ELEMENTS OF SECURITY OPERATIONS
2ND EDITION
An essential guide of capabilities, best practices and innovative techniques to power your modern SOC
Written by John Caimano and Austin Robertson
With Foreword by Niall Browne, CISO, Palo Alto Networks
TABLE OF CONTENTS
Table of Contents 5
Foreword 7
Introduction 10
Appendices 130
FOREWORD
Today’s expanded enterprise attack surface generates much more security data, which
is both more complex and siloed, than only a few years ago. Network, endpoint, identity
and cloud data remain in separate systems. Endpoint telemetry is locked in an endpoint
detection and response (EDR) system, cloud data is in a separate cloud security tool and
more. As a result, SOC analysts must manually analyze data to triage alerts and take
effective action. Alerts overload analysts, so threats are missed, and dwell times remain
long. Security engineers struggle to integrate new data streams and create new detection
rules and playbooks, while security architects integrate the latest new point product.
The results are predictable: alert fatigue, slow investigations and attackers who hide in
networks for months.
The modern way to scale an effective SOC is with automation, leveraging AI and ML as
the foundation and with analysts working on a small set of high-risk incidents. Just as
operating a self-driving vehicle no longer requires constant, hands-on control by the
operator, an automation-led SOC handles the bulk of low-risk, repeated alerts, analysis
tasks and mitigations. This frees the analysts to work on urgent, high-impact incidents
while the underlying platform autopilots the SOC to safe outcomes, learning from each
activity and offering information and effective recommendations to the SOC manager.
This is our vision for the modern SOC.
A recent research report from ESG surveyed 376 IT and cybersecurity professionals in the
U.S. and Canada personally responsible for evaluating, purchasing and utilizing threat
detection and response security products and services. It found the following:
At Palo Alto Networks, we believe that advanced detection and response within the SOC requires six pillars:
• Processes: The steps a SOC must take to identify, investigate and mitigate a suspected security incident
• Affiliates: Individuals, teams or organizations that are involved in or provide support to the SOC’s incident response activities
• People: Enhancing a SOC staff with a skill development plan, optimized utilization and professional growth plans
• Business: Stakeholders and their business needs are always a factor in our goals
• Visibility: Real-time awareness to the SOC of activities and events generated by an attacker within an organization’s IT infrastructure
• Technology: The combined sensors and prevention capabilities a SOC needs for real-time incident response
The information in this book should help any small or large organization with planning
a SOC, either to build it on-premises or plan for outsourcing services as a collaborative
effort. For businesses with an existing SOC, the information in this book will help you to
enhance and evolve into a world-class modern SOC. Planning for a SOC is a long-term
project requiring several moving parts: Process Development, Affiliate Alignment, Staffing,
Visibility and Technology Capabilities. You can use this book to learn the necessary building
blocks to plan for a SOC and reduce your chance of pitfalls from costly mistakes.
INTRODUCTION
Three wishes from every operations engineer:
1. Fewer alerts in the SOC
With the expansion of attacker capabilities, adversaries have begun incorporating their
own ML and AI technologies to enhance their arsenal of attacks. This includes leveraging
ML algorithms for sophisticated phishing campaigns and employing AI-driven techniques
for effective end-user social engineering. As attackers continue to evolve and become
more sophisticated, defenders are compelled to adapt and counter these emerging threats.
In response, the defender’s strategy is shifting toward leveraging generative AI, which
empowers SOCs to proactively detect, analyze and mitigate cyberthreats. By harnessing
the capabilities of generative AI, defenders can stay one step ahead of adversaries and
strengthen their overall cybersecurity posture.
AI algorithms excel at analyzing large volumes of data in real time. By continuously
monitoring network logs, system activities and user behaviors, AI can swiftly identify
suspicious patterns and indicators of potential threats. This enables SOC analysts to
proactively detect and respond to emerging threats, minimizing the risk of security
breaches.
Generative AI will innovate the way cyberattack victims are supported by providing
personalized responses that assist them in navigating the remediation process and
gaining valuable lessons for future resilience. Imagine every end user having their own
cybersecurity expert to review suspicious emails and provide a customized response to
their concerns.
SECURITY OPERATIONS DEFINITION
A SOC is a team focused on the identification and remediation of threats to the
organization. The SOC has evolved through the years as malware and threats continue to
emerge. In the dynamic landscape of security operations, AI will work alongside security
analysts in SOCs to alleviate their workload, enhance efficiency and improve the quality of
threat identification and remediation. However, as AI advances, attackers will also leverage
the technology to develop more sophisticated and automated techniques to breach security
defenses, posing new challenges for SOC teams.
Security operations can be defined more broadly as a function that identifies, investigates
and mitigates threats. For example, it includes staff who are responsible for looking at
security logs. Continuous improvement is also a key activity of a security operations
organization.
The majority of a security operations analyst’s time is spent in the identify phase due to
false positives and low-fidelity alerts they must sort through. Correctly implemented
prevention-based architecture and automated correlation help reduce analyst exhaustion
and the time needed for this phase. Analyst exhaustion is a phenomenon where an
analyst no longer trusts the system designed to alert them of incidents. This lack of trust
comes from too many false positives or a system that does not properly report incidents
for effective response and investigation. It’s critical that the SOC is equipped with
infrastructure that analysts trust to fully respond to every alert.
Much of an analyst’s time is also spent in the mitigate phase. This is caused by the lack of
automated remediation along with unavailable or slow-to-respond teams outside of the
security operations organization that need to be involved in halting the attack.
Event: While an incident indicates potential threats, an event is any tracked activity on the
network. An event is not necessarily malicious, but it might be something to consider while
investigating an incident.
Threat prevention: Technology and processes used to mitigate, contain or stop a threat
before it damages systems or compromises infrastructure.
Prioritization: A value assigned typically by a sensor to an alert that helps analysts decide
which alerts should be reviewed first.
An in-house, next-generation SOC keeps the knowledge and control of the environment
within the business, provides flexibility in alerting, automates repetitive tasks, utilizes AI
with ML to prioritize and generate high-value alerts, and applies continuous improvement.
It can require a considerable investment upfront and will require all 84 elements of security
to be implemented.
Many organizations choose a hybrid solution with some functions outsourced, such as
using level one analysts to identify priorities. This solution provides access to subject
matter experts that may not be present in-house and can provide both flexibility and
scalability. It requires stringent communication agreements and tight processes around
escalations so that external and internal staff have the flexibility and ability to quickly
respond to incidents.
Regardless of the security operations delivery option, for the purposes of this book, the
security operations function will also be referred to as SecOps.
The SOC’s elements of security operations are organized into six pillars, encompassing the
capabilities crucial for meeting the business’s requirements.
All elements in this book work together to build an effective SOC. Removing just one
element will greatly affect the security and efficacy of a SOC, so the whole is greater than
the sum of its parts. The following is a brief overview of each pillar, but later sections will
expand on these definitions and explain each element in more detail.
2. Affiliates: External functions to help achieve security goals
3. People: Who will perform the work
4. Business: Goals and outcomes
5. Visibility: Information needed to accomplish goals
6. Technology: Infrastructure and architecture needed to provide visibility and enable staff functions
[Figure: The Elements of Security Operations. A grid of all elements, each shown as a two-letter tile, grouped under the six pillars: Processes, Affiliates, People, Business, Visibility and Technology.]
PROCESSES
The processes pillar defines the procedures executed by the SOC. Process elements are
broken up into four phases: identify, investigate, mitigate and continuous improvement.
These phases provide the foundations for an effective next-generation SOC.
This section explains the strategies necessary to implement SOC functions and facilitate
effective incident response.
SCOTT COLEMAN, Global Solution Architect, Cortex XSIAM—Security Operations, Palo Alto Networks
ALERTING
Having the right alerts is paramount for the SOC to be successful. Alerting defines the importance of an event and indicates whether or not it becomes an actionable incident.
Before an analyst starts processing alerts, security operations must benchmark standards
to determine when intervention for manual analysis is necessary.
Security operations should leverage alerting strategies to define what alerts analysts
should be looking at. Alerting strategies include the intended purpose of the alert,
prioritization, the types of technology and visibility that present alerts, technical context
provided, true positive validation and use cases for alerting analysts. Palo Alto Networks
uses the Alert Detection Strategy (ADS) framework. The ADS framework maps to the
MITRE Adversarial Tactics, Techniques and Common Knowledge (ATT&CK) Framework.
The ATT&CK Framework will categorize an alert so that an engineer can quickly review
and prioritize incidents for review. Creating a well-defined alerting strategy ensures that
analysts can actively monitor meaningful alerts and begin performing initial research on
an incident. Incorporating automation improves accuracy of alerts and reduces the number
of false positives.
STUART SAVAGE, Global Solutions Architect, Security Operations & Endpoint Security Services, Palo Alto Networks
INITIAL RESEARCH
Results from the initial research provide context around an incident to help gather
information to triage, escalate and determine if further investigation is needed or if the
alert is malicious or benign.
When an alert is triggered, the security operations team needs an easy way to gather
the information required to determine its severity and build the foundation for an
investigation. Initial research helps new and experienced analysts align to a set of common
tools to collect artifacts required for severity triage.
In legacy security operations teams, research was manually performed, often taking
the bulk of an analyst’s time to resolve an incident. With the development of SOAR
technologies, analysts now have the ability to document and automate initial research,
significantly reducing the effort required to process an alert. Automation plays a crucial
role in gathering and merging context from different technologies, simplifying access
to information related to an alert so analysts can conduct preliminary research more
conveniently.
SEVERITY TRIAGE
Severity triage allows analysts to easily communicate an incident’s risk and ensure
the appropriate response. The alert’s severity will also help guide an analyst’s actions
throughout the incident response lifecycle.
Every organization must determine its own risk tolerance and severity classifications. The
exact descriptions and business impact will vary from business to business. A 1–5 severity
level is recommended. The severity triage labels are critical, high, medium, low and
informational. A critical alert, or severity 1, calls for immediate attention and is indicative
of a breach. Some companies add a severity 0 to indicate an ongoing breach where the
attacker is attempting to exfiltrate, encrypt or corrupt data.
Incident risk and severity should be agreed upon between the business and the security
operations team, ensuring the appropriate responses occur when an incident arises.
Automation can also play a role in assigning severity.
ESCALATION PROCESS
Inside security operations, escalation may occur within staff tiers when an alert is outside
the scope of something an analyst has the ability to handle. These escalations serve as
learning opportunities for analysts. As organizations continue to automate security
operations, the need to escalate decreases, allowing tier 3 analysts more time to focus on
projects that work toward generating higher-fidelity alerts.
INCIDENT DISTRIBUTION
Empowering analysts with the responsibility to address a diverse range of alerts not only
expands their knowledge and expertise but also fosters a comprehensive understanding
of different use cases. By encountering unfamiliar alert types, analysts are constantly
challenged to broaden their skill set and become well-rounded in their field. Distributing
incidents across analysts ensures that they become acquainted with available resources
and mitigates the inclination to solely focus on familiar alerts. This approach cultivates
a proactive mindset, enabling analysts to handle any alert that comes their way with
improved speed, efficiency and effectiveness.
Furthermore, working with diversified alert types helps prepare analysts. By regularly
engaging with a wide range of alerts, analysts develop the capacity to quickly assess the
severity and significance of each situation, then prioritize and allocate resources effectively.
This exposure to diverse alert types hones their ability to identify patterns, recognize
anomalies and discern critical indicators, enabling them to respond promptly and make
informed decisions.
Overall, the intentional allocation of diverse alerts to analysts fosters continuous growth,
allowing them to expand their skill set, stay adaptable and remain agile in the face of
evolving threats. It creates a dynamic environment that encourages constant learning,
enhances problem-solving capabilities and strengthens the overall effectiveness of the
security operations team.
INVESTIGATION
While initial research is where analysts gather contextual data, an investigation seeks to
uncover the facts to more clearly understand the incident. An analyst should play the role
of a detective in the investigation phase. It’s a manual process that showcases the who,
what, when, where, why and how of an incident.
During the investigation phase, all relevant information is gathered and any remaining
gaps from the initial research are addressed. This includes identifying the affected IT assets
and business services and evaluating the effectiveness of available containment measures,
which inform the subsequent mitigation procedures. The primary goal is to gain a holistic
understanding of the security incident, including its potential impact, the objectives of the
adversary and the potential effectiveness of various containment measures. Armed with
this critical information, the analysts can make an informed decision on the appropriate
containment and mitigation strategy.
The investigation process plays a crucial role in confirming the validity of an incident,
allowing analysts to confidently distinguish between true incidents and false positives.
In the case of a false positive, providing feedback to content engineers or the security
engineering team becomes essential for fine-tuning alerts or updating controls,
respectively. This feedback loop ensures ongoing improvement and optimization of the
SOC’s detection and response capabilities.
INTERFACE AGREEMENT
These communication agreements outline the teams involved, scope of work, agreed-upon
expectations, communication paths and tools that will be utilized. Change request and
escalation processes must be defined within an interface agreement as a reference point.
It’s imperative the security operations team understands the minimum information
required to remediate an incident. Given the ever-changing nature of business,
agreements need to be reviewed regularly to ensure contacts and information are
accurately updated.
BREACH RESPONSE
A successful breach response requires a plan separate from standard mitigation. The breach response process defines an effective response during a business-disrupting security incident in which IT infrastructure is adversely impacted. First, the cross-functional stakeholders, including corporate communications, public relations and legal,
are identified. A timeline is established to identify how each stakeholder will be involved
and how they will be notified. Second, a SecOps lead responsible for providing information
to stakeholders must be identified, and necessary details on collected information need to
be defined. The frequency of updates, methods of updates and communication processes
should be included in the plan.
Predefined plans for disclosing company information and making public announcements
are likely in place. However, policies and proper training may need to be created to
prevent disclosure of breach details beyond the breach response team. There needs to be
an understanding of privileged information and non-disclosure policies. Breach response
plans require periodic testing throughout the year, at least once without the security
operations team’s prior knowledge.
MITIGATION
The mitigation process is not an isolated event but a crucial component of the continuous
improvement cycle within security operations. As incidents are addressed and analyzed,
proactive controls are identified based on the lessons learned from past experiences.
These proactive controls aim to enhance the organization’s overall security posture and
prevent similar incidents from occurring in the future. Insights and recommendations
for capabilities improvement are further discussed and incorporated into the continuous
improvement process. By iteratively enhancing its capabilities and refining its mitigation
strategies, the organization can better defend against evolving threats and strengthen its
overall security resilience.
PRE-APPROVED MITIGATION SCENARIOS
A pre-approved mitigation scenario involves parameters and guidelines that allow security
analysts to take immediate action without the need for additional approvals. This approach
prioritizes speed and agility in responding to security incidents while still considering the
potential impact on the organization’s overall risk posture. By empowering analysts to
make timely decisions within established parameters, pre-approved mitigation enhances
the organization’s ability to effectively contain and mitigate cyberthreats.
The incident response team should have a documented list of pre-approved scenarios the
analysts can use to mitigate incidents. Examples of pre-approved mitigation scenarios may
include freezing a process, locking a system or quarantining a device. Another example
is to create a dynamic process to block against a specific Indicator of Compromise (IoC),
such as known bad URLs, domains or IP addresses, without requiring a security commit
invoking a change request.
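One way to make such a documented list enforceable is a small policy gate that checks a proposed action against the pre-approved scenarios and their guard rails before it executes. The Python below is an added example, not code from the book or from Palo Alto Networks; the scenario names, host and indicator limits, crown-jewel hosts, internal networks and business domains are all constructed assumptions.

```python
"""Pre-approved mitigation gate (added example, not from the book).
An analyst proposes a containment action; the gate decides whether it falls
inside the documented pre-approved scenarios and can run immediately, or
must go through the change-request process. Scenario limits, guard-rail
lists and sample inputs are constructed assumptions."""
import ipaddress
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Pre-approved scenarios and the limits within which analysts may act alone.
PRE_APPROVED = {
    "freeze_process": {"max_hosts": 5},
    "isolate_host": {"max_hosts": 2},
    "block_ioc": {"ioc_types": {"ip", "domain", "url"}, "max_indicators": 50},
}
# Guard rails: anything listed here always goes through change control instead.
CROWN_JEWEL_HOSTS = {"dc01", "erp-db01"}                   # constructed placeholders
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
BUSINESS_DOMAINS = {"example.com"}                           # constructed placeholder
_DOMAIN_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9-]{1,63}\.)+[a-z]{2,63}$", re.I)

@dataclass
class Proposal:
    action: str
    targets: list           # hostnames for host actions, indicators for block_ioc
    ioc_type: str = ""      # "ip", "domain" or "url" when action == "block_ioc"

@dataclass
class Decision:
    approved: bool
    reason: str

def _indicator_problem(kind, value):
    """Return None if the indicator may be blocked under the scenario, else why not."""
    if kind == "url":
        parts = urlsplit(value)
        if parts.scheme not in ("http", "https") or not parts.hostname:
            return f"{value!r} is not an http(s) URL"
        try:
            ipaddress.ip_address(parts.hostname)
            return _indicator_problem("ip", parts.hostname)
        except ValueError:
            return _indicator_problem("domain", parts.hostname)
    if kind == "ip":
        try:
            addr = ipaddress.ip_address(value)
        except ValueError:
            return f"{value!r} is not a valid IP address"
        if addr.is_loopback or addr.is_link_local or any(addr in net for net in INTERNAL_NETS):
            return f"{value} is internal; blocking it needs a change request"
        return None
    if kind == "domain":
        name = value.lower().rstrip(".")
        if not _DOMAIN_RE.match(name):
            return f"{value!r} is not a valid domain name"
        if any(name == d or name.endswith("." + d) for d in BUSINESS_DOMAINS):
            return f"{value} is a business domain; blocking it needs a change request"
        return None
    return f"unknown indicator type {kind!r}"

def evaluate(proposal):
    """Approve only actions that stay inside a documented pre-approved scenario."""
    scenario = PRE_APPROVED.get(proposal.action)
    if scenario is None:
        return Decision(False, f"{proposal.action!r} is not a pre-approved scenario")
    if not proposal.targets:
        return Decision(False, "no targets given")
    if proposal.action == "block_ioc":
        if proposal.ioc_type not in scenario["ioc_types"]:
            return Decision(False, f"IoC type {proposal.ioc_type!r} is not pre-approved")
        if len(proposal.targets) > scenario["max_indicators"]:
            return Decision(False, "indicator count exceeds the pre-approved limit")
        for ioc in proposal.targets:
            problem = _indicator_problem(proposal.ioc_type, ioc)
            if problem:
                return Decision(False, problem)   # one bad indicator stops the whole batch
        return Decision(True, f"block {len(proposal.targets)} {proposal.ioc_type} indicator(s)")
    if len(proposal.targets) > scenario["max_hosts"]:
        return Decision(False, f"{len(proposal.targets)} hosts exceeds the limit of {scenario['max_hosts']}")
    jewels = sorted(h for h in proposal.targets if h.lower() in CROWN_JEWEL_HOSTS)
    if jewels:
        return Decision(False, f"{', '.join(jewels)} require a change request")
    return Decision(True, f"{proposal.action} on {', '.join(proposal.targets)}")

if __name__ == "__main__":
    for p in (Proposal("block_ioc", ["203.0.113.7"], "ip"),
              Proposal("block_ioc", ["https://login.example.com/"], "url"),
              Proposal("isolate_host", ["ws-1234"]),
              Proposal("isolate_host", ["dc01"])):
        print(p.action, p.targets, "->", evaluate(p))
```

Every Decision, approved or not, should be written to the case record so the quality review can see which actions ran under pre-approval and which were routed to change control.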
CHANGE CONTROL
Effective change control processes ensure alterations to the environment have minimal
impact on business productivity, and any changes are documented for rollbacks.
Administrators must identify information required for documentation and create a process
with formalized templates to ensure requests for changes are consistent. Timelines are
essential for review and rollback procedures, as these will need to be part of the change
control process. It will also be necessary to document specific details around individuals
authorized to request changes, change request processes, prerequisites and change
windows available for the modification.
GARETH BARUCH, Global Solution Architect, Cloud Security, Palo Alto Networks
VISIBILITY TUNING
This crucial step helps minimize false positives and low-fidelity alerts within the SOC.
During a security incident, an analyst might identify opportunities to enhance incident
detection and increase visibility through centralized log monitoring. In response, the
analyst will optimize the tuning process to improve visibility for future incidents. The
tuning process is guided by metrics collected from SOC systems and involves retiring alerts
that are outdated or ineffective.
It’s recommended that security staff review alerts quarterly, with a monthly review of
alert metrics.
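The alerting-strategy fields described under Alerting (purpose, prioritization, true-positive validation, ATT&CK mapping) and the metrics-guided retirement of ineffective alerts described here can be combined into one periodic review. The Python below is an added example, not code from the book or from Palo Alto Networks; the ADS-style rule fields, the review thresholds and the sample rules and closed cases are constructed assumptions.

```python
"""Metrics-driven detection-rule review (added example, not from the book).
Each rule carries an ADS-style definition (purpose, severity, ATT&CK technique);
closed cases record how each fired alert was dispositioned. The review computes
per-rule fidelity and analyst cost and recommends keep / tune / retire / review.
Thresholds, rule names and case data are constructed assumptions."""
from collections import Counter, defaultdict
from dataclasses import dataclass, field

@dataclass
class DetectionRule:
    rule_id: str
    purpose: str            # ADS "goal": why the alert exists
    severity: int           # 1 = critical ... 5 = informational
    attack_technique: str   # MITRE ATT&CK technique id the rule covers
    deprecated: bool = False

@dataclass
class ClosedCase:
    rule_id: str
    disposition: str        # "true_positive", "benign_true_positive" or "false_positive"
    triage_minutes: int

@dataclass
class RuleReview:
    rule_id: str
    fired: int
    true_positive_rate: float
    analyst_hours: float
    recommendation: str
    reasons: list = field(default_factory=list)

# Review thresholds (assumed policy values; set them from your own risk tolerance).
MIN_VOLUME = 20              # fewer alerts than this is too little data to judge
RETIRE_BELOW_TP_RATE = 0.05
TUNE_BELOW_TP_RATE = 0.30

def review_rules(rules, cases):
    """Return one RuleReview per rule, most analyst-time-consuming first."""
    by_rule = defaultdict(list)
    for case in cases:
        by_rule[case.rule_id].append(case)
    reviews = []
    for rule in rules:
        fired_cases = by_rule.get(rule.rule_id, [])
        fired = len(fired_cases)
        counts = Counter(c.disposition for c in fired_cases)
        # Benign true positives prove the logic works; they are tuning input, not noise.
        tp = counts["true_positive"] + counts["benign_true_positive"]
        tp_rate = tp / fired if fired else 0.0
        hours = sum(c.triage_minutes for c in fired_cases) / 60
        reasons = []
        if rule.deprecated:
            rec, note = "retire", "rule is marked deprecated"
        elif fired == 0:
            rec, note = "review", "never fired this period: coverage gap or broken log source?"
        elif fired < MIN_VOLUME:
            rec, note = "keep", f"only {fired} alerts, too few to judge"
        elif tp_rate < RETIRE_BELOW_TP_RATE:
            rec, note = "retire", f"true-positive rate {tp_rate:.0%} below {RETIRE_BELOW_TP_RATE:.0%}"
        elif tp_rate < TUNE_BELOW_TP_RATE:
            rec, note = "tune", f"true-positive rate {tp_rate:.0%} below {TUNE_BELOW_TP_RATE:.0%}"
        else:
            rec, note = "keep", ""
        if note:
            reasons.append(note)
        if rule.severity <= 2 and counts["false_positive"] > tp:
            reasons.append("high-severity rule producing more false than true positives")
        reviews.append(RuleReview(rule.rule_id, fired, round(tp_rate, 3),
                                  round(hours, 1), rec, reasons))
    reviews.sort(key=lambda r: r.analyst_hours, reverse=True)
    return reviews

# Constructed sample rules and closed cases for one review period.
SAMPLE_RULES = [
    DetectionRule("R-001", "Password spraying against the VPN portal", 2, "T1110.003"),
    DetectionRule("R-002", "Any outbound connection to TCP/4444", 3, "T1571"),
    DetectionRule("R-003", "Legacy AV hit on a retired file share", 4, "T1204", deprecated=True),
    DetectionRule("R-004", "Newly deployed LSASS memory-access rule", 1, "T1003.001"),
]

def _cases(rule_id, tp, benign_tp, fp, minutes):
    return ([ClosedCase(rule_id, "true_positive", minutes)] * tp
            + [ClosedCase(rule_id, "benign_true_positive", minutes)] * benign_tp
            + [ClosedCase(rule_id, "false_positive", minutes)] * fp)

SAMPLE_CASES = (_cases("R-001", 12, 6, 12, 15)
                + _cases("R-002", 1, 0, 59, 10)
                + _cases("R-003", 0, 0, 5, 5))

if __name__ == "__main__":
    for r in review_rules(SAMPLE_RULES, SAMPLE_CASES):
        print(f"{r.rule_id}: fired={r.fired} tp_rate={r.true_positive_rate:.0%} "
              f"hours={r.analyst_hours} -> {r.recommendation} {r.reasons}")
```

Ordering by analyst hours puts the rules that cost the most triage time at the top of the quarterly review, which is where tuning effort pays back fastest.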
PROCESS IMPROVEMENT
They make adjustments based on the results from previous security incidents and new
threats. When done correctly, process improvement helps security operations receive
better qualified alerts and reduce the number of false positives.
New technologies introduced to SecOps and the business may require incident response
process updates. Process improvement includes information about the individuals
responsible for updating incident process who have a foundational knowledge of incident
response. Changes are not always made on a daily basis, so process improvement needs
to define how often each process is reviewed. All improvements need to be reviewed for
accuracy and clarity and communicated with affected staff.
QUALITY REVIEW
A quality review confirms consistency among the analysts on the SecOps team. During
quality review, the analyst must verify that the appropriate information is documented
at the time the incident is closed so it can be used for future training. Peer reviews are
encouraged during a quality review.
The SOC will need to document who is responsible for reviewing changes and closed cases,
and security operations staff will determine the next time processes will be reviewed.
SecOps staff create processes to define the severity of cases that require review, the
items for review, feedback that will be provided and training opportunities after reviews.
Training must be delivered to the security operations organization and stakeholders to
improve the overall efficiency and efficacy of preventing breaches.
AFFILIATES
Security operations are not a silo and require several teams to function properly. The
affiliates pillar defines the people who support a SOC and perform manual functions that
cannot be done with automation. Interactions between teams must be defined so that
expectations are clearly stated. Identifying the scope of responsibility and separation of
duties will also reduce friction within an organization.
Palo Alto Networks has several teams that work directly with customer stakeholders and
operations staff, including global solutions architects, professional services consultants,
extended expertise consultants, customer success managers, service account managers
and designated engineers.
To determine teams and affiliates that are right for your business, ask the following
questions:
• What other functions of the business impact security operations?
• What other functions of the business do security operations impact?
• How will security operations work alongside these other teams?
• Who has ownership of responsibilities and what SLAs need to be documented?
• At what interval will team agreements be reviewed and updated?
TANNER KOOISTRA, Global Solution Architect, Security Operations, Palo Alto Networks
SECURITY AUTOMATION
Automation is critical for security success.
The security automation team is responsible for owning and maintaining automation tools, identifying automation opportunities, and implementing them within the incident response process. The security automation function should have a good understanding of the incident response process and ability to determine where automation can increase accuracy and reduce time to respond holistically.
improvement. When done correctly, security automation can result in cost and workforce efficiencies. This is a good three-year goal for an established organization: automate 50% of SOC work. By year five, most SOC teams can automate upwards of 75% of activities, freeing up engineers to perform threat hunting.
CONTENT ENGINEERING
A content engineer will analyze available tools, infrastructure capabilities and current
alerts to identify opportunities for new triggers to send to analysts for further review.
At least one content engineer must understand the visibility needed for incident response,
but they also need to be independent from the incident response team to ensure self-interest does not interfere with a review. Additionally, there must be a standardized rollout
process for each alert created.
An interface agreement between SecOps and the content engineering team needs to define
frequency of updates, the vetting process and feedback. It will identify ways staff members
request new or modified alerts. Properly configured alerts allow for prioritization of events
based on severity.
SOC INFRASTRUCTURE
The SOC infrastructure team maintains redundancy, availability and visibility within
security infrastructure. The infrastructure team must be prepared for unforeseen
circumstances, such as a rapid rollout of an at-home workforce during a pandemic.
Security operations staff must define an infrastructure team’s job function. Will they
be responsible for licensing, maintaining and updating tools? Will they manage the
underlying architecture (e.g., CPU, RAM, storage, cloud implementation) or will that be
handled by another team? SLAs with the team are defined to cut down on friction between
teams and to establish clear interface agreement. It is important that each member of the
team can identify their job responsibilities to ensure the correct tools and procedures are
always implemented and up-to-date.
THREAT HUNTING
Threat hunting is a structured, agile sprint with a definitive beginning and end to gather
information for the benefit of the SecOps team. A threat hunt investigates strings known to
deliver malicious payloads. If a string is determined to be benign, it is retired or revisited at
another time.
There are three types of threat hunting: structured, tool and unstructured. Structured
threat hunting happens when analysts actively search for incidents that did not result in
an alert. Tool hunting uses machines to hunt based on algorithms and machine learning
to find anomalies that trigger an alert. Unstructured threat hunting generates data that
analysts can search to identify anomalies and is often replaced by tool hunting.
A threat hunting outcome provides feedback for capability improvements and visibility
tuning to refine alerts and reduce false positives. Analysts use threat hunting to better
detect and mitigate future threats that might not be seen yet in the wild.
PETER WLODARCZYK, Senior Consultant, Endpoint & Security Operations Services, Palo Alto Networks
THREAT INTELLIGENCE
A team of threat intelligence staff utilizes real-time information feeds from human and
automated sources for background details, specifics and consequences of present and
future cyber risks, threats, vulnerabilities and attack vectors. They also provide threat
landscape reports to security teams responsible for updating the organization’s security
stack. Threat intelligence notifies threat hunters and security operations teams when new
alerts and IoCs have been identified and validated.
Threat hunters use the data collected by threat intelligence to prioritize and search for
active IoCs. The content engineering team builds new alerts based on new IoCs provided by
threat intelligence. Threat intelligence increases security staff's ability to identify and
investigate critical alerts, and it also helps reduce console burnout.
Related Elements:
ALEX KREPELKA
Lead Security Engineer,
Palo Alto Networks
The business liaison understands the business and helps identify and explain the impact
of security. This includes keeping up-to-date with new product launches and development
schedules, onboarding new branch offices and handling mergers and acquisitions where
legacy networks and applications need to be brought into the main security program.
A business liaison can also be responsible for partner, vendor and team communication
management. For example, if an organization were to switch from Google Workspace™ to
Microsoft 365™, new vulnerabilities and access points need monitoring. Additionally, new
use cases for Microsoft 365 must be implemented and other use cases that pertained to
Google Workspace could be retired.
Related Elements: AppSec, Enterprise Architecture, IT Operations, SOC Infrastructure, Collaboration
The GRC group governs risks and runs audits against the environment to discover non-
compliance. They notify security staff if any assets are found to be non-compliant, so that
adjustments can be made to ensure the organization meets compliance standards.
Related Elements:
The Red Team ethically conceals its actions while testing the security operations team,
exposing weaknesses in current practices. During this process, the Red Team performs
penetration testing, probes for vulnerabilities that may not have been patched and runs
exploits against newly found vulnerabilities. Actively attempting to exploit vulnerabilities
is one way the Red Team helps improve incident response.
Blue Teams make up the staff responsible for detecting and mitigating Red Team activity.
The Blue Team determines the efficacy of currently installed security infrastructure.
Composed of members from both the Red and Blue Teams, the Purple Team has a neutral
interest in security operations success: if one team is noticeably winning, the Purple Team
helps steer both the Red and Blue Teams back on course. For example, if the Red Team is not
finding an opportunity to penetrate the network, the Purple Team provides additional
guidance on targets to move the exercise forward. Conversely, if the Red Team is gaining a
significant foothold, the Purple Team may step in to recommend detection and mitigation
measures to the Blue Team, ensuring the engagement results in an active learning
experience and helps the security team build necessary skills.
Adversarial emulation is critical for effective Red and Blue teaming. The Purple Team
assists with cyberthreat intelligence, offering tactics, techniques and procedures while
improving overall cyber resilience. Replaying steps of an attacker helps security operations
better prepare and respond to current threats.
PURPLE TEAM
• Facilitates Collaboration Among Red & Blue Team
• Improve Organizational Security Posture
• Test Skills of Both Red and Blue Teams
• Threat Intelligence
RED TEAM
• Offensive Security
• Penetration Testing
• Vulnerability Assessment
• Social Engineering
BLUE TEAM
• Defensive Security
• Incident Response
• Threat Hunting
• Operational Security
Enterprise architecture designs cover the types of workstations and device portals used
to connect to the network, along with workstation limitations. They do not necessarily
cover network configurations, but they do include the infrastructure that must offer both
security and productivity, as well as the processes for creating and maintaining
architecture flowcharts and diagrams. As new networks are deployed, the enterprise
architecture team notifies the security operations team of the expanded attack surface.
Related Elements:
ASM scans assets to find public-facing Internet Protocol (IP) addresses, detect unpatched
infrastructure and retire systems no longer in use.
The ASM team notifies the security operations team of any vulnerabilities so they can work
with either enterprise affiliates to decommission servers or security affiliates to retire
legacy systems that expose vulnerabilities.
Related Elements:
Attack surface management “is an emerging category of solutions that aims to help
organizations address this challenge by providing an external perspective of an
organization’s attack surface. An organization’s attack surface is made up of all internet-
accessible hardware, software, SaaS and cloud assets that are discoverable by an attacker.
In short, your attack surface is any external asset that an adversary could discover, attack
and use to gain a foothold into your environment.”
SANS lists some common use cases for adoption of an ASM solution, including:
• Identification of external gaps in visibility
• Discovery of unknown assets and shadow IT
• Attack surface risk management
• Risk-based vulnerability prioritization
• Assessment of mergers and acquisitions (M&A) and subsidiary risk
When new vulnerabilities are found, application security (AppSec) validates that systems
are updated and patched. Otherwise, the security team is notified that changes are
required, and SecOps will need to be notified of vulnerabilities and IoCs in order to monitor
systems.
Application security teams communicate frequently with the content engineering team
to create new alerts, advise threat intelligence of new IoCs and gather feedback from the
threat hunting team about hunts conducted on new use cases.
Related Elements:
The help desk is usually a department within the organization, but it can also be an
outsourced service. Staff for the help desk provide end-user support for corporate IT
assets.
If an end user experiences bugs in applications on their system, there may be malicious
content on their machine. If a review determines that a machine is compromised, it’s
then quarantined. Conversely, when a device is quarantined with automated mitigation or
security teams cannot access it, security operations notify the help desk, which performs
mitigation on the infected device at a limited capacity to alleviate work for security staff.
Security operations frequently open tickets with the help desk to re-image machines,
request system patching or reject unauthorized assets from joining the network. The help
desk organization communicates often with the vulnerability management team about
patches, outdated operating systems, newly authorized operating systems and supported
platforms. Interactions with the help desk provide opportunities for automation, and
having a closed-loop process between the teams ensures IT requests are handled to reduce
noise in the SOC.
Related Elements: Interface Agreement, Pre-approved Mitigation, Information Technology Operations,
Server Operations, Collaboration, Mitigation, Business Liaison, Red & Purple Team, Tabletop Exercise
If security operations discover an issue with an asset, they work with the asset
management team to understand the asset, the asset responsibility and ownership. An
asset management database stores information, allowing the security operations team to
identify assets.
The asset management team is responsible for recording assets within a corporation,
helping investigate and communicating results to owners once the SecOps team performs
an investigation.
Related Elements: Breach Response, Investigation, Mitigation, Business Liaison, Collaboration
Related Elements:
H.S. SONG
Global Solution Architect,
Cloud Security,
Palo Alto Networks
IT manages, monitors and responds to alerts from security systems, work that resembles
security operations but differs in scope and priorities. A team overseeing infrastructure
manages servers outside the scope of the help desk, including cloud operations for
technologies such as SaaS, platform as a service (PaaS) and infrastructure as a service
(IaaS). ITOps success is measured in uptime, system availability and performance.
Availability will almost always take precedence over vulnerability patching.
ITOps communicates with security operations during network outages. They also work
with security operations when assets run vulnerable operating systems. ITOps notifies
the security operations team of new software versions and deprecated operating systems.
When a vulnerable operating system is found, notifications are sent to threat hunting
staff and content engineers until IT can decommission the software or patch the codebase.
SecOps must be involved with the timeline between a discovered vulnerability and the
remediation.
Related Elements:
SERVER OPERATIONS
Development, implementation and maintenance of servers is the responsibility of server
operations.
This team works closely with attack surface management to help remediate vulnerabilities.
While the ITOps team looks at an organization’s network, the server operations team
oversees servers both internally and externally.
Related Elements:
The operational technology (OT) security team is responsible for identifying and
understanding OT devices, internet of things (IoT) and industrial internet of things (IIoT)
connected on the network, along with managing and maintaining systems. This team
is much like a combination of an endpoint and network security team because many of
the monitored devices are unable to run an endpoint security application or traditional
firewalls. Identifying normal behavior from OT, IoT and IIoT devices is critical to maintain
security posture. This includes permissions to authorize activity from programmable logic
controllers (PLCs) or supervisory control and data acquisition (SCADA) systems, which can
be destructive to OT, IoT and IIoT processes. For example, data that comes from medical
equipment, such as MRI machines, needs to be securely stored and unreachable by certain
entities on a network.
Source: iSMG | Securing Industry 4.0 | Manage Cyber Risk in Smart Manufacturing Operations | 2022
Similar to other security affiliates, the OT security team will communicate with asset
management, enterprise architecture, threat hunting and the content engineering teams to
identify active OT threat use cases and notify the security operations team.
It’s important that the security operations team is in contact with the operational
technology team to share discovered devices, operating system vulnerabilities and
necessary security controls for protection. The SecOps team also understands expected
traffic flow for the OT network and ensures that security operations are aware of abnormal
activity.
Related Elements:
Communication between teams remains a vital aspect. The network security team will
establish a communication channel with the group implementing the network security
policy, which may or may not be a separate team. Change control processes will include any
specific information required for network security updates and follow the standard change
control steps established for other changes within the business.
Related Elements:
The scope of the endpoint security team involves applying profiles to the various endpoints
throughout the network, including all PCs, Macs, servers, phones, tablets and assets that
are endpoint entities on a network.
All endpoints must be monitored for malicious activity, vulnerabilities, information that
can be used for triggers and exceptions, as well as events occurring within an endpoint.
The endpoint security team is responsible for collecting behavioral information about
various endpoints, benchmarking standard behavior and identifying anomalies that trigger
security alerts. For example, if a machine uploads a 10 MB file containing financial
information to an external server every Friday, this is a behavioral anomaly that the
endpoint security team needs to review. Even if there is a reasonable explanation for the
upload, investigation is needed.
The endpoint security team works to ensure that behavioral profiles are set up properly
so that an anomaly is identified as abnormal in analyst alerts. If the anomaly is malicious,
security operations are made aware as quickly as possible.
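The recurring-upload case above is essentially a per-host baseline with two checks: a day whose egress volume deviates from that host's own history, and a destination the host has never contacted before. The block below is an added example written for this page, not code from the guide or from any Palo Alto Networks product; the telemetry records, host names and destinations in it are constructed placeholders. It uses a median/MAD score instead of mean/stdev so that the anomalous days themselves do not inflate the baseline they are measured against, and it then groups flagged days by weekday to surface the "every Friday" pattern the text describes.

```python
"""Endpoint behavioral baseline check.

Added example, not code from the Elements of Security Operations guide.
Every telemetry record below is constructed for illustration; the host
names and destinations are placeholders.
"""
from collections import defaultdict
from datetime import date
from statistics import median

# Constructed egress telemetry: (host, ISO timestamp, destination, bytes sent).
# ws-042 sends ~300 KB to a vendor host each morning, plus a 10 MB upload to
# a never-before-seen host late on two consecutive Fridays (10 and 17 May 2024).
TELEMETRY = [
    ("ws-042", "2024-05-06T09:10:00", "updates.vendor.example", 300_000),
    ("ws-042", "2024-05-07T09:12:00", "updates.vendor.example", 280_000),
    ("ws-042", "2024-05-08T09:09:00", "updates.vendor.example", 310_000),
    ("ws-042", "2024-05-09T09:11:00", "updates.vendor.example", 295_000),
    ("ws-042", "2024-05-10T17:55:00", "files.unknown-host.example", 10_485_760),
    ("ws-042", "2024-05-13T09:10:00", "updates.vendor.example", 305_000),
    ("ws-042", "2024-05-14T09:08:00", "updates.vendor.example", 290_000),
    ("ws-042", "2024-05-15T09:11:00", "updates.vendor.example", 300_000),
    ("ws-042", "2024-05-16T09:10:00", "updates.vendor.example", 285_000),
    ("ws-042", "2024-05-17T17:58:00", "files.unknown-host.example", 10_485_760),
    # ws-007 is a quiet host with a flat profile; it should never be flagged.
    ("ws-007", "2024-05-06T10:00:00", "updates.vendor.example", 200_000),
    ("ws-007", "2024-05-07T10:00:00", "updates.vendor.example", 200_000),
    ("ws-007", "2024-05-08T10:00:00", "updates.vendor.example", 200_000),
    ("ws-007", "2024-05-09T10:00:00", "updates.vendor.example", 200_000),
]

ROBUST_Z_THRESHOLD = 3.5  # conventional cutoff for the MAD-based score


def daily_totals(records):
    """Sum bytes per (host, day) and collect the destinations contacted that day."""
    totals = defaultdict(int)
    dests = defaultdict(set)
    for host, ts, dest, nbytes in records:
        day = date.fromisoformat(ts[:10])
        totals[(host, day)] += nbytes
        dests[(host, day)].add(dest)
    return totals, dests


def robust_z(value, history):
    """Median/MAD z-score: unlike mean/stdev it is not inflated by the outliers
    themselves, so the anomalous days can stay in the baseline window."""
    med = median(history)
    mad = median(abs(v - med) for v in history)
    if mad == 0:  # perfectly flat history: anything above it is a deviation
        return float("inf") if value > med else 0.0
    return 0.6745 * (value - med) / mad


def find_anomalies(records, threshold=ROBUST_Z_THRESHOLD):
    """Return {host: [(day, [reasons])]} for days deviating from that host's own baseline."""
    totals, dests = daily_totals(records)
    per_host = defaultdict(dict)
    for (host, day), nbytes in totals.items():
        per_host[host][day] = nbytes
    findings = defaultdict(list)
    for host, days in per_host.items():
        history = list(days.values())
        baseline = int(median(history))
        seen = set()
        for day in sorted(days):
            reasons = []
            if robust_z(days[day], history) > threshold:
                reasons.append(f"egress {days[day]:,} B vs baseline {baseline:,} B")
            new = dests[(host, day)] - seen
            if seen and new:  # skip the first observed day: everything is new then
                reasons.append("first-seen destination: " + ", ".join(sorted(new)))
            seen |= dests[(host, day)]
            if reasons:
                findings[host].append((day, reasons))
    return dict(findings)


def recurring_weekdays(findings):
    """Weekdays on which a host was flagged more than once (the 'every Friday' pattern)."""
    out = {}
    for host, items in findings.items():
        counts = defaultdict(int)
        for day, _ in items:
            counts[day.strftime("%A")] += 1
        recurring = sorted(w for w, c in counts.items() if c >= 2)
        if recurring:
            out[host] = recurring
    return out


if __name__ == "__main__":
    found = find_anomalies(TELEMETRY)
    for host, items in found.items():
        for day, reasons in items:
            print(host, day, day.strftime("%A"), "; ".join(reasons))
    print("recurring:", recurring_weekdays(found))
```

Run stand-alone, the script flags ws-042 on 10 and 17 May (the first time with both the volume and the first-seen-destination reason, the second time with volume only, since the destination is then known) and reports Friday as the recurring weekday; ws-007 produces nothing. The output is a review queue for the endpoint team, not a verdict: as the text says, even a benign explanation still needs the investigation.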
Interface agreements are defined between the endpoint security, endpoint security policy
implementation and infrastructure deployment teams. The change control process
includes any specific information that is required for endpoint security updates but follows
the standard change control steps established for other changes within the business.
The team must communicate with the business to define endpoint technologies and
operating systems that will be authorized and address their security concerns. Regular
contact between the team and the business helps plan for any new systems that will be
incorporated into the business via technology adoption or M&A.
Related Elements:
The cloud security team is responsible for the development, implementation and
maintenance of a cloud security policy and notifying SecOps of new assets and networks.
They are expected to implement security controls to various cloud assets as protection
against a compromise.
Communication channels are created between the cloud security team and the group that
will implement the cloud security policy, which could be the same team. Although the
change control process overseeing cloud infrastructure documents information required
for the cloud security updates, it still follows the standard change control steps established
for other changes within the business.
Related Elements:
BEN NICHOLSON
Global Practice Leader,
Cloud Security,
Palo Alto Networks
SECURITY PILLAR 3:
PEOPLE
The people pillar defines the individuals that will be managing the SOC, interfacing with
stakeholders, investigating incidents and constantly improving processes. Many enterprise
organizations face challenges hiring and retaining analysts.
The people pillar ties in with automation to reduce analyst workloads and allow them to
focus on threat hunting and incident response on accurate alerts. Organizations must find
people that can handle workloads and fit the corporate culture.
Support for pillars depends on the staff hired to manage infrastructure and the SOC. The
people pillar comprises two categories: enablement and growth. Enablement ensures that
staff has the knowledge, resources and confidence needed to do their work well. Growth
establishes opportunities for people to progress in their skills and defines the roles and
responsibilities of each position. Both categories benefit the organization and help with
detection and mitigation of current and new threats.
MICHAEL GREGG
Chief Information Security Officer,
North Dakota Information Technology
TRAINING
Properly training staff within an organization creates consistency, drives effectiveness
and reduces risk.
An organization must understand requirements to onboard and help new staff get up to
speed with the goals and objectives of the security operations team. Onboarding training,
while accessible to all staff members, introduces new employees to formal documentation
around organizational infrastructure, tools, processes and communication. Impactful
onboarding programs include time for analysts to shadow existing analysts and frequently
update content to ensure accuracy. These types of programs help new employees develop
the skills, understanding and confidence needed to begin contributing much sooner than
those without.
Related Elements: Tabletop Exercise, Staffing, Knowledge Management
Tools
One key hallmark of a profession (versus simply a trade) is the promotion of not only
training but true scholarship in the area of study. Accompanying that comes research
and theory that drives the profession to new heights and to greater applicability in the
workplace. This is particularly critical in cybersecurity, where practitioners have to be
able to make informed decisions at a faster rate than their opponents.
Analysts also need to understand information they receive about a certain type of ticket and
the information needed to quantify an incident, but analysts can only be consistent when
they have robust processes and procedures in place.
Related Elements:
Palo Alto Networks Tabletop Exercises are custom-built, multi-scenario pen-and-paper
exercises that engage affiliating teams and mimic a live environment.
• Expand Security Awareness Beyond SOC
• Enable Organizational Collaboration
• Leverage the interactive nature of a tabletop for increased organizational awareness
Train like you fight—security teams need to have a sparring partner to develop new
defenses and build muscle memory. SOC teams continuously need to engage with Red
Teams (to run Purple Team exercises) and conduct adversary simulations to continuously
remain ahead of the threats.
LUCAS PIPPENGER
Active Defense Team Lead,
State of North Dakota
Well-built tabletop exercises are built progressively with layers of depth, multiple answers
and multiple paths to succeed. Implementing red herrings into tabletops adds a degree
of complexity to an exercise, since it may lead SecOps down a rabbit hole and will allow
them to recognize the context that they missed themselves. Tailoring tabletops to the
organization’s industry and known attack vectors gives SecOps the opportunity to work
through a threat they may not be familiar with but could see in the future. If a tabletop
ventures outside the realm of an industry, it’s not entirely benefiting the stakeholders
involved in a meaningful way.
Tabletop exercises should be conducted on a quarterly basis, or at the very least, annually.
When these exercises are conducted more regularly, processes will become more innate
to all involved. The results of each tabletop lead to the next tabletop and give a time frame
benchmark that allows participants to grow over time. Tabletops are not meant to become
routine, and thus, a particular scenario should never be repeated two times in a row.
When conducted well, tabletop exercises will keep the SecOps team vigilant and expose
inconsistencies as they arise.
Related Elements:
Employees need opportunities for challenges to gain experience necessary for career
progression. Providing these opportunities is beneficial for organizations as well, as
employees bring enhanced knowledge to their daily roles, leading to increased productivity.
Before content engineering, it was common to see analysts putting 100% of their time
toward monitoring the queue. With computer intervention, analysts were given the
opportunity to shift their focus to monitoring alerts, enrichment opportunities and
investigations. However, this leads to the age-old problem in the cyber industry of console
burnout. It is not uncommon to see analysts staring at the same dashboard and responding
to the same events day after day—which leads to higher employee turnover.
To help avoid burnout, analysts need opportunities to dedicate time to projects that
enhance their abilities and provide insight into the processes. Impactful projects provide
a sense of purpose, which leads to satisfaction, alleviates burnout and reduces employee
turnover.
Related Elements: Alerting, Governance Risk & Compliance, Metrics, Content Engineering, Mission, Staffing
JOE BONNELL
Founder & CEO,
Alchemy Security
The skills required for career path progression are not limited to technical skills;
employees must also develop soft skills required to advance, such as positively influencing
peers, leading projects well and taking initiative. Soft skills also need to be defined for
positions so employees know where they can practice developing these skills.
When an employee is interested in moving to another role within the organization, the
first step is having a conversation with their manager. Managers should make it known
they are open to these conversations, and it is their responsibility to give team members
opportunities to develop, so when an opportunity arises their team can take advantage of
it. It is the employee’s responsibility for initiating the conversation if there is a motive to
advance and ask for feedback or areas the manager sees they need to further develop in
order to be successful in a new position.
Related Elements:
Building great teams may be the most crucial element of a security program. In most
SOCs, it’s perhaps inevitable that attrition will be a problem, as the job can burn
analysts out while the skills they learn enable them to find more engaging work.
Great organizations find ways to automate the transactional security activities, to
free up their analysts to work on the things that excite them and matter more to the
organization.
BRETT WAHLEN
Chief Information Security Officer,
Amazon Prime Video
The business pillar defines the purpose of the SecOps team to the organization. In every
organization, a budget is required to fund and maintain its cybersecurity and security
operations as well as unique business requirements. A SOC should bring more cost-
savings benefits than the consequences of a compromise, while also meeting your business
requirements for security and data integrity. The organization and SOC leaders must define
the SOC functionality objectives to bring benefits to the business.
The mission is foundational to the security operations team and critical for driving SecOps
goals and objectives. Financial elements encompass the budget and planning elements
and establish an understanding for SecOps’ requests for funding to meet their mission.
Executive visibility provides a means of conveying success to various stakeholders and
organizational leadership. Continuity ensures security operations run smoothly and stay
consistent with the mission. GRC audits an organization’s risk and establishes boundaries
for security operations around regulatory compliances and policies the business must
adhere to.
DAWN-MARIE HUTCHINSON
OnePharma Information Security Officer,
GSK
MISSION
Mission is the foundational element of an entire security operations team. The mission
statement serves as the SOC's objective and defines SecOps team job functions, how they
do it and why they do it.
The mission statement also defines the purpose of security operations for the organization
and what the organization can expect from SecOps. The security operations team develops
the mission statement as a long-term driving goal established for security operations. The
statement drives and showcases successes within security operations by demonstrating
how the team is continually working toward or meeting the objectives.
When a security operations team is first established, the mission statement is the first
item defined and serves as the overarching goal that SecOps is looking to progress towards
and achieve. The mission statement drives the goals of the security operations team and
business objectives.
Related Elements: Severity Triage, Employee Utilization, Budget, Facility, Planning
STUART SAVAGE
Global Solution Architect,
Endpoint and Security Operations,
Palo Alto Networks
When a budget is granted, it will be allocated directly back to the plan. If the budget is lower
than proposed, the SecOps team will need to begin compromising to get the best plan with
the budget available.
Budget will need to address capital expenditure (CapEx) versus operating expenditure
(OpEx), as well as initial start-up expenses versus continued operations expenses.
Outside of staffing expenses, there are many recurring software expenses such as licensed
software, as opposed to tangible assets. A business-savvy budgeting resource can help
navigate these expenses and the business expectations.
Related Elements: Severity Triage, Facility, Mission, Planning
Proper planning encompasses every element of the security operations team and guides
the security organization towards achieving its goals. A plan includes details of the SOC’s
main business drivers, vision, strategy, service scope, deliverables, responsibilities,
accountability, operational hours, stakeholders and statement of success.
Planning is done with a three-year vision, which ensures the continuation of operations,
even in times of rotating executives that may have execution variances, to provide the
expected value to the business. Developing an investment strategy is also part of planning,
and includes technology purchases, automation goals and staffing investments. Aligning
the investment strategy tightly to the business priorities is important. For example, if there
is a large M&A strategy or digital transformation to the cloud, the investment plan will
support those initiatives.
Establishing strong plans also equips the security operations team with necessary details
to request budget needed, as they can show how the funds will be allocated. Without a plan,
it is hard to ask for the proper budget and show how the funds will help security operations
align with its mission for the business.
Related Elements: Severity Triage, Budget, Mission
ALEX WOOD
Vice President,
Information Security/Chief Information Security Officer,
Pulte Group, Inc
Some foundational metrics are no longer used, including events per analyst hour (EPAH)
and mean time to resolution (MTTR). Both metrics have merit in providing an overarching
understanding of whether there are more events than there are analysts to resolve them.
However, neither metric is good at judging the success of security operations or the
effectiveness of an analyst, because they incentivize the wrong behavior.
Caution must be taken when measuring team member performance. Ranking top
performers by number of incidents handled can skew results and may lead to analysts
“cherry-picking” incidents that they can quickly resolve. Other metrics can showcase the
value of security operations and a drive toward being better.
Business-level metrics are a primary tool to measure against goals outlined by the
organization, showcasing the return on investment (ROI) and where further investment is
required. Operational metrics are used to measure against the SecOps team and supporting
teams, determining the actual effectiveness of team members, processes and procedures
being used. Capability metrics ensure technology is performing as expected, and the
visibility needed is continually implemented through continuous improvements.
Related Elements:
DUSTIN GRAY
Consulting Services Manager,
Endpoint and Security Operations,
Palo Alto Networks
Reports collect data to show how well security operations are performing and where
deficiencies lie. The outcome of reporting will not necessarily drive changes in behavior;
reporting is meant to track current activity. Deficiencies are highlighted to help SecOps
teams identify where additional budget, headcount, technologies or improvements can be
made.
Daily reports include open incidents with details centered on daily activity. Weekly reports
identify security trends to initiate threat-hunting activities, which include the number
of cases opened and closed and conclusions of the tickets (e.g., malicious, benign, false
positives). The organization’s chosen reporting solution includes information such as the
number of security use cases triggered and their severity and number of hours distributed
throughout the day.
Monthly reports focus on the overall effectiveness of the SecOps function. These reports
cover topics such as how long events sit in queue before being triaged, whether staffing
in the SOC is sufficient for quick analysis and mitigation, the efficacy of rules to manage
emergencies and alert accuracy versus false positives.
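The weekly and monthly roll-ups described above are straightforward aggregations over the case queue: cases opened and closed in a window, their dispositions, how long cases sat before triage, and alert accuracy versus false positives. The block below is an added example for this page, not code from the guide or from any reporting product; the ticket records are constructed and the field names (`opened`, `triaged`, `closed`, `disposition`) are assumptions rather than any product's schema. Deliberately, nothing in it is keyed to an individual analyst, in line with the caution in the metrics section about per-person rankings.

```python
"""SOC reporting roll-ups over a ticket queue.

Added example, not code from the Elements of Security Operations guide.
The ticket records below are constructed; field names (opened, triaged,
closed, disposition) are assumptions, not any product's schema.
"""
from collections import Counter
from datetime import date, datetime, timedelta
from math import ceil
from statistics import median

# Constructed tickets. 'closed' is None while a case is still open.
TICKETS = [
    {"id": "INC-1001", "opened": "2024-05-06T08:05", "triaged": "2024-05-06T08:20",
     "closed": "2024-05-06T10:00", "disposition": "malicious"},
    {"id": "INC-1002", "opened": "2024-05-06T13:40", "triaged": "2024-05-06T13:48",
     "closed": "2024-05-07T09:00", "disposition": "false_positive"},
    {"id": "INC-1003", "opened": "2024-05-07T02:15", "triaged": "2024-05-07T05:30",
     "closed": "2024-05-07T06:00", "disposition": "benign"},
    {"id": "INC-1004", "opened": "2024-05-08T11:00", "triaged": "2024-05-08T11:30",
     "closed": "2024-05-08T11:45", "disposition": "false_positive"},
    {"id": "INC-1005", "opened": "2024-05-10T16:50", "triaged": "2024-05-10T17:05",
     "closed": None, "disposition": None},
    {"id": "INC-1006", "opened": "2024-05-11T03:00", "triaged": "2024-05-11T09:10",
     "closed": "2024-05-11T10:00", "disposition": "benign"},
    {"id": "INC-1007", "opened": "2024-05-14T09:00", "triaged": "2024-05-14T09:05",
     "closed": "2024-05-14T09:30", "disposition": "malicious"},
]


def _dt(value):
    return datetime.fromisoformat(value)


def queue_minutes(ticket):
    """Minutes a case waited in the queue before an analyst triaged it."""
    return (_dt(ticket["triaged"]) - _dt(ticket["opened"])).total_seconds() / 60


def percentile(sorted_values, p):
    """Nearest-rank percentile on an already sorted list."""
    idx = max(ceil(p * len(sorted_values)) - 1, 0)
    return sorted_values[idx]


def weekly_report(tickets, week_start):
    """Cases opened and closed in the 7 days from week_start, plus dispositions of the closed ones."""
    week_end = week_start + timedelta(days=7)

    def in_week(stamp):
        return week_start <= _dt(stamp).date() < week_end

    opened = [t for t in tickets if in_week(t["opened"])]
    closed = [t for t in tickets if t["closed"] and in_week(t["closed"])]
    return {
        "opened": len(opened),
        "closed": len(closed),
        "still_open": sum(1 for t in opened if t["closed"] is None),
        "dispositions": dict(Counter(t["disposition"] for t in closed)),
    }


def monthly_report(tickets, triage_sla_minutes=60):
    """Queue time before triage and alert accuracy: the monthly effectiveness view."""
    waits = sorted(queue_minutes(t) for t in tickets if t["triaged"])
    closed = [t for t in tickets if t["closed"]]
    false_positives = sum(1 for t in closed if t["disposition"] == "false_positive")
    return {
        "median_queue_min": median(waits),
        "p90_queue_min": percentile(waits, 0.9),
        "sla_breaches": sum(1 for m in waits if m > triage_sla_minutes),
        "false_positive_rate": round(false_positives / len(closed), 3) if closed else None,
    }


def openings_by_hour(tickets):
    """Hour-of-day histogram of case creation; shows when the queue actually fills."""
    return Counter(_dt(t["opened"]).hour for t in tickets)


if __name__ == "__main__":
    print("weekly ", weekly_report(TICKETS, date(2024, 5, 6)))
    print("monthly", monthly_report(TICKETS))
    print("by hour", sorted(openings_by_hour(TICKETS).items()))
```

On the constructed data the week of 6 May shows six cases opened, five closed and one carried over, while the monthly view shows a 15-minute median wait but a 90th percentile of 370 minutes: the two overnight cases are the SLA breaches, which is exactly the staffing-coverage question the monthly report is meant to raise. The hour-of-day histogram feeds the same discussion by showing when the queue fills relative to shift boundaries.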
Related Elements:
This also relates to facility changes and shift handovers where the security operations team
needs to ensure continuity 24/7/365. If a key component to operating a SOC is lost, such as
a log source or alert engine, an organization needs to have a plan to navigate the disaster
and continue operating smoothly. Guidelines on surviving unforeseen catastrophes, such
as a loss in data center connectivity, are often laid out in a disaster recovery plan. Disaster
recovery practices are given to key personnel every year to ensure they are aware of what
must be done in the event of a disaster.
Related Elements: Severity Triage, Training, Risk & Compliance
When deciding on a facility, it is important that the SOC has its own separate space for
the SecOps team to view events without outside entities peering over their shoulder
and looking at the incidents or vulnerabilities within an organization. Only authorized
personnel can enter the SOC. Many companies are moving toward cyber-defense centers,
or SOC fusion centers, where there is more than just the SecOps team sitting in one room.
Fusion centers can help immensely with communication between teams.
If a breach does occur, a SecOps team will need access to a “war room,” which is segregated
from the main rooms, to handle an incident until it has been resolved. The war room is
where critical staff come together to determine the plan for mitigation, containment and
eradication of a threat. It’s important to have an operations plan if a facility becomes
unavailable.
Related Elements: Severity Triage, Budget, Planning
WIKUS SAAIMAN
Director,
Information Security,
CITEC
Staffing cybersecurity roles remains one of the biggest challenges in the technology
industry, and trying to hire security operations staff introduces additional layers of
complexity. Roles of a SOC can include Tier 1 analysts, Tier 2 analysts, Tier 3 analysts,
threat intelligence and hunting specialists, depending on the size of the organization.
Staffing a SOC includes recruiting, screening and selecting analysts and other personnel.
At Palo Alto Networks, our SOC story is highly optimized in that we actively chose
to break away from the traditional four-tier SOC approach, ranging from Tier 1
analysts who monitor, prioritize and investigate SIEM alerts to Tier 4 SOC managers
responsible for recruitment, security strategy and reporting to management. Taking
more of a hybrid approach, the Palo Alto Networks SOC team follows this general
philosophy:
• Staff the SOC so 80% of staff have previous SOC experience
• Cross-train the SOC team in all domains, including alert triage, incident
response, threat hunting, automation and others
• Provide a well-funded annual training budget for all analysts
Source: Cortex by Palo Alto Networks | Planning the Government SOC | White Paper | 2022
Considerations must be made for the staffing model chosen (e.g., 24x7, 8x5, co-sourcing).
On-call staffing requirements must be defined for critical incidents as well as after hours
support requirements, which will drive the number of full-time employees required to meet
the objectives of the team. In-sourcing resources (e.g., analyst as a service) is a staffing
option that may alleviate the strain for organizations experiencing hiring difficulties.
Proper staffing of a security organization ensures there are the right people in place to
meet the mission and objectives of the SOC. Using metrics, security operations ensure that
there are enough staff on each shift to cover spikes in events.
Related Elements: Consistency, Employee Utilization, Facility
Collaboration tools often incorporate other tools and are at high risk of feature duplication.
The SecOps team must define the primary tool(s) to be utilized and the information to
be captured, which will be the single source of truth to avoid duplication of information
and potential inaccuracies. Access typically extends beyond the security operations
organization, especially in the case of war rooms, so access control must be addressed for
the chosen tools.
Related Elements:
The responsibilities, policies and compliance items that affect security operations must
be defined and strictly adhered to; otherwise, the organization could face costly fines for
violations.
FRED THIELE
Chief Information Security Officer,
Transport for New South Wales
Compliance sets the foundation for what acceptable risk looks like. It can be measured
using data integrity, protected end-user information and adherence to standards across
the world. Organizations need to ensure they are compliant with all relevant policies and
understand the risks associated with being non-compliant. Risk and compliance cannot
be successful unless an organization is using auditing standards. Audits check for any
gaps in compliance, infrastructure and processes, and help security operations bring
their systems to compliance.
With GDPR and now CCPA, businesses are having to rethink their SOC
strategies. Many data privacy laws include notification requirements
or private rights of action. It’s no longer enough to recognize you
have been breached. Businesses must understand—within the defined
notification periods—the “what” and the “how” required by the GRC
teams in order to work with regulatory bodies, including within any
defined notification periods.
HELMUT REISINGER
CEO for Europe,
Middle East and Africa,
Palo Alto Networks
The visibility pillar defines access controls and information necessary for the SOC to
monitor threats in the environment. This includes security and systems data, as well
as knowledge management content and communications between infrastructure tools.
Some capabilities are used purely as sensors to identify risks to the environment. The SOC
consumes and processes sensor data to generate alerts and identify incidents for threat
mitigation.
For effective data protection, an organization’s SecOps staff must be aware of all elements
of the environment and receive the right data from various tools and cybersecurity
infrastructure. If an event didn’t log, it didn’t happen.
There are five components to visibility: enrichment, deep packet inspection, cloud traffic
inspection, packet capture and operational technologies. When executed well, each of
these components establishes a foundation for SecOps to have the proper visibility into the
network and organization.
Visibility Pillar Elements 89
Most SOCs have too many tools due to
an “I need one of everything, best of
breed” mentality, and the tools they
do have are poorly implemented.
ROBERT DODSON
Global Solution Architect,
Endpoint and Security Operations,
Palo Alto Networks
CORRELATION
Correlation is simply correlating two or more events together to quantify something
malicious. A single event may look benign or normal; however, multiple events within a
certain amount of time may indicate an attack. In the industry right now, there is a switch
from manual correlation to automated correlation where ML and AI are infused into the
process and help detect potentially malicious incidents. A SecOps team should identify
what correlations should be in place and create those alert strings to help security
operations identify potential incidents. This work should be conducted in conjunction
with the content engineering function to implement them properly.
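The time-window idea above, worked through as an added example that is not part of the book: a single failed login is noise, but five failures for the same account from the same source followed by a success inside ten minutes is a correlation worth an alert. The log lines, field layout, window and threshold are all constructed assumptions for the example; a real SOC would take them from its SIEM schema and its own tuning.

```python
"""Time-window event correlation (added example, not from the book).

Rule: at least `threshold` failed logins for one user from one source IP,
followed by a successful login for that user from the same IP, all inside
`window`. Each event alone is benign; the sequence is the signal.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real data): "<ISO time> <user> <src_ip> <result>"
SAMPLE_LOG = """\
2024-05-03T09:00:01 alice 203.0.113.7 FAIL
2024-05-03T09:00:09 alice 203.0.113.7 FAIL
2024-05-03T09:00:17 alice 203.0.113.7 FAIL
2024-05-03T09:00:25 alice 203.0.113.7 FAIL
2024-05-03T09:00:33 alice 203.0.113.7 FAIL
2024-05-03T09:01:02 alice 203.0.113.7 SUCCESS
2024-05-03T09:05:00 bob 198.51.100.4 FAIL
2024-05-03T09:30:00 bob 198.51.100.4 SUCCESS
2024-05-03T10:00:00 carol 192.0.2.9 FAIL
2024-05-03T10:00:05 carol 192.0.2.9 FAIL
2024-05-03T10:00:10 carol 192.0.2.9 FAIL
2024-05-03T10:00:15 carol 192.0.2.9 FAIL
2024-05-03T10:00:20 carol 192.0.2.9 FAIL
2024-05-03T10:30:00 carol 192.0.2.9 SUCCESS
"""


def parse_events(text):
    """Parse the constructed format into (timestamp, user, ip, result) tuples, sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, result = line.split()
        events.append((datetime.fromisoformat(ts), user, ip, result))
    events.sort()
    return events


def correlate_bruteforce(events, window=timedelta(minutes=10), threshold=5):
    """Return alerts as (user, ip, success_time, failures_in_window)."""
    failures = defaultdict(list)  # (user, ip) -> timestamps of recent failures
    alerts = []
    for ts, user, ip, result in events:
        key = (user, ip)
        if result == "FAIL":
            failures[key].append(ts)
        elif result == "SUCCESS":
            # keep only failures that fall inside the window ending at this success
            recent = [t for t in failures[key] if ts - t <= window]
            if len(recent) >= threshold:
                alerts.append((user, ip, ts, len(recent)))
            failures[key] = []  # a success closes the sequence either way
    return alerts


if __name__ == "__main__":
    for user, ip, when, n in correlate_bruteforce(parse_events(SAMPLE_LOG)):
        print(f"ALERT {when.isoformat()} {user} from {ip}: {n} failures then success")
```

With the sample, only alice fires: bob has a single failure, and carol's five failures are thirty minutes before her success, outside the window. The window and threshold are exactly the kind of "alert string" the text says the SecOps team and content engineering should agree on together.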
Analysts need all of the relevant information about the incident and
associated context available at their fingertips. Time spent tracking
down this information is time not spent responding to the attack.
MARCEL HOFFMANN
Former SOC Manager,
Hewlett Packard Enterprise
Case management requires a significant data retention policy. Specific cases are referenced
for future training material as new employees are onboarded. A case management system
tracks users involved in the case, the time spent on a case, the amount of time the case was
idle, and idle time between phases. These metrics provide a security operations manager or
director with visibility statistics.
Security operations teams need a clear protocol for documenting and escalating incidents.
Case management is a collaborative process that involves documenting, monitoring,
tracking and notifying the entire organization of each security incident and its current
status. The minimum set of data points captured in a case, and the tool selected, must be
sufficient for a new analyst to take over the incident with only what is available in case
documentation. Often, organizations will use multiple tools, including ticketing, SOAR
and email for case management. Using more than one tool is ill-advised because data
continuity is severed and incident handling efficiency takes a hit.
Access controls are also necessary in case management to determine who has access to
the data and tools, how cases will be documented in a consistent manner and how teams
will collaborate to close out incidents. A case management system must be encrypted,
with strict access controls enforced due to the highly sensitive data that it will contain.
Case management software will provide visibility into the SecOps process by allowing for
collaboration with peers and including additional analysts on a case if needed.
Related Elements: Alerting, Quality Review, Training, Correlation, Process Improvement,
Threat Hunting
Threat intelligence often combines visualization to help analysts better understand the
attack landscape. Threat intelligence management helps identify and quickly attribute a
specific APT (Advanced Persistent Threat), hacker group or attack pattern to the malicious
events security operations have observed.
Threat intelligence usually comes in the form of Indicators of Compromise. IoCs are
the specific data points or strings of data that can be attributed to the type of an attack.
Quality tactical threat intelligence will always show the IoC and the ways it evolved, giving
SecOps context to validate the IoC importance. Analysts should search the network to
see if the IoC is of interest to the security operations team and their organization. IoCs
can also be applied to OT environments. Operational threat intelligence assists security
operations and content engineering to identify new tactics, techniques and procedures
that are aimed at their operational technology. The team or person responsible for
content engineering should tune and create detection rules around all threat intelligence
discovery. Additionally, content engineering can use the information gathered from threat
intelligence platform IoCs to build a use case, or use cases, with the IP addresses, URLs,
DNS entries, known threat actors and correlations between them.
Related Elements: Alerting, Severity Triage, Threat Hunting, Reporting, Machine Learning &
Artificial Intelligence, Investigation, Content Engineering, Threat Intelligence, Correlation
DARREN LAWLESS
Senior Manager,
Threat Monitoring,
IBM Security
To have effective vulnerability management, it’s critical that security operations have
proper asset management in place.
Related Elements: Alerting, Cloud Security, Metrics, Data Analytics, Content Engineering,
Network Security
Source: iSMG | Securing Industry 4.0 | Manage Cyber Risk in Smart Manufacturing Operations | 2022
Every organization adds and retires network resources throughout the year. Asset
management is a continual lifecycle process and must be kept up-to-date. To ensure
proper asset management, someone within security operations takes responsibility
for maintaining the database. Proper asset management is often missing from SOCs.
Prioritizing asset management will help organizations improve their automation
processes.
Because most enterprise networks have thousands of digital assets, analysis tools are built
to consume terabytes of data, which is impossible for personnel to manually parse.
Processes are defined around the ways an analyst will determine whether an alert is
malicious, and the chosen analysis tools assist or automate this process. These tools also
provide access to gather context about the given event. Ownership, budget and support for
the tools need to be defined.
Analysis tools are often based on ML, deep learning and AI that provide either stand-alone,
embedded or add-on functionality to detect evidence of a security compromise. Security
analytics can be performed on data that is either stored at rest or collected in motion, even at
light speed on a massive network. This is a capability that can be obtained by SecOps teams in
a variety of different ways, with most security products and services including some sort of
security analytics function.
Related Elements: Severity Triage
The knowledge base can either be elaborate or as simple as a wiki. It contains the
operations, administration and maintenance of the security operations platforms and the
team’s processes. Since information in knowledge management systems ages quickly, the
team must review and update content frequently, especially when zero-day attacks are
released and discovered. A properly kept knowledge management system speeds up new-
hire training and is key to providing consistent security to the organization. The security
operations team must work with IT teams to source the knowledge base tool and identify
ownership for the underlying system (e.g., CPU, RAM, and storage).
Related Elements: Alerting, Interface Agreement, Severity Triage, Training, Correlation,
Case Documentation, Mitigation, Enterprise Architecture, Reporting, Capability Improvement,
Pre-approved Mitigation, Escalation Process, Process Improvement
Any traffic that leaves the network and is not protected by an employee privacy act should
be decrypted and investigated. Most firms indicate at least 80% of traffic is encrypted,
so it must be logged.
Security operations review egress network traffic to ensure patterns are normal, check
for secure connections with servers and determine the validity of a packet. (Packets are
a small segment of a full message of data carried over a computer network.) SSL tunnels
that perform deep packet inspection are another popular visibility technology. Otherwise,
traffic should pass through Layer 7 inspection. To help with visibility, virtual private
network (VPN) tunnel traffic is analyzed before it reaches the intended target.
Related Elements: Alerting, Metrics, Behavioral Analytics, Malware Sandbox
GERRY STEGMAIER
Attorney,
Reed Smith
Traditional firewalls, routers and switches look at Layers 1–4, but Layer 7 inspection looks
at the application data within a packet and ensures that the packet is free of any
malicious content.
Layer 7 inspection includes data loss prevention (DLP), application identification, URL
filtering, DNS security, IPS, antimalware, antispyware and antivirus. DLP ensures that no
sensitive data leaves the network that shouldn't. For example, strings that look like social
security numbers or credit card numbers should be detected. While this is not the primary
responsibility of SecOps teams, it's good to be aware of it, since it could be an indicator
of malicious activity on the network. AppID validates malicious intent by mapping traffic
to the application to gather additional context. The context is used to cross-reference and
understand whether something is malicious so that action can be taken to control the behavior.
URL filtering helps identify malicious or unknown domains. Some URL filters provide
additional context to explain whether a domain is high, medium or low risk and categorize
the threat level. DNS security is signature- or technique-based. Techniques for DNS security
include sinkholing, where edge security plays the meddler-in-the-middle that protects the
network: instead of the real address, it answers a query for a known-malicious DNS name
with a spoofed (sinkhole) address, and the connection attempt that follows reveals which
endpoint is infected. A signature-based DNS technique looks for randomly generated DNS
names. Antispyware, antimalware and antivirus software inspect well-known headers and
characteristics of packets that indicate malicious activity, then stop the traffic at the
network layer. This software gives security operations visibility into activity on the
network that has not been detected at the endpoint.
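The DLP check the passage describes, detecting strings that look like social security numbers or payment card numbers, as an added example that is not from the book. The payloads are constructed; the card candidates must also pass the Luhn checksum, which is what separates a real-looking card number from a phone number or order ID of similar length, and findings are returned masked so the detector itself does not become a new copy of the sensitive data.

```python
"""Layer 7 DLP-style content check (added example, not from the book).

Finds US social security number and payment card number patterns in outbound
payload text. Card candidates must pass the Luhn checksum; results are masked.
"""
import re

# Card candidate: 13 to 19 digits, optionally separated by spaces or dashes,
# not embedded in a longer digit run.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# SSN: area not 000/666/9xx, group not 00, serial not 0000 (SSA issuance rules)
SSN_RE = re.compile(r"(?<!\d)(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}(?!\d)")


def luhn_valid(digits):
    """Luhn checksum: double every second digit from the right, sum the digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(digits):
    """Keep only the last four digits in anything the detector reports."""
    return "*" * (len(digits) - 4) + digits[-4:]


def find_card_numbers(text):
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            hits.append(mask(digits))
    return hits


def find_ssns(text):
    return [mask(m.group().replace("-", "")) for m in SSN_RE.finditer(text)]


def scan_payload(text):
    """Return {finding_type: [masked values]}; an empty dict means the payload is clean."""
    findings = {}
    cards = find_card_numbers(text)
    ssns = find_ssns(text)
    if cards:
        findings["card_number"] = cards
    if ssns:
        findings["ssn"] = ssns
    return findings


# Constructed sample payloads (not real data). 4111 1111 1111 1111 is the widely
# published Visa test number and passes Luhn; 4111 1111 1111 1112 does not.
SAMPLES = {
    "card": "Invoice paid with card 4111 1111 1111 1111, thanks",
    "ssn": "Employee SSN 123-45-6789 attached for onboarding",
    "clean": "Ref 4111 1111 1111 1112 ticket, call 555-123-4567, badge 000-12-3456",
}

if __name__ == "__main__":
    for name, payload in SAMPLES.items():
        print(name, scan_payload(payload))
```

The "clean" sample shows why the checksum matters: it contains a 16-digit string, a dashed phone number and an SSN-shaped badge number with an invalid area, and none of them produce a finding. A production DLP engine adds many more patterns and context checks, but the shape (pattern, validation, masked reporting) is the same.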
Related Elements: Alerting, Metrics, Behavioral Analytics, Intrusion Prevention Systems,
Enterprise Architecture, Network Security
JOHN ZAHAROPOULOS
Global Solution Architect,
Palo Alto Networks
The cloud security team ensures that each virtual asset has the correct protection
implemented once security operations have notified them of compliance issues.
It’s critical that each phase of the build process for virtual assets is monitored. This
includes scanning for vulnerabilities in the code development, infrastructure as code,
development workstation, and code repositories each step of the way. “Shift left security”
is the latest standard for virtual asset protection, where code is proactively scanned for
vulnerabilities before being deployed to production.
Related Elements: Alerting, Cloud Security, Metrics, Correlation, Data Analytics
Cloud threat analysis includes the diligent examination of virtual machines and assets within
the cloud infrastructure to detect and mitigate the presence of malware and vulnerabilities. This
analysis extends to popular cloud file spaces like Google Drive, Dropbox, or OneDrive,
where the contents stored within are thoroughly inspected to identify any viruses or
malicious code that may pose a threat. By promptly identifying and remediating these
risks, cloud threat analysis ensures the integrity and security of the cloud environment.
Related Elements: Alerting, Enterprise Architecture, Metrics, Correlation, Data Analytics,
Cloud Security, Network Security, DevSecOps
When traffic anomalies are discovered, it is crucial to comprehend whether and how
they could be a potential sign of a network security compromise within the system.
Understanding these traffic patterns through data capture helps to determine the severity
of a potential incident and to identify any tampering that might have transpired.
Data capture within a SOC generally falls into three predominant categories:
• Packet Capture (PCAP): Although PCAPs are a costly solution, security operations
frequently maintain them for periods of days to a week.
• Intrusion Prevention System/Intrusion Detection System (IPS/IDS) Data/Alerts:
This type of data comes with moderate cost implications. It is usually kept for about
half a year, a duration found to be sufficient in most scenarios for data analysis and
anomaly detection.
• Network Flow Logs/IPFIX: These logs are relatively inexpensive and are often used by
organizations to identify deviations from normal network traffic patterns, providing
crucial insights into network behavior.
Related Elements: Alerting, Metrics, Behavioral Analytics, Firewall, Network Security
It’s important to ensure security operations have visibility into all technology devices.
Operational technologies can be found in industrial centers, energy systems and smart
cities, but are most prevalent in the medical industry, mainly as a growing presence in
hospitals. Medical devices with OT include MRI scanners, X-ray machines and insulin
pumps.
With medicine being the biggest industry leveraging OT devices, it's important security
operations invest in gaining high visibility into them, since attacks targeting these
devices could mean life or death. Security operations must benchmark normal traffic,
conduct behavioral analysis on devices and understand the ways devices are attached and
communicate across the network.
OT threats frequently come from state-sponsored actors targeting government entities and
have real-world physical consequences. Operational technologies include industrial control
systems (ICS), programmable logic controllers (PLC), discrete process control systems
(DPC) and supervisory control and data acquisition systems (SCADA). Each of these
technologies can be responsible for monitoring major systems or devices. Examples of
well-known OT attacks are the Iranian centrifuge attack, the Colonial Pipeline attack and
the Ukraine power plant attack.
Related Elements: Alerting, Enterprise Architecture, Metrics, Internet of Things,
Data Analytics
IoT is often associated with consumer devices, smart homes, wearables and other
applications that leverage data from sensors and devices for improved convenience,
efficiency and control. IoT brings connectivity and intelligence to objects that weren’t
previously connected to the internet. For security operations, it is important to account for
all endpoints on a network that includes IoT, perform behavioral analysis to benchmark
normal activity and continually monitor them to ensure no malicious activity is running
in the background of any device. Once an attacker gains a foothold, they may take their
time to discover the network and identify high-value targets before executing an attack to
ensure they reach their objective.
IoT devices are often easier targets for attackers because many organizations do not have
good visibility or understanding of normal activity. Therefore, an attacker can infiltrate an
organization, complete a discovery and not trigger alerts.
Related Elements: Alerting, Information Technology Operations, Reporting, Data Analytics,
Content Engineering, Network Security, Correlation, Firewall
IoT and IIoT systems tend to be deficient in key security protections found in more robust
systems. This includes patch management, process isolation, access control and exploit
mitigation technologies. It is vital for a SOC to help fill in these gaps by monitoring for
abuse and misuse of these systems. This is especially important as IoT and IIoT adoption
continues to grow at a record pace, with billions of devices anticipated to come online
over the next few years.
ANDREW ROTHS
Senior Principal Security Engineer,
Internet of Secure Things (ioXt), Board of Directors,
Amazon
IIoT devices typically constitute a group of technologies that extend from traditional
internet of things into industrial sectors and are responsible for collecting and
transmitting data for machinery. IIoT technologies include robotics, sensors, medical
devices and programmed processes. They are often responsible for supporting nuclear,
power, water or manufacturing systems.
Visibility into IIoT devices identifies programming languages, PLC controllers running
outdated software and the number of devices on a network. Additionally, behavioral
analytics help SecOps understand normal behaviors on an IIoT device to identify malicious
behavior if and when it appears.
Related Elements: Alerting, Enterprise Architecture, Reporting, Data Analytics,
Content Engineering, Metrics, Correlation
The technology pillar defines infrastructure that provides SOC visibility into operations and
data to monitor for threats. It’s important to note that each infrastructure element should
be thought of as a collection of tools that work together to monitor the environment.
Technologies and capabilities change rapidly, so these are the most fluid elements of a
security operations team.
Numerous security tools are offered individually and act as silos, leading to a variety of
issues, including extensive vendor management, limited features, duplicate functionality
and occasional end-user degradation. The industry is seeing a shift away from siloed tools
and toward platforms that provide capabilities needed in the SOC without installation and
maintenance of individual tools.
When choosing technology for your environment, answer the following questions:
• What security capabilities are required to mitigate risk in the environment?
• What technology will be used to provide security capabilities?
• Who will be responsible for the licensing, implementation and maintenance
of the technology?
• How will technology and content updates be requested and performed?
• What updates will be carried out automatically and at what interval?
• How will the SOC interact with owners of the technology to secure the environment?
• How will data integrity be monitored?
JOHN TELAN
Global Practice Leader,
Endpoint and Security Operations,
Palo Alto Networks
LOG STORAGE
An organization's security operations need a location to store the massive amount of event
data generated from network resources.
Log storage is a centralized repository where logs are collected. Not all logs are created equal.
Some are important to the security operations team process and critical for monitoring the
environment. Others are required by the GRC team for compliance purposes.
Logs provide analysts with the most relevant information for review and incident response.
An effective endpoint detection and response solution helps collect and send over the most
critical logs. These logs are usually stored hot, or short term, for anywhere from one to three
months, depending on compliance needs. During this time, logs are actively searched using
machine learning to put together events and identify actionable events that trigger alerts.
Some logs will be required for compliance and must be stored cold, or long term, in case
a forensic case is ever needed. Guidance on logs that must be stored comes from the GRC
department and may not always be relevant to a SecOps process. These logs may also
contain compliance data, which is often helpful for identifying potential risk and compliance
violations. The GRC team communicates these concerns to content engineering and ensures
logs that do not fit within the compliance structure are not stored. For example, HIPAA or
GDPR may affect log storage duration and information contained in that storage.
Related Elements: Alerting, Investigation, Mitigation, Visibility Tuning, Data Analytics
JEREMY KELLY
Director of Secure Data Engineering,
E*TRADE
SECURITY ORCHESTRATION AUTOMATION RESPONSE
A good SOAR tool enables organizations to collect monitoring data from a variety of
sources and serves as a single source of truth for the SecOps team.
SOAR products have the capability of acting as a SecOps dashboard, collaboration medium,
evidence repository, audit and enrichment technology. Because it’s used as a single source
of truth, a SOAR tool helps a SecOps team streamline an analyst’s processes and improve
consistency. Many organizations leverage the automation aspect of SOAR but neglect the
orchestration and response capabilities that make the SOAR product critical to a security
operations team’s success.
SOAR orchestrates security technologies and integrates security tools to enhance the
incident response process. A SOAR product can collect and organize all artifacts needed for
an analyst, reducing the time needed to pivot between technologies.
Since inheriting legacy applications from acquisitions can add risk, collaboration
between DevOps and security teams is essential. When these applications cannot be
quickly deprecated, the DevOps teams can implement automation wherever possible to
reduce this risk. These teams will continue to collaborate as they move into a DevOps
mindset in which security is built into the workflow.
CLINT RUOHO
Lead Acquisition Product Security Engineer,
Salesforce
Ongoing monitoring of this space is paramount, especially as leading companies like Palo
Alto Networks continue to push the boundaries of AI in the cybersecurity domain. These
innovations hold immense potential for generating groundbreaking advancements in
cyber-defense, making it essential to stay abreast of the latest developments and harness
the power of AI to drive innovation and enhance security measures.
Adversaries are very good at staying under the radar once they have
infiltrated an organization. Behavioral analytics helps uncover these
hard-to-detect attacks and lateral movement.
WILLIAM SYKES
Global Enablement Architect,
Palo Alto Networks
The scope of endpoint security involves applying profiles to the various endpoints
throughout the network, including all PCs, Macs, servers, phones, tablets and assets.
Endpoint security is responsible for scanning, looking for malicious activity, vulnerabilities
and information that can be used to create profile exceptions that meet the needs of the
organization or restrict malicious activity. The endpoint security team is also responsible
for collecting behavioral information about the various endpoints to determine what is
standard behavior. They can then help security operations understand what abnormal
behavior is and what should constitute an investigable alert. For example, imagine there is
a machine that is uploading a 10 MB file every Friday to a server for financial information.
All of a sudden, it is now downloading all of the information and SVPing it elsewhere.
This would be a behavioral anomaly that the endpoint security team would want to call
out because it deviates from the normal behavior. Even if there is a perfectly reasonable
explanation for the download, this anomaly should still be identified. The endpoint team
should work to ensure these behavioral profiles are set properly to begin with so this
anomaly is identified as abnormal to the security operations team. If the anomaly happens
to be malicious, SecOps should be aware of it as quickly as possible.
Interface agreements should be defined between the endpoint security team, the team
implementing the endpoint security policy and the infrastructure team deploying the
technology. The change control process should include any specific information that is
required for endpoint security updates but should follow the standard change control
steps established for other changes within the business. The endpoint security team must
communicate with the business to define what endpoint technologies and operating systems
will be allowed in the business and to address security concerns around them. The team
and the organization should be in regular contact to plan for any new systems that will be
incorporated into the business through technology adoption or through M&A activity.
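The behavioral profile the passage describes (a workstation that uploads about 10 MB to a finance server every Friday, then suddenly pulls the data down and pushes it elsewhere), as an added example that is not from the book. It also serves the earlier OT and IoT sections, which call for the same benchmarking of normal traffic per device. The transfer records, host names and thresholds are constructed assumptions; the point is the shape of the check: learn a per-host baseline of direction, destination and volume, then flag anything that has no baseline at all or exceeds it by a wide margin.

```python
"""Endpoint behavioral baseline and anomaly scoring (added example, not from the book).

A baseline of (host, direction, destination) transfer volumes is learned from a few
weeks of normal activity; later transfers are flagged when they use a direction or
destination never seen for that host, or exceed the learned volume by `sigma` deviations.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed baseline (not real telemetry): ws-17 uploads roughly 10 MB to the
# finance server every Friday for eight weeks. Fields: day, host, direction, dest, bytes.
BASELINE_TRANSFERS = [
    ("2024-03-01", "ws-17", "upload", "finance-srv", 10_100_000),
    ("2024-03-08", "ws-17", "upload", "finance-srv", 9_900_000),
    ("2024-03-15", "ws-17", "upload", "finance-srv", 10_300_000),
    ("2024-03-22", "ws-17", "upload", "finance-srv", 9_800_000),
    ("2024-03-29", "ws-17", "upload", "finance-srv", 10_200_000),
    ("2024-04-05", "ws-17", "upload", "finance-srv", 10_000_000),
    ("2024-04-12", "ws-17", "upload", "finance-srv", 9_950_000),
    ("2024-04-19", "ws-17", "upload", "finance-srv", 10_150_000),
]

# Constructed later activity: one normal upload, then a bulk download from the finance
# server, a large upload to an address never seen before, and an oversized regular upload.
NEW_TRANSFERS = [
    ("2024-04-26", "ws-17", "upload", "finance-srv", 10_050_000),
    ("2024-05-03", "ws-17", "download", "finance-srv", 2_000_000_000),
    ("2024-05-03", "ws-17", "upload", "203.0.113.50", 1_950_000_000),
    ("2024-05-10", "ws-17", "upload", "finance-srv", 80_000_000),
]


def build_baseline(transfers, min_samples=5):
    """Per (host, direction, destination): (mean bytes, population std, sample count)."""
    by_key = defaultdict(list)
    for _day, host, direction, dest, nbytes in transfers:
        by_key[(host, direction, dest)].append(nbytes)
    return {k: (mean(v), pstdev(v), len(v)) for k, v in by_key.items() if len(v) >= min_samples}


def score_transfer(transfer, baseline, sigma=3.0, min_floor=1_000_000):
    """Return the reasons a transfer is anomalous (empty list when it fits the baseline)."""
    _day, host, direction, dest, nbytes = transfer
    key = (host, direction, dest)
    if key not in baseline:
        return [f"no baseline for {direction} to {dest}"]
    avg, std, _n = baseline[key]
    # floor the deviation so a very regular host does not alert on tiny variance
    threshold = avg + sigma * max(std, min_floor)
    if nbytes > threshold:
        return [f"volume {nbytes} exceeds baseline {avg:.0f} + {sigma} sigma"]
    return []


def detect_anomalies(transfers, baseline):
    """Pair each anomalous transfer with its reasons; normal transfers are dropped."""
    found = []
    for t in transfers:
        reasons = score_transfer(t, baseline)
        if reasons:
            found.append((t, reasons))
    return found


if __name__ == "__main__":
    bl = build_baseline(BASELINE_TRANSFERS)
    for t, reasons in detect_anomalies(NEW_TRANSFERS, bl):
        print(t, "->", "; ".join(reasons))
```

As the text says, the download is reported even though there may be a perfectly good reason for it: the endpoint team's job is to make the deviation visible, and the SOC decides whether it is malicious. The `min_samples` guard is deliberate, since a baseline built from one or two observations would flag almost everything or nothing.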
Related Elements: Alerting, Correlation, Behavioral Analytics, Intrusion Prevention Systems,
Endpoint Security, Data Capture, Data Analytics, Malware Sandbox
IDS, IPS and DNS sinkholing features may be integrated with a firewall or be standalone
tools. An IDS is considered a reactive control that generates alerts based on rules configured
in the system, whereas an IPS is focused on prevention and mitigates or blocks malicious
behavior. DNS sinkholing is used to allow or sinkhole known malicious traffic and trigger
alerts for analyst review.
Agreements must be established between the group that maintains the IDS/IPS/DNS
sinkholing technologies and the SOC, to define workflows for operating system upgrades,
outages and patching. Protocols for change requests between the business and the SOC
must also be defined. The SOC needs to be aware of basic architecture and configuration
settings, such as coverage if systems are configured to fail open. As with firewalls,
additional logging may need to be turned on to generate the context needed by the SecOps
team to perform investigations.
Related Elements: Alerting, Correlation, Internet of Things, Firewall
Threats using email, such as phishing, are the most common attack vectors. Without
proper email security measures in place, organizations must rely solely on employees to
detect email-based threats. However, effective email security plays a vital role in detecting
and preventing malicious email content from infecting targeted recipients, providing
protection from phishing scams and other attacks. It uses cryptography to support
confidentiality, digital signatures, sender authentication and integrity control.
Phishing attacks, which are among the most common email attacks, deceive recipients
with fraudulent messages that closely resemble legitimate sources. Attackers use various
strategies to gain unauthorized access via email including phishing, spear-phishing, social
engineering and whaling.
The goal of these attacks is to trick users into disclosing sensitive information or
performing unauthorized actions. Additionally, attackers may exploit attachments and
downloads to compromise endpoints or exploit user access, particularly in encryption-
based attacks. Therefore, implementing robust email security measures is essential to
safeguard organizations from these evolving email threats.
Email security validates hyperlinks and files against hashes to determine if they are
malicious. It also validates email headers along with embedded text to determine whether
the message is a known phishing scam. Information from email security systems is
provided to security operations so that they can investigate credential loss issues.
Email security is an area with a great opportunity for automation of use cases. It’s vital
to implement best practices for email security, which include Sender Policy Framework
(SPF), DomainKeys Identified Mail (DKIM) and Domain-based Message Authentication,
Reporting, and Conformance (DMARC). SPF helps verify that incoming emails are sent
from authorized servers, DKIM adds a digital signature to emails to ensure their integrity,
and DMARC enables domain owners to specify email handling policies, such as quarantine
or reject, for suspicious emails.
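The SPF and DMARC checks just described, as an added example that is not from the book: SPF answers whether the sending IP is authorized by the MAIL FROM domain, and DMARC asks whether an authenticated identifier (SPF or DKIM) aligns with the visible From: domain and otherwise applies the owner's `p=` policy. The DNS records are constructed and use reserved example domains; a real gateway queries DNS and evaluates the full SPF grammar (include, a, mx, redirect) and a real DKIM signature, while this version handles only ip4/ip6/all mechanisms and takes the DKIM result as an input.

```python
"""Simplified SPF and DMARC evaluation (added example, not from the book)."""
import ipaddress

# Constructed TXT records for reserved example domains (not real DNS data).
DNS_TXT = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.10 -all",
    "_dmarc.example.com": "v=DMARC1; p=reject; adkim=r; aspf=r; rua=mailto:dmarc@example.com",
    "partner.example.net": "v=spf1 ip4:203.0.113.0/24 ~all",
    "_dmarc.partner.example.net": "v=DMARC1; p=quarantine",
}

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_check(sender_ip, mail_from_domain):
    """Evaluate ip4/ip6/all mechanisms only; returns pass/fail/softfail/neutral/none."""
    record = DNS_TXT.get(mail_from_domain, "")
    if not record.startswith("v=spf1"):
        return "none"  # no SPF record published for this domain
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        if term.startswith(("ip4:", "ip6:")):
            # a version mismatch simply does not match the mechanism
            if ip in ipaddress.ip_network(term[4:], strict=False):
                return QUALIFIER_RESULT[qualifier]
        elif term == "all":
            return QUALIFIER_RESULT[qualifier]
    return "neutral"  # record ended without a matching mechanism


def dmarc_policy(from_domain):
    """Return the p= policy for the From: domain, or None when no record exists."""
    record = DNS_TXT.get("_dmarc." + from_domain, "")
    if not record.startswith("v=DMARC1"):
        return None
    tags = {}
    for kv in record.split(";"):
        if "=" in kv:
            key, value = kv.strip().split("=", 1)
            tags[key] = value
    return tags.get("p", "none")


def aligned(from_domain, auth_domain):
    """Relaxed alignment, approximated as the same domain or a subdomain of the other."""
    return (from_domain == auth_domain
            or from_domain.endswith("." + auth_domain)
            or auth_domain.endswith("." + from_domain))


def dmarc_disposition(from_domain, spf_result, mail_from_domain,
                      dkim_result="none", dkim_domain=None):
    """"deliver" when DMARC passes or no policy exists; otherwise the owner's policy
    ("none", "quarantine" or "reject")."""
    policy = dmarc_policy(from_domain)
    if policy is None:
        return "deliver"
    spf_aligned = spf_result == "pass" and aligned(from_domain, mail_from_domain)
    dkim_aligned = (dkim_result == "pass" and dkim_domain is not None
                    and aligned(from_domain, dkim_domain))
    if spf_aligned or dkim_aligned:
        return "deliver"
    return policy


def evaluate_message(sender_ip, mail_from_domain, from_domain,
                     dkim_result="none", dkim_domain=None):
    """Run SPF, then DMARC; returns (spf_result, disposition)."""
    spf = spf_check(sender_ip, mail_from_domain)
    return spf, dmarc_disposition(from_domain, spf, mail_from_domain, dkim_result, dkim_domain)


if __name__ == "__main__":
    # legitimate mail from an authorized address
    print(evaluate_message("192.0.2.5", "example.com", "example.com"))
    # From: example.com but sent via a domain that only authorizes itself
    print(evaluate_message("203.0.113.9", "partner.example.net", "example.com"))
```

The third test case below is the one that matters most for the SOC: the sender's own SPF passes, but because the MAIL FROM domain does not align with the From: domain the message still lands in the `reject` policy. That alignment step is what makes DMARC more than SPF and DKIM side by side.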
Firewalls can be physical devices or virtual solutions to protect assets in the cloud. Their
capabilities vary and can include URL filtering, IPS/IDS, antivirus, SSL decryption, VPNs,
DLP and AppID, among other features, to consolidate functionalities into a single tool.
Firewalls can be set up to monitor boundary traffic in addition to lateral traffic and are used
for network segmentation to further lock down an organization’s critical assets. They are a
key tool for the team to gain visibility into network traffic through logs and alerts received
from different points in the environment.
The security operations team defines what information they require from the firewall,
including additional context for investigation of alerts. Many firewalls are not configured
out of the box to provide this context, so the SecOps team may have to drive that
requirement with the network security team. Although firewalls provide the visibility that
analysts need, they can also be a burden to the analysts if not continuously updated with
new policies or if not tuned properly.
DAVE DUKINFIELD
Global Solutions Architect,
5G Services,
Palo Alto Networks
Administrators craft policy controls on the WAF for a specific application hosted on
a web server. The rules in a WAF are more granular for the specific server than for
firewall, IDS and IPS controls. They are placed inline with the client/server Hypertext
Transfer Protocol Secure (HTTPS) conversation and have similar functions as a
proxy with built-in security. Granular control allows security operations to create
the right prevention policies that stop known web application attack vectors.
A security team can “detonate” malicious files to observe their behavior and impact to
systems and networks without impacting the production environment. Malware sandbox
features include malicious file analysis, API call tracing and memory analysis, along with
other advanced capabilities.
Related Elements: Network Security, Behavioral Analytics, Firewall
ERIC HALLER
Vice President,
Security Operations,
Palo Alto Networks
Deception techniques are set up as traps (e.g., honeypots and honeytokens) that slow down
intrusions and give SecOps more opportunities to detect threats before they become a
critical event. They lure attackers in and reveal what they are targeting and which
vulnerabilities they exploit.
Current deception technologies have evolved well beyond the early honeypots. Authentic decoys
such as file servers, web servers, developer workstations, industrial control systems and OT
devices are created to mimic the machine types in the actual production environment. Pointers
planted on production systems lead attackers to the decoys, which simulate real protocols
and authentication. Entire decoy subnets can also be created and are particularly useful for
diverting attacker traffic away from critical environments. Because a decoy has no legitimate
users, any interaction with it is a high-fidelity alert; deception also ties up an attacker's
connection resources and allows observation and understanding of their tactics, techniques
and procedures.
Related Elements:
Alerting (A), Endpoint Security (Es), Server Operations (So), Correlation (Cr)
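The detection side of deception is deliberately simple: decoys have no legitimate users, so the rule is "anything touches it, alert". The block below is an added example, not from the book: a set of planted honeytokens (a decoy account, a decoy file, a decoy host) and a few constructed log lines in a simple key=value shape (not any product's schema), checked for any use of a token and then pivoted by source host so that one attacker hitting several decoys becomes one incident. Account, path and address names are assumptions.

```python
import re
from datetime import datetime

# Decoys planted in the environment (assumed names). None of them has a legitimate
# use, so any touch is a high-fidelity signal rather than a statistical anomaly.
HONEYTOKENS = {
    "accounts": {"svc_backup_admin", "dbadmin_legacy"},   # left in a script / cached creds
    "files": {"/srv/share/aws_keys.txt", "/srv/share/passwords.xlsx"},
    "hosts": {"10.10.99.5"},                              # decoy server; nothing should talk to it
}

# Constructed sample events in a simple key=value format (not a real product's schema).
SAMPLE_LOG = """\
2024-03-01T08:02:11Z type=auth outcome=success user=alice src=10.10.1.20 dst=10.10.5.7
2024-03-01T08:03:40Z type=auth outcome=failure user=svc_backup_admin src=10.10.1.77 dst=10.10.5.7
2024-03-01T08:03:42Z type=auth outcome=failure user=svc_backup_admin src=10.10.1.77 dst=10.10.5.8
2024-03-01T08:05:01Z type=file_read user=alice path=/srv/share/report.pdf src=10.10.1.20
2024-03-01T08:06:15Z type=file_read user=bob path=/srv/share/aws_keys.txt src=10.10.1.77
2024-03-01T08:07:30Z type=net_conn src=10.10.1.77 dst=10.10.99.5 dport=445
"""

KV = re.compile(r"(\w+)=(\S+)")

def parse_line(line):
    """Split '<timestamp> k=v k=v ...' into a dict with a parsed 'ts'."""
    ts, rest = line.split(" ", 1)
    event = dict(KV.findall(rest))
    event["ts"] = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    return event

def match_honeytoken(event):
    """Return (rule, token) if the event touched a decoy, else None.
    Note that a *failed* login with a decoy account still alerts: the attacker
    had to obtain that username from somewhere it was planted."""
    kind = event.get("type")
    if kind == "auth" and event.get("user") in HONEYTOKENS["accounts"]:
        return ("decoy_account_used", event["user"])
    if kind == "file_read" and event.get("path") in HONEYTOKENS["files"]:
        return ("decoy_file_read", event["path"])
    if kind == "net_conn" and event.get("dst") in HONEYTOKENS["hosts"]:
        return ("decoy_host_contacted", event["dst"])
    return None

def alerts_from_log(text):
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        event = parse_line(line)
        hit = match_honeytoken(event)
        if hit:
            alerts.append({"ts": event["ts"].isoformat(), "rule": hit[0], "token": hit[1],
                           "src": event.get("src"), "user": event.get("user")})
    return alerts

def pivot_sources(alerts):
    """Group alerts by source address so the analyst sees one attacker, not four alerts."""
    by_src = {}
    for a in alerts:
        by_src.setdefault(a["src"], []).append(a["rule"])
    return by_src

if __name__ == "__main__":
    found = alerts_from_log(SAMPLE_LOG)
    for a in found:
        print(a["ts"], a["rule"], a["token"], "from", a["src"])
    print(pivot_sources(found))
```

Two operational notes follow from this. The decoy names must never appear in any real automation, or the "no legitimate use" assumption breaks and the alert degrades into noise; and the pivot on `src` is what turns a trap into an investigation lead, because the same host that tried the decoy account also read the decoy file and probed the decoy server.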
Identity and access management (IAM) controls, when paired with multifactor authentication
(MFA), limit what an attacker can do with stolen credentials and so reduce the number of
credential-based compromises the SOC has to handle. Users must still be educated on the
phishing and social engineering techniques used to bypass MFA. The team managing IAM
implements the least privilege policies defined by the GRC team.
Related Elements:
Establishing a network that only allows authorized devices to connect reduces the number
of potentially unpatched or compromised systems on the network. Network access control
(NAC) also reduces the number of endpoints the SOC has no visibility into and the number
of devices without endpoint security installed, so the SOC can mitigate threats from
unauthorized devices. Because MAC addresses can be spoofed, NAC is not a silver bullet
and needs to be used alongside other security and threat detection tools.
Related Elements:
VPNs are now common as a result of increased work from home and business travel.
Depending on the client's needs, there are two common types of VPN. For individual
users, a client VPN connects the user's device to a VPN portal (gateway). For many
users at one location, a site-to-site VPN links the locations through VPN concentrators
at each end. VPN traffic needs its own security policies precisely because it is usually
treated as part of the trusted network once it lands: connections arriving over a VPN
should be subject to the same firewall and IDS/IPS controls used for external traffic.
Security operations require visibility into this traffic to monitor for remote user and
application anomalies.
VPN tunnel types include Generic Routing Encapsulation (GRE), IPsec and SSL/TLS. Note that
GRE on its own only encapsulates and provides no encryption, so it is normally carried
inside IPsec. Which tunnel type to use is a deliberate design decision. Not all VPNs
terminate at the service edge or on the firewall; VPN concentrators are also used to
establish secure connections between VPN nodes.
Related Elements:
Enterprise Architecture (Ea), Correlation (Cr), Data Analytics (Da), Firewall (Fw)
Selection criteria for a SASE solution:
• Integrate with Existing Network Security Solutions
• Strong SLAs with Penalties for Downtime or Latency
• Support for Agentless Options
• Role-Based Access Control to Support Multiple IP Personas
• Transparent User Experience
Source: Palo Alto Networks - Secure Access Service Edge for Manufacturing | White Paper
Related Elements:
Alerting (A), Correlation (Cr), Malware Sandbox (Ms), Network Security (Ns), Data Analytics (Da)
[Figure: element tiles: Asset Management (Am), Business Liaison (Bl), Information Technology Operations (It), Escalation Process (Ep), Pre-approved Mitigation Scenarios (Pa), Severity Triage (St), Budget (B), Metrics (Me), Virtual Asset Protection (Va), Identity & Access Management (Iam), Virtual Private Network (Vpn), Data Capture (Dc), Knowledge Management Tools (Km), Security Orchestration, Automation and Response (Soar), Internet of Things Security (Iot), Endpoint Security (Epp), Threat Hunting (Th), Interface Agreement (Ia)]
When determining good metrics for your business, always keep in mind the mission of the
SOC and the value it provides. The business wants confidence that it can prevent attacks
and if/when a breach does occur, it can handle it quickly to limit negative impact. Good
metrics provide insight into business confidence that it can mitigate attacks. There are two
types of confidence to focus on: configuration confidence and operational confidence.
130 Appendices
In addition to configuration confidence, businesses should have operational confidence,
which is knowing that the right people and processes are in place to handle a breach if/
when it occurs.
Appendix B: Successful Threat Hunting
Clean and structured data—Most often, threat hunting is performed in a data lake.
Efficiency depends on the consistency and structure of the data. This can be done via
auto-tagging using next-generation firewalls or centralized log monitoring systems. The
data must be flexible for the many ways you want to use it. Additionally, hunters need to
understand the automated processes, alerts and behavior analysis already performed on
data to avoid duplicating efforts. Also necessary is access to appropriate tools for hunting,
including query access to a data lake, APIs and threat visualizations.
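To make the "consistency and structure" point concrete, here is an added example (not from the book, and not any product's schema or query language): two hypothetical raw sources, a key=value firewall line and a JSON-style EDR process event, normalized into one common schema and auto-tagged at ingest, then queried by a single hypothesis-driven hunt. Field names, tag names, the office-application and shell lists and the sample events are all constructed for the illustration.

```python
from datetime import datetime, timedelta

# Constructed raw records from two hypothetical sources with different shapes.
FIREWALL_LINES = [
    "2024-03-01T09:00:05Z src=10.10.1.77 dst=198.51.100.9 dport=4444 action=allow bytes=9120",
    "2024-03-01T09:00:07Z src=10.10.1.20 dst=198.51.100.20 dport=443 action=allow bytes=512",
    "2024-03-01T09:20:00Z src=10.10.1.77 dst=198.51.100.9 dport=4444 action=allow bytes=300",
]
EDR_EVENTS = [
    {"timestamp": "2024-03-01T09:00:03Z", "hostname": "WS-77", "ip": "10.10.1.77",
     "process": "PowerShell.exe", "parent": "WINWORD.EXE", "cmdline": "-nop -w hidden -enc SQBFAFgA"},
    {"timestamp": "2024-03-01T08:30:00Z", "hostname": "WS-20", "ip": "10.10.1.20",
     "process": "chrome.exe", "parent": "explorer.exe", "cmdline": ""},
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
COMMON_EGRESS_PORTS = {53, 80, 443}

def parse_ts(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))

def normalize_firewall(line):
    """Map a firewall line onto the common schema and auto-tag it at ingest."""
    head, *pairs = line.split()
    f = dict(p.split("=", 1) for p in pairs)
    ev = {"ts": parse_ts(head), "source": "firewall", "host_ip": f["src"],
          "dst_ip": f["dst"], "dst_port": int(f["dport"]), "tags": set()}
    if ev["dst_port"] not in COMMON_EGRESS_PORTS:
        ev["tags"].add("uncommon_egress_port")
    return ev

def normalize_edr(rec):
    """Map an EDR process event onto the same schema: same field names, same tag style.
    Case is folded here once so no hunt query has to remember to do it."""
    ev = {"ts": parse_ts(rec["timestamp"]), "source": "edr", "host_ip": rec["ip"],
          "host": rec["hostname"], "process": rec["process"].lower(),
          "parent": rec["parent"].lower(), "cmdline": rec["cmdline"], "tags": set()}
    if ev["parent"] in OFFICE_APPS and ev["process"] in SHELLS:
        ev["tags"].add("office_spawned_shell")
    if "-enc" in ev["cmdline"].lower().split():
        ev["tags"].add("encoded_command")
    return ev

def build_lake(fw_lines, edr_events):
    """The 'data lake': one time-ordered list of normalized events from every source."""
    events = [normalize_firewall(l) for l in fw_lines] + [normalize_edr(e) for e in edr_events]
    return sorted(events, key=lambda e: e["ts"])

def hunt_office_shell_to_egress(lake, window=timedelta(minutes=5)):
    """Hypothesis: a document-spawned shell is followed within `window` by egress on an
    uncommon port from the same host. Because tagging happened at ingest, the hunt is
    a join on host_ip and time, not a re-parse of two log formats."""
    findings = []
    for shell in (e for e in lake if "office_spawned_shell" in e["tags"]):
        for conn in lake:
            if (conn["source"] == "firewall"
                    and "uncommon_egress_port" in conn["tags"]
                    and conn["host_ip"] == shell["host_ip"]
                    and shell["ts"] <= conn["ts"] <= shell["ts"] + window):
                findings.append({"host": shell["host"], "process": shell["process"],
                                 "dst": f"{conn['dst_ip']}:{conn['dst_port']}",
                                 "encoded": "encoded_command" in shell["tags"]})
    return findings

if __name__ == "__main__":
    lake = build_lake(FIREWALL_LINES, EDR_EVENTS)
    for hit in hunt_office_shell_to_egress(lake):
        print(hit)
```

The third firewall line is the same host talking to the same port twenty minutes later; it falls outside the window and is deliberately not reported, which is the kind of scoping decision a hunter should make explicitly rather than leave to whatever the raw query happens to return.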
Lessons and feedback—At the end of the hunt, documentation of the hunt activity and the
lessons learned is shared with the SOC. If a conclusion was reached, updated prevention is
fed back into controls to prevent future incidents of this type. The hunt may also end when
the two-week hunt period is exhausted without a conclusion; this still requires documentation
of what was done and what was ruled out.
One item to note about hunting: hunt teams that browse data without a hypothesis tend to
turn up configuration issues rather than intrusions. A strong hunt team hunts for a specific
kind of breach and is far less likely to be sidetracked by them. If configuration errors
are all that is ever found, it is worth reevaluating the structure and cost of the hunt
program and asking whether there are less expensive ways to identify those errors.
Appendix C: Communication Motivations
Each function of the business that communicates with the SOC will have goals and
motivations distinct from those of the SOC. This creates frustration between groups that
are trying to achieve different objectives. By understanding the motivations of different
functions, the SecOps team can better align requests and communications for better results
for the business.
Appendix E: Defining Security Orchestration
Security Technologies
SOAR tools integrate with the other security tools (and many non-security tools) that
an organization uses, giving teams a central console from which to coordinate and
activate them. These integrations enable inter-product conversations, data transfer and
remote execution of commands.
Playbooks, also known as runbooks, are task-based graphical workflows that help visualize
processes across security products. These playbooks can be fully automated, manual or
anywhere in between.
• Conditional task: Through conditional tasks, security orchestration playbooks can
check the value of any incident-related artifact and execute different branches based
on the result. For example, a conditional action can check the severity of an alert and
execute different sets of actions depending on whether the severity is high, medium
or low.
Security Teams
Here are a few ways in which SOAR playbooks can work in collaboration with human
teams for combined SecOps and incident response:
• Manual tasks: When an action is too unique, nuanced or infrequent to be automated,
security orchestration playbooks can have manual tasks that act as directives for the
SOC analyst handling the respective incident.
• Task approval: Even if some actions are prime candidates for automation, they might
be too sensitive to carry out without having a human verify their need and relevance.
In such cases, automated actions can have built-in task approvals. These actions will
wait for the relevant SOC analyst’s approval before beginning execution.
• End-user engagement: If a SOAR tool has rich integrations with email tools, these
integrations can be used to engage SOC analysts in addition to end users within the
organization and improve overall process flow.
• Phishing enrichment and response: SOAR playbooks can ingest alerts from email
inboxes and coordinate actions across threat intelligence tools, sandboxes, EDR
solutions and more for repeatable and accurate response.
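The task types above fit together in one phishing playbook, and the added example below shows that shape in code. It is not from the book or from any SOAR product: the threat-intel table and sandbox verdicts are constructed stand-ins for real integrations, the incident fields are hypothetical, and the `approve` callback stands in for the analyst's task-approval click. It shows a conditional task branching on severity, an automated action gated on approval, a manual task handed to the analyst, and a benign close.

```python
import re
from dataclasses import dataclass, field

# Constructed stand-ins for integrations (assumed data, not any product's API):
# a threat-intel list and a table of sandbox verdicts by attachment name.
THREAT_INTEL = {"evil.example": "phishing_domain", "203.0.113.50": "known_c2"}
SANDBOX_VERDICTS = {"invoice.docm": "malicious", "agenda.pdf": "benign"}

# Constructed phishing alert as the playbook would ingest it (hypothetical fields).
SAMPLE_INCIDENT = {
    "recipient": "alice@corp.example",
    "host": "WS-ALICE",
    "body": "Your invoice is ready: https://evil.example/inv/8831",
    "attachments": ["invoice.docm"],
    "clicked": True,  # the mail gateway reported that the link was followed
}

@dataclass
class PlaybookRun:
    incident: dict
    severity: str = "low"
    log: list = field(default_factory=list)           # audit trail: (task, result)
    manual_tasks: list = field(default_factory=list)  # directives handed to an analyst
    isolated_hosts: list = field(default_factory=list)

    def task(self, name, result):
        self.log.append((name, result))
        return result

def enrich_indicators(run):
    """Automated task: pull hostnames out of the mail body and check threat intel."""
    hosts = re.findall(r"https?://([\w.-]+)", run.incident["body"])
    return run.task("ti_lookup", [h for h in hosts if h in THREAT_INTEL])

def detonate_attachments(run):
    """Automated task: send each attachment to the sandbox and collect verdicts."""
    verdicts = {a: SANDBOX_VERDICTS.get(a, "unknown") for a in run.incident["attachments"]}
    return run.task("sandbox", verdicts)

def set_severity(run, ti_hits, verdicts):
    """Severity is the artifact the conditional task will branch on."""
    malicious_file = "malicious" in verdicts.values()
    if malicious_file and run.incident["clicked"]:
        run.severity = "high"
    elif malicious_file or ti_hits:
        run.severity = "medium"
    else:
        run.severity = "low"
    return run.task("severity", run.severity)

def run_phishing_playbook(incident, approve):
    """approve(action, run) -> bool stands in for the analyst's task-approval decision."""
    run = PlaybookRun(incident)
    set_severity(run, enrich_indicators(run), detonate_attachments(run))
    # Conditional task: branch on the severity artifact.
    if run.severity == "high":
        host = incident["host"]
        # Task approval: isolation is automatable but waits for a human go-ahead.
        if approve("isolate_host", run):
            run.isolated_hosts.append(host)
            run.task("edr_isolate", host)
        else:
            run.manual_tasks.append(f"Isolation of {host} declined: decide on containment")
        run.task("notify_user", incident["recipient"])
    elif run.severity == "medium":
        # Manual task: a directive to the analyst instead of an automated action.
        run.manual_tasks.append(f"Review mailbox of {incident['recipient']} for related messages")
    else:
        run.task("close", "benign")
    return run

if __name__ == "__main__":
    run = run_phishing_playbook(SAMPLE_INCIDENT, lambda action, run: True)
    print(run.severity, run.isolated_hosts, run.manual_tasks)
    for step in run.log:
        print("  ", step)
```

Everything the playbook decides is written to `log`, including the severity it computed and the approval outcome; that trail is what lets a reviewer reconstruct why a host was or was not isolated, and it is the record the "lessons and feedback" loop in the threat hunting appendix depends on.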
Appendix F: Modular Incident Response Plan
The modular incident response plan calls out each distinct process and defines what the
SOC should be doing as a part of identification, investigation, mitigation and continuous
improvement on every incident. A clearly defined incident response plan will serve as a
strong foundation for automation by achieving consistency among analysts’ responses
(See figure on page 138).
Appendix G: Percentage of High vs. Medium
vs. Low Severity Incidents Being Handled
Appendix I: Average Time to Resolve in Minutes
Appendix K: Technology True Positive / False Positive Rate
ABOUT PALO ALTO NETWORKS
Palo Alto Networks is the world’s cybersecurity leader. We innovate to outpace
cyberthreats, so organizations can embrace technology with confidence. We provide
next-generation cybersecurity to thousands of customers globally, across all sectors.
Our best-in-class cybersecurity platforms and services are backed by industry-leading
threat intelligence and strengthened by state-of-the-art automation. Whether deploying
our products to enable the Zero Trust Enterprise, responding to a security incident, or
partnering to deliver better security outcomes through a world-class partner ecosystem,
we’re committed to helping ensure each day is safer than the one before. It’s what makes
us the cybersecurity partner of choice.
www.paloaltonetworks.com
JOHN CAIMANO,
Senior Director, Practice Management,
Palo Alto Networks
AUSTIN ROBERTSON,
Global Practice Leader, Security Operations,
Palo Alto Networks
CONTRIBUTORS
© March 2023
Disclaimer
This guide is written as a general guide only. It should not be relied upon as a substitute for specific professional
advice. Professional advice should always be sought before taking any action based on the information provided.
Every effort has been made to ensure that the information in this guide is correct at the time of publication. The
views expressed in this guide are those of the authors. The publishers and authors do not accept responsibility for
any errors or omissions contained herein. It is your responsibility to verify any information contained in the guide
before relying upon it.
This book helps you create your own SOC strategy by breaking
down the elements of security operations—and clearly
identifying the building blocks necessary for a security
organization to meet the goals of the business. These building
blocks go beyond just people, processes and technology by
expanding into the business requirements, the visibility that is
required to defend the business and the affiliate organizations
needed for collaboration to achieve the mission of the security
organization.
By understanding these elements, you can improve upon
existing functions and develop those that are lacking, creating
both opportunities and advantages for the SOC that end in
desired results for the business.