(English) Security Operations Center (SOC) Explained (DownSub - Com)
" Those are the famous words from the Apollo 13 moon
mission.
And you're looking at a picture of IBM's cyber range in the Boston, Massachusetts
area where you can see what a modern SOC would look like.
Lots of technology.
And the SOC is particularly focused on those last two things where it's about
finding the problems and resolving those problems.
There are at least four distinct roles I'm going to talk about here.
There is an engineer.
Engineers are the people who are building the SOC itself, as in installing the
software, picking the tools, configuring the tools and things of that sort.
A SOC analyst is going to be the one who is actually going through the scenarios,
fielding the incidents and trying to discover what was the root cause of those.
Oftentimes, we have SOC analysts that are organized in different tiers, depending
on the level of complexity of the problem that they're dealing with.
So a tier 1, tier 2, tier 3, where the tier 1 does the initial fielding of the
issues, and then if it needs deeper investigation, tier 2 and tier 3.
Very often these could be done in-house or could be done as part of a managed
security service.
Or maybe you just have the tier 1 as the managed security service and then your
organization does the deeper investigations.
The fourth role that I'm going to mention here is a threat hunter.
And then they're going to go out proactively, trying to find where the problem
areas might be.
Let's take a scenario where we've got a web server, and that web server now suddenly
starts getting tons and tons of traffic, and it's not good traffic.
What could happen in that case is, I'm going to take the information from that web
server and feed it into something that we call a SIEM--
And I'm going to have the cybersecurity analyst here looking into the SIEM and
seeing what's happening.
They're going to get all of that telemetry, they're going to have the information
they need to go off and do an investigation and find out what's going on.
Our second scenario, let's say we have a database-- with critical information in
it --and someone is exfiltrating that data.
That is, they're taking data out of that system and sending it out into the
network.
But anyway, we would like to be able to detect that there's an anomalous level of
activity, either of accessing data or sending data out.
And I could use a technology called a user behavior analytics (UBA) system that
runs along with the SIEM in order to figure that out.
And it would send an alarm up and then this SOC analyst might be able to use that
system in order to do further investigations.
How about let's look at a third case where we have a workstation here and this
workstation has been infected by malware.
And in fact, it's not one, but it's a lot of these workstations that are out here,
and maybe many of them have been infected and some of them haven't.
Well, in this case, the threat hunter that I just mentioned would be using a
platform that we call an XDR, an extended detection and response platform.
And what that tool does is it allows us to query information in what we call a
federated search-- pull this information just when I need it.
So I leave the information in place until I need it. Where the SIEM is bringing all
the information up, fetching it in advance
and acting as an alarm system, this is more of a go out and look through the
information and figure out what I want to do.
Now, we would also have linkages between these systems, which would also be very
important.
--that either of these people could use in order to go out and guide their
activities, orchestrate the response,
use a dynamic playbook, open a case, and do the incident response and resolution
that's necessary in order to solve the problem.
With all of those things working together, a modern SOC can give us the solution we
need.
If you found this video interesting and would like to learn more about
cybersecurity, please remember to hit like and subscribe to this channel.
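The first two scenarios in the transcript (a traffic flood hitting a web server, and anomalous data access that a UBA system would catch) come down to the same check: compare what an entity is doing now against a baseline of what it normally does. The following is an added example, not IBM's code and not the logic of any SIEM or UBA product; the log formats, entity names and numbers in it are constructed for the illustration, and the per-entity z-score threshold is one simple way to do the comparison, not the method the video describes.

```python
"""Baseline-vs-current anomaly checks of the kind a SIEM rule or a UBA model
would run over telemetry.  Added, self-contained illustration; not code from
IBM or from any SIEM/UBA product.  The log formats below are constructed for
the example (assumption), not real product output."""
from collections import Counter, defaultdict
from statistics import mean, pstdev

# Scenario 1 (constructed): web-server access log, "<minute> <client-ip> <status>".
# Minutes 100-104 are quiet; minute 105 is a burst of 404s from four addresses.
WEB_LOG = [
    "100 10.0.0.5 200", "100 10.0.0.6 200", "101 10.0.0.5 200",
    "102 10.0.0.7 200", "103 10.0.0.5 200", "104 10.0.0.6 200",
] + [f"105 203.0.113.{i % 4} 404" for i in range(60)]

# Scenario 2 (constructed): database audit events, "<day> <user> <rows-read>".
# alice normally reads ~125 rows/day and suddenly reads 9500; bob reads ~5000/day
# every day, so his day-7 value of 5150 is large in absolute terms but normal for him.
DB_AUDIT = (
    [f"{d} alice {r}" for d, r in enumerate([120, 130, 110, 125, 140, 115, 130])]
    + ["7 alice 9500"]
    + [f"{d} bob {r}" for d, r in enumerate([5000, 5200, 4900, 5100, 5300, 5050, 4950])]
    + ["7 bob 5150"]
)


def is_anomalous(history, current, k=3.0, min_points=5):
    """True when `current` is more than k population standard deviations above
    the mean of `history` (one-sided: only excess volume is interesting here).
    A short history returns False so a new entity is not scored against nothing;
    a perfectly flat history gets a floor of one unit so we never divide by zero."""
    if len(history) < min_points:
        return False
    sigma = pstdev(history) or 1.0
    return (current - mean(history)) / sigma > k


def web_traffic_spikes(lines, k=3.0):
    """SIEM-style rule: each minute's request count against the counts of all
    earlier minutes.  Returns [(minute, count)] for the minutes that spike."""
    per_minute = Counter(int(line.split()[0]) for line in lines)
    spikes, history = [], []
    for minute in sorted(per_minute):
        count = per_minute[minute]
        if is_anomalous(history, count, k):
            spikes.append((minute, count))
        history.append(count)
    return spikes


def top_sources(lines, minute, n=3):
    """Who drove the traffic in `minute`: the n busiest client IPs with counts."""
    ips = Counter(line.split()[1] for line in lines if int(line.split()[0]) == minute)
    return ips.most_common(n)


def exfil_candidates(lines, k=3.0):
    """UBA-style check: each user's daily read volume against that same user's
    prior days, so a heavy-but-steady user is not flagged while a light user
    who suddenly pulls the whole table is.  Returns [(user, day, rows)]."""
    per_user = defaultdict(list)
    for line in lines:
        day, user, rows = line.split()
        per_user[user].append((int(day), int(rows)))
    flagged = []
    for user, events in per_user.items():
        history = []
        for day, rows in sorted(events):
            if is_anomalous(history, rows, k):
                flagged.append((user, day, rows))
            history.append(rows)
    return flagged


if __name__ == "__main__":
    for minute, count in web_traffic_spikes(WEB_LOG):
        print(f"traffic spike in minute {minute}: {count} requests; "
              f"top sources {top_sources(WEB_LOG, minute)}")
    for user, day, rows in exfil_candidates(DB_AUDIT):
        print(f"possible exfiltration: {user} read {rows} rows on day {day}")
```

The point of scoring each user against their own history is the bob/alice contrast: a fixed threshold of, say, 1000 rows would page on bob every day and is exactly the kind of noise a tier 1 analyst learns to ignore, while alice's 9500 rows stands out only relative to her usual 125. A real UBA system also compares against peer groups and accounts for weekly seasonality; the one-sided z-score here is deliberately the simplest version of that idea.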