SOC
July 20, 2024

SOC (Security Operations Center)
A centralized team and facility responsible for monitoring, detecting, analyzing, and responding to security incidents within an organization.

SOC Primary Functions

Incident Response (NIST 800-61)
- Preparation
- Detection and Analysis
- Containment, Eradication, and Recovery
- Post-Incident Activity
- Preparation (loop)

Vulnerability Management
- Discover vulnerabilities on systems
- Prioritize systems
- Assess (based on asset criticality, vulnerability threat, and asset classification)
- Report (measure risk)
- Remediate (fix/patch/remove/etc.)
- Verify remediation (make sure the fix you performed worked)
- Discover (loop)

Common SOC Tools
- SIEM - Security Information and Event Management (Azure Sentinel)
- Threat Intelligence platform (Azure Sentinel: Threat Intelligence Data Connectors)
- Endpoint Detection and Response (EDR) tools: Microsoft Defender for Endpoint
- Network traffic analysis tools (Network Security Group Flow Logs with Azure)
- Vulnerability scanners (Microsoft Defender for Cloud: Vulnerability Management)
- Identity and Access Management (IAM) tools (Azure IAM)
- Incident Response Platforms (NIST 800-61 and some capabilities within Sentinel and Azure)

SOC Roles
- SOC Analyst
- Incident Responder
- Threat Intelligence
- SOC Manager
- Security Engineer
- Compliance Analyst
- Forensic Analyst

SIEM (Security Information and Event Management)
A solution that helps organizations detect, analyze, and respond to security threats. It combines security information management (SIM) and security event management (SEM) into one security management system. A SIEM collects event log data from a range of sources, identifies activity that deviates from the norm with real-time analysis, and takes appropriate action.

SIEM Components
- Data Collection
- Log Management
- Correlation Engine
- Alerting and Notification
- Reporting and Dashboards
- Incident Management
- Integration with other security tools and services

SIEM Correlation Engine
The correlation engine finds relationships between different logs (for example, events from separate sources that share a host, user, or source IP within a time window).

Indicators of Compromise (IOCs)
Signs of a security breach. Logs can show IOCs, which is why SIEMs match log fields against threat-intelligence feeds.
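To make the correlation engine and IOC ideas concrete, here is an added example (not code from the original notes or from any SIEM product) of a small correlation engine in Python. It parses a few constructed syslog-style events, applies two hypothetical rules that link separate log lines by source IP, user, and time window, and checks a destination field against a constructed IOC list standing in for a threat-intelligence feed. The log lines, IP addresses, rule names, and thresholds are all assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real logs): SSH authentication events from two
# hosts plus an outbound proxy CONNECT, all in the same time period.
SAMPLE_LOGS = """\
2024-07-20T10:00:01Z host1 sshd: Failed password for root from 198.51.100.23 port 51022
2024-07-20T10:00:03Z host1 sshd: Failed password for root from 198.51.100.23 port 51023
2024-07-20T10:00:05Z host1 sshd: Failed password for root from 198.51.100.23 port 51024
2024-07-20T10:00:06Z host1 sshd: Failed password for root from 198.51.100.23 port 51025
2024-07-20T10:00:09Z host1 sshd: Accepted password for root from 198.51.100.23 port 51026
2024-07-20T10:02:00Z host1 proxy: CONNECT 203.0.113.77:443 user=root
2024-07-20T10:05:00Z host2 sshd: Failed password for alice from 192.0.2.10 port 40001
2024-07-20T10:30:00Z host2 sshd: Accepted password for alice from 192.0.2.10 port 40002
"""

# Constructed IOC list (a stand-in for a threat-intelligence feed): known-bad IPs.
IOC_IPS = {"203.0.113.77"}

AUTH_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd: (?P<result>Failed|Accepted) password "
    r"for (?P<user>\S+) from (?P<ip>\S+)"
)
PROXY_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) proxy: CONNECT (?P<dst>[\d.]+):\d+ user=(?P<user>\S+)"
)


def parse_events(text):
    """Data collection step: turn raw lines into normalized event dicts."""
    events = []
    for line in text.splitlines():
        m = AUTH_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["type"] = "auth"
        else:
            m = PROXY_RE.match(line)
            if not m:
                continue  # unparsed lines are dropped in this example
            ev = m.groupdict()
            ev["type"] = "proxy"
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def correlate(events, fail_threshold=3, window=timedelta(minutes=5)):
    """Correlation step with two hypothetical rules:
    1. brute_force_success: >= fail_threshold failed logins followed by a success
       from the same (host, source IP) within `window`.
    2. ioc_outbound: an outbound connection to an IOC IP; raised to high severity
       when the user was flagged by rule 1 within `window`, linking the two logs.
    """
    alerts = []
    failures = defaultdict(list)   # (host, ip) -> timestamps of failed logins
    flagged_users = {}             # user -> time of suspected account compromise

    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["type"] == "auth":
            key = (ev["host"], ev["ip"])
            if ev["result"] == "Failed":
                failures[key].append(ev["ts"])
                continue
            recent = [t for t in failures[key] if ev["ts"] - t <= window]
            if len(recent) >= fail_threshold:
                alerts.append({"rule": "brute_force_success", "severity": "high",
                               "host": ev["host"], "ip": ev["ip"],
                               "user": ev["user"], "ts": ev["ts"]})
                flagged_users[ev["user"]] = ev["ts"]
            failures[key].clear()  # a success ends the failure streak
        elif ev["type"] == "proxy" and ev["dst"] in IOC_IPS:
            linked = (ev["user"] in flagged_users
                      and ev["ts"] - flagged_users[ev["user"]] <= window)
            alerts.append({"rule": "ioc_outbound",
                           "severity": "high" if linked else "medium",
                           "host": ev["host"], "dst": ev["dst"],
                           "user": ev["user"], "ts": ev["ts"]})
    return alerts


if __name__ == "__main__":
    for alert in correlate(parse_events(SAMPLE_LOGS)):
        print(alert)
```

Running the block prints two alerts: a high-severity brute_force_success for root on host1, and a high-severity ioc_outbound because the same user contacted an IOC address two minutes later. The single failure by alice on host2 produces nothing, which is the point of a threshold plus a time window: the engine reports relationships between events, not every event.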