Power of Security Operation Center
Cyber Threat

Power of Security Operation Center

Project Name: Power of Security Operation Center

Description: – Power of Security Operation Center is a concept of a highly skilled expert team working towards continuously monitoring and improving organizations security in the process of prevention, careful planning, detection and responding with a well-defined process. In order to keep the organization secured continuous effort and team communication and improvement is required in the process. The information regarding these critical activities, data, tools should be prepared in hand so that there wouldn’t arise any need to hunt for resolution information while the attacker is already entered in the system.

Author: Rohit D Sadgune / Amruta Sadgune

FAQ:-

  1. Security Operation Center components
  2. What is Power of Security Operation Center

    PROCESSES

    Adoption to a process has become a necessity to be successful, more efficient and effective. It acts like a connection between people and the technology. At multiple instances, people need to take proactive decisions, as it’s not a simple task to make the machine run 24 hours a day and 7 days a week. Setting up the right team and getting them to follow the right tasks is achieved through a well-defined process.

    Incident Triage

    Can be said as a first post –detection Incident response process, it can be a false positive as well. Here the respondent need to acknowledge the incidents and also determine the relevance and urgency. Triage Specialist are responsible for configuring security monitoring tools.

    Incident Reporting

    Reporting is an essential component in order for an incremental understanding of risks and opportunities. Team members are responsible for reviewing the attacks forwarded from Incident triage. Determine the appropriate response for the incidents and also to determine the potential impact of the incidents.

    Incident Analysis

    SOC incidents are based on the alerts, SIEM (Security Information Event Management) alerts could be false positive or false negative. For validating the results SOC Analyst needs to have a detailed knowledge about the source of the alerts. Identifying the affected system and scope of the attacks. Digging into to find out the root cause of the issue.

    Incident Closure

    Once the incident is being identified and the SOC analyst has validated the result as true positive. The remediation process needs to be considered as a top priority. In an incident closure the primary objective of SOC analyst is to co-relate all the different devices and form a context from it. Once the context is clear the SOC Analyst will give proper recommendation for the respective indicator of compromise or indicator of attack.

    Post incident

    Once an incident is being closed different teams which includes the infrastructure team, DEVOPS team and DB operations team etc. Would share all their inputs to the Security Operation Center and based on all these inputs the SOC Analyst will be creating new use cases and would keep a separate eye for all the use cases for a specific period of time. This monitoring will be done to track back for any backdoor or residue that has been left by an adversary.

    Vulnerability Discovery

    We can imagine this model to be the similar to the process of finding the defects in a software during the testing phase. Vulnerabilities can re-present a very high risk for any organizations. Vulnerability Discovery is divided into 4 phases

    1. Discovery of Device or Application.
    2. Service Enumeration
    3. Scanning.
    4. Verification

    Vulnerability Remediation

    Each organization needs to work on the remediation process before attackers take benefit from the organization weakness. This process involves

    1. The implementation of threat modelling and monitoring which allows the security operations team to constantly gather intelligence about the past, current and the upcoming threats that may affect the enterprise posture.
    2. Enforcing standard baselines and configuration for each device which comes under critical enterprise posture.
    3. Continuous Vulnerability Assessment of all the critical devices as well as application once they have been changed even on the a small modification in the configuration or code.
    4. The system developers need to release the patches on priority once the vulnerability is discovered. Before applying the patch, one needs to verify the effects of patches in a separate network environment.

     

    SOC Process
    SOC Process

     

    PEOPLE

    A SOC team may comprise of different skilled people operating at different levels. We can figure out few titles as below

    Alert Analyst:  This member is responsible for continuously monitoring alert queue for security alerts. Collect and document data for Suspicious Activity, account and transaction data and to provide it as an input to the next level for investigation.

    Required Skills of People

    • Governance
    • Structure
    • Experience
    • Training and Certification

     TECHNOLOGY

    In Security operations Center technology places a very important role. Multi-dimensional and multilevel technology needs to collaborate in effective way so that they can secure enterprise posture for a longer period of time. The technology involves Next generation SIEM Solutions, End point protections, threat hunting technologies, vulnerability assessment technologies. APT (Advance Persistence Technologies), Deception Technologies.

