Have you been trying to understand the buzzword SOC? It is a combination of many things, which we are going to explore here.
Threat groups like APT39 and APT41 are highly active on the internet, continuously looking to exploit their targets. Threats also arise from vulnerabilities in products that go unpatched. Information on such vulnerabilities, and sometimes their exploits, goes public as soon as they are discovered. Apart from this, cyber incidents do not always happen because of exploitation from outside. Sometimes data flowing out of the company can also be the cause: employees can innocently send something outside that is highly confidential. All these factors can lead to a cyber incident if proper measures are not taken. So there should be a dedicated team that can respond to incidents, continuously monitor for exploitation, and fix the threats that are out in the open.
Security operations brings all of these under one umbrella. Its aim is to identify, monitor and respond to threats. Simply put, security operations is a centralized unit that deals with security issues at both the organizational and the technical level. That is why it is called a security operations center. Different organizations give varied definitions of a SOC.
According to Splunk
“A security operations center (SOC) acts as the hub for an organization’s security operations. Also called an information security operations center (ISOC), a SOC is a centralized location where information security professionals use technologies to build and maintain the security architecture that monitors, detects, analyzes and responds to cybersecurity incidents, typically around the clock.”
According to IBM
“A security operations center (SOC) — sometimes called an information security operations center, or ISOC — is an in-house or outsourced team of IT security professionals that monitors an organization’s entire IT infrastructure, 24/7, to detect cybersecurity events in real time and address them as quickly and effectively as possible.”
Both definitions give us the idea that a SOC is all about monitoring for threats 24x7. But what really makes up a SOC? That is what we will see now.
Security operations can be divided into four parts, as shown in the image above. Let us look at them individually.
Threat Intelligence
While booking a cab, we are shown the exact location of the nearest cab and its estimated time to reach our pickup point, so that we can get ready accordingly once we book it. Had we not been given these details, it would have been really hard to predict when our cab would arrive. The situation with threats is similar. While implementing measures against threats, we need information about threat actors' moves, targets and attack behaviours. This is achieved using threat intelligence: meaningful insights about threats are generated using tools and techniques that help to mitigate potential risks. Threat intel is all about gathering evidence about adversaries, including their tactics, techniques and procedures, their motivations, and actionable advice against them. Now you might be wondering how to gather intel about a threat and how to use it. The following is the lifecycle for obtaining threat intel.
- Planning and Direction:- Identifying the assets in the organization that are vulnerable to threats, to narrow down the scope of intel research. Once this is done, reputable sources of data and intel are identified for gathering information. After this, tools and resources are identified to defend the assets.
- Collection:- Commercial, private or open source resources are used to gather the required data about the threat.
- Processing:- Intel data from varied sources comes in different formats and may be disconnected when used to investigate an incident. This phase ensures that the data used is uniform and consistent.
- Analysis:- Deciding on an action plan and implementing controls to defend the infrastructure.
- Dissemination:- Informing every member about threats in a way that they understand.
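The Processing phase is the one most often skipped in practice, so here is an added example (not code from the original post) of what it looks like: two constructed feeds in different shapes, a STIX-2-style JSON bundle and a CSV export, are normalized into one uniform indicator record and deduplicated so that later matching does not depend on which source reported the indicator. All feed contents, source names and the `TYPE_MAP` are constructed placeholders, and the STIX pattern matcher handles only the simple single-comparison patterns shown.

```python
"""Added example (not from the original post): the "Processing" step of
the threat-intel lifecycle. Two constructed feeds arrive in different
shapes, a STIX-2-style JSON bundle and a plain CSV export, and are
normalized into one uniform indicator record so later matching works
regardless of which source an indicator came from. All values are
constructed placeholders, not real intelligence."""
import csv
import io
import json
import re
from typing import Dict, List

# Constructed sample: a minimal STIX-2-style bundle (shape only, placeholder values).
STIX_FEED = json.dumps({
    "type": "bundle",
    "objects": [
        {"type": "indicator", "name": "example-c2-domain",
         "pattern": "[domain-name:value = 'bad.example.test']"},
        {"type": "indicator", "name": "example-dropper-hash",
         "pattern": "[file:hashes.'SHA-256' = '" + "a" * 64 + "']"},
        {"type": "malware", "name": "not-an-indicator"},   # other object types are skipped
    ],
})

# Constructed sample: overlapping data exported as CSV by a second source.
CSV_FEED = ("type,value,source\n"
            "domain,BAD.EXAMPLE.TEST,vendor-b\n"
            "ipv4,192.0.2.10,vendor-b\n"
            "sha256," + "a" * 64 + ",vendor-b\n")

# Matches the simple single-comparison STIX patterns used above.
STIX_PATTERN = re.compile(r"\[([a-z0-9-]+):[^=]*=\s*'([^']+)'\]")
TYPE_MAP = {"domain-name": "domain", "ipv4-addr": "ipv4", "file": "sha256"}


def parse_stix(text: str) -> List[Dict[str, str]]:
    """Pull (type, value) out of each STIX indicator object."""
    out = []
    for obj in json.loads(text)["objects"]:
        if obj.get("type") != "indicator":
            continue
        m = STIX_PATTERN.match(obj["pattern"])
        if not m:
            continue   # complex patterns would need a real STIX pattern parser
        out.append({"type": TYPE_MAP.get(m.group(1), m.group(1)),
                    "value": m.group(2).lower(), "source": "stix-feed"})
    return out


def parse_csv(text: str) -> List[Dict[str, str]]:
    """Read the CSV export into the same record shape; values are lower-cased."""
    return [{"type": r["type"], "value": r["value"].lower(), "source": r["source"]}
            for r in csv.DictReader(io.StringIO(text))]


def merge(*feeds: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Deduplicate on (type, value) and keep every source that reported it."""
    merged: Dict[tuple, Dict[str, object]] = {}
    for ind in (i for feed in feeds for i in feed):
        key = (ind["type"], ind["value"])
        entry = merged.setdefault(key, {"type": ind["type"], "value": ind["value"], "sources": []})
        if ind["source"] not in entry["sources"]:
            entry["sources"].append(ind["source"])
    return sorted(merged.values(), key=lambda e: (e["type"], e["value"]))


if __name__ == "__main__":
    for rec in merge(parse_stix(STIX_FEED), parse_csv(CSV_FEED)):
        print(rec)
```

The point of the `sources` list is that the same domain and hash appear in both feeds with different casing; after normalization they collapse to one record each, and the record carries both sources, which is what lets an analyst judge how much corroboration an indicator has.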
Tools and Frameworks:-
Standards and frameworks help in structuring and rationalizing the use of threat intel across industries. They also help in collaboration and communication. Some prominent frameworks are
- MITRE ATT&CK
- TAXII (Trusted Automated eXchange of Indicator Information)
- STIX (Structured Threat Information Expression)
- Cyber Kill Chain
Some Threat Intelligence tools are
- UrlScan.io
- Abuse.ch
- Phishtool
- Cisco Talos Intelligence
- OpenCTI
Vulnerability management
Vulnerability management sounds easy but is often neglected for lack of a proper plan, team and resources. Famous security incidents like WannaCry happened because known vulnerabilities that already had patches available were targeted; the lack of timely patching led to widespread exploitation. Vulnerability management can start as simply as running scanners that check devices for known vulnerabilities. However, scanners are never perfect. Comprehensive vulnerability management also requires understanding the missing processes that can lead to compromise, analysis of threats, and so on. Tools used for vulnerability scanning are
- Tenable/Nessus
- Qualys
- Retina
- OpenVAS
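The WannaCry lesson above is that the most urgent findings are the ones where a patch already exists but has not been applied. As an added example (not from the original post or any of the scanners listed), the following script matches a small asset inventory against a list of advisories and ranks the findings so that patch-available, overdue items come first. The advisory ids, product names, versions, dates and the 30-day patch SLA are all constructed placeholders; the ids are not real CVE numbers.

```python
"""Added example (not from the original post): the basic vulnerability-
management loop. A small asset inventory is matched against constructed
advisories (placeholder ids, not real CVE numbers) and findings are
ranked so that known vulnerabilities with a patch already available are
closed first, which is the class WannaCry exploited."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}
PATCH_SLA_DAYS = 30   # assumed policy: patches older than this are overdue


@dataclass(frozen=True)
class Advisory:
    vuln_id: str                   # placeholder id, not a real CVE
    product: str
    fixed_version: Optional[str]   # None means no vendor patch yet
    published: date
    severity: str


@dataclass(frozen=True)
class Asset:
    hostname: str
    product: str
    version: str


# Constructed sample data.
ADVISORIES = [
    Advisory("VULN-EXAMPLE-0001", "fileshared", "2.4.1", date(2024, 1, 10), "critical"),
    Advisory("VULN-EXAMPLE-0002", "webfront", "5.0.3", date(2024, 3, 1), "high"),
    Advisory("VULN-EXAMPLE-0003", "webfront", None, date(2024, 3, 20), "medium"),
]
ASSETS = [
    Asset("fs01", "fileshared", "2.3.9"),
    Asset("fs02", "fileshared", "2.4.1"),   # already patched
    Asset("web01", "webfront", "4.9.0"),
]


def version_tuple(v: str) -> tuple:
    return tuple(int(p) for p in v.split("."))


def is_affected(asset: Asset, adv: Advisory) -> bool:
    """An asset is affected if it runs the product below the fixed version
    (or any version, when no fix exists yet)."""
    if asset.product != adv.product:
        return False
    if adv.fixed_version is None:
        return True
    return version_tuple(asset.version) < version_tuple(adv.fixed_version)


def prioritize(assets: List[Asset], advisories: List[Advisory], today: date) -> List[Dict[str, object]]:
    """Return findings ordered: patch-available first, then severity, then oldest."""
    findings = []
    for asset in assets:
        for adv in advisories:
            if not is_affected(asset, adv):
                continue
            days_open = (today - adv.published).days
            if adv.fixed_version is None:
                action = "no patch yet: apply compensating control"
            elif days_open > PATCH_SLA_DAYS:
                action = "patch overdue"
            else:
                action = "patch within SLA"
            findings.append({"hostname": asset.hostname, "vuln_id": adv.vuln_id,
                             "severity": adv.severity, "days_open": days_open,
                             "action": action})
    findings.sort(key=lambda f: (f["action"].startswith("no patch"),
                                 SEVERITY_RANK[f["severity"]], -f["days_open"]))
    return findings


if __name__ == "__main__":
    for f in prioritize(ASSETS, ADVISORIES, date(2024, 4, 1)):
        print(f)
```

The ranking key is deliberate: an item with no vendor patch cannot be "patched", so it sorts last regardless of severity and gets a compensating-control action instead; among patchable items, severity and then age decide the order. A real scanner output would replace the hand-built `ADVISORIES` list.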
Security monitoring
After gathering threat intel and managing vulnerabilities, the network needs to be continuously monitored for unwanted activity. This is where the security operations center (SOC) comes into the picture. It involves tasks such as malware detection, data loss prevention, detection and response, and so on. Alerts are investigated, escalated if necessary, and their resolution is documented. Some tools used for monitoring are
- IBM QRadar
- Splunk
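To make "alerts are investigated and escalated if necessary" concrete, here is an added example (not from the original post and not a QRadar or Splunk rule) of the kind of detection logic a monitoring platform encodes. It runs over constructed sshd-style log lines, raises a medium alert when one source address exceeds a failed-login threshold inside a time window, and escalates to high when the same source then logs in successfully, which is the case an analyst must look at first. The log lines, addresses, thresholds and alert names are all constructed assumptions.

```python
"""Added example (not from the original post): a small piece of monitoring
logic of the kind a SIEM rule encodes. It runs over constructed sshd-style
log lines, raises a medium alert when one source exceeds a failed-login
threshold inside a time window, and escalates to high when the same source
then logs in successfully, which is the case an analyst must investigate."""
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Deque, Dict, List

# Constructed log lines (documentation IP ranges, not real hosts).
SAMPLE_LOG = """\
2024-04-01T08:00:01Z sshd[101]: Failed password for invalid user admin from 198.51.100.7 port 50122
2024-04-01T08:00:03Z sshd[101]: Failed password for invalid user admin from 198.51.100.7 port 50123
2024-04-01T08:00:05Z sshd[101]: Failed password for root from 198.51.100.7 port 50124
2024-04-01T08:00:08Z sshd[101]: Failed password for root from 198.51.100.7 port 50125
2024-04-01T08:00:09Z sshd[101]: Failed password for root from 198.51.100.7 port 50126
2024-04-01T08:00:15Z sshd[101]: Accepted password for root from 198.51.100.7 port 50127
2024-04-01T08:05:00Z sshd[102]: Failed password for alice from 203.0.113.9 port 41000
2024-04-01T08:30:00Z sshd[103]: Accepted publickey for alice from 203.0.113.9 port 41001
"""

LINE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<outcome>Failed|Accepted) (?:password|publickey) "
    r"for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+")


@dataclass
class Alert:
    kind: str
    severity: str
    source_ip: str
    when: datetime
    escalate: bool


def detect(log_text: str, threshold: int = 5, window: timedelta = timedelta(seconds=60),
           follow_up: timedelta = timedelta(minutes=10)) -> List[Alert]:
    """Sliding-window failed-login detection with escalation on a later success."""
    failures: Dict[str, Deque[datetime]] = defaultdict(deque)
    flagged: Dict[str, datetime] = {}   # ip -> time of its last brute-force alert
    alerts: List[Alert] = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue   # a real pipeline would count unparsed lines separately
        ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
        ip = m["ip"]
        if m["outcome"] == "Failed":
            q = failures[ip]
            q.append(ts)
            while ts - q[0] > window:   # drop failures that fell out of the window
                q.popleft()
            if len(q) >= threshold:
                alerts.append(Alert("brute_force", "medium", ip, ts, escalate=False))
                flagged[ip] = ts
                q.clear()   # one alert per burst, not one per extra failure
        else:  # Accepted
            last = flagged.get(ip)
            if last is not None and ts - last <= follow_up:
                alerts.append(Alert("success_after_brute_force", "high", ip, ts, escalate=True))
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(a)
```

On the sample, the first source produces two alerts (the burst, then the successful login six seconds later, marked for escalation), while the single failure from the second source followed by a key-based login 25 minutes later produces nothing. That asymmetry is the whole job of the rule: the analyst's queue should contain the second alert, and the documented resolution should say what was done about it.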
Incident Response
When events from the previous stage are escalated to incident status, they need to be acted upon as quickly as possible. When evidence of malware or malicious activity is found, it is dealt with in the incident response phase. There are various phases involved in incident response:
- Preparation
- Identification
- Containment
- Eradication
- Recovery
The SOC team is directly involved in some aspects of incident response and may assist in the rest of the process.
This was a top-level overview of what security operations is, covering the basics. An in-depth study of each topic individually will give a better understanding.