
Cyber Reconnaissance & Combat Lab
Bahria University Islamabad

Building a Security Operations Center (SOC)
Introduction to SOC
• The security operations center, more commonly called “the SOC,” is a centralized unit that deals with security issues on both an organizational level and a technical level. It does this through the use of people, processes, and capabilities to deliver one or more services.
• “The journey of a thousand miles begins with one step.” —Lao Tzu
SOC Aspects
• Business: Goals alignment + ROIs; SOC charter; SOC governance program; SOC team
• People: Skill development; Awareness and training programs; SOC team capability (Solutions); Coordination
• Technology: SIEM and SOAR, UEBA; IDS/IPS; EDR/XDR, NDRs; Firewalls; Vulnerability management tools; Threat Intelligence Platforms; Threat Hunting platforms
• Services/Processes: Incident Detection and Alert triage; Incident Response; Forensics and Analysis; Vulnerability Management; Malware analysis; Threat Hunting; Threat intelligence services
SOC charter
1. Executive Summary
   • 1.1. Background
   • 1.2. Purpose
   • 1.3. Scope
2. Objectives
   • 2.1. Security Monitoring and Incident Response
   • 2.2. Threat Intelligence
   • 2.3. Security Operations
3. Scope
   • 3.1. Coverage
   • 3.2. Limitations
4. Roles and Responsibilities
   • 4.1. SOC Team
   • 4.2. Management
   • 4.3. Legal & Compliance
5. Operational Procedures
   • 5.1. Incident Handling
   • 5.2. Escalation Procedures
   • 5.3. Reporting
   • 5.4. Communication
6. Technology and Tools
   • 6.1. Security Technologies
   • 6.2. SIEM and Log Management
   • 6.3. Threat Intelligence Feeds
7. Training and Development
   • 7.1. SOC Team Training
   • 7.2. Continuous Learning
8. Compliance and Legal
   • 8.1. Data Protection and Privacy
   • 8.2. Legal and Regulatory Compliance
9. Performance Metrics
   • 9.1. Key Performance Indicators (KPIs)
   • 9.2. Service Level Agreements (SLAs)
10. Incident Response
   • 10.1. Incident Classification
   • 10.2. Incident Triage
   • 10.3. Incident Resolution
   • 10.4. Post-Incident Analysis
11. Documentation and Record Keeping
   • 11.1. Document Retention
   • 11.2. Records Management
12. Appendices
   • 12.1. Definitions
   • 12.2. Acronyms
Best of Breed vs. Defense in Depth
• Best practice is to layer different detection capabilities rather than relying on several instances of the same type of detection.
Standards, Guidelines, and Frameworks
• Many organizations look to industry standards, guidelines, and frameworks for help with developing security architectures for their environment.
• Many organizations turn industry recommendations into corporate policies, which has both advantages and disadvantages.
• Advantage: they are developed by industry experts and tested against common threats, for example through threat modelling.
• Disadvantage: they take time to develop and update, during which time threats continue to change rapidly.
NIST Cybersecurity Framework
• The latest CSF version is available at https://www.nist.gov/cyberframework
• Identify applies to managing systems, people, assets, data, and capabilities.
• Protect focuses on defending services.
• Detect covers how to identify that a specific event has occurred.
• Respond is what actions are taken when an incident is detected.
• Recover applies to how an organization attempts to be resilient during the attack as well as how it restores services impacted by the event.
ISO 31000:2018
• Some organizations will even talk about being ISO certified, even though ISO itself does not certify organizations; certification is performed by third parties.
• ISO 31000:2018, Risk management – Guidelines, helps organizations deal with risk. The 2018 version replaces the 2009 standard.
• The risk management framework attempts to identify business goals and establish a formal framework that is sponsored by leadership.
• Learn more about ISO standards at https://www.iso.org/standards.html
FIRST Service Frameworks
• Visit https://www.first.org/standards/frameworks/ for details.
• FIRST.org is a non-profit that brings together incident response and security teams from every country across the world to develop best practices for cybersecurity.
• The FIRST Computer Security Incident Response Team (CSIRT) Services Framework provides recommendations for the service areas delivered by a CSIRT (e.g., Information Security Event Management, Information Security Incident Management, Vulnerability Management, Situational Awareness, Communication, and Knowledge Transfer).
Industry Threat Models
• The security industry uses threat models to represent attack and defense concepts. The purpose of these models is to help organizations understand the type of capabilities they need as they develop a defense-in-depth architecture.
• As organizations pile on all the possible types of tools they might need, they become overwhelmed; industry threat models help them understand which tools and technologies apply to their business needs.
The Cyber Kill Chain Model
• One of the most popular threat models used in the industry is the Cyber Kill Chain created by Lockheed Martin.
• The Cyber Kill Chain model is specific to a threat actor attempting to compromise a network by gaining direct control of the compromised system; not all attacks follow this particular attack flow.
The Diamond Model
• The Cyber Kill Chain model evaluates one specific type of attack behavior; however, there are many other ways an adversary could attack your organization.
• The adversary uses various capabilities along some form of infrastructure to launch an attack against the victim. Capabilities used by the attacker are various forms of tools, techniques, and procedures (TTPs), while the infrastructure is what connects the adversary and victim.
Extended Diamond Model
Extended Diamond Model: example
Diamond Model Attack Graph
MITRE ATT&CK Model
• Customized threat models based on continuously updated real-world data can be more accurate than the Cyber Kill Chain and Diamond models, which can lead to a better view of detection of post-compromise cyber-adversary behavior.
In-house vs Managed SOC
Standard incident triage and response process
• Supporting functions feeding the process: Threat Hunting, Threat Intelligence, Malware Analysis
• Flow: Start → Incident identification → Incident prioritization → Collect and preserve data → Enrichment → Solution known?
   • No → New offense → Deep analysis → Contain activity
   • Yes → Contain activity
• Contain activity → Execute incident response process → Recover system and services → Post-incident activities
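The prioritization step and the "Solution known?" decision in the flow above, modeled as an added Python example that is not part of the slides; the threat-intel feed, asset criticality table, known-solution playbooks and the containment threshold are constructed assumptions for illustration.

```python
from dataclasses import dataclass, field

# Constructed enrichment sources (not real indicators): a threat-intel feed
# keyed by source IP (RFC 5737 test addresses) and an asset inventory.
THREAT_INTEL = {"198.51.100.23": "known-c2"}
ASSET_CRITICALITY = {"db-prod-01": 3, "kiosk-07": 1}   # 1 (low) .. 3 (high)
# Offenses the SOC has already solved: rule name -> existing playbook.
# Any rule not listed here is a "new offense" and goes to deep analysis.
KNOWN_SOLUTIONS = {"brute-force-ssh": "block-source-and-reset-creds"}
CONTAIN_PRIORITY = 6   # assumed threshold for immediate containment


@dataclass
class Alert:
    host: str
    src_ip: str
    rule: str
    severity: int                                   # 1 (low) .. 3 (high), set by the SIEM rule
    evidence: list = field(default_factory=list)    # collected and preserved data


def prioritize(alert: Alert) -> int:
    """Incident prioritization: SIEM severity weighted by asset criticality."""
    return alert.severity * ASSET_CRITICALITY.get(alert.host, 2)


def enrich(alert: Alert) -> dict:
    """Enrichment: attach threat-intel context to the preserved evidence."""
    intel = THREAT_INTEL.get(alert.src_ip, "unknown")
    alert.evidence.append(f"intel:{alert.src_ip}={intel}")
    return {"intel": intel, "priority": prioritize(alert)}


def triage(alert: Alert) -> dict:
    """Run one alert through the flow and report which branch it took."""
    ctx = enrich(alert)
    if alert.rule in KNOWN_SOLUTIONS:               # "Solution known? Yes"
        return {"path": "known-solution",
                "action": KNOWN_SOLUTIONS[alert.rule], **ctx}
    # "Solution known? No": new offense, deep analysis before containment.
    # Contain at once if the priority is high or the source is known-bad.
    contain_now = ctx["priority"] >= CONTAIN_PRIORITY or ctx["intel"] != "unknown"
    return {"path": "new-offense", "action": "deep-analysis",
            "contain_now": contain_now, **ctx}


if __name__ == "__main__":
    for a in (Alert("db-prod-01", "198.51.100.23", "lateral-movement", 2),
              Alert("kiosk-07", "203.0.113.5", "brute-force-ssh", 3)):
        print(a.rule, "->", triage(a))
```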
SOC Process Flow
SOC PROCESSES
• L1 Threat Monitoring Process and alert triage
• L2 Threat Triage Process
• L2 Threat Response Process
• L2 Incident Response Process
• SOC Escalation Process
• SOC Delivery Management Process
• Use Case and SIEM Rule Management Process
• Log Source on-boarding process
SOC Services

• Risk management
• Vulnerability management
• Incident management
• Analysis
• Compliance
• Situational and security awareness
• Research and development
• Threat Hunting
• Threat Intelligence
Effective SOC
SOC Maturity Models
• How does assessing a SOC’s maturity work?
• A basic maturity assessment evaluates how each SOC service is functioning: what are the gaps in processes and services?
• Where exactly are the gaps?
CMMI
SOC Program Maturity
Challenges in SOCs
• Alert Fatigue and Overwhelming Volume
• Skill Shortages and Retention
• Evolving Threat Landscape
• External and Internal Coordination
Thanks