    Vulnerability Tracking

    Vulnerability tracking can be identified using different vulnerability feeds, Vulnerability Databases,

    Mitre common vulnerabilities and exposure (CVE), CERT Vulnerability Databases, Defense Information System Agency (DISA) Databases, Information Assurance vulnerability Alerts (IAVA) Database, securitytracker.com, Open Vulnerability and assessment language (OVAL), Security Technical Implementation Guides (STIG) which are common vulnerability assessment sources.

     Vulnerability Assessment

    The technologies in this area needs to support the following aspect of vulnerability assessment.

    Vulnerability Assessment is majorly dived into 6 parts

    1. External Assessment : Identifying weakness from on outside network
    2. Internal Assessment: Identify vulnerabilities for the internal posture of the network.
    3. Social Engineering : Explore gaps of human interactions in the enterprise in training’s.
    4. Wireless Assessment : Identifying weakness from inside/outside wireless network.
    5. Physical Security Assessment : Identifying weakness from inside/outside network.
    6. Application and Database Assessment : Identifying weakness from inside/outside network.

    The SOC analyst will ensure following things using vulnerability assessment technology

    1. Continuously scan and monitor vulnerabilities of enterprise posture.
    2. Run automatic scan after specific duration
    3. Validate all the vulnerabilities or the weakness for the devices, applications, database or the infrastructure which is public facing
    4. Create custom policies. Identify new threats and add those threats for regular scan.
    5. Monitor Network infrastructure passively.
    6. Identify the sectors, zones of the network infrastructure where it is the most vulnerable.
    7. Mark intrusion threats as critical ones and keep a separate eye on them.
    8. Create custom dashboards which should be categorized as critical assets, top vulnerabilities and compliance.

    Log management

    Collecting the aggregation of right data for analysis considering all the log sources that is, events of your complete enterprise posture of in centralized repository. Converting log data in usable, searchable and understandable format which is nothing but normalization.

    Which logs needs to be considered for the security operation process?

    1. End point protection logs
    2. Home grown application logs
    3. IDS/ IPS Logs
    4. Firewall
    5. Identity and Access management logs
    6. Network devices like Routers and Switches
    7. All Operating System Logs
    8. Vulnerability Management and Proxy Logs

    Control

    For more information please follow the below

    Link: Cyber Security Controls

    Cyber Visibility

    In Security Operation Center visibility is a very crucial factor to play. SOC analyst need to have visibility on following point

    1. Critical Assets
    2. Network Devices and how they are functioning
    3. Systems (Servers / Workstations)
    4. Network Flow (Packet Analytics)
    5. Digital Forensics & Incident Response

    Events Collection, Correlation and Analysis

    Security Operation Center analyst will spend more time on event collection which is about aggregation, correlating different data sources back to IP, system(host) or entity(account/user).

    Log Analysis is the process of inspecting logs for monitoring security aspects. Log analysis covers following point.

    1. Collection of Log Data
    2. Clearing unwanted data (Filter Data it is required)
    3. Normalization of Data
    4. Analysis of Data
Log Analytics
Log Analytics
Benefits of Log Analysis
  • Proactive Log Processing
  • Integration of Different Data Sources
  • Log Monitoring
  • Use Cases Alerts and Incident Notifications
  • Compliance Management
  • Creating Complex use cases
  • Threat discovery and hunting

No Comments

Leave a Reply

Your email address will not be published. Required fields are marked *

*

Cyber Threat
Indicator of Attack vs Indicator of Compromises

Indicator of Attack vs Indicator of Compromises Project Name: Indicator of Attack vs Indicator of Compromises (IOA vs IOC) Description: –  Cyber Threats are nothing but system to system attack that creates adversary’s efforts on the confidentiality, integrity, or availability of a digital information resident on system. Cyber-attacks are increasing in …

How to keep your cell phones secure
Cyber Threat
How to keep your cell phones secure

How to keep your cell phones secure Project Name: How to keep your cell phones secure Description: Mobile malware is spreading exponentially today, stealing personal and professional information which may ruin one’s financial, professional and mental health. This blog shares all simple tips to understand how one’s cell phone can be …

Cyber Security Lifecycle
Cyber Threat
1
Cyber Security Lifecycle

Cyber Security Lifecycle Project Name: Cyber Security Lifecycle Description: Without applying a Lifecycle mechanism to a cyber security in any organization there arises an increased risk of cyber threats affecting the system. A systematic approach in any organization delivers and resist the cyber-attacks, persistent threats to a great extent. The cyber …

%d bloggers like this: