
Chapter 4: Security Operations Centers (SOC) - Detailed Summary

Security Management and Operations:

• Definition and Importance:

• Security management involves systematic, repetitive activities to maintain an organization's security posture. This includes both the physical safety and the digital security of assets.

• The main purpose is to protect the organization's assets, such as information, hardware, and software, from malicious activities, ensuring the confidentiality, integrity, and availability (CIA) of these assets and services.

• It involves implementing and maintaining policies, standards, procedures, and guidelines to mitigate risks.

• Security activities involved in Security Management (Key Components):

• Security Infrastructure: Protects the perimeter, network, endpoints, applications, and data using preventive, detective, and corrective information security controls.

• Security Prevention: Services such as vulnerability management and penetration testing to scan, test, identify, and remediate threats.

• Compliance and Validation: Governance, risk, and compliance programs (e.g., an ISO 27001 readiness assessment) to ensure business continuity without risks.

• Security Operations: Real-time security alerting, threat analysis and intelligence, correlation, incident reporting, detection, and response, performed by SOCs (work based on a SIEM).

Security Operations Center (SOC):

• Definition and Function:

• A SOC is a centralized unit that continuously monitors, manages, and analyzes activities on an organization's information systems (networks, servers, endpoints, databases, applications, and websites).

• Its goal is to maintain business continuity by preventing, detecting, prioritizing, and responding to intrusion events before they affect the business.

• A well-defined security operation should specialize in intelligence, incident management, access control, loss control, risk management, and forensics.

• It provides a single viewpoint for monitoring, assessing, and defending an organization's security and assets.

• It involves a predefined set of processes and services to be followed during daily security operation tasks, based on the organization's security baselines.

• SOC Functions (Tasks):

• Security Monitoring: Collecting and analyzing information to identify abnormal behavior and unusual activities, and escalating malicious activities to incident response systems.

• Security Incident Management: Detecting, managing, and monitoring security vulnerabilities in real time with minimal adverse impact.

• Vulnerability Management: Continuously monitoring, triaging, and mitigating system vulnerabilities (a cyclical process).

• Security Device Management: Maintaining and managing the security infrastructure and devices, and updating software.

• Network-flow Monitoring: Detecting and analyzing packet flows (inflow and outflow) and generating alerts for suspicious activities.

• SOC Responsibilities:

1. Proactively identify suspicious activities.

2. Perform vulnerability management.

3. Maintain awareness of hardware and software assets.

4. Manage logs for forensic analysis during security breaches.

5. Evaluate policies and procedures.

6. Ensure proper internal controls and processes.

SOC Capabilities:

1. Preventing Capability:

• Stopping attacks using fine-tuning and maintenance tools.

• Directing Incident Response Teams to perform security monitoring, detect risks, and design solutions.

2. Detection Capability:

• Monitoring systems to identify suspicious activities and security breaches.

• Collecting, analyzing, and correlating security events to trigger alerts.

3. Responding Capability:

• Analyzing and handling alerts and security incidents immediately.

4. Reporting Capability:

• Providing reports and dashboards on security events, compliance levels, and alarms generated.

SOC Operations or Processes:

1. Preparation, Planning, and Prevention:

• Asset Inventory: Maintaining an inventory of the protected assets (for example, applications, databases, servers, cloud services, and endpoints).

• Routine Maintenance and Preparation: Performing preventive maintenance, such as applying patches and updates, to maximize security effectiveness.

• Incident Response Planning: Developing incident response plans that detail the activities, roles, and responsibilities during threats or incidents.

• Regular Testing: Conducting vulnerability assessments to identify potential threats and costs.

• Staying Current: Keeping up with the latest security solutions, technologies, and threat intelligence.

2. Monitoring, Detection, and Response:

• Continuous Monitoring, around the clock: 24/7/365 security monitoring of the IT infrastructure.

• Log Management: Collecting and analyzing log data to establish normal activity and reveal anomalies.

• Threat Detection: Sorting through data to identify and triage threats by severity.

• Incident Response: Limiting damage from incidents. Actions include:

o Root cause investigation.
o Shutting down compromised endpoints or disconnecting them from the network.
o Isolating compromised areas of the network or rerouting network traffic.
o Pausing or stopping compromised applications or processes.
o Deleting damaged or infected files.
o Running antivirus or anti-malware software.
o Decommissioning passwords for internal and external users.

3. Recovery, Refinement, and Compliance:

• Recovery and Remediation: Eradicating threats and recovering impacted assets to their pre-incident state.

• Post-Mortem and Refinement: Using incident insights to update processes, policies, and tools (using any new intelligence gained from the incident to better address vulnerabilities).

• Compliance Management: Ensuring adherence to data privacy and security standards.


SOC Workflow:

1. Collection: Gathering security logs and forwarding them to SIEM.

2. Ingestion: Processing log data, threat information, and asset inventory.

3. Validation: Identifying and validating indicators of compromise.

4. Reporting: Submitting validated incidents to incident response teams.

5. Response: Performing incident response activities.

6. Documentation: Documenting incidents for business audits.

Components of SOC:

1. People: Security talent responsible for executing the SOC's functions, including security operators, analysts, and pen testers, whether internal or outsourced. Their roles include responding to incidents immediately and communicating with security teams.

2. Processes: Planned specifically for security monitoring and administration, acting as the connection between people and technology to track and identify suspicious incidents.

3. Technology: Tools that facilitate automatic incident analysis, threat detection and prevention, event triage, and more. Examples include SIEM solutions, IDS, IPS, firewalls, database activity monitoring, and automated assessment tools.

Component 1: People

• Responsibilities of SOC Analyst:

o Maintains email addresses and distribution lists, answers SOC phone lines, and updates required documentation.
o Performs security research and gathers information about identified threats and vulnerabilities.
o Documents initial investigation results and forwards them to a level-2 analyst for final investigation.

• Responsibilities of Incident Responder:

o Analyzes networks and systems for threats.
o Detects security risks and vulnerabilities and suggests appropriate responses to them.
o Conducts malware analysis and reverse engineering.
o Prepares risk assessment reports for management, administrators, and end users.
o Communicates with other threat analysts to define correct security plans.

• Responsibilities of Threat Hunter:

o Proactively detects and neutralizes the advanced security incidents that automated security solutions are not able to find.
o Collects various information about identified potential threats, such as their behavior, goals, and methods.
o Analyzes the collected information and provides appropriate countermeasures.

• Responsibilities of SOC Manager:

o Tracks security operations.
o Examines policy compliance and regulatory compliance.
o Manages team members and communicates with other departments to minimize risks.
o Documents and defines a security incident response plan.
o Audits security policies and controls regularly.
o Evaluates and implements new tools and technology.
o Keeps track of security tools and technologies.

Component 2: Technology:

• Multidimensional and multilevel technology should participate in an efficient manner to protect the systems, programs, and solutions from unauthorized access over a long period of time.

• It may include SIEM solutions, Intrusion Detection Systems (IDS), Intrusion Prevention Systems (IPS), firewalls, Database Activity Monitoring (DAM), dashboards, a ticketing system, and automated assessment tools.

• The technology component of a SOC comprises the technical capabilities for monitoring system logs, detecting security incidents, performing investigations, analyzing network traffic, and monitoring threat intelligence inputs. It supports and increases the capabilities of the SOC.

SOC Models:

1. Internal SOC:

• Description: The organization maintains its own SOC with a dedicated security team.

• Benefits: High control over and customization of security operations.

• Drawbacks: Significant investment in personnel, technology, and infrastructure, and maintaining 24/7 operations.

• Example: A large financial institution with a complex IT environment and a high tolerance for risk might choose to invest in an internal SOC to maintain complete control over its security posture.

2. Virtual SOC (vSOC):

• Description: SOC functions are outsourced to an MSSP.

• Benefits: Cost-effective, without building and maintaining the organization's own infrastructure.

• Drawbacks: Less control over security operations.

• Example: A medium-sized company with a growing IT environment might choose a vSOC to gain access to advanced security expertise without the high cost of an internal SOC.

3. Co-Managed SOC:

• Description: Responsibility is shared between the organization and an MSSP.

• Benefits: A balance between control and cost-effectiveness.

• Drawbacks: Requires good communication and collaboration.

• Example: A retail company with a security-conscious culture might choose a co-managed SOC to benefit from the MSSP's expertise while keeping some security tasks in-house for its own security team.

4. Global SOC:

• Description: A centralized SOC for multinational organizations.

• Benefits: Consistent and centralized security management.

• Drawbacks: Significant investment in infrastructure and personnel.

• Example: A large multinational corporation with offices worldwide might choose a global SOC to ensure a consistent security posture across all locations and leverage economies of scale.

5. Outsourced External SOC:

• Description: All SOC functions are outsourced to an MSSP.

• Benefits: The most cost-effective option.

• Drawbacks: The least control over security operations.

• Example: A small startup with limited IT resources might choose an outsourced external SOC to gain access to essential security monitoring and response capabilities without the overhead of building its own SOC.

SOC Implementation Phases:

1. Planning: Setting goals and security management requirements.

2. Designing and Building: Selecting technology and building SOC infrastructure.

3. Operating: Running the SOC, overcoming initial challenges.

4. Reviewing and Reporting: Identifying areas for improvement and ensuring proper operation.

SOC Key Performance Indicators (KPI):

KPIs are a series of measurements used to analyze the performance of an activity. A KPI should be SMART: Specific, Measurable, Actionable, Relevant, Timely.

o Specific means it should evaluate the attribute of the system directly; it should not depend on the measurements of other systems or on the integration of different systems.
o Measurable means KPIs should provide accurate and complete information.
o Actionable means it should provide information that is easy to review and on which appropriate action can be taken.
o Relevant means it should be able to provide relevant data from the collected information.
o Timely means it should provide information when it is required.

• Client Satisfaction: Time to answer and satisfy client inquiries.

• Transfer Rate: Incidents transferred due to improper handling.

• Operations Audit: Validating organizational efficiency and effectiveness.

• System Availability and Accessibility: Measuring system reliability.

• Incident Response Time: Speed of SOC response to incidents.

• False Positive Rate: Accuracy of threat detection.

• Mean Time to Detect (MTTD): Average time to identify threats.

• Mean Time to Resolve (MTTR): Average time to resolve incidents.

• Percentage of Incidents Resolved: Effectiveness of incident response.

• First Contact Resolution Rate: Incidents resolved on first contact.

• Incident Classification Accuracy: Correctness of incident classification.

• Compliance Score: Adherence to security standards.

• Security Tool Effectiveness: Efficiency of deployed security tools.

• Some efficiency measures:

o Number of security events input into the SOC
o Number of data points gathered and analyzed
o Types of data collected and assessed
o Number of incidents/events
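
Several of the KPIs listed above (MTTD, MTTR, false positive rate, percentage of incidents resolved, incident classification accuracy, and transfer rate) can be computed directly from the fields a SOC ticketing system keeps for each alert. The Python below is an added example, not part of the chapter, that computes them over a small set of constructed incident records. The definitions it assumes are: MTTD is detection time minus the time the incident actually began, over true positives only; MTTR is resolution time minus detection time, over resolved true positives only; both are reported in hours. The record layout and the "occurred"/"detected"/"resolved" field names are this example's own assumptions.

```python
from datetime import datetime
from statistics import mean

# Constructed incident records (not from the chapter). Times are ISO 8601 strings as a
# ticketing system would export them; "occurred" is when the attacker activity actually
# began (unknown for a false positive), "resolved" is None while the incident is open.
INCIDENTS = [
    {"id": "INC-1", "occurred": "2024-03-10T08:00:00", "detected": "2024-03-10T08:30:00",
     "resolved": "2024-03-10T12:30:00", "true_positive": True,
     "initial_class": "malware", "final_class": "malware", "transferred": False},
    {"id": "INC-2", "occurred": "2024-03-10T09:00:00", "detected": "2024-03-10T10:00:00",
     "resolved": "2024-03-10T11:00:00", "true_positive": True,
     "initial_class": "phishing", "final_class": "phishing", "transferred": False},
    # A false positive: no real incident start time, closed quickly as benign.
    {"id": "INC-3", "occurred": None, "detected": "2024-03-10T10:15:00",
     "resolved": "2024-03-10T10:20:00", "true_positive": False,
     "initial_class": "intrusion", "final_class": "benign", "transferred": False},
    # Still open, misclassified at triage, and handed to another team.
    {"id": "INC-4", "occurred": "2024-03-10T06:00:00", "detected": "2024-03-10T07:30:00",
     "resolved": None, "true_positive": True,
     "initial_class": "intrusion", "final_class": "data_exfiltration", "transferred": True},
    {"id": "INC-5", "occurred": "2024-03-10T12:00:00", "detected": "2024-03-10T12:00:00",
     "resolved": "2024-03-10T13:00:00", "true_positive": True,
     "initial_class": "dos", "final_class": "dos", "transferred": False},
]


def hours_between(start: str, end: str) -> float:
    """Elapsed time in hours between two ISO 8601 timestamps."""
    delta = datetime.fromisoformat(end) - datetime.fromisoformat(start)
    return delta.total_seconds() / 3600


def mean_or_none(values):
    """Mean of an iterable, or None when there is nothing to average."""
    values = list(values)
    return mean(values) if values else None


def soc_kpis(incidents):
    """Compute the chapter's measurable KPIs over a list of incident records."""
    total = len(incidents)
    if total == 0:
        return None
    true_positives = [i for i in incidents if i["true_positive"]]
    resolved_tp = [i for i in true_positives if i["resolved"] is not None]
    return {
        # MTTD: average time from the incident starting to the SOC detecting it.
        "mttd_hours": mean_or_none(
            hours_between(i["occurred"], i["detected"]) for i in true_positives),
        # MTTR: average time from detection to resolution, over resolved incidents only.
        "mttr_hours": mean_or_none(
            hours_between(i["detected"], i["resolved"]) for i in resolved_tp),
        # Share of alerts that turned out not to be real incidents.
        "false_positive_rate": (total - len(true_positives)) / total,
        # Share of confirmed incidents that have been closed.
        "percent_resolved": (100.0 * len(resolved_tp) / len(true_positives)
                             if true_positives else None),
        # How often the triage classification matched the final one.
        "classification_accuracy": sum(
            i["initial_class"] == i["final_class"] for i in incidents) / total,
        # Share of incidents handed off because of improper initial handling.
        "transfer_rate": sum(i["transferred"] for i in incidents) / total,
    }


if __name__ == "__main__":
    for name, value in soc_kpis(INCIDENTS).items():
        print(f"{name:25s} {value}")
```

Open incidents are excluded from MTTR rather than counted as zero, and false positives are excluded from MTTD, because including either would make the averages look better than the SOC's real performance.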

SOC vs. NOC (Network Operations Center):

• NOC Responsibilities:

o 24/7 network, hardware, and software health and optimization.
o Monitors network activity for performance issues, outages, and potential problems; troubleshoots network connectivity problems.
o Performs routine maintenance tasks to ensure network efficiency.
o Manages network capacity and scaling.
o Responds to user inquiries related to network connectivity.
o Proactive and consistent monitoring.
o Updates and patch management.

• SOC Responsibilities:

o 24/7 real-time network, vulnerability, and endpoint monitoring.
o Comprehensive investigations: understanding how and why a breach occurred can prevent future attacks. Monitors security events and logs for suspicious activity.
o Security policies and processes: ensures all requirements are updated and compliant with the latest regulations.
o Detects and analyzes potential security threats. Responds to security incidents by containing threats and minimizing damage.
o Implements and maintains security measures such as firewalls and intrusion detection systems.

• Differences:

o Different team skillsets: The skillsets required for NOC and SOC personnel differ. NOC technicians need expertise in network troubleshooting and performance optimization, while SOC analysts need a strong understanding of cybersecurity threats and incident response procedures.
o Different objectives and attention: Each function requires a dedicated focus. Merging them could dilute the effectiveness of both teams in managing their core responsibilities.

• Collaboration:

• Shared visibility into network events for effective threat management.

• NOC alerts SOC of suspicious activity; SOC provides security insights.

Log vs. Event vs. Incident

• Logs: A collection of information/data on events, generated in the form of an audit trail by the components of an information system (network, applications, OS, services).

o Logs indicate potential issues, not necessarily faults; likewise, transaction logs, firewall logs, or intrusion prevention system (IPS)/intrusion detection system (IDS) logs do not by themselves represent any fault.

o Logs simply store records of occurrences, which can be analyzed to generate meaningful insights when aggregated.

Log Types

1. Security logging: Records security-related activities such as threats, viruses, data loss, user logins, and unauthorized access.

2. Operational logging: Focuses on system-processing activities, informing administrators of failures and actionable conditions.

3. Compliance logging: Ensures security regulations are followed; part of security logging.

4. Application debug logging: Records debugging logs so developers can detect issues; beneficial for application/system developers.

Events

• Event: An observed change in a system, network, process, workflow, or person; a day-to-day occurrence that may include a potential security risk.

o Can indicate a potential security risk.

o Event examples include: a user signed into the system, router Access Control Lists were updated, a firewall policy was pushed, CPU utilization exceeded 99%, a database was updated, etc., any of which may affect system security and indicate a potential security risk.

• Security events: Events that may affect the security of the system or network and indicate that there may be a violation of security policy or a failure of a security safeguard.

o Can be positive (successful login) or negative (failed login).

• These events are stored as logs and analyzed by the Security Operations Center (SOC).

Events Example

• Server Shutdown/Reboot or Windows Abnormal Shutdown

o Description: Generated when the system restarts or shuts down unexpectedly. It means that the system cannot predict when it is going to shut down.

o Consequences: Misuse can result in denial of service.

Incident

• Security incident: A confirmed event that negatively impacts security, disrupting the confidentiality, integrity, or availability of IT systems.

o Examples: sensitive information disclosure, denial of service attacks, unauthorized access.

Log Advantages

• System monitoring: Provides detailed information on transactions across the environment.

• Troubleshooting: Uses log files to identify and resolve problems.

• Forensics and analysis: Permanent, unalterable records that aid investigations.

• Incident response: Correlation of log events to respond to incidents.

• Compliance: Ensures adherence to laws, rules, and regulations.

Log Content

• User identification, date and time, event type, success or failure, event origination point, description, severity, service name, protocol, and user information.

Logging Approaches

• Local Logging

• Definition: Logs user activities on the host machine, writing the logs into files on local disks.

• Challenges: Managing and analyzing logs across multiple hosts can be difficult.

• Solution: Centralized logging can address the difficulty of managing logs from multiple hosts.

• Examples of Local Logging:

o System crash, shutdown, restart, or startup.

o Failed and successful modification of user credentials and access rights (e.g., account updates, creation, deletion).

o Alteration of user access privileges, in both successful and failed cases.

• Centralized Logging

• Definition: Collecting and aggregating logs generated by network devices on a central server.

• Process: Involves four parts: log collection, transport, storage, and analysis.

• Examples of Centralized Logging:

o Addition/deletion of network devices.

o Changes to network settings.

o Changes to user access to the network.

o Failed and successful user access to the network initiated to/from the computer.

Linux Logs

• Linux logs: Records of activities or events in the Linux OS, including messages about the system, kernel, package managers, boot processes, Xorg, Apache, and MySQL.

• Location: Most logs are in the /var/log directory, in plain ASCII text format.

• Production: Logs are generated by the system log daemon (syslogd) on behalf of the system and applications, whereas some applications write logs directly into the /var/log directory.

• Categories: Linux logs, application logs, event logs, service logs, and system logs.

Directory Examples

1. /var/log/messages or /var/log/syslog

o General messages and system-related information.

o Stores all informational and non-critical messages, such as error messages, startups, shutdowns, and network configuration changes (global system log).

2. /var/log/auth.log or /var/log/secure

o Authentication logs, including successful and unsuccessful login attempts and the authentication methods used.

3. /var/log/kern.log

o Kernel-related information, useful for solving kernel errors and warnings as well as hardware and connectivity issues.

4. /var/log/cron.log

o Information about cron jobs, including successful or failed execution details.

5. /var/log/qmail/

o Information related to qmail logs, helpful for tracking email transmissions.

6. /var/log/httpd/

o Apache web server logs, with access_log and error_log files.

7. /var/log/boot.log

o Information related to system booting.

8. /var/log/mysqld.log

o Debug, failure, and success messages about the [mysqld] and [mysqld_safe] daemons.

9. /var/log/yum.log

o Information on package installations using the yum command, useful for verifying package installations and troubleshooting software issues.

Linux Log Samples from /var/log

1. sshd[12345]: Indicates a successful SSH login session.

o Example: pam_unix(sshd:session): session opened for user johndoe by (uid=0) [remote ip 192.168.1.100]

2. sshd[54321]: Records a failed SSH login attempt.

o Example: Failed password for invalid user root from 10.0.0.1 port 53555 ssh2

o Description:

✓ sshd[12345]: pam_unix(sshd:session): session opened for user johndoe by (uid=0) [remote ip 192.168.1.100]: This indicates a successful SSH login for user "johndoe" from the IP address 192.168.1.100. "sshd" refers to the SSH daemon, "pam_unix" is part of the Pluggable Authentication Modules (PAM) used for authentication, "(uid=0)" signifies the user logged in with root privileges, and the bracketed information shows the remote IP address.

✓ sshd[54321]: Failed password for invalid user root from 10.0.0.1 port 53555 ssh2: This records a failed login attempt for a non-existent user "root" from the IP address 10.0.0.1. The port used was 53555, which is not the standard SSH port (22), suggesting a potential port scanning attempt.

3. sshd[7890]: Successful SSH login using a public key.

o Example: Accepted public key for user alice from 172.16.0.2 port 22 ssh2

4. CRON <user owning cron job>: Indicates a cron job execution.

o Example: pam_unix(session): session opened for user root by (uid=0)

o Description:

✓ sshd[7890]: Accepted public key for user alice from 172.16.0.2 port 22 ssh2: This indicates a successful SSH login for user "alice" using a public key for authentication. The login originated from IP address 172.16.0.2, and the standard SSH port (22) was used.

✓ CRON: (pam_unix:session): session opened for user root by (uid=0): This log entry is related to a cron job execution. The specific user who owns the cron job is mentioned, followed by details similar to a user login, indicating the system created a temporary session to run the cron job with root privileges.
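
The log samples above, together with the Log Content fields and the Log Management and Centralized Logging passages earlier in the chapter, describe what a SOC extracts from /var/log/auth.log once lines from several hosts have been shipped to a central collector. The Python below is an added example, not part of the chapter, that parses a constructed auth.log excerpt (syslog prefix plus messages modelled on the chapter's samples, from two made-up hosts, web01 and db01) into records carrying the Log Content fields, and then applies the simplest per-source baseline: counting failed SSH logins per host and source IP and flagging sources that cross a threshold. The hostnames, timestamps, the extra "admin"/"oracle" failures, the systemd line, and the threshold of three are all constructed for the example. Two points the parser encodes that a practitioner reading these lines should know: the "by (uid=N)" value in a pam_unix session line is the UID of the daemon process that opened the PAM session (sshd and cron both run as root, so it is 0 whichever user logs in), so the code stores it as opened_by_uid rather than as the user's privilege level; and the "port N" in the Failed/Accepted messages is the client's ephemeral source port, which is why repeated failures are keyed on the source IP, not the port.

```python
import re
from collections import Counter

# Constructed sample (not from the chapter): auth.log lines from two hosts after
# centralized collection. Message texts follow the chapter's sshd/CRON examples.
SAMPLE_AUTH_LOG = """\
Mar 10 08:01:12 web01 sshd[12345]: pam_unix(sshd:session): session opened for user johndoe by (uid=0) [remote ip 192.168.1.100]
Mar 10 08:02:40 web01 sshd[54321]: Failed password for invalid user root from 10.0.0.1 port 53555 ssh2
Mar 10 08:02:43 web01 sshd[54322]: Failed password for invalid user admin from 10.0.0.1 port 53556 ssh2
Mar 10 08:02:47 web01 sshd[54323]: Failed password for invalid user oracle from 10.0.0.1 port 53557 ssh2
Mar 10 08:05:00 db01 sshd[7890]: Accepted public key for user alice from 172.16.0.2 port 22 ssh2
Mar 10 08:10:01 db01 CRON[7901]: pam_unix(cron:session): session opened for user root by (uid=0)
Mar 10 08:11:05 db01 systemd[1]: Started Daily apt download activities.
"""

# Syslog line layout: "Mon DD HH:MM:SS host process[pid]: message"
SYSLOG_RE = re.compile(
    r"^(?P<timestamp>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<process>[^\[:\s]+)(?:\[(?P<pid>\d+)\])?: (?P<message>.*)$"
)
# sshd message forms. "port" is the client's ephemeral source port, not the server port.
FAILED_RE = re.compile(
    r"Failed password for (?P<invalid>invalid user )?(?P<user>\S+) "
    r"from (?P<source_ip>\S+) port (?P<port>\d+)"
)
ACCEPTED_RE = re.compile(
    r"Accepted (?P<method>public ?key|password) for (?:user )?(?P<user>\S+) "
    r"from (?P<source_ip>\S+) port (?P<port>\d+)"
)
# PAM session line. "(uid=N)" is the uid of the daemon that opened the session.
SESSION_RE = re.compile(
    r"pam_unix\((?P<service>[\w-]+):session\): session opened for user (?P<user>\S+) "
    r"by \(uid=(?P<uid>\d+)\)(?: \[remote ip (?P<source_ip>\S+)\])?"
)


def parse_line(line):
    """Turn one syslog line into a record with the chapter's Log Content fields."""
    m = SYSLOG_RE.match(line.strip())
    if not m:
        return None  # not a syslog-formatted line; the caller skips it
    msg = m.group("message")
    record = {
        "timestamp": m.group("timestamp"), "host": m.group("host"),
        "process": m.group("process"), "event_type": "other", "outcome": None,
        "user": None, "source_ip": None, "port": None, "description": msg,
    }
    if f := FAILED_RE.search(msg):
        record.update(event_type="ssh_login", outcome="failure", user=f["user"],
                      source_ip=f["source_ip"], port=int(f["port"]),
                      invalid_user=f["invalid"] is not None)
    elif a := ACCEPTED_RE.search(msg):
        record.update(event_type="ssh_login", outcome="success", user=a["user"],
                      source_ip=a["source_ip"], port=int(a["port"]),
                      method=a["method"].replace(" ", ""))
    elif s := SESSION_RE.search(msg):
        record.update(event_type="session_open", outcome="success", user=s["user"],
                      source_ip=s["source_ip"], service=s["service"],
                      opened_by_uid=int(s["uid"]))
    return record


def parse_log(text):
    """Parse every recognisable line of a (possibly multi-host) auth.log excerpt."""
    return [r for r in (parse_line(l) for l in text.splitlines()) if r is not None]


def failed_logins_by_source(records):
    """Failed SSH logins per (host, source IP): the per-source baseline the SOC watches."""
    return Counter((r["host"], r["source_ip"]) for r in records
                   if r["event_type"] == "ssh_login" and r["outcome"] == "failure")


def flag_repeated_failures(records, threshold=3):
    """Sources at or above `threshold` failed logins on one host, as (host, ip, count)."""
    return sorted((host, ip, n) for (host, ip), n in failed_logins_by_source(records).items()
                  if n >= threshold)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_AUTH_LOG)
    for r in recs:
        print(r["timestamp"], r["host"], r["event_type"], r["outcome"], r["user"], r["source_ip"])
    print("repeated failures:", flag_repeated_failures(recs))
```

Keying the counter on (host, source_ip) rather than on source_ip alone keeps one noisy scanner from masking a quieter one that targets a different host; a SIEM correlation rule would normally add a time window on top of the count.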
