can proactively seek out security gaps and work with operations to close them
Operations can come to the SOC for guidance about security implications of systems, components, vendors or changes
The Security Maturity Spectrum—are You Ready for a SOC?
Different organizations find themselves at different stages of developing their security presence. We define five stages of security maturity—in stages 4 and 5, an investment in a Security Operations Center becomes relevant and worthwhile.
“Security isn’t our top conern. We’ve got AV and FWs. We’re good!”
“We haven’t explored solutions and don’t belive we are at risk. We’ll deal with a breach if it happens.”
“We’re at risk, but budget is a problem. We’re overwhelemed by the alerts we’re facing. We need help prioritizing and addressing threats.”
“We have budget to invest in security. We have limited personnel and need to maximize them.”
“We’re knowledgable about security. We continuously innovate and improve our program.”
Basic FW at perimeter.
AV in use.
Patch management added.
Dedicated FW & DMZ.
Basic Identity and Access Management added.
Considering a SIEM or has basic SIEM deployment.
Multi-FW and Network segmentation added.
Data classification added.
Overhelemed by alerts and logs.
Needs to prioritize them.
Concerned with optimizing budget due to limited resources.
SIEM is integrated with most areas.
Considering analytics as a way to cut down on alert fatigue.
Starting to think about tools to optimize incident investigation.
Looking to increase operational efficiency and maximize personnel output.
Intrigued by the idea of threat hunting.
Very mature SIEM deployment.
Integrated with virtually all systems.
Performs threat hunting with senior analysts.
Has customized security capabilities that integrate into their workflows.
Capable of building their own DS algorithms.
Interested in cost efficiency and reduced risk from 3rd party solutions.
SOC Deployment Models
Following are common models for deploying a SOC within your organization:
Classic SOC with dedicated facility, dedicated full time staff, operated fully in house, 24×7 operations.
Some full time staff and some part-time, typically operates 8×5 in each region.
Multifunctional SOC / NOC
A dedicated facility with a dedicated team which performs both the functions of a Network Operations Center (NOC) and a SOC.
A traditional SOC combined with new functions such as threat intelligence, operational technology (OT).
Command SOC / Global SOC
Coordinates other SOCs in a global enterprise, provides threat intelligence, situational awareness and guidance.
No dedicated facility, part-time team members, usually reactive and activated by a high profile alert or security incident. The term Virtual SOC is also sometimes used for an MSSP or managed SOC (see below).
Managed SOC / MSSP / MDR
Many organizations are turning to Managed Security Service Providers (MSSP) to provide SOC services on an outsourced basis. Modern offerings are called Managed Detection and Response (MDR). Managed SOCs can be outsourced completely or co-managed with in-house security staff.
Who Works in a SOC?
A Security Operations Center has a hierarchy of roles with a clear escalation path. Day-to-day alerts are received and investigated by the Tier 1 Analyst; a real security incident is stepped up to a Tier 2 Analyst; and business critical incidents pull in the Tier 3 Analyst and if necessary, the SOC Manager.
Tier 1 Analyst
System administration skills, web programming languages such as Python, Ruby, PHP, scripting languages, security certifications such as CISSP or SANS SEC401
Monitors SIEM alerts, manages and configures security monitoring tools. Prioritizes alerts or issues and performs triage to confirm a real security incident is taking place.
Tier 2 Analyst
Similar to Tier 1 analyst but with more experience including incident response. Advanced forensics, malware assessment, threat intelligence. White-hat hacker certification or training is a major advantage.
Receives incidents and performs deep analysis, correlates with threat intelligence to identify the threat actor, nature of the attack and systems or data affected. Decides on strategy for containment, remediation and recovery and acts on it.
Similar to Tier 2 analyst but with even more experience including high-level incidents. Experience with penetration testing tools and cross-organization data visualization. Malware reverse engineering, experience identifying and developing responses to new threats and attack patterns.
Day-to-day, conducts vulnerability assessments and penetration tests, and reviews alerts, industry news, threat intelligence and security data. Actively hunts for threats that have found their way into the network, as well as unknown vulnerabilities and security gaps. When a major incident occurs, joins the Tier 2 Analyst in responding and containing it.
Tier 4 SOC Manager
Similar to Tier 3 analyst, including project management skills, incident response management training, strong communication skills.
