Wednesday, January 23, 2019

What is a SOC?

In a recent conversation I said that I have SOC experience, and then I had to explain what a SOC is. So what is a SOC and what do they do?

In many large companies a SOC ("Security Operations Center") is a team of people who are like firefighters for security threats. Their job is to detect and respond to incidents (aka "Incident Response"), and ideally to contain or mitigate the threat as quickly as possible. Detection of threats can be done through a SIEM (Security Information and Event Management), an IDS (Intrusion Detection System), or simply via word of mouth. It is important that the SOC is easy to contact, so that anyone who notices something strange can report it to the SOC for a closer look.

It is a common misunderstanding that a SOC is able to prevent a company from being hacked. In reality no one is hack-proof, and any attacker with enough time, energy, motivation, and money can succeed. The job of a SOC and the Information Security team is to reduce the company's risk level and to "raise the bar" for attackers so that a compromise is less likely.

How do they raise the bar for attackers? They build defenses in layers so that if any one of them fails, another is there to back it up. For example, phishing is a common method of attack hackers use every day. Because of this, user awareness training is vital to the security of any organization. In the event that a phishing email succeeds in compromising a computer, ideally that computer will have an isolated network so that the hacker cannot use that computer as a launching point to jump to other computers.

When a SOC analyst isn't reacting to incidents, they can be proactive by doing things like verifying that systems are being patched regularly, running internal and external vulnerability scans to identify and resolve issues before attackers can find them, building and revising a threat model for the company's most sensitive assets, and constantly improving the detection tools they rely on.

Another key piece is Threat Intelligence (aka "intel"). Intel is a report of Tactics, Techniques, and Procedures ("TTPs") used by attackers that have been known to target your industry or even your company specifically. If you don't know what kind of attackers are targeting you, and how they do it, you can't effectively mitigate that threat.

Me (right) working in a SOC
What does a SOC look like? The image here features me and my colleagues working in a SOC. The screens on the wall feature many different dashboards that provide useful metrics on everything we deemed important. For example, we had a dashboard that showed us which user accounts had the most failed login attempts. This allowed us to see what might be a brute force attack, but was often just someone's script using an old password. Another dashboard would show us recent alerts from our IDS and AV systems, so we could easily identify and follow up on potential issues.
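As an added example (not from the original post or the SOC described in it), this is how the failed-login view behind such a dashboard can be computed from a few constructed sshd log lines, and how an analyst might separate the single-source stale-credential pattern from a many-source brute force. The log lines, threshold and labels are all assumptions made for this example.

```python
import re
from collections import defaultdict

# Constructed sample lines in OpenSSH's "Failed password" format; not real data.
SAMPLE_LOG = """\
Jan 23 09:00:01 web1 sshd[1201]: Failed password for alice from 10.0.0.5 port 50122 ssh2
Jan 23 09:00:31 web1 sshd[1203]: Failed password for alice from 10.0.0.5 port 50130 ssh2
Jan 23 09:01:01 web1 sshd[1205]: Failed password for alice from 10.0.0.5 port 50141 ssh2
Jan 23 09:01:31 web1 sshd[1207]: Failed password for alice from 10.0.0.5 port 50150 ssh2
Jan 23 09:00:12 web1 sshd[1202]: Failed password for invalid user admin from 203.0.113.7 port 41001 ssh2
Jan 23 09:00:13 web1 sshd[1204]: Failed password for invalid user admin from 203.0.113.9 port 41002 ssh2
Jan 23 09:00:14 web1 sshd[1206]: Failed password for invalid user admin from 203.0.113.12 port 41003 ssh2
Jan 23 09:00:15 web1 sshd[1208]: Failed password for invalid user admin from 203.0.113.20 port 41004 ssh2
Jan 23 09:05:00 web1 sshd[1220]: Failed password for bob from 10.0.0.9 port 52000 ssh2
Jan 23 09:05:10 web1 sshd[1221]: Accepted password for bob from 10.0.0.9 port 52001 ssh2
"""

# "invalid user" is optional: sshd adds it when the account does not exist.
FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port"
)

def failed_logins_by_account(log_text):
    """Return {account: {"count": n, "sources": {ip, ...}}} for failed logins only."""
    stats = defaultdict(lambda: {"count": 0, "sources": set()})
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            entry = stats[m.group("user")]
            entry["count"] += 1
            entry["sources"].add(m.group("src"))
    return dict(stats)

def triage(stats, threshold=4):
    """Label accounts at or above the threshold. The threshold and labels are
    assumptions for this example, not a real SOC's tuning."""
    findings = {}
    for user, e in stats.items():
        if e["count"] < threshold:
            continue
        if len(e["sources"]) == 1:
            # One account, one source, steady failures: the stale-password script
            # the post mentions. Still worth a call to the account owner.
            findings[user] = "likely stale credential (single source)"
        else:
            # Many sources against one account: escalate for brute-force review.
            findings[user] = "possible brute force (multiple sources)"
    return findings
```

Sorting `failed_logins_by_account(SAMPLE_LOG)` by `count` gives the "most failed logins" ranking the dashboard showed; `triage` adds the first-pass label an analyst would otherwise assign by eye.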

