This session helps individuals get in-depth details on the SoC and on how they can build a SoC that is a business enabler in their organizations. It also explains how to evaluate some of the main components before finalizing them and bringing them into the SoC environment.
1. Best Of The World In Security Conference
Best Of The World In Security
12-13 November 2020
How to Build Effective SoC
Amit Modi
#CISOplatform #SACON
2. Agenda
• What is SoC
• Key Functions of SoC
• What are The Responsibilities of SOC
• SoC Reference Architecture
• Visualizing NextGen SoC
• SoC Success Pillars
• SoC Building Journey
• Key Elements of Building SoC
• SIEM Evaluation Criteria
• SoC Maturity Model
• Sample SoC Maturity Plan
• Defining & Building the SoC Use Cases
• SIEM Use Case Development Template
• SoC as Business Enabler
• MSSP Vs. On Premise SoC
• SoC Implementation Methodology
• Incident Management Cycle
• Challenges of SIEM
• Defining SOAR
• Role of SOAR in Incident Management
• Advantages of SOAR
• Key Elements to Look for in SOAR
• SOAR Use Case Development Template
• SOAR Evaluation Criteria
• Narrowing Down: Challenges & Expectations Vs. Solution
• Reference Architecture with SOAR
3. What is SoC
• SOC stands for Security Operations Center: a team of cybersecurity personnel dedicated to monitoring and analyzing an organization's security and responding to potential or ongoing breaches.
• The team is responsible for monitoring all the security systems in real time.
• This first line of defence works around the clock to protect an organization's security infrastructure from cyber threats.
4. Key Functions of SoC
• Real Time Monitoring
• Security Incident Detection & Mitigation
• Risk Management
• Vulnerability Scanning
• Security Incident Analysis (Preserving Evidence for Investigation)
• Intelligent Analysis & Correlation
• Reporting
5. What Are The Responsibilities of SOC
• SOCs use strategic methodologies and processes for active surveillance and real-time analysis of an organization's security infrastructure. The team carries out the following tasks.
Task: Identify assets
SOC operations start with gaining a holistic understanding of the tools and technologies at the team's disposal. The team learns about the hardware and software running on the systems; this in-depth understanding helps in the early detection of potential cyber threats and existing vulnerabilities.
Task: Proactive monitoring
A SOC primarily focuses on detecting malicious activities on the network before they can lead to substantial harm.
Task: Manage logs, configuration changes, and response
Thorough management of activity logs helps a cyber forensic investigator trace back to the point where something may have gone wrong.
Task: Rank alerts as per their severity
Whenever a SOC detects a threat or irregularity, it is responsible for ranking the severity of the incident. This ranking drives the prioritization of the response.
Task: Adjust defenses
A SOC adjusts its defenses through vulnerability management and by increasing its awareness of threats. This helps the team stay vigilant for breaches.
Task: Check compliance
SOCs can check whether the organization complies with applicable regulations and standards.
Task: Notify on security breach
Organizations aim for minimal or no network downtime when hit by unexpected security incidents. A SOC alerts the stakeholders as quickly as possible to help ensure business continuity.
9. SoC Building Journey
• Identification of the various teams and types of devices
• Identification and categorization of logs: Critical, Major, Minor, Informational
• Integration procedures for all types of devices, and awareness for the departments
• Dashboard customization as per requirements
• SOC Operation Manual (SOPs / Run Books)
• BCP document for SOC devices
• Back-up procedure
• Incident Management Policy and Procedure
• Scheduled reports
• Training
10. Key Elements of Building SoC
Packet Capture
1) Unique threat detection, forensics & response lifecycle
2) Real-time forensics
3) Proactive hunting
4) Detection of unknown threats
5) Visualization of attacks on endpoints
6) Automatic event prioritization
Cyber Security Operations Center Feeding
1) Defining an asset- and network-based, threat-modelled use case approach
2) Seamless, SME-level log monitoring, correlation & analysis
3) Resolution of L1/L2 incidents using machine learning
4) Self-learning capabilities with actionable intelligence
IR Process / Tool
1) Automation of the manual event-to-incident trigger
2) Full automation of response activities with forensics linking
3) Workflows & tasks for cyber security incident response
4) Availability of remediation advisories & playbooks
Threat Intel
1) Contextualisation, prioritization and automation of events
2) Empowering security operations centers and incident response teams with domain-specific curated feeds
3) Feed ingestion into logs, events & packets
Security Governance Dashboard
1) Security-based OneVue reporting with GRC view
2) Integrated governance model
Investigation & Analytics
1) Intelligence-driven big data platform for NBA and UEBA
2) Zero-day analytics and pattern data analysis
3) Predictive, accurate & proactive assistance for threat hunting processes
Visualization
1) Attack tree depiction
2) A meaningful view of the data
3) Linking the contexts of risks, threats and behaviour activities
4) Interactive dashboard
11. SIEM Evaluation Criteria
• Real-Time Monitoring & Alerting
• User Activity Monitoring
• Use Case Investigation
• Threat Detection / Intelligence
• Forensic Capability
• Data Analysis
• Automated Response Capabilities
• Long Term Event Storage
• Scalability
• Integration
  • Business Applications
  • Infra Devices
• Reporting
12. SoC Maturity Model
Governance: Context and Leadership | Evaluation and Direction | Compliance, Audit, and Review
• Information Security Charter
• Culture and Awareness
• Information Security Organizational Structure
• Security Risk Management
• Security Strategy and Communication
• Security Policies
• Security & Engineering Compliance Management
• External Security Audit
• Management Review of Security
• Internal Security Audit & Security Assessments
Management: Prevention | Detection | Response and Recovery | Measurement
• Identity and Access Management
• Identity Security
• Data Security
• Asset Management
• Data Security & Privacy
• Infrastructure Security
• Network Security
• Metrics Program
• Endpoint Security
• Malicious Code
• Application Security
• Vulnerability Management
• Red Teaming
• Technical Assessments (Infra, App, Web)
• Physical Security
• Configuration and Change Management
• Vendor Management
• Security Threat Detection
• Log and Event Management
• Security Incident Management
• Security eDiscovery, Intelligence & Forensics
• Containment & Recovery
• Information Security in BCM
• Continuous Improvement
• Change and Support
• HR Security
• DevSecOps-Cloud Security
• Reporting
• Behaviour, Pattern and Anomaly
• TPS
13. Sample SoC Maturity Plan
Columns: Band | Technology Offered | What Will Be Covered | Expected Output | Timeline of Maturity

M1: SIEM + VAPT as a Service (timeline: 1 year)
Covered: Organization's infra (network devices, security devices)
Deliverables: log collection; log correlation; alerts; advisories; 24x7 monitoring (people); VAPT services (assessment & closure guidance)

M2: M1 + Advanced SIEM as a Service (timeline: 1 year)
Covered: Organization's infra + apps + DB + TIP (M1 infra, business applications, databases, threat intel feed)
Deliverables: M1; business application use cases; advanced correlation; 24x7 monitoring (people); VAPT services (assessment & closure guidance)

M3: M1 + M2 + Analytics + EDR + FIM (timeline: 1 year)
Covered: M1 + M2 (UEBA, NBA, EDR for servers & endpoints, file integrity monitoring)
Deliverables: M1; M2; user & entity behavioural analytics; network behavioural analytics; malware + ransomware protection; 24x7 monitoring (people); file integrity monitoring; VAPT services (assessment & closure guidance)

M4: M1 + M2 + M3 + Incident Response + Process (timeline: 1 year)
Covered: M1 + M2 + M3 (incident response, incident management, process)
Deliverables: M1; M2; M3; incident response; incident management; SoC processes

M5: M1 + M2 + M3 + M4 + Automation (timeline: 1 year)
Covered: M1 + M2 + M3 + M4 (tool automation, process automation)
Deliverables: M1; M2; M3; M4; tool automation; process automation
14. Define & Build the SoC Use Cases
1) Objective: problem statement
2) Threat / Protect / Monitor
3) Stakeholders
4) Data required
5) Logic
6) Testing with sample data
7) Priority
8) Output (rule / alert)
9) Evaluate & refine
16. SoC as a Business Enabler
• The SoC can be a "Business Enabler" by picking up logs from business applications, databases, etc.
• Build the use case from the problem statement of the business owners.
• Define the expected output.
• Pick the data sources and fields from those applications and databases.
• Write the logic that produces the expected output for the problem statement.
• Define the action, priority & output, then test it further.
• Keep refining the use case on a regular basis.
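The use case template of slide 14 and the business-enabler procedure above are worked through below as an added example written for this page; it is not code from the original slides. It turns the template steps into a small Python structure, defines one Threat use case (several failed logins followed by a successful one) and one business use case on payment-application logs (the same user creating and approving a payment), and runs both against constructed sample log lines for the "Testing with Sample Data" step. The log format, field names, thresholds, rule names and all sample lines are assumptions; a real SIEM would express the same logic in its own correlation language.

```python
# Added example (not from the slides): the use case template as runnable code; all data below is constructed.
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta
SEVERITIES = ("Informational", "Minor", "Major", "Critical")  # bands from the Building Journey slide

@dataclass
class Event:
    ts: datetime
    source: str
    fields: dict

@dataclass
class Alert:
    use_case: str
    priority: str
    key: str                      # what the alert is about (an IP, a transaction id)
    evidence: list = field(default_factory=list)

@dataclass
class UseCase:                    # one filled-in row of the use case development template
    name: str
    problem_statement: str
    category: str                 # Threat / Protect / Monitor
    stakeholders: tuple
    data_required: tuple          # (source, field) pairs the logic depends on
    priority: str
    logic: object                 # callable: list[Event] -> list[(key, evidence events)]

def parse(lines):
    """Constructed format: '<iso timestamp> <source> key=value key=value ...'."""
    events = []
    for line in lines:
        parts = line.split()
        if len(parts) < 3 or "=" not in parts[2]:
            continue              # unparseable line: a data-quality finding, not a detection
        kv = dict(p.split("=", 1) for p in parts[2:] if "=" in p)
        events.append(Event(datetime.fromisoformat(parts[0]), parts[1], kv))
    return events

def brute_force_then_success(threshold=5, window=timedelta(minutes=10)):
    """Threat logic: >= threshold failed logins from one IP, then a success, inside the window."""
    def logic(events):
        by_ip = defaultdict(list)
        for e in sorted(events, key=lambda e: e.ts):
            if e.fields.get("action") == "login":
                by_ip[e.fields.get("src")].append(e)
        hits = []
        for ip, evs in by_ip.items():
            for i, e in enumerate(evs):
                fails = [f for f in evs[:i] if f.fields.get("result") == "failure" and e.ts - f.ts <= window]
                if e.fields.get("result") == "success" and len(fails) >= threshold:
                    hits.append((ip, fails + [e]))
                    break         # one alert per IP; the evaluate & refine step may change this
        return hits
    return logic

def segregation_of_duties(events):
    """Business logic: the user who created a payment must not also approve it."""
    creators, hits = {}, []
    for e in sorted(events, key=lambda e: e.ts):
        if e.source != "payments":
            continue
        txn, user, action = (e.fields.get(k) for k in ("txn", "user", "action"))
        if action == "create":
            creators[txn] = (user, e)
        elif action == "approve" and txn in creators and creators[txn][0] == user:
            hits.append((txn, [creators[txn][1], e]))
    return hits

def run(use_case, events):
    """Output step: apply the logic and emit alerts carrying the agreed priority."""
    assert use_case.priority in SEVERITIES, use_case.priority
    return [Alert(use_case.name, use_case.priority, key, evidence)
            for key, evidence in use_case.logic(events)]

USE_CASES = [
    UseCase("UC-01 Brute force followed by successful login",
            "Password guessing against the VPN is only noticed after the attacker is in.",
            "Threat", ("SOC", "IAM team"), (("vpn", "src"), ("vpn", "result")),
            "Critical", brute_force_then_success(threshold=3, window=timedelta(minutes=5))),
    UseCase("UC-02 Payment created and approved by the same user",
            "Finance cannot see when maker and checker are the same person.",
            "Monitor", ("Finance", "Internal Audit"), (("payments", "txn"), ("payments", "user")),
            "Major", segregation_of_duties),
]

SAMPLE_LOGS = [  # constructed sample data for the "Testing with Sample Data" step
    "2020-11-12T09:00:01 vpn user=alice src=203.0.113.7 action=login result=failure",
    "2020-11-12T09:00:09 vpn user=alice src=203.0.113.7 action=login result=failure",
    "2020-11-12T09:00:20 vpn user=alice src=203.0.113.7 action=login result=failure",
    "2020-11-12T09:00:41 vpn user=alice src=203.0.113.7 action=login result=success",
    "2020-11-12T10:15:00 payments user=carol action=create txn=T1001 amount=4200",
    "2020-11-12T10:16:00 payments user=carol action=approve txn=T1001",
    "2020-11-12T10:20:00 payments user=dave action=create txn=T1002 amount=900",
    "2020-11-12T10:25:00 payments user=erin action=approve txn=T1002",
    "garbage line that a collector should flag",
]

def run_on_sample_data(lines=SAMPLE_LOGS, use_cases=USE_CASES):
    events = parse(lines)
    return [alert for uc in use_cases for alert in run(uc, events)]
```

Running `run_on_sample_data()` raises one Critical alert for 203.0.113.7 with four evidence events and one Major alert for transaction T1001; the dave/erin payment and the two isolated failures raise nothing, which is the negative check the "Evaluate & Refine" step needs before a rule goes live. The unparseable last line is skipped on purpose: a collector that silently drops such lines hides a log-quality problem, so in practice that count should itself be reported.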
19. SoC Implementation Methodology
1. Strategy and Roadmap
• Maturity assessment across governance, operations, technology, integration and processes
• Strategy development from current state to future state
• Roadmap with milestones and financial budgeting
2. SIEM & Current Tech Optimization
• Use case fine tuning and framework
• New use case creation
• Response run book
• Log source integration
• Reporting and visualization
3. SOC Governance
• SOC organization
• Roles and responsibilities and RACI
• Performance indicators and management
• Skill analysis and metrics
• Training
• Roster management
4. SOC Processes and Workflows
• Incident management: monitoring, validation, analysis, triage, escalation, response and resolution
• Problem management
• Forensics process
• Device on-boarding
5. SOC Reporting and Analytics
• SOC advanced reporting
• Visualization
• Analytical reporting and dashboards
6. Cyber Defense and Security Operations
Tiers: L1 Monitoring and Validation | L2 Triage and Escalation | L3 Response and Coordination
• Security Integration: vulnerability mgmt, asset management, identity mgmt, data security, incident/ticketing tool
• Security Analytics & Incident Reporting
• SIEM Architecture
• SOC Engineering: rule dev/tuning, tool integration, device mgmt
• SIRT: incident handling, forensic handling
• Security 2.0 Operations: incident monitoring, IOC management, SIEM rules and use cases, response playbooks, threat hunting, simulations and stress tests
20. Incident Management Cycle
The Cybersecurity Logical Operating Model is comprised of three core intelligence-driven functions: Prepare, Predict & Detect, and Respond & Recover. Cybersecurity Governance, Security Service Performance Management and Continuous Improvement span all three.
1.0 Threat Intelligence: threat modeling; threat analysis; intelligence exchange; intelligence gathering
2.0 Vulnerability Management: vulnerability identification; remediation tracking; vulnerability prioritization and reporting
3.0 Cyber Operational / Advanced SOC: security monitoring; event triage; prioritization and reporting; compliance monitoring; log management
4.0 Advanced Security & Analytics: operational normalization; data quality management; data collection and enrichment; algorithmic data modeling; data visualization; analytics
5.0 Security Incident Management: identification and triage; forensic analysis; communication; response; recovery
6.0 Active Defense: containment; reverse engineering; track down; automation; deception
7.0 Supporting Capabilities: IT governance; IT service management; enterprise risk management; asset management
21. Challenges with SIEM
Challenges
• SIEM generating a huge amount of alerts
• Incidents getting missed
• Lack of threat visibility
• Finding lateral impact
• Learning from the past
• Finding the RCA
• Skills shortage
• Incident-based SLA management
• Incident closures
• Reporting
  • Technical
  • Business context
  • Performance based
Expectations
• Business context for the investigation
• Adding big data analytics
• Bulletin boards for the team
• Case management
• Automating runbooks
• Threat visibility & spread
• Avoiding over-detection & false positives
• Automating similar incidents
• Prioritization based on business impact
• Incident containment as a first step
• Surgical response for accurate threat eradication
• Practicing the crisis situation
22. Defining SOAR
The term describes the merging of three distinct and interconnected solutions:
• Security Automation & Orchestration (SAO)
• Threat Intelligence Platforms (TIP)
• Security Incident Response Platform (SIRP)
SOAR is a term coined by Gartner that stands for Security Orchestration, Automation and Response. Many of the characteristics that describe SOAR are unique to this technology, which is why SOAR is growing in demand in the modern cyber security industry. SOAR helps SecOps and CSIRT teams in many ways, most notably by bringing the three solutions above together.
23. Role of SOAR in Incident Management
• Improving the efficiency of security operations by automating workflow processes
• Improving the identification of false positives through incident enrichment
• Centralizing operations in a single panel
• Seamlessly integrating different cyber security tools to simplify workflow processes
• Automating tasks without the need for human intervention wherever appropriate
• Automatic alignment to the various compliance requirements
• Helping with accurate threat hunting
• Faster response (containment & eradication)
24. Advantages of SOAR
• Improve reaction time to threats (TAT)
• Reduce the number of false positives
• Calculate risk assessments
• Perform evidence management
• Free analysts from handling low-risk, repetitive tasks
• Fully document threat analysis
• Measure success by following important KPIs
• Leverage the open integration framework to align with various tools and technologies
• Improve the efficiency of security operations by automating workflow processes
• Improve the identification of false positives
• Centralize operations in a single panel
• Seamlessly integrate different cyber security tools to simplify workflow processes
• Automate low-risk tasks without the need for human intervention
25. Key Elements to Look for in SOAR
• Case Management
• Automation
• Multi-Tenancy
• Community Support
• Additional Features
• Pricing
• RBAC
• Automated Queue Management
• Scalability
• Reports and Dashboard
• Vault Integration
• Machine Learning
• Other
27. SOAR Evaluation Criteria
1 Orchestrator
1.1 Data Ingestion
1.2 Decision Making
1.3 Task Execution
1.4 Human Supervision
1.5 Data Management
1.6 Fault Tolerance
2 Automation Engine
2.1 Scalability
2.2 Extensibility
2.3 Alert Management
2.4 Alert Details
2.5 Alert Correlation
2.6 Issuing Actions
2.7 Action Results
2.8 Activity Log
2.9 Alert Status, Severity & Sensitivity
2.10 Alert Collaboration
3 Case Management
3.1 Case Data Organization
3.2 Adding Data to a Case
3.3 Linking Cases to Alerts
3.4 Mapping to Existing Processes
3.5 Activity Auditing
28. SOAR Evaluation Criteria (continued)
4 Playbook Management
4.1 Playbook Organization
4.2 Bulk Edits to Playbooks
4.3 Revision Control and Distribution
4.8 Other
5 Automation Editor
5.1 User Interface Elements
5.2 Block-Based Representation of Code
5.3 Inserting Humans into the Decision Process
5.4 Information Exchange of Action Results
5.5 Access to Playbook Source Code
5.6 Simultaneous Visual and Non-Visual Playbook Construction
5.7 Built-In Testing, Debugging and Runtime Logging
5.8 Safe Mode
5.9 Other
6 Integration
6.1 API Based Integration
6.2 Bi-Directional Integration
6.3 Open Stack Integration
6.4 Cloud Integration
6.5 Supports Open Integration Framework
6.6 Wide Out of the Box Integration
6.7 Threat Intel Platform Integration
6.8 Other
29. SOAR Evaluation Criteria (continued)
7 Reporting
7.1 Customization of Reporting
7.2 Organizational Reporting
7.3 Role-Based Reporting
7.4 Incident Based Reporting
7.5 Compliance Reporting
7.6 Other
8 Data Enrichment
8.1 Supports Data Enrichment Integration
8.2 Capable of Reducing False Positives
8.3 Other
9 Licensing
9.1 Instance Based
9.2 User / Analyst Based
9.3 Both
10 Other Features
10.1 Secured Platform
10.2 Scalable
10.3 Open and Extensible
10.4 Ease-of-use
10.5 Easy Installation and Setup
10.6 Easy Onboarding
10.7 Accelerate the time-to-automate
10.8 Other
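The Role of SOAR slide (slide 23) and the evaluation criteria above call for data enrichment (8.1), linking similar alerts to one case (3.3), inserting a human into the decision process (5.3), a safe mode (5.8) and an activity log (2.8, 3.5). The following playbook is an added example written for this page, not code from the original slides or from any SOAR product, to show how those elements fit together in one flow. The threat-intel verdicts, the asset criticality table, the rule names and the block_ip / isolate_host action names are constructed; in a real deployment each lookup and action would be a connector call to a TIP, a CMDB, a firewall and an EDR.

```python
# Added example (not from the slides or any SOAR product): a playbook with enrichment,
# case linking, a human approval gate, safe mode and an activity log. All data is constructed.
from dataclasses import dataclass, field

THREAT_INTEL = {"203.0.113.7": "malicious"}               # stand-in for a TIP lookup
ASSETS = {"fin-db-01": "crown_jewel", "kiosk-17": "low"}  # stand-in for the asset inventory
AUTO_CONTAINABLE = {"low", "medium"}                      # crown jewels always need a human

@dataclass
class Alert:
    id: str
    rule: str
    src_ip: str
    host: str

@dataclass
class Case:
    key: str                            # dedup key: same rule from the same source IP
    alerts: list = field(default_factory=list)
    severity: str = "Informational"
    decision: str = "open"
    audit: list = field(default_factory=list)   # (actor, action, detail) for activity auditing

    def log(self, actor, action, detail=""):
        self.audit.append((actor, action, detail))

def enrich(alert):
    """Enrichment step: verdict on the source IP and criticality of the target asset."""
    return {"verdict": THREAT_INTEL.get(alert.src_ip, "unknown"),
            "criticality": ASSETS.get(alert.host, "unknown")}

def score(ctx):
    """Prioritisation based on business impact (constructed scoring table)."""
    if ctx["verdict"] == "malicious":
        return "Critical" if ctx["criticality"] == "crown_jewel" else "Major"
    return "Minor" if ctx["criticality"] == "crown_jewel" else "Informational"

class Playbook:
    def __init__(self, safe_mode=True):
        self.safe_mode = safe_mode      # True: record intended actions, change nothing
        self.cases = {}
        self.actions_issued = []        # what actually went to the firewall/EDR connectors

    def _contain(self, case, alert):
        for action, target in (("block_ip", alert.src_ip), ("isolate_host", alert.host)):
            if self.safe_mode:
                case.log("playbook", "dry_run", f"{action} {target}")
            else:
                self.actions_issued.append((action, target))
                case.log("playbook", "executed", f"{action} {target}")

    def handle(self, alert):
        key = f"{alert.rule}|{alert.src_ip}"
        case = self.cases.setdefault(key, Case(key))
        case.alerts.append(alert)
        case.log("playbook", "alert_linked", alert.id)
        if len(case.alerts) > 1:
            return case                 # similar alert: linked to the open case, not re-triaged
        ctx = enrich(alert)
        case.severity = score(ctx)
        case.log("playbook", "enriched", str(ctx))
        if ctx["verdict"] == "unknown" and ctx["criticality"] != "crown_jewel":
            case.decision = "closed_low_confidence"   # likely false positive; reopen from the audit trail
        elif ctx["criticality"] in AUTO_CONTAINABLE:
            self._contain(case, alert)
            case.decision = "auto_contained"
        else:
            case.decision = "awaiting_approval"       # human inserted into the decision
        return case

    def approve(self, key, analyst, approved):
        case = self.cases[key]
        if case.decision != "awaiting_approval":
            raise ValueError(f"case {key} is not awaiting approval")
        case.log(analyst, "approved" if approved else "rejected")
        if approved:
            self._contain(case, case.alerts[0])
            case.decision = "contained_after_approval"
        else:
            case.decision = "closed_by_analyst"
        return case

SAMPLE_ALERTS = [  # constructed alerts as a SIEM might emit them
    Alert("A1", "bruteforce", "203.0.113.7", "kiosk-17"),
    Alert("A2", "bruteforce", "203.0.113.7", "kiosk-17"),        # repeat of A1
    Alert("A3", "lateral_movement", "203.0.113.7", "fin-db-01"),
    Alert("A4", "bruteforce", "198.51.100.2", "kiosk-17"),
]

def demo(safe_mode=True):
    """Run the sample alerts through the playbook; an L2 analyst approves the crown-jewel case."""
    pb = Playbook(safe_mode)
    for a in SAMPLE_ALERTS:
        pb.handle(a)
    pb.approve("lateral_movement|203.0.113.7", "analyst.l2", approved=True)
    return pb
```

With `demo()` the four alerts collapse into three cases: the two bruteforce alerts against the kiosk are linked to one Major case and contained automatically, the lateral-movement alert against the finance database is scored Critical and waits for an analyst, and the alert with no intel hit on a low-value host is closed as low confidence with its enrichment result kept in the audit trail. In safe mode every containment is only logged as a dry run and `actions_issued` stays empty; `demo(safe_mode=False)` is the same flow with the connector calls actually recorded, which is the switch to flip only after the playbook has been run against real alerts in safe mode for a while.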
30. Narrowing Down: Challenges & Expectations Vs. Solution
Challenges
• SIEM generating a huge amount of alerts
• Incidents getting missed
• Lack of threat visibility
• Finding lateral impact
• Learning from the past
• Finding the RCA
• Skills shortage
• Incident-based SLA management
• Incident closures
• Reporting
  • Technical
  • Business context
  • Performance based
Expectations (MSSP / Internal Team)
• Business context for the investigation
• Adding big data analytics
• Bulletin boards for the team
• Case management
• Automating runbooks
• Threat visibility & spread
• Avoiding over-detection & false positives
• Automating similar incidents
• Prioritization based on business impact
• Incident containment as a first step
• Surgical response for accurate threat eradication
• Practicing the crisis situation
Solution
• Matured Security Operations Center (SoC)
• Identifying unknown threats
• Incident management
• Incident automation
• Containment
• Forensic data for accurate eradication
• Practicing crisis situations
• Continuous skills improvement
• Codification of runbooks for accuracy