Like the commander of a military unit, responsible for hiring and training SOC staff, in charge of defensive and offensive strategy, manages resources, priorities and projects, and manages the team directly when responding to business critical security incidents. Acts as point of contact for the business for security incidents, compliance and other security
Support and Infrastructure
Degree in computer science, computer engineering or information assurance, typically combined with certifications like CISSP.
A software or hardware specialist who focuses on security aspects in the design of information systems. Creates solutions and tools that help organizations deal robustly with disruption of operations or malicious attack. Sometimes employed within the SOC and sometimes supporting the SOC as part of development or operations teams.
A SOC cannot operate without technology. The table below summarizes traditional and next-generation tools used in today’s security operations center. Below we provide more details about a few of the most important.
Traditional Tools Used in the SOC
Next-Gen Tools Leveraged by Advanced SOCs
Security Information and Event Management (SIEM)
Governance, risk and compliance (GRC) systems
Vulnerability scanners and penetration testing tools
Intrusion Detection Systems (IDS), Intrusion Prevention Systems (IPS), and wireless intrusion prevention
Firewalls, Next-Generation Firewalls (NGFW) which can function as an IPS, and Web Application Firewalls (WAF)
Log management systems (commonly as part of the SIEM)
Cyber threat intelligence feeds and databases
Next-generation SIEMs which is built on a big data platform and includes machine learning and advanced behavioral analytics, threat hunting, built-in incident response and SOC automation
Network Traffic Analysis (NTA) and Application Performance Monitoring (APM) tools
Endpoint Detection and Response (EDR), which helps detect and mitigate suspicious activities on hosts and user devices
User and Entity Behavior Analytics (UEBA), which uses machine learning to identify suspicious behavioral patterns
Security Information and Event Management (SIEM)
The foundational technology of a SOC is a SIEM system, which aggregates system logs and events from security tools from across the entire organization. The SIEM uses correlation and statistical models to identify events that might constitute a security incident, alert SOC staff about them, and provide contextual information to assist investigation. A SIEM functions as a “single pane of glass” which enables the SOC to monitor enterprise systems.
Firewalls, Next-Generation Firewalls (NFGW) and Web Application Firewalls (WAF)
Firewalls are a standard part of any cybersecurity arsenal. Two new technologies are complementing or replacing the traditional firewall:
NGFW—extends the firewall by providing intrusion prevention and intrusion detection with deep packet inspection capabilities. NGFWs can block threats at the network edge using techniques like URL filtering, behavioral analysis and geolocation filtering. They use a reverse proxy to terminate connections and inspect content before it reaches a web server.
WAF—a WAF is deployed in front of web applications, inspects traffic and identifies traffic patterns that may represent malicious activity. A WAF can detect attacks while minimizing false positives, by learning acceptable URLs, parameters and user inputs, and uses this data to identify traffic or inputs that deviate from the norm.
These technologies are leveraged in the modern SOC to reduce the attack profile of websites and web applications, and gather higher quality data about legitimate and malicious traffic hitting critical web properties.
Endpoint Detection and Response (EDR)
EDR is a new category of tools that helps SOC teams respond to attacks on endpoints, like user workstations, mobile phones, servers or IoT devices. These tools are built around the assumption that attacks will happen, and that the SOC team usually has very limited visibility and control into what’s happening on a remote endpoint. EDR solutions are deployed on endpoints, provide instant, accurate data about malicious activity, and gives SOC teams remote control over endpoints to perform immediate mitigation.
For example, the SOC team can use EDR to identify 50 endpoints infected with Ransomware, isolate them from the network, wipe and re-image the machines. All this can be done in seconds to identify attacks as they happen, prevent them from spreading and support eradication.
SOC Monitoring Tools
Monitoring is a key function of tools used in the SOC. The SOC is responsible for enterprise-wide monitoring of IT systems and user accounts, and also monitoring of the security tools themselves—for example, ensuring antivirus is installed and updated on all organizational systems. The main tool that orchestrates monitoring is the SIEM. Organizations use many dedicated monitoring tools, such as network monitoring and Application Performance Monitoring (APM). However, for security purposes only the SIEM, with its cross-organizational view of IT and security data, can provide a complete monitoring solution.
