
Building a Security Operations Center (SOC)

By: Engr. Marlon Ceniza

“Research is what I’m doing when I don’t know what I’m doing.”
- Wernher von Braun
Current Information Security Challenges
Onslaught of security data from disparate systems, platforms and applications
Numerous point solutions (AV, Firewalls, IDS/IPS, ERP, Access Control, IdM, SSO, etc.)
Millions / billions of messages daily
Attacks becoming more frequent and sophisticated
Regulatory compliance issues place an increasing burden on systems and network administrators
Current Information Security Challenges
Most organizations are inadequately prepared to deal with intrusions and security incidents
The issue is addressed only after a serious breach occurs
When an incident occurs, decisions are made in haste, which reduces the ability to:
Understand the extent and source of the incident
Protect sensitive data contained on systems
Protect systems/networks and their ability to continue operating as intended, and recover systems
Collect information to understand what happened. Without such information, you may inadvertently take actions that further damage your systems
Support legal investigations and forensics
Current SOC Landscape
In recent years, the complexity of managing a SOC has increased exponentially
Security operations is not just about perimeter threats anymore
Array of hundreds of event sources – firewalls, IPS, IDS, proxy, applications, identity management, database, router, switch, merchant/PCI, physical security services and more
SOCs are aggregation points of tens of millions of daily events that must be monitored, logged, analyzed and correlated.
What is SOC?
 A Security Operations Center (SOC) is a facility that houses an information security team responsible for monitoring and analyzing an organization’s security posture on an ongoing basis.
What is SOC?
The SOC team’s goal is to detect, analyze and respond to cyber security incidents using a combination of technology solutions and a strong set of processes.
What is SOC?
[Figure: SOC operating model diagram (PEOPLE, PROCESS, TECHNOLOGY). Elements shown: Customers, Level 1 and Level 2 analysts, Engineer, Incident Handler, Escalation, Case closed; the workflow steps are numbered 1 to 6.]
What is SOC?
Security operations centers are typically staffed with security analysts and engineers as well as managers who oversee security operations.
Why do you need an SOC?
 Because a firewall and IPS are not enough
 Nucleus of all information security operations
 Provides continuous prevention, protection, detection and response capabilities against threats, remotely exploitable vulnerabilities and real-time incidents on your networks
 Works with the Cyber Incident Response Team (CIRT) to create a comprehensive infrastructure for managing security operations
SOC Benefits
Speed of response time
 Malware can spread throughout the Internet in minutes or even seconds, potentially knocking out your network or slowing traffic to a crawl
 Consequently, every second counts in identifying these attacks and negating them before they can cause damage
 Ability to recover from a DDoS attack in a reasonable amount of time
Components of SOC
 Build the SOC with a simple acceptance and execution model
 Maximize the use of technology
 Build security intelligence and visibility that was previously unknown, build an effective coordination and response unit, and introduce automation of security processes
 Develop SOC processes that are in line with industry best practices and accepted standards – ISO27001:2013, PCI-DSS3.2.1, IEC-62443, NIST

REAL-TIME MONITORING
▪ Data Aggregation
▪ Data Correlation
▪ Aggregated Logs
▪ Coordinated Response
▪ Automated Remediation

REPORTING
▪ Executive Summary
▪ Audit and Assessment
▪ Security Metric Reporting
▪ KPI Compliance
▪ SLA Reporting

SECURITY INCIDENT MANAGEMENT
▪ Pre and Post Incident Analysis
▪ Forensics Analysis
▪ Root Cause Analysis
▪ Incident Handling
▪ aeCERT Integration
Key Success of SOC
The Goal – Keep Things Simple ☺

SOC Core Components
 OSS – Operational Support System
 SIEM – Security Information and Event Management
 Proactive Monitoring – Network, Security and Server Infrastructure
 Alert and Notification – Security Incident Reporting
 Event Correlation and Heuristics / Behavioural / Anomaly

OSS/SIEM

PROACTIVE MONITORING
▪ Automated Monitoring – SNMP
▪ Categorization of Monitored Objects
▪ Automated Monitored Object Reporting
▪ Integrated to Business Process
▪ Automated Assignment of Risk Level

ALERT & NOTIFICATION
▪ Automated Alert and Notification – SNMP Trap / IF-MAP event
▪ Alerts categorized based on Risk Level
▪ Notification to Business Process Owner

EVENT CORRELATION
▪ Contextual correlation of events
▪ Situational awareness
▪ Mapped to business process
SOC Core Components
 Information and Network Security $$ Automation $$
 Natively built-in compliance and audit functions
 Manage the control process through integrated ITILv3 CM and SD
 Configuration Management of Infrastructure Components

AUTOMATION

COMPLIANCE & AUDIT
▪ Compliance templates created
▪ Compliance enforcement
▪ Compliance reporting
▪ Compliance violation reporting
▪ Auto-Archival
▪ Auto-remediate
▪ Auto-validate

CHANGE MANAGEMENT
▪ Device change management process
▪ Automated approval process
▪ Linked to compliance template
▪ Change Control Validation
▪ Change Management History Log

CONFIGURATION MANAGEMENT
▪ Configuration Archival
▪ Configuration change mapped to change control
▪ Configuration Management Database
▪ Complete history of archived configuration
▪ Configuration Rollback
SOC Core Components
 Alignment of Risk Management with Business Needs
 Qualified Risk Ranking
 Risks are ranked based on business impact analysis (BIA)
 Risk framework is built into the SIEM solution: Incident = Risk Severity = Appropriate remediation and isolation action
 SOC is integrated with Vulnerability and Patch Management

INCIDENT HANDLING

INCIDENT RESPONSE
▪ Network Forensics
▪ Investigation and Analysis
▪ Evidence Gathering
▪ Prosecution / Disciplinary / Litigation
▪ Escalation Management

BEHAVIOURAL ANALYSIS
▪ Network Behavioural Analysis
▪ Anomaly Detection
▪ Predictive Analysis
▪ Business Process Profiling

REPORTING
▪ Detection reporting based on incident
▪ Feedback and Review Process
SOC Core Components
 IRH – Incident Response Handling
How effective the SOC is gets measured by how many incidents are managed, handled, administered, remediated and isolated
A continuous cyclic feedback mechanism drives IRH
 Critical functions include Network Forensics and Surveillance Technologies
 Reconstruct the incident … Evidence Gathering ... Effective investigation
 Escalation Management – know who to communicate with during an incident
Integration of Core Components
SOC Technologies
SIEM 2.0 Solutions (NOT just Log Management)
 Event Collector and Processor – Syslog, Log Files, SMB, ODBC > All Log Sources
 Flow Collection and Processor – NetFlow, J-Flow, S-Flow, IPFIX
 Asset Database (Based on Asset Criticality, Risk and Vulnerability, System and Business Owner)
 Event and Flow Correlation – Advanced Threat Analytics
 Centralized Management Console for Security Dashboard and Reporting
 Integration with service desk for automated ticket creation > Offense Management

Compliance Management and Policy Conformance
 Configuration Audit across Infrastructure Systems and Devices
 ISO27001 / PCI-DSS3.2.1 / IEC-62443 Security Policy Compliance
 Risk Management – Identification and Mitigation
 Baseline Configuration Violation Monitoring (Continuous Compliance / Monitoring)
 Network Topology Mapping and Visualization
 Vulnerability Assessment and Management
SOC Technologies
Network and Security Monitoring (Traditionally owned by the Networking Team) > Integrate with Security Requirements
 Network Performance Monitor – SNMP
 Network Monitoring
 Link Utilization
 Availability Monitoring
 SLA reporting
 Integration with service desk for automated ticket creation

Security Analysis and Threat Intelligence
 Network Forensics (Raw Packet Capture > Session Reconstruction)
 Situation Awareness
 Artifacts and Packet Reconstruction (Chain of Custody)
 Monitor all Internet Activity (Linked to Identity (username) as opposed to IPs)
 Record metadata for recursive analysis during incident response
 Integration with Incident Response Handling (IRH)
 Threat Intelligence and Global Landscape
SOC Technology Integration (Silos)
Technology Integration …. Old Practice
[Figure: three unconnected silos – Vulnerability Assessment, SIEM, Network Monitoring.]

SOC Technology Integration (Automation)
Technology Integration … the new … WORKFLOW
[Figure: integrated workflow. Log sources (Microsoft, Solaris, Redhat, Unix servers; Cisco routers, switches and load balancer; firewall and IPS; malware and antivirus / endpoint security; ERP and apps) deliver SYSLOG, log files, ALE and NetFlow to SIEM 2.0 (Log Management, Configuration Management, Policy Compliance, Security Incident) and to Network Monitoring – SNMP (NMS). Vulnerability Assessment, Network Forensics and Incident Response, and compliance and vulnerability scan data feed the Security Dashboard and Reporting. SIEM, NMS and the vulnerability/forensics components each generate tickets into the Service Desk (Ticketing).]
Defining the SOC Requirements
Define the specific needs for the SOC within the organization
What specific tasks will be assigned to the SOC? (detecting external attacks, compliance monitoring, checking for insider abuse, incident management, etc.)
Who will use the data collected and analyzed by the SOC? What are their requirements?
Who will own and manage the SOC?
What types of security events will be fed into the SOC?
In-House vs Outsourced SOC
In-house SOC

Advantages
✓ Dedicated staff
✓ Knows environment better than a third party
✓ Solutions are generally easier to customize
✓ Potential to be most efficient
✓ Most likely to notice correlations between internal groups
✓ Logs stored locally

Disadvantages
❖ Larger up-front investment
❖ Higher pressure to show ROI quickly
❖ Higher potential for collusion between analyst and attacker
❖ Less likely to recognize large-scale, subtle patterns that include multiple groups
❖ Can be hard to find competent SOC analysts
Internal SOC Success Factors
 Trained Staff
 Good SOC Management
 Adequate Budget
 Good Processes
 Integration into incident response
If your organization can’t commit to these five factors, do not build an internal SOC – it will fail
It will waste money and time and create a false sense of security
If you need a SOC but can’t commit to these factors, strongly consider outsourcing
Outsourced SOC

ADVANTAGES
✓ Avoid capital expenses – it’s their hardware & software
✓ Exposure to multiple customers in similar industry segment
✓ Often cheaper than in‐house
✓ Less potential for collusion between monitoring team and attacker
✓ Good security people are difficult to find
✓ Unbiased
✓ Potential to be very scalable & flexible
✓ Expertise in monitoring and SIM tools
✓ SLA

DISADVANTAGES
❖ Contractors will never know your environment like internal employees
❖ Sending jobs outside the organization can lower morale
❖ Lack of dedicated staff to a single client
❖ Lack of capital retention
❖ Risk of external data mishandling
❖ Log data not always archived
❖ Log data stored off‐premises
❖ Lack of customization
❖ MSSPs standardize services to gain economies of scale in providing security services to myriad clients
SOC Roles
Security Intelligence
Manager
Level-1 Analyst
Level-2 Analyst
SIEM Content Specialist
Key Organizations
Incident Management
Forensic Analyst
SIEM Engineer
SOC Analysts
Good SOC analysts are hard to find and hard to keep
They have a combination of technical knowledge and technical aptitude
Hire experienced SOC analysts
Pay them well – you get what you pay for
SOC Analysts Skill Sets
✓ O/S Proficiency
✓ Network Protocols
✓ Chain of custody issues
✓ Ethics
✓ Corporate Policy
✓ Services
✓ Multiple Hardware Platforms
✓ Attacks
✓ Directories
✓ Routers/Switches/Firewall
✓ Programming
✓ Forensics
✓ Databases
✓ IDS/IPS
✓ Investigative Processes
✓ Applications
✓ and much more
SOC Analysts Qualities
 Extremely Curious
Ability to find answers to difficult problems / situations

 Abstract Thinker
Can correlate IDS incidents and alerts in real-time

 Ethical
 Deals with low-level details while keeping big-picture view of situation
 Can communicate to various groups that have very different requirements
 Responds well to frustrating situations
SOC Analysts Burnout
SOC analysts can burn out
Have a plan to address this:
Extensive training
Bonuses
Promotions
Management Opportunities
Job Rotation
SOC Management
Management and supervision of an SOC is a key factor in ensuring its efficiency
While analysts, other staff, hardware and software are key elements, an SOC’s ultimate success depends on a competent SOC manager
Inadequate or poor management has significant consequences, from decrements in process performance to incidents being missed or incorrectly handled
SOC Processes and Procedures
SOC is heavily process-driven
Processes work best when documented in advance
Usability and workflow criticality
Documentation
Adequate time must be given to properly document the many different SOC functions
Corporate networks and the SOC are far too complex to be supported in an ad-hoc manner
Documentation makes all the difference
SOC Metrics
Measured by how quickly incidents are:
Identified
Addressed
Handled
Metrics must be used judiciously
Don’t measure an analyst’s base performance simply on the number of events analyzed or recommendations written
Use Cases
Use Case | Primary Data Sources | Alert Criteria | Action
Botnet activity | Firewall, IDS, Proxy, Mail, Threat Intelligence | Connection to or from known malicious host or domain | Display in analyst active channel
Virus outbreak | Antivirus | 3 viruses detected with same name in 10 minutes | Page desktop team / display in dashboard
Successful attack / malicious code | IDS/IPS, Vulnerability | Targeted asset exhibits vulnerability, relevance=10 | Page server team / display in active channel / display in dashboard
SQL injection | Web Server, DAM, IDS/IPS | 5 injection attempts within specified time frame | Display in analyst active channel
Phishing | Threat Intelligence, Firewall, IDS, Proxy, Mail | Connection to or from known malicious host or domain | Display in analyst active channel
Unauthorized remote access | VPN, Applications | Successful VPN authentication from a non-domain member | Display in analyst active channel / Page network team
New vulnerability on DMZ host | Vulnerability | New vulnerability identified on publicly accessible host | Email daily report to vulnerability team
Suspicious activity | Firewall, IDS, Mail, Proxy, VPN | Escalating watch lists (recon, exploit, brute force, etc.) | Email daily suspicious user activity report to level 1
Statistical anomaly | IDS, Firewall, Proxy, Mail, VPN, Web Server | Moving average variation of X magnitude in specified time frame | Display alerts in situational awareness dashboard
New pattern of activity | IDS, Firewall, Proxy, Mail, VPN, Web Server | Previously unseen pattern detected | Display in analyst active channel
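The following Python sketch is an added example, not part of the slides or of any SIEM product, showing how four of the alert criteria in the use-case table translate into correlation rules, and how the "Successful attack / malicious code" rule depends on the asset database and the BIA-based risk ranking described under SOC Core Components: relevance is 10 only when the targeted asset actually carries the exploited vulnerability, and the resulting risk multiplies that by asset criticality. The asset database, host names, vulnerability ids, the sample events and the risk weighting are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed asset database (hypothetical hosts). Criticality is the BIA ranking;
# vulnerability ids are placeholders, not real identifiers.
ASSET_DB = {
    "10.0.1.5": {"name": "web01", "criticality": 9, "vulns": {"VULN-PLACEHOLDER-A"}},
    "10.0.1.9": {"name": "db01", "criticality": 10, "vulns": set()},
}


def ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


# Constructed sample events, normalised the way a collector would from
# antivirus, web server, IDS and VPN logs.
EVENTS = [
    {"t": ts("2024-05-01 09:00:10"), "src": "antivirus", "host": "pc-101", "name": "Trojan.Generic"},
    {"t": ts("2024-05-01 09:04:30"), "src": "antivirus", "host": "pc-102", "name": "Trojan.Generic"},
    {"t": ts("2024-05-01 09:08:00"), "src": "antivirus", "host": "pc-103", "name": "Trojan.Generic"},
    {"t": ts("2024-05-01 09:30:00"), "src": "antivirus", "host": "pc-104", "name": "Adware.Foo"},
    {"t": ts("2024-05-01 10:00:01"), "src": "webserver", "client": "203.0.113.7", "category": "sqli"},
    {"t": ts("2024-05-01 10:00:05"), "src": "webserver", "client": "203.0.113.7", "category": "sqli"},
    {"t": ts("2024-05-01 10:00:09"), "src": "webserver", "client": "203.0.113.7", "category": "sqli"},
    {"t": ts("2024-05-01 10:00:40"), "src": "webserver", "client": "203.0.113.7", "category": "sqli"},
    {"t": ts("2024-05-01 10:01:12"), "src": "webserver", "client": "203.0.113.7", "category": "sqli"},
    {"t": ts("2024-05-01 10:02:00"), "src": "webserver", "client": "198.51.100.4", "category": "sqli"},
    {"t": ts("2024-05-01 11:00:00"), "src": "ids", "dst": "10.0.1.5", "vuln": "VULN-PLACEHOLDER-A"},
    {"t": ts("2024-05-01 11:00:30"), "src": "ids", "dst": "10.0.1.9", "vuln": "VULN-PLACEHOLDER-B"},
    {"t": ts("2024-05-01 12:00:00"), "src": "vpn", "user": "alice", "domain_member": True, "result": "success"},
    {"t": ts("2024-05-01 12:05:00"), "src": "vpn", "user": "contractor7", "domain_member": False, "result": "success"},
    {"t": ts("2024-05-01 12:06:00"), "src": "vpn", "user": "mallory", "domain_member": False, "result": "failure"},
]


def window_alerts(events, key, threshold, window):
    """Generic sliding-window rule: fire once per key when at least `threshold`
    events sharing key(event) fall within `window`. Returns (key, count) tuples."""
    buckets = defaultdict(list)
    for e in sorted(events, key=lambda e: e["t"]):
        buckets[key(e)].append(e["t"])
    alerts = []
    for k, times in buckets.items():
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:  # slide the window forward
                start += 1
            if end - start + 1 >= threshold:
                alerts.append((k, end - start + 1))
                break  # one alert per key per run; the dashboard does the rest
    return alerts


def virus_outbreak(events):
    """3 detections with the same name within 10 minutes."""
    av = [e for e in events if e["src"] == "antivirus"]
    return [{"use_case": "Virus outbreak", "name": k, "count": n,
             "action": "Page desktop team / display in dashboard"}
            for k, n in window_alerts(av, lambda e: e["name"], 3, timedelta(minutes=10))]


def sql_injection(events, window=timedelta(minutes=5)):
    """5 injection attempts from one client within the window (window is assumed)."""
    hits = [e for e in events if e["src"] == "webserver" and e.get("category") == "sqli"]
    return [{"use_case": "SQL injection", "source_ip": k, "count": n,
             "action": "Display in analyst active channel"}
            for k, n in window_alerts(hits, lambda e: e["client"], 5, window)]


def targeted_attack(events, assets=ASSET_DB):
    """Targeted asset exhibits the exploited vulnerability: relevance=10.
    Risk = relevance x asset criticality (weighting is an assumption)."""
    out = []
    for e in events:
        if e["src"] != "ids":
            continue
        asset = assets.get(e["dst"])
        if asset and e["vuln"] in asset["vulns"]:
            out.append({"use_case": "Successful attack / malicious code", "host": asset["name"],
                        "relevance": 10, "risk": 10 * asset["criticality"],
                        "action": "Page server team / display in active channel / display in dashboard"})
    return out


def unauthorized_remote_access(events):
    """Successful VPN authentication from a non-domain member."""
    return [{"use_case": "Unauthorized remote access", "user": e["user"],
             "action": "Display in analyst active channel / Page network team"}
            for e in events
            if e["src"] == "vpn" and e["result"] == "success" and not e["domain_member"]]


def run_all(events=EVENTS):
    return virus_outbreak(events) + sql_injection(events) + targeted_attack(events) + unauthorized_remote_access(events)


if __name__ == "__main__":
    for alert in run_all():
        print(alert)
```

On the sample events this raises one alert per rule: the Trojan.Generic outbreak (three hosts in under eight minutes), the five injection attempts from 203.0.113.7, the IDS event against web01 (whose placeholder vulnerability is in the asset record, giving risk 90), and contractor7's VPN login. The single Adware detection, the lone attempt from 198.51.100.4, the IDS event against db01 (vulnerability not present, so relevance stays below 10) and the failed login from mallory stay below threshold, which is the point of the funnel: thresholds and asset context decide what reaches an analyst.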
Event Funnel

750 events = 31.25 EPAH


The Cyber Kill Chain
A: ADVANCED – Targeted, Coordinated, Purposeful
P: PERSISTENT – Month after Month, Year after Year
T: THREAT – Person(s) with Intent, Opportunity, and Capability
Monthly Executive Brief
[Figure: Security Capability Maturity Level chart comparing the Current Maturity Level with the Target Maturity Level.]
Security Capability Maturity Assessment
SOMM Level | Name | Description
Level 0 | Incomplete | Operational elements do not exist
Level 1 | Performed | Reliant on people and relationships, not standardized nor repeatable
Level 2 | Managed | Business goals are met and operational tasks are repeatable. Many SOCs run successfully for some period of time at this maturity level. Missing aspects often include continual improvement and demonstrated ROI.
Level 3 | Defined | Operations are well-defined, subjectively evaluated, and flexible. Recommended maturity level target for most enterprise SOCs. Sufficient structure exists to meet business objectives and demonstrate ROI while still being able to adapt to enterprise requirements and changing threat landscape without excessive overhead in processes.
Level 4 | Measured | Operations are quantitatively evaluated, processes are controlled, reviewed consistently, and proactively improved. Appropriate for a managed service provider environment where financial penalties result from inconsistent delivery. This environment may not be able to adapt to individual client needs or emerging threats and requires dedicated staff to sustain the maturity level.
Level 5 | Optimizing | All processes are tightly constrained and continually measured for deficiencies and variation, and are continually improved. Suitable only for very narrow scope operations focused on point solutions in a tightly controlled and static environment.
Security Capability Maturity Assessment
Area | Score | Observation
People | 1.57 |
General | 1.75 | Roles and responsibilities within the SOC are not defined and therefore cannot be leveraged as criteria for member evaluation.
Training | 1.55 | The opportunity exists to develop an overall training program that includes a defined structure for analyst onboarding and continual growth through the career of the analyst.
Certifications | 1.00 | Lack of overall industry certifications possessed by the team.
Experience | 1.70 | The feeder pool to hire analysts is reasonable, yet the experience and background of some of the analysts is questionable.
Skill Assessments | 1.69 | A skills assessment program should be adopted and leveraged to improve training plans and the overall skills composition of the group.
Career Path | 1.69 | There is an opportunity to develop career progression plans and to help guide analysts into senior positions within the SOC or internally within the company.
Leadership | 1.77 | Conducting an organizational climate survey is encouraged in order to collect feedback and incorporate it into the leadership function.
Process | 1.26 |
Mission | 1.27 | The SOC mission, vision, and charter should be clearly outlined and articulated within the SOC and to internal groups within the organization.
Operational Process | 1.66 | There are several opportunities to further develop operational processes and metrics to measure operational efficiencies.
Analytical Process | 1.15 | Efforts to centralize a knowledge management solution for security analysts are currently underway.
Business Process | 0.89 | SOC SLAs and analyst KPIs are not developed and therefore cannot be leveraged to capture metrics and track operational efficiencies.
Technology | 2.38 |
SIEM Monitoring | 2.45 | SIEM meets current business needs. A test environment does exist, which means that content and data feed onboarding does/can go through a proper testing cycle.
Architecture | 1.95 | Document data flow diagrams for troubleshooting purposes.
Correlation | 2.56 | Event management metrics are captured and used to track events monitored.
Monitored Technologies | 2.22 | A wide range of technologies are monitored, giving the SOC wider visibility against attack vectors.
ILM | 2.61 | Data retention and protection policies adhere to company policies.
Overall SOMM Level | 1.74 |
Best Practices for Running a Security Operations Center
 Many security leaders are shifting their focus more to the human element than the technology element, to “assess and mitigate threats directly rather than rely on a script”.
 SOC operatives continuously manage known and existing threats while working to identify emerging risks.
 While technology systems such as firewalls or IPS may prevent basic attacks, human analysis is required to put major incidents to rest.
Best Practices for Running a Security Operations Center
 For best results, the SOC must keep up with the latest threat intelligence and leverage this information to improve detection and defense mechanisms.
 The SOC consumes data from within the organization and correlates it with information from a number of external sources that deliver insight into threats and vulnerabilities.
 This external cyber intelligence includes news feeds, signature updates, incident reports, threat briefs and vulnerability alerts that aid the SOC in keeping up with evolving cyber threats.
Best Practices for Running a
Security Operations Center
 SOC staff must constantly feed threat intelligence into SOC monitoring tools to keep up to date
with threats
 SOC must have processes in place to discriminate between real threats and non-threats.
 Truly successful SOCs utilize security automation to become effective and efficient.
 By combining highly-skilled security analysts with security automation, organizations increase
their analytics power to enhance security measures and better defend against data breaches
and cyber attacks.
Best Practices for Running a Security Operations Center
Many organizations that don’t have the in-house resources to accomplish this turn to managed security service providers that offer SOC services.
How to Apply
Obtain management commitment to an SOC, ensuring adequate staffing and budget
Define your SOC requirements
Decide whether to have the SOC in-house or outsourced
In-house – create detailed and customized processes
Outsourced – ensure their processes meet your requirements
Create a process to ensure the SOC is effective and providing security benefits to the organization
Thank You!
