
"Houston, we have a problem." Those are the famous words from the Apollo 13 moon
mission.

Well, what if you have a problem in cybersecurity?

Who is mission control?

Well, it's the SOC-- the security operations center.

And you're looking at a picture of IBM's cyber range in the Boston, Massachusetts
area where you can see what a modern SOC would look like.

Lots of technology.

Well, what is the mission of the SOC?

What are the roles and organization of a SOC?

What are the tools?

And in particular, I'm going to go through three different scenarios as to how
those tools might run in a modern SOC.

First of all, the mission.

So, in security, we're always focused on prevention, detection, and response.

That's what everything in cybersecurity is about.

And the SOC is particularly focused on those last two things where it's about
finding the problems and resolving those problems.

Now, a little bit about the roles.

There's at least four distinct roles I'm going to talk about here.

One is the manager of the SOC who organizes the operations.

There is an engineer.

Engineers are the people who are building the SOC itself, as in installing the
software, picking the tools, configuring the tools and things of that sort.

Then we have an analyst.

A SOC analyst is going to be the one who is actually going through the scenarios,
fielding the incidents and trying to discover what was the root cause of those.

Oftentimes, we have SOC analysts that are organized in different tiers, depending
on the level of complexity of the problem they're dealing with.

So a tier 1, tier 2, tier 3, where the tier 1 does the initial fielding of the
issues, and then if it needs more, deeper investigation, it goes to tier 2 and tier 3.

Very often these could be done in-house or could be done as part of a managed
security service.

Or maybe you just have the tier 1 as the managed security service and then your
organization does the deeper investigations.
The fourth role that I'm going to mention here is a threat hunter.

And a threat hunter is someone who is going to come up with a hypothesis and then
go out proactively trying to find where the problem areas might be.

Okay, let's talk about the tools.

In the tools area, let's take a scenario where we've got a web server, and that web
server now suddenly starts getting tons and tons of traffic, and it's not good traffic.

In fact, we're in a denial of service situation, so we're under attack.

What could happen in that case is, I'm going to take the information from that web
server and feed it into something that we call a SIEM--

a security information and event management system.

And I'm going to have the cybersecurity analyst here looking into the SIEM and
seeing what's happening.

They're going to get all of that telemetry, they're going to have the information
they need to go off and do an investigation and find out what's going on.

So that's our first scenario.

Our second scenario: let's say we have a database with critical information in it,
and someone is exfiltrating that data.

That is, they're taking data out of that system and sending it out into the
network.

Maybe they're selling it, who knows what they're doing.

But anyway, we would like to be able to detect that there's an anomalous level of
activity, either of accessing data or sending data out.

And I could use a technology called a user behavior analytics (UBA) system that
runs along with the SIEM in order to figure that out.

And it would send an alarm up and then this SOC analyst might be able to use that
system in order to do further investigations.

So that's what an analyst might do in those two cases.

How about let's look at a third case where we have a workstation here and this
workstation has been infected by malware.

And in fact, it's not one, but it's a lot of these workstations that are out here,
and maybe many of them have been infected and some of them haven't.

So what would we do?

Well, in this case, the threat hunter that I just mentioned would be using a
platform that we call an XDR, an extended detection and response platform.

And what that tool does is it allows us to query information in what we call a
federated search-- pull this information just when I need it.

So I leave the information in place until I need it. Where the SIEM is bringing all
the information up, fetching it in advance and acting as an alarm system, this is
more of a "go out and look through the information and figure out what I want to do."

So our threat hunter uses the XDR system to do that.

Now, we would also have the ability to have linkages between these systems that
would also be very important.

And then ultimately leverage a system called a SOAR, a security orchestration,
automation and response system

--that either of these people could use in order to go out and guide their
activities, orchestrate the response,

use a dynamic playbook, open a case, and do the incident response and resolution
that's necessary in order to solve the problem.

So now you have an idea of what goes into a modern SOC.

And it all boils down to this: people, process, and technology.

With all of those things working together, a modern SOC can give us the solution we
need.

And now, Houston, we have a solution.

Thanks for watching.

If you found this video interesting and would like to learn more about
cybersecurity, please remember to hit like and subscribe to this channel.
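Added worked example, not part of the video and not IBM's code: a small Python prototype of the detection logic behind the first two scenarios, the kind of thing a SOC engineer might sketch before turning it into SIEM and UBA rules. For the denial-of-service case it counts requests per source IP inside a sliding time window; for the exfiltration case it compares each database user's volume today against that user's own history and flags large deviations. The access-log lines, user names, daily row counts and thresholds are all constructed for illustration and are assumptions, not data from the video.

```python
"""Prototype detection logic for two SOC scenarios (constructed sample data)."""
import re
import statistics
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Common Log Format, e.g. 192.0.2.1 - - [10/Oct/2023:13:55:36 +0000] "GET / HTTP/1.1" 200 512
ACCESS_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) (\d+|-)')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_access_line(line):
    """Return {src, ts, request, status} for one log line, or None if it does not parse."""
    m = ACCESS_RE.match(line)
    if not m:
        return None
    src, ts, request, status, _size = m.groups()
    return {"src": src, "ts": datetime.strptime(ts, TS_FMT), "request": request, "status": int(status)}


def build_sample_web_log():
    """Constructed sample: three legitimate requests plus a 150-request burst from one source."""
    t0 = datetime(2023, 10, 10, 13, 55, 0, tzinfo=timezone.utc)
    lines = []
    for i, ip in enumerate(["198.51.100.4", "198.51.100.9", "203.0.113.21"]):
        ts = (t0 + timedelta(seconds=10 * i)).strftime(TS_FMT)
        lines.append(f'{ip} - - [{ts}] "GET /index.html HTTP/1.1" 200 2048')
    for i in range(150):  # 150 requests spread over 30 seconds from a single client
        ts = (t0 + timedelta(seconds=i // 5)).strftime(TS_FMT)
        lines.append(f'192.0.2.77 - - [{ts}] "GET /search?q={i} HTTP/1.1" 503 0')
    return lines


def detect_flood(lines, window=timedelta(seconds=60), threshold=100):
    """Scenario 1: flag sources whose peak request count in any `window` reaches `threshold`.

    Returns {source_ip: peak_count_in_window}. Uses a two-pointer sliding window per source,
    so each source is processed in O(n log n) for the sort plus O(n) for the scan.
    """
    per_source = defaultdict(list)
    for line in lines:
        ev = parse_access_line(line)
        if ev:
            per_source[ev["src"]].append(ev["ts"])
    flagged = {}
    for src, times in per_source.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # drop events that fell out of the window
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[src] = peak
    return flagged


# Constructed per-user history of rows read per day (14 days) and today's count.
DB_ROWS_BASELINE = {
    "alice": [1200, 1350, 1100, 1280, 1400, 1180, 1220, 1300, 1260, 1190, 1330, 1210, 1290, 1240],
    "svc_report": [50000, 52000, 49500, 51000, 50500, 49800, 50200, 51500,
                   50900, 49900, 50300, 50800, 51200, 50100],
    "bob": [900, 950, 880],  # new account: not enough history for a baseline
}
DB_ROWS_TODAY = {"alice": 48000, "svc_report": 51800, "bob": 40000}


def detect_volume_anomalies(baseline, today, z_threshold=3.0, min_days=7):
    """Scenario 2: flag users whose volume today is far above their own baseline.

    Returns (flagged, insufficient): flagged maps user -> (today, mean, z_score); insufficient
    lists users with fewer than `min_days` of history, who need a different rule rather than
    a silent pass. A zero standard deviation is floored so a constant history still produces
    a finite score.
    """
    flagged, insufficient = {}, []
    for user, value in today.items():
        history = baseline.get(user, [])
        if len(history) < min_days:
            insufficient.append(user)
            continue
        mean = statistics.mean(history)
        spread = statistics.pstdev(history) or max(1.0, 0.05 * mean)
        z = (value - mean) / spread
        if z >= z_threshold:
            flagged[user] = (value, round(mean, 1), round(z, 2))
    return flagged, sorted(insufficient)


if __name__ == "__main__":
    print("DoS candidates:", detect_flood(build_sample_web_log()))
    print("Volume anomalies:", detect_volume_anomalies(DB_ROWS_BASELINE, DB_ROWS_TODAY))
```

In a real SIEM the thresholds would be tuned per asset and the per-user baselines would come from the UBA system's stored profiles rather than an inline dictionary; the point here is the shape of the two checks, a rate over a time window versus a deviation from a per-entity baseline, and the fact that a new account with no history should be routed to review rather than quietly passed.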
