Continuous Monitoring & Security Operations Center (SOC)

What are the concepts and implementations for performing continuous monitoring of cybersecurity threats, and the technologies or activities that enable threat detection?

A Security Operations Center (SOC) is a central unit or team within an organization that is responsible for monitoring and analyzing an organization's security posture, identifying potential security threats and vulnerabilities, and responding to security incidents. A SOC typically operates on a 24/7/365 basis and uses a range of technologies and tools to monitor and analyze an organization's security posture, including network and endpoint security systems, security information and event management (SIEM) systems, and other specialized security tools.

The primary role of a SOC is to protect an organization's assets, including its data, systems, and networks, from cyber threats and vulnerabilities. This involves monitoring for potential security threats, such as malicious activity or unusual network traffic, and taking appropriate action to mitigate or respond to those threats. A SOC may also be responsible for managing and maintaining the organization's security infrastructure, including firewalls, intrusion detection and prevention systems, and other security controls.

Types of Security Operations Centers

There are several different types of SOCs, each with its own unique characteristics and benefits:

  • Internal SOC: An internal SOC is a team of security professionals who are employed directly by the organization and work on-site at the organization's facilities. This type of SOC allows the organization to have full control over its security operations and can be beneficial for organizations with highly sensitive data or strict regulatory requirements.

  • Managed SOC: A managed SOC is a team of security professionals who are employed by a third-party security provider and work remotely to monitor and manage the organization's security posture. This type of SOC can be beneficial for organizations that don't have the resources or expertise to operate their own SOC, or for organizations that want to outsource some or all of their security operations.

  • Hybrid SOC: A hybrid SOC is a combination of an Internal and Managed SOC, where the organization has both an in-house team and a managed team working together to monitor and manage the organization's security posture. This type of SOC can be beneficial for organizations that want the benefits of both an in-house and managed SOC, or for organizations that want to scale their security operations up or down as needed. With the rise of security vendors offering Managed Detection and Response (MDR) services, these solutions are often used to boost the capabilities of Internal SOCs.

No matter what type of SOC an organization chooses, it is important for the organization to have a well-defined security strategy and well-trained security professionals in place to effectively monitor and manage its security posture. By investing in a strong SOC, organizations can protect their assets and ensure the security and resilience of their operations.

SOC Team Members

A Security Operations Center consists of teams of security professionals who are employed directly by the organization or are employed on a service or contractual basis. There are several core roles that team members may be responsible for, including:

Operational

  • Security Analysts: Security Analysts are responsible for monitoring and analyzing the organization's security posture, identifying potential security threats and vulnerabilities, and taking appropriate action to mitigate or respond to those threats. They may use a range of technologies and tools, including security information and event management (SIEM) systems, network and endpoint security systems, and other specialized security tools, to monitor and analyze the organization's security posture.

  • DFIR Analysts: A DFIR (Digital Forensics and Incident Response) analyst is a security professional who is trained in digital forensics and incident response and is responsible for investigating and responding to security incidents within an organization. Typically, an incident is declared after initial triage of an event by a Security Analyst and is then escalated to the DFIR team.

  • Security Engineers: Security Engineers are responsible for designing, implementing, and maintaining the organization's security infrastructure, including firewalls, intrusion detection and prevention systems, and other security controls. Security Engineers are commonly responsible for vulnerability management, which is the process of identifying, prioritizing, and mitigating vulnerabilities in an organization's systems, networks, and applications. They may also be responsible for fine-tuning detection rules for the various security tools.

Strategic

  • Penetration Testers: Penetration Testers are security professionals who are trained to identify and exploit vulnerabilities in an organization's systems, networks, and applications. Within a Security Operations Center (SOC), the role of penetration testers is to help the organization identify and address weaknesses in its defenses, and to improve its overall security posture. This role is not commonly seen in-house outside of Very Large Enterprises (VLEs); instead, it is typical to see this function outsourced to third parties.

  • Security Architects: Security Architects are responsible for designing and implementing the organization's overall security strategy, including the selection and deployment of security technologies and the development of security policies and procedures. They may also be responsible for evaluating the organization's security posture and identifying areas for improvement; however, this could also be carried out by separate GRC Officers.

  • GRC Officers: A Governance, Risk and Compliance (GRC) officer is a security professional who is responsible for ensuring that an organization's security operations are in compliance with relevant laws, regulations, and industry standards, and that the organization's security posture is aligned with its risk appetite and business objectives.

Management and Leadership

  • Team Leads: Within the SOC, there may be several team leads who are responsible for overseeing the work of specific teams or functions within the SOC. For example, there may be a team lead for the incident response team, a team lead for the vulnerability management team, and so on. Team leads are responsible for setting goals and priorities for their teams, and for ensuring that the team is meeting its objectives.

  • Security Managers: Security Managers are responsible for overseeing the overall operation of the SOC and ensuring that the team is meeting the organization's security needs. They may also be responsible for hiring and training team members, managing budgets and resources, and coordinating with other departments within the organization to ensure that security is integrated into all aspects of the organization's operations.

  • Security Leadership: Security leadership is typically represented by the Chief Information Security Officer (CISO), the senior executive responsible for the organization's overall security posture. The CISO is typically responsible for developing and implementing the organization's security strategy, and for overseeing the operation of the SOC.

Common SOC Methodologies

Event Vs. Incident Differentiation

It is important for organizations to understand fundamental terminology and to be able to correctly categorize events and incidents, and to assess the efficacy of their controls, in order to respond effectively to security threats. Establishing clear definitions and methodologies for these concepts helps organizations understand and manage potential threats, and develop effective strategies for responding to and mitigating them.

Here are some basic definitions and examples:

  • Events: Events are any activities or occurrences that are recorded by a system or network. These may include normal system activities, such as logins and file access, as well as unusual or suspicious activities that may indicate a potential threat.

  • Incidents: Incidents are events that have the potential to compromise the security of an organization's systems or networks. These may include cyber-attacks, malware infections, or other security breaches.

  • Efficacy: Efficacy refers to the ability of a security measure or control to effectively prevent or mitigate a particular threat. This may be evaluated based on the effectiveness of the measure or control in practice, as well as its cost and any other factors that may impact its use.

Event and Incident Categorization

As a security analyst, it is important to carefully analyze data ingested into a SIEM platform or ticketing system in order to accurately determine the categorization of events and identify potential incidents. This can be a challenging task, as it requires a thorough understanding of security protocols, incident response procedures, and the various types of threats that an organization may face.

Here are some steps that a security analyst might take when performing analysis of events:

  1. Review and assess the data: The first step in analyzing events is to review and assess the data that has been ingested into the SIEM platform or ticketing system. This may involve reviewing logs, network traffic, or other data sources to identify any unusual or suspicious activities.

  2. Determine the nature and scope of the event: Once the data has been reviewed and assessed, the next step is to determine the nature and scope of the event. This may involve identifying the type of event, such as a cyber-attack, malware infection, or other security breach, and determining the extent to which the event has impacted the organization's systems and networks.

  3. Assess the risk potential: After the nature and scope of the event has been determined, the security analyst should assess the risk potential of the event. This may involve evaluating the likelihood that the event will result in harm or damage to the organization, as well as the potential impact if it does occur.

  4. Determine the appropriate response: Once the nature, scope, and risk potential of the event have been determined, the security analyst should determine the appropriate response. This may involve activating the organization's incident response plan and activating the appropriate response team, depending on the nature and severity of the event.
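The four steps above, as an added example that is not part of the original page: a small Python triage pass over constructed log lines that consolidates them (step 1), reads their nature and scope from type and volume (step 2), scores risk as likelihood times asset criticality (step 3) and maps the result to a response (step 4). The criticality and likelihood tables, the thresholds and the log format are hypothetical values a SOC would tune for its own environment.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed log lines in a normalized key=value shape (not real data): a normal
# workstation session, one malware hit on a database host and 60 failed VPN logins.
RAW_LOGS = """\
2024-01-01T08:00:01 host=ws-01 user=alice type=login_success
2024-01-01T08:00:05 host=ws-01 user=alice type=login_failure
2024-01-01T08:00:09 host=ws-01 user=alice type=login_success
2024-01-01T08:01:00 host=db-01 user=svc_db type=malware_detected
""" + "".join(f"2024-01-01T08:02:{i:02d} host=vpn-gw user=admin type=login_failure\n" for i in range(60))

# Hypothetical asset criticality (impact, 1..5) and per-type likelihood of harm (0..1).
CRITICALITY = {"ws-01": 1, "db-01": 5, "vpn-gw": 4}
LIKELIHOOD = {"login_success": 0.0, "login_failure": 0.1, "malware_detected": 0.9}
LINE = re.compile(r"^\S+ host=(\S+) user=(\S+) type=(\S+)$")

@dataclass
class Triage:
    host: str
    user: str
    nature: str
    category: str   # "event" or "incident"
    risk: float     # likelihood x impact
    response: str

def review(raw):
    """Step 1: parse and consolidate; repeated lines for one host/user/type become one finding."""
    counts = Counter()
    for line in raw.splitlines():
        m = LINE.match(line)
        if m:
            counts[m.groups()] += 1
    return [(host, user, kind, n) for (host, user, kind), n in counts.items()]

def assess(host, user, kind, count):
    # Step 2: nature and scope. Volume changes the reading of a login failure.
    likelihood, nature = LIKELIHOOD.get(kind, 0.5), kind  # unknown types get a neutral score
    if kind == "login_failure" and count >= 50:
        likelihood, nature = 0.7, "brute_force_suspected"
    # Step 3: risk potential = likelihood x impact on the affected asset.
    risk = round(likelihood * CRITICALITY.get(host, 3), 2)
    category = "incident" if risk >= 1.0 else "event"  # potential to compromise the asset
    # Step 4: response proportional to risk.
    if risk >= 3.0:
        response = "activate IR plan; escalate to DFIR"
    elif category == "incident":
        response = "open ticket; analyst investigation"
    else:
        response = "log only"
    return Triage(host, user, nature, category, risk, response)

def triage(raw):
    return [assess(*finding) for finding in review(raw)]
```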

SOC Technologies

SOC technologies are the tools and systems SOC teams use to monitor for, detect and prevent cybersecurity threats. Some common SOC technologies include:

  1. Security information and event management (SIEM) systems: These consolidate and analyze log data from various sources, such as network devices, servers, and applications, to identify potential threats and alert the SOC.

  2. Network intrusion detection and prevention systems (IDS/IPS): These monitor network traffic in real time and detect and block malicious activity, such as attempted cyber-attacks.

  3. Vulnerability assessment and management tools: These scan networks and systems to identify and prioritize vulnerabilities that need to be addressed.

  4. Endpoint security solutions: These protect individual devices, such as computers and servers, from threats such as malware.

  5. Threat intelligence platforms: These provide the SOC with information about the latest threats, including indicators of compromise and tactics, techniques, and procedures (TTPs) used by attackers.
