Understanding Security Operations Center (SOC)

Nishant Grover
5 min read · Jun 15, 2023


Note: All views in this article are my own; team structure differs with organization size, infosec team size, and business priorities.

The SOC team is responsible for the day-to-day monitoring, detection, and response to security incidents. They work in shifts to ensure 24/7 coverage and act as the first line of defense against cyber threats.

SOC teams typically use a variety of tools and techniques to monitor network traffic, identify suspicious activity, and investigate incidents.

The size and composition of a SOC team will vary depending on the size and complexity of the organization it supports. However, most SOC teams will include a mix of security analysts, incident responders, and shift leads/managers.

SOC Team roles

Security Analysts: They are responsible for monitoring and analyzing security alerts and events generated by security tools. These events are monitored via a Security Information and Event Management (SIEM) tool. They investigate (or triage) these alerts, filter out potential security incidents, determine their severity and impact, and remediate them or pass them to the appropriate team. Security Analysts typically work in a 24/7 model and can be 1st party (employed by and working for the company), 3rd party (working for a client), or a mix of both.

Incident Responders: The Security Incident Response Team (SIRT) is responsible for investigating and responding to security incidents in a timely and effective manner. They work closely with other teams within the SOC and with external stakeholders to contain and mitigate the impact of security incidents. They are usually responsible for handling any security incident affecting the company, regardless of whether it is reported from within the company or externally. SIRT works during business hours but is always on standby and available on-call to respond to an incident 24/7. They can be internal to the company (1st party) or a 3rd party that is kept on standby and is contractually bound to respond within X hours.

Threat Intelligence Analysts: The Threat Intelligence Team is responsible for gathering, analyzing, and sharing information about potential or emerging cyber threats, attack techniques, and vulnerabilities. They provide actionable intelligence to other teams within the SOC to help improve the organization's security posture. The team is responsible for enriching the information and data that flow into the SIEM with more context (such as a relation to a known threat actor), making it more meaningful for Security Analysts and Incident Responders. This team generally works during business hours and is commonly outsourced to a third-party company that works for one or more clients.

Threat Hunt Team: This team proactively searches for threats and vulnerabilities that may have been missed by automated security tools. It works on an assume-compromise scenario, with a stated hypothesis and scope, on the premise that attackers are already in the network or that a vulnerability in the environment has been exploited for an attack. They analyze large data sets, commonly over a 90-day window, to look for threats and outliers. Suspicious activities are then escalated to SIRT for deeper investigation. The outcomes of a Threat Hunt exercise are visibility gaps, new detections, and security incidents that weren't picked up by security tools. This team works during business hours and comprises senior members from the Security Analysts and/or SIRT.
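The 90-day outlier analysis described above, as an added example (not the author's code): a least-frequency "stacking" hunt that groups process executions by (process, parent) and surfaces pairs seen on only one host inside the window. The telemetry, the hunt date `TODAY`, and the one-host threshold are constructed assumptions.

```python
from collections import defaultdict
from datetime import date, timedelta

# Constructed sample process telemetry, not from the article:
# (host, process, parent process, day first observed on that host).
EVENTS = [
    ("ws01", "outlook.exe", "explorer.exe", date(2023, 6, 1)),
    ("ws02", "outlook.exe", "explorer.exe", date(2023, 6, 2)),
    ("ws03", "outlook.exe", "explorer.exe", date(2023, 6, 3)),
    ("ws01", "teams.exe", "explorer.exe", date(2023, 5, 20)),
    ("ws02", "teams.exe", "explorer.exe", date(2023, 5, 21)),
    ("ws03", "Teams.exe", "explorer.exe", date(2023, 5, 22)),
    ("ws02", "updater.exe", "winword.exe", date(2023, 6, 10)),  # one host only
    ("ws03", "legacy.exe", "explorer.exe", date(2023, 1, 5)),   # rare, but older than 90 days
]
TODAY = date(2023, 6, 15)  # assumed date on which the hunt is run


def stack_rare_processes(events, today, window_days=90, max_hosts=1):
    """Least-frequency ('stacking') analysis over a sliding window.

    Hypothesis: a process/parent pair that runs on very few hosts across the
    fleet is an outlier worth a closer look. Returns {(process, parent): hosts}
    for pairs seen on at most `max_hosts` distinct hosts inside the window.
    """
    cutoff = today - timedelta(days=window_days)
    hosts_by_pair = defaultdict(set)
    for host, proc, parent, first_seen in events:
        if first_seen < cutoff:
            continue  # outside the hunt window, ignore
        # normalise case so "Teams.exe" and "teams.exe" stack together
        hosts_by_pair[(proc.lower(), parent.lower())].add(host)
    return {pair: sorted(hosts) for pair, hosts in hosts_by_pair.items()
            if len(hosts) <= max_hosts}


def hunt_leads(events, today=TODAY):
    """Render the outliers as one-line leads to hand over to SIRT."""
    rare = stack_rare_processes(events, today)
    return [f"{proc} spawned by {parent} on {', '.join(hosts)}"
            for (proc, parent), hosts in sorted(rare.items())]


if __name__ == "__main__":
    for lead in hunt_leads(EVENTS):
        print("LEAD:", lead)
```

Widening `window_days` brings older rare pairs back into scope, which is why the window is part of the hunt's stated scope rather than a fixed constant.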

Digital Forensics Team: This team is responsible for investigating security incidents by collecting and analyzing digital evidence. They use highly specialized forensic tools and techniques to determine the root cause of security incidents and provide recommendations for remediation. They work closely with the legal team, comply with local laws and regulations, and handle digital investigations in accordance with them. The members of this team are highly specialized and have deep knowledge of operating system internals. This team generally works in a third-party model and bills clients on an hourly basis when engaged on an investigation.

Malware Analysis and Reverse Engineering Team: This team is responsible for analyzing and reverse-engineering malware. They use a variety of tools and techniques to disassemble, decompile, and debug malware in order to understand how it works and what it is designed to do. They also develop and maintain tools and techniques for malware analysis, and they provide recommendations for mitigating the impact of malware infections and preventing future attacks. The Malware Analyst (or Researcher) role is common in companies that sell anti-virus or other security tools, where they are responsible for identifying new malware threats and developing new methods for analyzing malware. Some SOC teams also have 1–2 people with basic knowledge of malware analysis. These individuals use their knowledge to extract next-stage indicators of compromise (IOCs) from malware samples, for containment and for hunting infected machines in the network.

SOC Team Toolsets

The following covers all the tools that the SOC team usually utilizes or monitors to protect the environment. All of these tools have many vendors in the market, each with its own unique selling points (USPs).

InfoSec Overall

Building on what you have learned from the series so far, this is how the roles above interact with each other.

  1. Security Analysts to other roles: They interact with the Threat Intel team to consume the latest Indicators of Compromise (IoCs), match them against their alerts, or even create alerts based on them. Interaction with the Incident Response team is more frequent and centres on security escalations and investigations. Interaction with the Threat Hunt team is around existing detections and the missing ones, for which the Threat Hunt team can run hunts. Similarly, opinions on malware samples, commonly obtained from phishing campaigns, can be sought from the Malware Analysis team.
  2. Incident Response: Apart from the interaction with Security Analysts above, this team commonly interacts with Threat Hunters to share hunt ideas that originate from an incident. When interacting with the Forensics team, they share endpoint details and systems for investigation, and discovered malware is shared with the Malware Analysis team for a deep dive and for extracting IOCs.
  3. Malware Analysts, the Forensics team, and the Threat Hunt team exchange observed techniques, file samples, and IOCs to enhance the security posture.
  4. The SOC team also interacts with other stakeholders, providing them with logs (for example access logs, firewall logs, or even operating system logs) for troubleshooting, usually during IT issues.
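The IoC matching and enrichment described under Threat Intelligence Analysts and in item 1 above, as an added example that is not the author's code: a threat-intel feed is normalised (defanged indicators refanged, case folded), SIEM alerts are matched against it by indicator type, and matches get actor context attached and their severity raised. The feed and alert formats, the confidence thresholds, the `ACTOR-PLACEHOLDER-*` names, the RFC 5737 documentation addresses and the `deadbeef` hash are all constructed assumptions.

```python
# Constructed threat-intel feed, not from the article. Indicators arrive
# "defanged" (e.g. "[.]") as they often do in reports; all values are examples.
INTEL_FEED = [
    {"indicator": "203.0.113.45", "type": "ip",
     "actor": "ACTOR-PLACEHOLDER-1", "confidence": 90},
    {"indicator": "update-check[.]example", "type": "domain",
     "actor": "ACTOR-PLACEHOLDER-2", "confidence": 70},
    {"indicator": "DEADBEEF" * 8, "type": "sha256",  # constructed hash
     "actor": None, "confidence": 50},
]

# Constructed SIEM alerts as a Security Analyst would see them before enrichment.
SIEM_ALERTS = [
    {"id": 1, "severity": "low", "host": "ws02", "dst_ip": "203.0.113.45"},
    {"id": 2, "severity": "low", "host": "ws05", "domain": "Update-Check.example"},
    {"id": 3, "severity": "low", "host": "ws07", "sha256": "deadbeef" * 8},
    {"id": 4, "severity": "low", "host": "ws09", "dst_ip": "198.51.100.7"},
]

# Alert fields that may carry an indicator, mapped to the feed's indicator type.
MATCH_FIELDS = {"dst_ip": "ip", "domain": "domain", "sha256": "sha256"}


def refang(indicator):
    """Undo common defanging so feed values compare equal to live telemetry."""
    return indicator.replace("[.]", ".").replace("hxxp", "http").strip().lower()


def load_feed(feed):
    """Index the feed by (type, normalised indicator) for constant-time lookups."""
    return {(e["type"], refang(e["indicator"])): e for e in feed}


def enrich_alert(alert, intel):
    """Attach threat-actor context and raise severity when an IoC matches."""
    enriched = dict(alert)
    hits = []
    for field, ioc_type in MATCH_FIELDS.items():
        value = alert.get(field)
        hit = intel.get((ioc_type, refang(value))) if value else None
        if hit:
            hits.append({"field": field, "actor": hit["actor"],
                         "confidence": hit["confidence"]})
    if hits:
        enriched["intel"] = hits
        best = max(h["confidence"] for h in hits)
        # a high-confidence actor attribution jumps the triage queue; weaker
        # hits are still escalated above the untouched "low" baseline
        enriched["severity"] = "high" if best >= 80 else "medium"
    return enriched


def enrich_alerts(alerts, feed=INTEL_FEED):
    intel = load_feed(feed)
    return [enrich_alert(a, intel) for a in alerts]
```

Alert 4 passes through unchanged, which is the point: enrichment should add context only where the feed actually matches, so analysts can trust the raised severities.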

Conclusion:

In the above, I covered the role of SOC teams, their responsibilities, subteams, and toolsets. I explained how all of these elements come together to protect and defend against cyber threats. In my next article, I will discuss the role of security administrators and how they help the SOC team achieve security monitoring, detection, and response.

Link to Part 3: https://medium.com/@inishantgrover/role-of-security-administrators-15939914907c

Video Series Link: https://www.youtube.com/playlist?list=PLYvPOAFzOkSsGlrW74f-2351WW9Sh7S3u

Go back to previous part: https://medium.com/@inishantgrover/demystifying-information-security-team-part-1-26087ec7f294