Motivation for Using Next-Generation SOC Tooling
Next-generation SIEM&mdashhelps lower alert fatigue, lets analysts focus on the alerts that matter. New analytics capabilities, combined with a huge breadth of security data, allow next-gen SIEMs to discover incidents that no individual security tool can see.
NTA&mdasheasy to implement, great at detecting abnormal network behaviors. Useful when the SOC has access to the traffic under investigation and is interested in investigating lateral movement by attackers already inside the perimeter.
UEBA&mdashuses machine learning and data science techniques to detect malicious insiders, or bypass of security controls. Makes it much easier to identify account compromise, whether by outside attackers or insiders.
EDR&mdashprovides a strong defense against compromise of workstations or servers, helps manage the mobile workforce. Provides the data needed to carry out historic investigations and track root causes.
Established SOC→Add automated threat intelligence sandboxing, NTA and EDR.
Forward Leaning→Add UEBA and a full in-house Threat Intelligence Platform—provided as a part of next-generation SIEMs
SOC Processes Facilitated by a SIEM: Key Examples
The SIEM can help security staff combine data about malware detected across the organization, correlate it with threat intelligence and help understand the systems and data affected. Next-gen SIEMs provide security orchestration capabilities, a visualization of incident timelines, and can even automatically “detonate” malware in a threat intelligence sandbox.
Phishing prevention and detection
The SIEM can use correlations and behavioral analysis to determine that a user clicked a phishing link, distributed via email or other means. When an alert is raised, analysts can search for similar patterns across the organization and across timelines to identify the full scope of the attack.
When an employee is suspected of direct involvement in a security incident, a SIEM can help by drawing in all data about the employee’s interaction with IT systems, over long periods of time. A SIEM can uncover anomalies like logins into corporate systems at unusual hours, escalation of privileges, or moving large quantities of data.
Departed employees risk mitigation
According to an Intermedia study, 89% of employees who leave their jobs retain access to at least some corporate systems, and use those credentials to log in. A SIEM can map out the problem in a large organization, identifying which systems have unused credentials, which former employees are accessing systems, and which sensitive data is affected.
How SecOps and DevSecOps are Transforming the SOC
Security Operations Center processes used to be completely isolated from other parts of the organization. Developers would build systems, IT operations would run them, and security were responsible for securing them. Today it is understood that joining these three functions into one organization—with joint responsibility over security—can improve security and create major operational efficiencies.
Here are a few ways in which a SOC can integrate its processes with dev and IT:
Creating a distributed SOC with DevOps members—DevOps teams can help with incident response due to their deep knowledge of IT systems, and can learn from security staff about threats and critical vulnerabilities.
Pairing threat hunters with DevOps team leaders—instead of discovering a threat and reporting it upwards, threat hunters can work directly with dev or ops teams to close the security gap at its source.
Opening the SOC for guidance and advice—anyone doing work that has a security impact should have an easy path to reach the SOC and consult with the organization’s top security experts.
Creating security centers of excellence—the SOC can work with selected dev and operations groups to implement security best practices, and then showcase these successes to the entire organization to promote SecOps practices.
A Basic Incident Response Model
While SOCs are undergoing transformation and assuming additional roles, their core activity remains incident response. The SOC is the organizational unit that is expected to detect, contain, and mitigate cyber attacks against the organization. The people responsible for incident response are Tier 1, Tier 2 and Tier 3 analysts, and the software they primarily rely on is the SOC’s Security Information and Event Management (SIEM) system.
Tier 1 Analysts monitor user activity, network events, and signals from security tools to identify events that merit attention.
Tier 1 Analysts prioritize, select the most important alerts, and investigate them further. Real security incidents are passed to Tier 2 Analysts.
Containment and Recovery
Once a security incident has been identified, the race is on to gather more data, identify the source of the attack, contain it, recover data and restore system operations.
Remediation and Mitigation
SOC staff work to identify broad security gaps related to the attack and plan mitigation steps to prevent additional attacks.
Assessment and Audit
SOC staff assess the attack and mitigation steps, gather additional forensic data, draw final conclusions and recommendations, and finalize auditing and documentation.
A SIEM is a foundational technology in a SOC—here is how a SIEM can help with each incident response stage:
Alert generation and ticketing
A SIEM collects security data from organizational systems and security tools, correlates it with other events or threat data, and generates alerts for suspicious or anomalous events.
