---
title: 'SOC Operations'
disqus: hackmd
---

SOC Operations 101
===

## Table of Contents
[TOC]

## Introduction
A Security Operations Center (SOC) is a team of IT security professionals tasked with monitoring, preventing, detecting, investigating, and responding to threats within a company’s network and systems.

SOC operations can combine several tools and techniques, such as:

* EDR: Endpoint Detection and Response, a solution that provides the following key functions on network endpoints:
    1. Detection
    2. Response
    3. Forensics
    4. Insights
* XDR: Extended Detection and Response
* MDR: Managed Detection and Response

SOC operations combine people, processes, and technologies (tools) to monitor, manage, and respond to the various security issues facing the organization or its clients.

SOC Roles
---
* Tier 1: Typically consists of analysts who monitor incoming alerts, verify them, respond to simple incidents, and escalate tickets to Tier 2 where necessary. They can also configure and manage security tools and develop and implement basic IDS signatures.
* Tier 2: Consists of incident responders who are responsible for the deep investigation of incidents and who advise on remediation.
* Tier 3: Consists of threat hunters with expert-level skills in network, endpoint, threat intelligence, and malware reverse engineering. They trace the path of malware to determine its impact and how to remove it, and they hunt for zero-day threats in the network.
* SOC manager: Manages the SOC's resources and is the point of contact for other departments or customers.

SOC Metrics
---
SOC metrics measure the performance of the SOC against security incidents and threats.
They include:

* Dwell Time: How long the threat actor was in the network before they were detected.
* Mean time to detect (MTTD): The average time it takes SOC personnel to identify that a valid security incident has occurred in the network.
* Mean time to respond (MTTR): The average time it takes to stop and remediate a security incident.
* Mean time to contain (MTTC): The time required to stop the incident from causing further damage to systems or data.
* Time to Control: The time required to stop the spread of malware in the network.

Tools / Technologies
---

SIEM
---
This is a technology that makes sense of all the data that the nodes in a network generate, including devices such as firewalls, network appliances, workstations, IDS, and IPS. A Security Information and Event Management (SIEM) system consists of SIM and SEM:

* Security information management (SIM) deals with historical events and data, for later analysis of the cause of events.
* Security event management (SEM) deals with real-time events and data, using automated reporting tools for real-time correlation.

A SIEM must be:

* Aware of all nodes attached to the network
* Able to collect event and log data from all relevant elements

Additionally, SIEMs collect and filter data to detect and classify threats and incidents. They can also manage resources that implement preventive measures and address future threats. These can be SOC technologies like:

* Event collection, correlation, and analysis
* Security monitoring
* Security control
* Log management
* Vulnerability assessment
* Vulnerability tracking
* Threat intelligence

SIEM and SOAR are often paired together, as their functionalities complement each other to optimize the SOC. SOARs are similar to SIEMs in that they collect, correlate, and analyze alerts. However, they go a step further by integrating threat intelligence and automating incident investigation and response based on playbooks that the security team creates.
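The SIEM functions listed above (event collection, normalization of different log formats, correlation, and alerting) are easiest to see in a small worked pipeline. The following Python script is an added example written for this note; it is not code from any SIEM product. The sshd and firewall log lines are constructed samples, the year 2024 is assumed because syslog lines carry no year, and the rule thresholds (3 failures in 5 minutes) are illustrative choices, not values from the page.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample logs (not real events). Syslog lines carry no year, so 2024 is assumed below.
SSHD_LOG = """
Mar 12 10:00:01 web01 sshd[2201]: Failed password for admin from 203.0.113.5 port 51000 ssh2
Mar 12 10:00:07 web01 sshd[2201]: Failed password for admin from 203.0.113.5 port 51002 ssh2
Mar 12 10:00:13 web01 sshd[2203]: Failed password for root from 203.0.113.5 port 51004 ssh2
Mar 12 10:00:40 web01 sshd[2207]: Accepted password for admin from 203.0.113.5 port 51010 ssh2
Mar 12 10:05:00 web01 sshd[2300]: Failed password for bob from 198.51.100.9 port 40000 ssh2
Mar 12 10:30:00 web01 sshd[2350]: Accepted publickey for alice from 10.0.0.15 port 42000 ssh2
""".strip().splitlines()

FIREWALL_LOG = """
2024-03-12T09:59:50Z fw01 action=deny src=203.0.113.5 dst=10.0.0.7 dpt=3389
2024-03-12T09:59:55Z fw01 action=allow src=203.0.113.5 dst=10.0.0.7 dpt=22
2024-03-12T10:29:58Z fw01 action=allow src=10.0.0.15 dst=10.0.0.7 dpt=22
""".strip().splitlines()

SSHD_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) \w+ for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)"
)
FW_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<kv>.+)$")


def parse_sshd(line, year=2024):
    """Normalize an sshd syslog line into the common event schema; None for lines the rule does not need."""
    m = SSHD_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "source": "sshd", "host": m["host"], "src_ip": m["ip"],
            "user": m["user"], "outcome": "failure" if m["outcome"] == "Failed" else "success"}


def parse_firewall(line):
    """Normalize a key=value firewall line into the same schema (outcome = allow/deny)."""
    m = FW_RE.match(line)
    if not m:
        return None
    kv = dict(part.split("=", 1) for part in m["kv"].split() if "=" in part)
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return {"ts": ts, "source": "firewall", "host": m["host"], "src_ip": kv.get("src"),
            "user": None, "outcome": kv.get("action"), "dst_port": kv.get("dpt")}


def collect(sshd_lines, firewall_lines):
    """Collection step: parse every source, drop unparseable lines, and order events by time."""
    events = [e for e in map(parse_sshd, sshd_lines) if e]
    events += [e for e in map(parse_firewall, firewall_lines) if e]
    return sorted(events, key=lambda e: e["ts"])


def correlate(events, threshold=3, window=timedelta(minutes=5)):
    """Correlation rule: >= threshold failed logins from one source IP inside `window`.
    A success from the same IP inside the window after the burst raises severity to high;
    firewall events for that IP are attached as supporting context (cross-source correlation)."""
    auth_by_ip = defaultdict(list)
    for e in events:
        if e["source"] == "sshd":
            auth_by_ip[e["src_ip"]].append(e)

    alerts = []
    for ip, auth in auth_by_ip.items():
        failures = [e for e in auth if e["outcome"] == "failure"]
        for start in failures:
            burst = [f for f in failures if start["ts"] <= f["ts"] <= start["ts"] + window]
            if len(burst) < threshold:
                continue
            success = next((s for s in auth if s["outcome"] == "success"
                            and burst[-1]["ts"] <= s["ts"] <= start["ts"] + window), None)
            fw_context = [e for e in events if e["source"] == "firewall" and e["src_ip"] == ip]
            alerts.append({
                "rule": "ssh_bruteforce",
                "severity": "high" if success else "medium",
                "src_ip": ip,
                "host": burst[0]["host"],
                "failed_logins": len(burst),
                "users": sorted({f["user"] for f in burst}),
                "success_at": success["ts"].isoformat() if success else None,
                "firewall_events": len(fw_context),
            })
            break  # one alert per source IP per run
    return alerts


def run_sample():
    return correlate(collect(SSHD_LOG, FIREWALL_LOG))


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

Run as a script it emits one alert for 203.0.113.5: three failures followed by a success, with the two firewall records for that address attached. This is the shape of the SIM/SEM split described above: the parsers and the sorted event store are the "information" side, while `correlate` is the real-time "event" side that turns raw lines into something a Tier 1 analyst can triage. A SOAR playbook would start from that alert dictionary (enrich the IP, open a ticket, block at the firewall) rather than from the raw logs.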
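The metrics in the SOC Metrics section above are defined in prose; the script below, added to this note as an example and not taken from any SOC tool, shows how they are computed from an incident's lifecycle timestamps. The `Incident` fields (`first_activity`, `detected`, `contained`, `remediated`) and the three sample tickets are constructed assumptions. Dwell time is taken per incident as `detected - first_activity`, so MTTD is its mean; MTTC and MTTR are measured from detection to containment and to remediation respectively, following the definitions above.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean


@dataclass(frozen=True)
class Incident:
    """Lifecycle timestamps of one confirmed incident (field names are assumptions for this example)."""
    ticket: str
    first_activity: datetime   # earliest evidence of attacker activity found during investigation
    detected: datetime         # SOC confirmed a valid incident
    contained: datetime        # further damage stopped (isolation, account disable, block)
    remediated: datetime       # root cause removed, systems restored

    def dwell_time(self) -> timedelta:
        # Dwell time: how long the actor was in the network before detection
        return self.detected - self.first_activity

    def time_to_contain(self) -> timedelta:
        return self.contained - self.detected

    def time_to_respond(self) -> timedelta:
        # Measured from detection until the incident is fully remediated
        return self.remediated - self.detected


def build_incident(ticket: str, first_activity: str, detected: str,
                   contained: str, remediated: str) -> Incident:
    """Parse ISO-8601 strings and reject timelines that run backwards, a data-entry
    error that would otherwise produce negative durations and silently skew the averages."""
    stamps = [datetime.fromisoformat(t) for t in (first_activity, detected, contained, remediated)]
    inc = Incident(ticket, *stamps)
    if not (inc.first_activity <= inc.detected <= inc.contained <= inc.remediated):
        raise ValueError(f"{ticket}: timestamps must be ordered first_activity <= detected <= contained <= remediated")
    return inc


def hours(td: timedelta) -> float:
    return td.total_seconds() / 3600


def soc_metrics(incidents: list) -> dict:
    """Aggregate the per-incident durations into the SOC-level metrics."""
    if not incidents:
        raise ValueError("no incidents to measure")
    return {
        "MTTD_hours": mean(hours(i.dwell_time()) for i in incidents),
        "MTTC_hours": mean(hours(i.time_to_contain()) for i in incidents),
        "MTTR_hours": mean(hours(i.time_to_respond()) for i in incidents),
        "max_dwell_hours": max(hours(i.dwell_time()) for i in incidents),
    }


# Constructed sample incidents (not real data)
SAMPLE_INCIDENTS = [
    build_incident("INC-1001", "2024-03-01T02:15", "2024-03-03T08:15", "2024-03-03T10:45", "2024-03-04T08:15"),
    build_incident("INC-1002", "2024-03-10T14:00", "2024-03-10T14:30", "2024-03-10T15:00", "2024-03-11T14:30"),
    build_incident("INC-1003", "2024-03-15T08:00", "2024-03-16T07:30", "2024-03-16T09:00", "2024-03-18T07:30"),
]


def sample_report() -> dict:
    return soc_metrics(SAMPLE_INCIDENTS)


if __name__ == "__main__":
    for name, value in sample_report().items():
        print(f"{name:>16}: {value:6.2f}")
```

The maximum dwell time is reported alongside the mean because a single long-undetected intrusion (INC-1001 here, at 54 hours) is what the metric is meant to surface, and an average over many quickly caught incidents can hide it.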
###### tags: `SOC` `SIEM` `SOAR`