Attacks are continuously developing and expanding; thus, protecting your organization from threats, cyber-attacks, and data breaches must be a top priority. Other than technology, organizations will also need qualified security experts who can proficiently manage security-based alerts and scenarios.
The main goals and responsibilities of a SOC team are continuously monitoring security, detecting, analyzing, and responding to security incidents in the best way possible using processes and technology. The SOC team is also in charge of proactively investigating abnormal activity and correctly identifying and defending threats to maintain the safety of the infrastructure.
Other than specialized expertise, security analysts need to think outside the box when it comes to threat response and also learn progressively.
In part 1 of our “Stay Ahead of Threats” article series, we discussed why organizations, regardless of size or purpose, require a security operations center; we also elaborated on the functions and purposes of a SOC. In this part, we focus on the human aspect of a security operations center.
Choosing the technology to run your SOC relies on defining the SOC analysts’ roles and responsibilities; based on the organization’s structure and the nature of the compromise or threat, some incidents must be referred to other units and teams such as the computer emergency response team (CERT) or the IT team. Responsibilities ― such as managing low-fidelity alerts, handling high-fidelity alerts, escalating alerts, hunting threats, etc. ― must also be divided among SOC analysts. A tiered framework for the SOC team is a good strategy to create a clear understanding of the responsibilities. The common roles in a SOC team include:
SOC Manager
The SOC Manager is the bridge between the SOC team and other parts of the business. SOC managers oversee staff and budgeting to keep the security operations center up and running. They also make policies and create strategies.
Security Analyst / SOC Analyst
SOC analysts are the first responders to cyber threats. They report threats to the second line of defense and then implement security strategies to protect the organization. A security analyst’s primary responsibility is to monitor and analyze activity and identify potential threats; they then determine the severity of each threat and decide whether it should be escalated to the next level of analysts. The salary of a SOC analyst ranges from $65,000 to $104,000 based on their level and background.
The main responsibilities of a SOC analyst:
- Monitor and analyze security and report suspicious/malicious activity to a higher level or team members.
- Conduct proactive research on rising trends and alarming cyber threats, and come up with innovative measures and strategies to improve security.
- Assess security regularly to identify vulnerabilities.
- Generate reports of the events and incidents in order to evaluate the efficacy of the security measures and improve incident response.
- Keep the security systems up-to-date.
- Perform internal and external security audits and incident analysis.
Other than having a strong understanding of basic computer science, IT operations, and security operations concepts, a SOC analyst needs to possess five main skills, according to EC-Council.

| Understanding basic computer science includes the understanding of | Understanding IT operations includes the understanding of | Understanding security operations concepts includes the understanding of |
| --- | --- | --- |
| databases, operating systems | data loss protection | kill chain analysis |

EC-Council lists the following five skills as the top skills a SOC analyst needs to possess:
1. Network Defense
Networks are easy targets for cyber attackers because they are actively connected to the internet. Network defense skills help SOC analysts monitor, detect, and analyze the network threats that most often infiltrate networks via the internet.
2. Ethical Hacking
A SOC analyst needs to possess knowledge of ethical hacking: hacking in a professional, authorized manner to discover potential threats, risks, and vulnerabilities and to come up with approaches to remediate them. Ethical hacking also includes knowledge of penetration testing, where the analyst tests networks, systems, web applications, etc. to detect vulnerabilities and report them.
3. Incident Response
A security analyst has to know how to minimize the impact of an incident on business processes as much as possible, and to produce a range of responses that harden the system.
4. Computer Forensics
Knowledge of digital forensics helps SOC analysts prevent attacks and better collect, analyze, and report evidence.
5. Reverse Engineering
Reverse engineering gives analysts deeper insight when analyzing alerts; it also provides a more solid understanding of how a software program executes, resulting in better vulnerability management.
SOC Analyst vs. Threat Hunter
Threat hunters deal with proactive threat detection and incident response activities. Threat hunting may be assigned as an additional task to security analysts within a SOC, or a SOC may designate security experts to conduct full-time threat hunting.
SOC analysts rely on technology and tools to triage and investigate alerts, whereas threat hunters focus on applying human knowledge and skills. The classic alert-triage model can produce a lot of false positives; threat hunters work towards reducing those false positives and proactively look for known and unknown threats based on bad actors’ behavior and techniques.
Other roles in a SOC team include:
Threat Hunter (SOC analyst Tier 3): Threat hunters proactively look for, isolate, and neutralize advanced threats using SIEM tools.
Incident Responder: Incident responders use the tools at their disposal to restrain and repel attacks and fix the affected systems.
Forensic Specialist: In the aftermath of an attack, forensic specialists investigate the nature of the attack using digital evidence and intelligence. The goal here is to prevent future attacks.
The elements and aspects of a security operations center vary based on the level of sophistication, the complexity of the infrastructure, and the amount of investment that has gone into the environment; however, the essence of the procedure that takes place in a SOC remains the same.
In the first step, as we mentioned in part 1, the activities, logs, and events from users, networks, servers and workloads, endpoints, databases, and other systems (collectively referred to as logs) are collected and monitored in a Security Information and Event Management (SIEM) system. They are then run through a real-time correlation engine. The real-time correlation engine is the main component of a SIEM architecture; it normalizes, reduces, filters, and aggregates the collected events and generates responses immediately.
The alerts generated by the real-time correlation engine are then passed along to Level 1 security analysts.
Level 1 or Tier 1 security analysts triage and correlate data from thousands of raw alerts generated by firewalls, IDS/IPS, the SIEM, and endpoint protection tools. By triaging and correlating the alerts, Tier 1 analysts make sense of large volumes of data and distinguish a false positive from an actual threat. They rank the alerts, from those most likely to be actual threats down to those of lower importance, and pass the important ones along for further investigation.
Flagging an alert as important does not necessarily mean it is a genuine threat; it means it requires further investigation, so it is handed over to Level 2 security analysts. Tier 1 analysts are responsible for creating trouble tickets to alert Tier 2 analysts.
Level 2 or Tier 2 security analysts are responsible for conducting active, in-depth research on the trouble tickets (which include the alerts and unusual patterns) handed to them by Tier 1 analysts. They conduct comparative analyses to draw a line between what is normal activity and what is considered an abnormality. The goal here is to create the context needed to understand the behavior and determine the importance, relevance, and impact of the potential threat. Tier 2 uses threat intelligence to identify infected or affected systems and to determine the scope of the attack. Tier 2 analysts are also responsible for keeping the detection rules database up to date. (BTW, we have a whole category of free detection rules. Don’t miss out!)
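As an added illustration of the pipeline described above (this is example code written for this article, not a real SIEM or the original author’s code), here is a miniature version of what the correlation engine and Tier 1 triage do: normalize events from three sources into one schema, aggregate them per host, score them with a few correlation rules, suppress a known false positive, and turn only the high-priority alerts into Tier 2 tickets. The log formats, rules, allowlist, thresholds and scores are all constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample events (not real telemetry) from a firewall, an IDS and an endpoint
# agent, each in its own format, standing in for what the SIEM collects.
RAW_EVENTS = [
    'fw 2024-05-01T10:00:01 src=10.0.0.5 dst=203.0.113.9 action=deny',
    'fw 2024-05-01T10:00:02 src=10.0.0.5 dst=203.0.113.9 action=deny',
    'ids 2024-05-01T10:00:04 host=10.0.0.5 sig=malware-beacon sev=high',
    'edr 2024-05-01T10:00:05 host=10.0.0.5 proc=powershell.exe parent=winword.exe',
    'fw 2024-05-01T10:01:00 src=10.0.0.77 dst=198.51.100.2 action=deny',
    'fw 2024-05-01T10:01:01 src=10.0.0.77 dst=198.51.100.2 action=deny',
    'edr 2024-05-01T10:01:05 host=10.0.0.77 proc=backup.exe parent=scheduler.exe',
]
# Hypothetical Tier 1 allowlist of process pairs known to be benign in this environment.
KNOWN_BENIGN = {('backup.exe', 'scheduler.exe')}
OFFICE_APPS = {'winword.exe', 'excel.exe', 'outlook.exe'}

def normalize(line):
    """Normalize one raw line into a common schema: source, host and key=value fields."""
    source, _timestamp, rest = line.split(' ', 2)
    fields = dict(re.findall(r'(\w+)=(\S+)', rest))
    return {'source': source, 'host': fields.get('host') or fields.get('src'), **fields}

def correlate(events):
    """Aggregate events per host, apply correlation rules and return alerts by severity."""
    by_host = defaultdict(list)
    for e in events:
        by_host[e['host']].append(e)
    alerts = []
    for host, evs in by_host.items():
        score, reasons = 0, []
        denies = sum(1 for e in evs if e['source'] == 'fw' and e.get('action') == 'deny')
        if denies >= 2:  # reduce repeated deny lines to one low-severity finding
            score, reasons = score + 2, reasons + [f'{denies} firewall denies']
        for e in evs:
            if e['source'] == 'ids' and e.get('sev') == 'high':
                score, reasons = score + 5, reasons + [f"IDS {e['sig']}"]
            elif e['source'] == 'edr' and (e['proc'], e['parent']) in KNOWN_BENIGN:
                reasons.append(f"suppressed benign {e['proc']}")  # known false positive
            elif e['source'] == 'edr' and e['parent'] in OFFICE_APPS:
                score, reasons = score + 5, reasons + [f"{e['parent']} spawned {e['proc']}"]
        if score:
            alerts.append({'host': host, 'score': score, 'reasons': reasons})
    return sorted(alerts, key=lambda a: a['score'], reverse=True)

def triage(alerts, escalate_at=5):
    """Tier 1 triage: only alerts at or above the threshold become Tier 2 tickets."""
    return [{'ticket': f'T-{i}', **a} for i, a in enumerate(alerts, 1) if a['score'] >= escalate_at]
```

Running `triage(correlate([normalize(l) for l in RAW_EVENTS]))` yields a single ticket for 10.0.0.5 (score 12), while 10.0.0.77 stays a low-severity alert because its only endpoint finding was suppressed as a known false positive.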
Level 3 or Tier 3 security analysts, the threat hunters, are given the data compiled by Tier 2 analysts to carry out in-depth, proactive threat intelligence investigations. The threat hunter’s mission is to move from the known to the unknown, meaning that they apply analytics to uncover the unknown aspects of an incident.
A successful threat detection and response process is able to answer questions such as who did what, when and where it happened, and how and why it happened.
Secure Your Organization’s Mind with Securemind.se