Searching and exploring data
A SIEM can help Tier 1 and Tier 2 analysts search, filter, slice and dice, and visualize years of security data. Analysts can easily pull and compare relevant data to better understand an incident.
Context on incidents and security orchestration
When a real security incident is identified, a SIEM provides context around the incident—for example, which other systems were accessed by the same IPs or user credentials.
Reporting and dashboarding
Remediation and mitigation are an ongoing activity, and they require visibility of the status and activity of critical security and IT systems. SIEMs have a cross-organization view which can provide this visibility.
One of the core functions of a SIEM is to produce reports and audits for regulatory requirements and standards like PCI DSS, HIPAA and SOX—both on an ongoing basis and following an incident or breach.
Next Gen SIEM
Next-generation SIEMs leverage machine learning and behavioral analytics to reduce false positives and alert fatigue, and discover hard-to-detect complex events like lateral movement, insider threats and data exfiltration.
Next Gen SIEM
Next-generation SIEMs are based on data lake technology that allows organizations to store unlimited data at low cost. They also leverage machine learning and User Event Behavioral Analytics (UEBA) to easily identify high risk events and surface them to analysts.
Next Gen SIEM
Next-generation SIEMs provide Security Orchestration and Automation (SOAR) capabilities. They integrate with other security systems and can automatically perform containment actions. For example, quarantine an email infected by Malware, download and test the Malware in a threat intel sandbox.
Next Gen SIEM
Next-generation SIEMs leverage machine learning and data science capabilities that establish smart baselines for groups of users and devices. This allows faster and more accurate detection of insecure systems or suspicious activity.
Measuring the SOC
Here are a few important metrics that can help understand the scale of activity in the SOC, and how effectively analysts are handling the workload.
Modern SOCs require cooperation and collaboration between development, operations and security teams. Increasingly complex infrastructures and the speed of agile processes require capabilities that security teams cannot achieve on their own.
Effective security tools should support all steps of the incident response process. Centralizing information, providing fast analyses, and supporting in-depth investigations are key.
Metrics can help you evaluate the effectiveness of your SOC processes when used carefully. Make sure to incorporate metrics results into evaluation and refinement processes.
What it Measures
Mean Time to Detection (MTTD)
Average time the SOC takes to detect an incident
How effective the SOC is at processing important alerts and identifying real incidents
Mean Time to Resolution (MTTR)
Average time that transpires until the SOC takes action and neutralizes the threat
How effective the SOC is at gathering relevant data, coordinating a response and taking action
Total cases per month
Number of security incidents detected and processed by the SOC
How busy the security environment is and the scale of action the SOC is managing
Types of cases
Number of incidents by type—web attack, attrition (brute force and destruction), email, loss or theft of equipment, etc.
The main types of activity managed by the SOC and where security preventative measures should be focused
Number of units processed per analyst—alerts for Tier 1, incidents for Tier 2, threats discovered for Tier 3
How effective analysts are at covering maximum possible alerts and threats
Case escalation breakdown
Number of events that enter the SIEM, alerts reported, suspected incidents, confirmed incidents, escalated incidents
The effective capacity of the SOC at each level and the workload expected for different analyst groups
The Future of the SOC
The Security Operations Center is undergoing an exciting transformation. It is integrating with ops and development departments, and is empowered by powerful new technologies, while retaining its traditional command structure and roles—to identify and respond to critical security incidents.
We showed how SIEM is a foundational technology of the SOC, and how next-generation SIEMs, which include new capabilities like behavioral analytics, machine learning and SOC automation, open up new possibilities for security analysts.
The impact of a next-gen SIEM on the SOC can be significant:
Reduce alert fatigue—via User Entity Behavioral Analytics (UEBA) that goes beyond correlation rules, helps reduce false positives and discover hidden threats.
Improve MTTD—by helping analysts discover incidents faster and gather all relevant data.
Improve MTTR—by integrating with security systems and leveraging Security Orchestration, Automation and Response (SOAR) technology.
Enable threat hunting—by giving analysts fast and easy access and powerful exploration of unlimited volumes of security data.
Exabeam is an example of a next-generation SIEM which combines data lake technology, visibility into cloud infrastructure, behavioral analytics, an automated incident responder and a threat hunting module with powerful data querying and visualization.